Winners Consulting Services Co., Ltd. notes that a 2025 study by UK scholar Jeremy Bryans et al. is the first to systematically apply the Security-by-Design concept from ISO/SAE 21434 to the entire lifecycle of vehicle Over-the-Air (OTA) updates. By integrating Threat Analysis and Risk Assessment (TARA) with UNECE WP.29 mitigation requirements, it provides a directly referenceable methodological framework for Taiwanese automotive suppliers on their path to TISAX certification and ISO/SAE 21434 compliance.
Paper Source: An adaptable security-by-design approach for ensuring a secure Over the Air (OTA) update in modern vehicles (Bryans, Jeremy; Dhaliwal, Don; Iyieke, Victormills, arXiv, 2025)
Original Link: https://doi.org/10.1016/j.cose.2024.104268
About the Authors and This Research
The lead author, Jeremy Bryans, is from the Department of Computer Science at Loughborough University in the UK. With an h-index of 23 and over 1,748 citations, he has a long-standing focus on automotive cybersecurity engineering and formal verification, making him a representative figure in the European automotive cybersecurity academic community. Co-authors Don Dhaliwal and Victormills Iyieke contribute practical perspectives from industry implementation and embedded systems security, respectively. Notably, Iyieke's preliminary research in 2023 laid the groundwork for the evolution of this paper's methodology. Since its publication in *Computers & Security* (Elsevier) in 2024, the paper has been cited 7 times, a citation speed that indicates a high level of industry interest for an applied study focused on practical automotive cybersecurity engineering.
It is worth noting that Dhaliwal's academic metrics (h-index: 1, 7 citations) suggest his primary contribution is from an industry implementation standpoint. This is a signal for Taiwanese readers: the paper's value lies in the systematic nature of its engineering methodology, rather than purely on its theoretical academic depth. When evaluating such research, Taiwanese executives should focus on whether the methodological framework is transferable, rather than relying excessively on the authors' academic prestige.
The Security Design Gap in OTA Updates: The Paper's Core Problem and Solution
Modern vehicles contain over 100 Electronic Control Units (ECUs), and OTA updates have become a standard practice for OEMs to reduce costs and rapidly deploy features. However, existing OTA security mechanisms like the Uptane framework, OMA-DM standard, and ISO 24089 mostly focus on the technical protection of the update process itself. They rarely approach it from a Security-by-Design systems engineering perspective to fully embed the ISO/SAE 21434 security lifecycle requirements within the OTA system design—this is precisely the gap this research aims to fill.
Key Finding 1: An Adaptable Security-by-Design Framework Based on ISO/SAE 21434
The research team proposes an "Adaptable Security-by-Design Approach" that encompasses three layers: a Security Engineering Lifecycle, a Logical Security Layered Concept, and a Security Architecture. This framework uses ISO/SAE 21434 as its backbone standard and is validated against an Uptane framework prototype system implemented by Toradex, ensuring the methodology is grounded in a concrete embedded systems environment rather than remaining purely theoretical. The advantage of this three-layer architecture is its "adaptability"—regardless of the OTA technology an OEM adopts, this framework can be applied for systematic security design, reducing compliance uncertainty for manufacturers during technology selection.
Key Finding 2: TARA Identifies Top Threats, UNECE WP.29 Defines Mitigation Actions
The paper conducts a comprehensive Threat Analysis and Risk Assessment (TARA) in accordance with ISO/SAE 21434 to identify the highest-level threats in the OTA update process. It then defines corresponding mitigation actions based on UNECE WP.29 regulatory requirements and ultimately validates the effectiveness of these measures through Penetration Testing. This closed-loop process of "TARA → Threat Formalization → Mitigation Definition → Penetration Test Validation" is the study's most practical methodological contribution. It also embodies the spirit of systematic risk assessment emphasized by CISA's OT Secure Connections Principles, released in January 2026, as applied to the automotive domain.
Constructive Critique: Methodological Limitations and Gaps with Taiwanese Practice
However, in analyzing this research, the consulting team at Winners Consulting Services Co., Ltd. must also point out several noteworthy limitations. First, the research prototype is based on the Toradex platform, and the paper does not provide sufficient validation of its applicability to the Renesas, NXP, or domestic MCU platforms commonly used by Taiwanese suppliers. Second, the depth of the TARA is limited by the complexity of the prototype system and falls short of addressing the multi-supplier interface threat landscape of production vehicles. Third, the paper does not cover TISAX certification requirements, such as supplier security assessments and mapping to the VDA ISA questionnaire. Taiwanese suppliers seeking to directly use this framework for TISAX preparation will need additional compliance bridging work. These limitations do not diminish the paper's academic contribution but serve as a reminder to Taiwanese executives: this framework is a starting point, not a final destination.
Implications for Automotive Cybersecurity Practice in Taiwan: OTA Compliance is More Than a Technical Issue
Taiwanese automotive suppliers are facing dual pressures. On one hand, the EU's UNECE WP.29 regulations (UN R155 and UN R156) became mandatory for all new vehicle types in July 2024, holding OEMs responsible for the cybersecurity management of their entire supply chain. On the other hand, German Tier 1 customers increasingly require their Taiwanese Tier 2 and Tier 3 suppliers to obtain TISAX certification and demonstrate ISO/SAE 21434 compliance capabilities. The OTA Security framework from this paper has direct practical implications in this context.
Specifically, Taiwanese companies should focus on three aspects:
Aspect 1: OTA functionality has become a new focus area in TISAX audits. As the trend of Software-Defined Vehicles (SDV) accelerates, the weight of items related to software update security in the TISAX VDA ISA questionnaire continues to rise. The case of Lucid Motors adding Apple CarPlay to its Gravity electric SUV via an OTA update in March 2026 clearly demonstrates the widespread commercial application of OTA updates, but it also magnifies the exposure of security design flaws. Taiwanese module manufacturers and ECU suppliers that have not yet included the OTA update process in their TISAX audit preparation scope should immediately do so.
Aspect 2: The quality of TARA execution directly impacts ISO/SAE 21434 compliance judgments. This paper demonstrates a complete closed loop from TARA to penetration testing, which is precisely the supplier-level verification capability required by ISO/SAE 21434 Clause 15 (Supplier Security Management). Taiwanese suppliers unable to provide auditable TARA documentation will face significant gaps during Tier 1 customer audits.
Aspect 3: The ripple effect of CISA's OT Secure Connections Principles. Although CISA's OT Secure Connections Principles, released in January 2026, primarily target industrial control systems, their emphasis on "secure connection design principles" aligns closely with the Security-by-Design methodology of this paper. This indicates that such systematic security design thinking is becoming a common direction for global regulation. Taiwanese auto parts manufacturers with North American customers involving in-vehicle OT systems should incorporate this policy trend into their compliance assessments.
How Winners Consulting Services Helps Taiwanese Companies Build OTA Security Design Capabilities
Winners Consulting Services Co., Ltd. assists Taiwanese automotive suppliers in obtaining TISAX certification, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. To address the practical gaps in OTA Security-by-Design revealed in this paper, we recommend Taiwanese companies take the following three steps:
- OTA Cybersecurity Status Assessment (Recommended completion within 30 days): Assess the completeness of existing security design documentation for the OTA update process against the requirements of ISO/SAE 21434 Clause 9 (Concept Phase) and Clause 10 (Product Development) to identify TARA implementation gaps. Winners Consulting Services provides a standardized OTA cybersecurity maturity assessment questionnaire to help companies complete a preliminary diagnosis within two weeks.
- TARA Execution and Threat Model Establishment (Recommended completion within 90 days): Conduct a systematic TARA for the OTA update process in accordance with ISO/SAE 21434, identify the highest-level threats, and map them to UNECE WP.29 mitigation requirements. Our consulting team has cross-platform TARA execution experience and can help manufacturers establish auditable and maintainable threat model documentation.
- TISAX Audit Preparation and Supplier Security Assessment Integration (Recommended completion within 6 months): Integrate OTA security design documentation into TISAX VDA ISA audit preparations, ensuring that supplier-level security requirements (ISO/SAE 21434 Clause 15) can pass both documentary reviews and on-site audits by Tier 1 customers. Winners Consulting Services helps companies establish a complete TISAX management system within 7 to 12 months.
Winners Consulting Services Co., Ltd. offers a complimentary automotive cybersecurity mechanism diagnosis to help Taiwanese companies establish a TISAX-compliant management system within 7 to 12 months.
Frequently Asked Questions
- What specific security design tasks are required for an OTA update system under the ISO/SAE 21434 framework?
- According to ISO/SAE 21434, the security design for an Over-the-Air (OTA) update system must cover at least four layers. First, security goals for the OTA update process as an "item" must be identified during the concept phase (Clause 9). Second, a comprehensive Threat Analysis and Risk Assessment (TARA) must be conducted to identify high-risk threats such as update package tampering, man-in-the-middle attacks, and unauthorized version rollbacks. Third, security requirements based on risk levels must be defined and implemented in the software architecture during the product development phase (Clause 10). Fourth, the effectiveness of these requirements must be validated through penetration testing. The three-layer framework proposed in this paper (Security Engineering Lifecycle, Logical Security Layered Concept, Security Architecture) provides an adaptable template that Taiwanese suppliers can reference to establish their own documentation systems.
- What are the most common gaps in OTA-related security management for Taiwanese automotive suppliers when implementing TISAX certification?
- Based on Winners Consulting Services' experience, the three most common gaps for Taiwanese Tier 2 and Tier 3 suppliers in TISAX audits related to OTA are: First, a lack of documented TARA for the OTA update process, failing to meet the audit requirements of TISAX VDA ISA Chapter 5 (Threat Identification). Second, the access control and authentication mechanisms for OTA updates are not validated for security design as required by ISO/SAE 21434 Clause 10. Third, in supplier security management (ISO/SAE 21434 Clause 15), there is a lack of effective mechanisms for communicating and verifying security requirements with third-party software vendors providing OTA components. These three gaps directly correspond to the UNECE WP.29 UN R156 regulations for Software Update Management Systems (SUMS), and Taiwanese companies should prioritize addressing them.
- What are the core requirements of TISAX certification, and how should Taiwanese companies implement it in stages?
- TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard for the automotive industry established by the German Association of the Automotive Industry (VDA) based on ISO/IEC 27001. Its scope covers information security management, prototype protection, and connected vehicles. Taiwanese suppliers are advised to implement TISAX certification in four stages. Stage one (1-2 months) involves a VDA ISA gap analysis to identify non-conformities in existing security management systems. Stage two (3-5 months) focuses on establishing or strengthening security mechanisms based on the gap analysis, including OTA-related TARA documentation and access control design. Stage three (month 6) includes internal audits and management reviews to confirm effectiveness. Stage four (months 7-12) is the formal assessment by a TISAX-accredited audit provider (ENX-recognized). Winners Consulting Services provides end-to-end guidance to help companies complete certification within 7 to 12 months.
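The four design tasks in the first answer above (identify the item, run a TARA covering package tampering, man-in-the-middle and rollback threats, derive requirements, validate them) end in checks an ECU must enforce at install time. The Go program below is an added illustration, not code from the paper, from Uptane or from Toradex, of what the mitigation side of that TARA looks like for three of the named threats: an OEM-signed manifest (Ed25519) rejects tampered or substituted packages, a hash binds the manifest to the firmware image, and a strictly increasing version number blocks unauthorized rollback and replay. The Manifest layout, its field names and the ECU identifiers are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is a constructed, simplified update descriptor (not Uptane's real metadata format).
type Manifest struct {
	ECU     string `json:"ecu"`
	Version int    `json:"version"`
	Image   string `json:"image"` // hex SHA-256 of the firmware payload
}

// Sign is the OEM-side step: hash the image, serialise the manifest, sign the exact bytes.
// It returns the signed payload and its signature; the ECU must verify those bytes unchanged.
func Sign(priv ed25519.PrivateKey, ecu string, version int, image []byte) (payload, sig []byte, err error) {
	sum := sha256.Sum256(image)
	payload, err = json.Marshal(Manifest{ECU: ecu, Version: version, Image: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify is the ECU-side gate: it returns the new installed version, or the unchanged one plus the
// refusal reason. The signature is checked before any manifest field is trusted; the version must strictly increase.
func Verify(pub ed25519.PublicKey, payload, sig, image []byte, ecu string, installed int) (int, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return installed, errors.New("signature invalid: manifest tampered or not from the OEM signer")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return installed, err
	}
	sum := sha256.Sum256(image)
	switch {
	case m.ECU != ecu:
		return installed, errors.New("manifest targets a different ECU")
	case m.Version <= installed:
		return installed, errors.New("rollback or replay rejected: version is not newer than installed")
	case hex.EncodeToString(sum[:]) != m.Image:
		return installed, errors.New("image hash mismatch: firmware payload tampered or swapped")
	}
	return m.Version, nil
}
```

A production verifier would additionally pin the OEM public key in protected storage and check manifest expiry, which this example omits.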