
Insight: Security Management in Automotive Environment


About the Author and This Research

Mirko De Vincentiis published this thesis-level research on arXiv in 2025, focusing on the systemic challenges of cybersecurity management in the automotive domain. His work spans intrusion detection on CAN bus networks, the application of traditional and quantum machine learning algorithms for threat identification, and the design of risk assessment models that align with international automotive security standards. While the research is presented as academic work with in vitro experimental validation, its value to industry practitioners lies in its systematic literature review—which rigorously documents the fragmentation problem that plagues current automotive cybersecurity research and practice—and in the modular framework it proposes as a solution.

The timing of this publication is notable. In 2025, CISA and the U.S. Coast Guard issued advisory AA25-212A identifying persistent cyber hygiene weaknesses across critical infrastructure organizations, echoing De Vincentiis's finding that most existing security implementations address only one phase of the security lifecycle rather than an integrated whole. For Taiwanese automotive suppliers preparing for TISAX assessments or ISO/SAE 21434 audits, this convergence of academic and regulatory signals is a strong indicator that holistic security management frameworks are no longer optional.

ANDURIL: A Five-Dimensional Framework That Unifies Detection, Response, and Prevention

The central contribution of this research is the ANDURIL (Automotive Network Defense Unified Response Intrusion Limitation) model, which addresses a structural gap that has persisted in automotive cybersecurity research for years: the tendency to optimize for a single security phase while neglecting the other two.

Finding 1: The Three-Phase Integration Gap Is the Industry's Foundational Problem

Through a systematic literature review, De Vincentiis demonstrates that the overwhelming majority of automotive cybersecurity research focuses on one of three phases—Detection, Response, or Prevention—without integrating all three. Most published work concentrates on improving the accuracy of intrusion detection algorithms for CAN bus traffic, with far less attention paid to post-detection incident response procedures or proactive risk prevention frameworks. This finding has direct implications for Taiwanese suppliers: purchasing an intrusion detection system does not constitute compliance with ISO/SAE 21434's requirements for continuous cybersecurity activities, which explicitly require ongoing threat monitoring, incident response capability, and periodic risk reassessment throughout the vehicle lifecycle.

Finding 2: The ANDURIL Framework Offers a Modular Path to Integrated Compliance

The ANDURIL framework is structured around five dimensions, each encompassing Detection, Response, and Prevention operational units. Key technical components include: (1) traditional machine learning algorithms for CAN bus anomaly detection; (2) quantum machine learning (Quantum ML) algorithms benchmarked against traditional methods for detection speed and model accuracy; (3) a Security Operation Center (SOC)-based incident response model; (4) an attack risk assessment model designed to interface with the Threat Analysis and Risk Assessment (TARA) methodology required by ISO/SAE 21434; and (5) a web application to support decision-making during active attack scenarios. The modular design is deliberately scalable, allowing suppliers of different sizes to prioritize which dimensions to implement first based on available resources and the most pressing compliance deadlines.

Finding 3: Quantum ML Benchmarking Points to a Medium-Term Technology Roadmap

One of the more forward-looking elements of this research is its systematic comparison of traditional machine learning and quantum machine learning algorithms for CAN bus threat identification, evaluated on both detection time and model accuracy. This is among the first comparative studies of its kind in the automotive cybersecurity domain. For OEM manufacturers and Tier 1 suppliers developing technology roadmaps for 2026–2030, this benchmarking data provides an early-stage reference point for assessing when quantum computing-enhanced security tools might become operationally viable. The author honestly acknowledges that all experiments were conducted in vitro (laboratory conditions) and that in vivo validation on real embedded components remains necessary—a critical caveat that practitioners should weigh carefully when assessing the framework's current deployment readiness.

Strategic Implications for Taiwan's Automotive Supply Chain

The ANDURIL framework's publication intersects with several concurrent regulatory and market developments that are directly affecting Taiwan's automotive supplier ecosystem.

First, ISO/SAE 21434's continuous cybersecurity activity requirements cannot be satisfied by point solutions. Clauses 5 through 15 of ISO/SAE 21434 mandate ongoing threat monitoring, incident response, and risk reassessment across the vehicle lifecycle. The three-phase integration logic of ANDURIL maps directly onto this requirement, providing a structured rationale for why suppliers must invest in all three security phases rather than treating initial certification as the endpoint.

Second, UNECE WP.29 R155 requires CSMS coverage of post-production phases, which is the area most commonly neglected by Taiwanese suppliers. R155 explicitly requires OEMs and their supply chains to demonstrate cybersecurity management across development, production, and post-production stages. ANDURIL's SOC-oriented response model and attack risk assessment component directly address this post-production gap, providing a practical architecture for the ongoing monitoring and response capabilities that R155 auditors will scrutinize.

Third, TISAX assessments consistently identify incident response and supplier management as high-failure areas. TISAX, based on the VDA ISA framework, evaluates information security management practices that European automotive OEMs require of their supply chain partners. The incident response procedures supported by ANDURIL's Response operational unit align with the Security Incident Management requirements in TISAX, where Taiwanese suppliers frequently lose points due to the absence of documented response procedures and drill records.

The broader context reinforces urgency: VicOne and Trend Micro's Pwn2Own Automotive 2025 competition uncovered 49 zero-day vulnerabilities across automotive systems, and American research has confirmed that the majority of vehicle manufacturers demonstrate inadequate privacy protection practices. The connected vehicle ecosystem's expanding attack surface makes the integrated management approach ANDURIL proposes not just academically interesting, but operationally necessary.

How Winners Consulting Services Co. Ltd. Supports Taiwan's Automotive Suppliers

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) supports Taiwan's automotive supply chain in achieving TISAX certification, implementing ISO/SAE 21434, and satisfying UNECE WP.29 R155 cybersecurity management system requirements. Based on the strategic directions identified in the ANDURIL framework, we recommend the following three concrete actions for Taiwanese suppliers:

  1. Conduct a Three-Phase Cybersecurity Maturity Assessment: Map your current security capabilities against ANDURIL's Detection, Response, and Prevention dimensions. Key diagnostic questions include: Does your organization have CAN bus monitoring or equivalent network monitoring for in-vehicle systems? Is there a documented, tested incident response procedure that satisfies ISO/SAE 21434 continuous cybersecurity activity requirements? Has a TARA been completed and maintained according to ISO/SAE 21434 Clause 15? The answers directly determine your organization's readiness for TISAX assessments and R155 type approval audits.
  2. Build a TARA Workflow That Integrates With Your Monitoring Infrastructure: The ANDURIL framework's risk assessment model emphasizes grounding threat evaluation in international standards—directly aligned with ISO/SAE 21434's TARA methodology. We recommend that suppliers complete at least one full TARA cycle before the end of 2025, integrating its outputs into both the CSMS documentation system and the detection rule sets governing any network monitoring tools in use. This creates the feedback loop—from detected event to TARA update to control measure adjustment—that constitutes genuine continuous cybersecurity activity.
  3. Plan Post-Production Security Monitoring Resources Proactively: CISA advisory AA25-212A and R155's post-production requirements both point to the same organizational gap: the lack of sustained monitoring capability after a product enters the market. We recommend that suppliers assess SOC capability options—whether in-house, outsourced, or shared-service models—as part of their 2025–2026 resource planning. Even a lightweight shared SOC arrangement can establish the compliance baseline needed to respond to OEM customer R155 audit requirements.

Winners Consulting Services Co. Ltd. offers a complimentary Automotive Cybersecurity Mechanism Diagnostic, helping Taiwan enterprises establish a TISAX-compliant management framework within 7 to 12 months.

Explore Automotive Cybersecurity (AUTO) Services → Request a Free Diagnostic →

Frequently Asked Questions

How does the ANDURIL framework's CAN bus detection component connect to the TARA process required by ISO/SAE 21434?
ANDURIL's Detection dimension uses machine learning algorithms to identify anomalous CAN bus traffic patterns. ISO/SAE 21434 Clause 15 requires organizations to identify threat scenarios, assess their impact and feasibility, and assign risk values through the TARA process. The practical integration point is that TARA outputs—specifically the high-risk threat scenarios—should directly inform the detection rules and alert thresholds configured in any CAN bus monitoring system. Conversely, anomalous events detected at runtime should trigger a TARA review cycle to assess whether the threat model needs updating. Organizations that maintain this bidirectional feedback loop satisfy ISO/SAE 21434's continuous cybersecurity activity requirements in a way that a standalone detection tool cannot.
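The feedback loop described above can be made concrete in code. The following is an added example, not code from the paper or from Winners Consulting: it takes a constructed TARA output (hypothetical threat scenarios tied to CAN arbitration IDs and their nominal transmit periods), derives per-ID rate thresholds from it, runs those rules over a constructed CAN frame log, and reports back which scenarios fired and which CAN IDs the TARA never modelled, i.e. the items that should trigger a TARA review cycle. The CAN IDs, periods, risk labels, log format and the rate-threshold rule are all assumptions made for the example.

```python
"""Toy TARA-to-detection feedback loop for CAN bus traffic (added example).

TARA scenarios -> detection rules -> alerts -> TARA review items.
All CAN IDs, periods and log lines below are constructed, not real vehicle data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    scenario_id: str          # TARA scenario identifier (constructed)
    can_id: int               # arbitration ID the scenario concerns (constructed)
    nominal_period_ms: float  # expected transmit period of that ID (constructed)
    risk: str                 # TARA risk rating label (constructed)


# Constructed TARA output: the high-risk scenarios a detection layer should cover.
TARA_SCENARIOS = [
    ThreatScenario("TS-01", 0x123, 10.0, "high"),    # hypothetical control frame ID
    ThreatScenario("TS-02", 0x2A0, 100.0, "medium"),  # hypothetical status frame ID
]


def build_rules(scenarios, tolerance=3.0):
    """Derive a per-ID alert threshold: more than tolerance * (frames per second
    at the nominal period) inside one second is treated as flooding/spoofing."""
    return {s.can_id: (s, tolerance * 1000.0 / s.nominal_period_ms) for s in scenarios}


def parse_frame(line):
    """Parse a constructed log line: '<timestamp_ms> <hex can_id> <dlc> <hex data>'."""
    ts, cid, dlc, data = line.split()
    return float(ts), int(cid, 16), int(dlc), data


def detect(log_lines, rules, window_ms=1000.0):
    """Sliding one-second window per CAN ID. Returns (alerts, unmodelled_ids).
    IDs with no TARA scenario are not alerted on but are collected for review."""
    seen = defaultdict(list)   # can_id -> timestamps inside the current window
    alerts, flagged, unknown_ids = [], set(), set()
    for ts, cid, dlc, data in (parse_frame(l) for l in log_lines):
        if cid not in rules:
            unknown_ids.add(cid)
            continue
        scenario, max_frames = rules[cid]
        q = seen[cid]
        q.append(ts)
        while q and ts - q[0] > window_ms:  # drop frames older than the window
            q.pop(0)
        if len(q) > max_frames and cid not in flagged:  # one alert per ID
            flagged.add(cid)
            alerts.append({"scenario": scenario.scenario_id, "can_id": cid,
                           "risk": scenario.risk, "at_ms": ts,
                           "frames_in_window": len(q)})
    return alerts, sorted(unknown_ids)


def tara_review_items(alerts, unknown_ids):
    """Feedback to the TARA: high-risk scenarios that fired (threat model was
    right, controls need checking) and IDs with no scenario (model is incomplete)."""
    return {
        "fired_high_risk": [a["scenario"] for a in alerts if a["risk"] == "high"],
        "unmodelled_can_ids": [f"0x{cid:X}" for cid in unknown_ids],
    }


def constructed_log():
    """Constructed traffic: 500 ms of normal 0x123 traffic, periodic 0x2A0 frames,
    one frame from an ID the TARA never modelled, then a 0x123 flood at 1 ms."""
    lines = [f"{i * 10.0:.1f} 123 8 0000000000000000" for i in range(50)]
    lines += [f"{i * 100.0:.1f} 2A0 8 1122334455667788" for i in range(10)]
    lines.append("250.0 555 2 ABCD")  # constructed unmodelled ID
    lines += [f"{500 + i * 1.0:.1f} 123 8 FFFFFFFFFFFFFFFF" for i in range(500)]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    found, unmodelled = detect(constructed_log(), build_rules(TARA_SCENARIOS))
    print(found)                                   # one alert for TS-01 at 750.0 ms
    print(tara_review_items(found, unmodelled))    # TS-01 fired; 0x555 unmodelled
```

The detector deliberately does not alert on unmodelled IDs: the point of the loop is that such traffic is routed back into the TARA as a candidate threat scenario, after which the rule set is regenerated from the updated TARA rather than hand-edited in the monitoring tool.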
What are the most common failure points for Taiwanese suppliers during TISAX assessments?
Based on practical assessment experience, Taiwanese suppliers most frequently lose points in three TISAX (VDA ISA) areas: Security Incident Management—due to absent or untested incident response procedures; Supplier Management—due to cybersecurity requirements not being contractually specified for sub-suppliers; and Physical Security—due to access control and visitor management practices falling short of TISAX requirements. ANDURIL's Response operational unit addresses the first failure area most directly. Suppliers that develop documented incident response SOPs informed by the framework's SOC-oriented model will see measurable improvements in their TISAX assessment scores, particularly if those procedures are supported by evidence of at least one tabletop or live drill exercise.
Does TISAX certification satisfy UNECE WP.29 R155 compliance requirements?
TISAX and UNECE WP.29 R155 address related but distinct compliance domains. TISAX, based on VDA ISA, evaluates information security management with emphasis on data protection and IT security practices. R155 mandates a Cybersecurity Management System (CSMS) specifically for vehicle cybersecurity, covering the development, production, and post-production lifecycle. R155 directly constrains OEM manufacturers seeking type approval in markets including the EU, Japan, and South Korea, with compliance obligations flowing down to supply chain partners through contractual requirements. TISAX certification demonstrates strong information security governance but does not substitute for a CSMS built to ISO/SAE 21434. Suppliers that have achieved TISAX AL2 certification should assess whether their existing documentation can be extended to support an ISO/SAE 21434-aligned CSMS, as significant structural overlap exists but critical gaps typically remain in TARA methodology and post-production monitoring.
What is the realistic timeline and resource investment for building an ISO/SAE 21434-compliant security management system?
For a mid-sized Taiwanese automotive supplier with 200–500 employees, building a foundational ISO/SAE 21434-compliant cybersecurity management system typically requires 9 to 18 months. Organizations with an existing ISO 27001 or IATF 16949 management system baseline can typically compress this timeline to 7 to 12 months. Resource requirements generally include 1 to 2 dedicated or part-time cybersecurity management personnel, external consulting support for TARA methodology design and documentation framework development, and tool investments for threat monitoring infrastructure. External consulting fees typically represent 40–60% of total initial investment, with the remainder allocated to internal personnel time and tooling. TISAX assessment fees are separate and vary by assessment level: AL2, the most common requirement for Taiwanese suppliers, involves third-party assessment costs that should be budgeted as part of the overall program plan.
Why engage Winners Consulting Services Co. Ltd. for Automotive Cybersecurity matters?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides integrated advisory capability across ISO/SAE 21434, TISAX, and UNECE WP.29 R155—three frameworks that Taiwanese automotive suppliers must navigate simultaneously. Our team addresses both the technical layer (TARA methodology design, CAN bus security assessment, control measure specification) and the management layer (CSMS documentation, TISAX assessment preparation, gap analysis against R155 requirements). We support clients through a structured engagement path from diagnostic to certification, with a target timeline of 7 to 12 months for TISAX-compliant framework establishment. Our complimentary Automotive Cybersecurity Mechanism Diagnostic gives prospective clients a clear picture of their current compliance gaps and prioritized action items before committing to a full engagement—ensuring resources are allocated to the highest-impact areas from the outset.
---

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) notes that the ANDURIL framework published in 2025 is a five-dimensional model that, for the first time, treats the three phases of detection, response and prevention in automotive cybersecurity management in an integrated way, and assesses it as a concrete blueprint for building a management system for Taiwanese automotive suppliers working toward ISO/SAE 21434, UNECE WP.29 R155 and TISAX compliance.

Paper source: Security Management in Automotive Environment (DE VINCENTIIS, MIRKO, arXiv, 2025)
Original link: https://core.ac.uk/download/661333726.pdf
