
Automotive cybersecurity compliance

The SBOM Compliance Challenge - We can help

The Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity mandates the creation and maintenance of SBOMs for every software component, in order to safeguard the transparency and security of the software supply chain.

  

China's Ministry of Industry and Information Technology (MIIT, 中国工业和信息化部) published a guide for security risk management in the connected car supply chain.


UNECE WP.29 & UN R155


Compliance in the automotive sector is particularly challenging:


  1. Diverse Supply Chain Entities: With a wide range of suppliers, each managing their own software inventories and compliance processes, ensuring uniformity and completeness in SBOM documentation becomes a significant challenge.
  2. Embedded Systems Complexity: Automotive companies use a variety of embedded build systems, such as Buildroot and Yocto, to develop their software stacks. These systems, while powerful, often lack standardized mechanisms for generating and integrating SBOMs, complicating compliance efforts.
  3. Rapid Technological Evolution: The fast pace of innovation in automotive technology, coupled with evolving cybersecurity threats, requires SBOMs to be continuously updated, demanding substantial time and resources from all supply chain participants.


Potential Fallout from Non-Compliance

  • Increased Vulnerability to Cyber Attacks: Without comprehensive SBOMs, identifying and mitigating vulnerabilities in automotive software becomes more difficult, exposing manufacturers and users to increased cyber risk.
  • Regulatory and Legal Repercussions: Non-compliance could result in legal penalties, loss of certifications, and restrictions on market access, significantly impacting a company’s operational and financial standing.
  • Damage to Brand and Trust: The inability to assure the cybersecurity of vehicles undermines consumer trust and can lead to long-term reputational damage, affecting sales and competitive positioning.


Moving Forward

Addressing these challenges necessitates a concerted effort from all stakeholders in the automotive supply chain. It involves adopting best practices for SBOM generation and management, leveraging advanced tools and technologies for automated compliance, and fostering a culture of collaboration and transparency among suppliers.


As the automotive industry navigates these compliance challenges, the focus must be on building resilient and secure software supply chains that not only meet regulatory demands but also protect the safety and privacy of end-users. Embracing this shift towards enhanced cybersecurity practices is not just about regulatory alignment; it's about driving the future of automotive safety and innovation.


Copyright © 2024 SBOM STRATEGIES - All Rights Reserved.
