About the Authors and This Research
This paper is co-authored by Jeremy Bryans, Don Dhaliwal, and Victormills Iyieke, representing a collaborative effort between UK-based academic and industry expertise. Jeremy Bryans is an established figure in automotive cybersecurity with an h-index of 23 and over 1,748 cumulative citations, having contributed extensively to formal verification and security architecture for connected and automated vehicles (CAVs). The research team's decision to prototype and validate their proposed approach on a real Uptane-based OTA system built on the Toradex platform — rather than remaining purely theoretical — significantly enhances its practical relevance for industrial stakeholders.
The paper has been cited 7 times since its 2025 publication, a notable early uptake that reflects growing urgency across the automotive cybersecurity research community. It is available via arXiv and published in Computers & Security (DOI: https://doi.org/10.1016/j.cose.2024.104268), which gives it academic credibility alongside accessibility for practitioners.
Core Research Findings: Three Layers, One Integrated Security Lifecycle
The central argument of the paper is precise and actionable: existing OTA update mechanisms and standards, including Uptane, OMA-DM and the software update management process of ISO 24089, address protocol-level or process-level security, but none systematically integrates the Security-by-Design philosophy mandated by ISO/SAE 21434. This gap leaves vehicle systems exposed at exactly the points where design decisions are made, not only at the transport layer.
Finding 1: Security-by-Design Requires Three Integrated Architectural Layers
The proposed adaptable Security-by-Design framework is structured across three layers: the Security Engineering Lifecycle, the Logical Security Layered Concept, and the Security Architecture. These must be designed concurrently and not treated as sequential phases. The research team implemented this framework on a prototype OTA update system based on the Uptane framework as deployed by Toradex. A full Threat Analysis and Risk Assessment (TARA) was conducted according to ISO/SAE 21434, the highest-risk threats were formally catalogued, and mitigation actions were defined according to UNECE WP.29 regulations. Penetration testing was then conducted to validate that the proposed architecture could withstand the identified attack vectors — creating a closed-loop "design → analyse → verify" process that ISO/SAE 21434 requires but that industry implementations frequently shortcut.
Finding 2: Uptane Alone Is Insufficient for ISO/SAE 21434 Compliance
The research makes an important distinction that many Tier 1 suppliers and OEMs overlook: the Uptane framework (hosted by the Linux Foundation) addresses protocol-layer integrity, preventing malicious updates from being accepted, but does not cover the broader cybersecurity engineering obligations of ISO/SAE 21434: product development and validation (Clauses 10 and 11), production, operations and maintenance, and end of cybersecurity support (Clauses 12 through 14), the TARA methods of Clause 15, and the continual activities of Clause 8. These include security requirements engineering, architectural security analysis, software-level verification, and post-development cybersecurity monitoring and vulnerability management. Similarly, ISO 24089 governs software update management system (SUMS) processes but does not substitute for ISO/SAE 21434's security lifecycle requirements. For Taiwan suppliers, this means that deploying Uptane, or any other OTA protocol, is not by itself sufficient evidence for TISAX readiness or UNECE R156 conformance.
Implications for Taiwan's Automotive Cybersecurity Landscape
Taiwan's automotive supply chain faces a dual regulatory and commercial imperative. On the regulatory side, UNECE WP.29's R155 (Cybersecurity Management System) and R156 (Software Update Management System) are in full effect in the EU, applying to new vehicle types since July 2022 and to all newly registered vehicles since July 2024, and major Japanese OEMs are extending these requirements to their global supply chains. On the commercial side, TISAX (Trusted Information Security Assessment Exchange), the VDA/ENX-backed information security assessment for automotive suppliers, is increasingly required not just of direct OEM partners but of second- and third-tier suppliers involved in connected vehicle components.
The OTA update capability sits at the intersection of R155 and R156. A Taiwanese ECU supplier or embedded systems developer whose products include OTA update functionality must be able to demonstrate: (1) a documented TARA covering OTA-specific threat scenarios, (2) Security-by-Design evidence throughout the product development lifecycle, and (3) an operational SUMS that satisfies the ISO 24089 requirements for update authorization, versioning, integrity verification and incident response. The increasing use of OTA updates to deliver mainstream vehicle features, as illustrated by Lucid Motors' March 2026 OTA introduction of Apple CarPlay and Android Auto for the Gravity SUV, confirms that OTA is now a standard delivery channel for vehicle functionality rather than an exceptional maintenance tool.
CISA's January 2026 publication of the "Secure Connectivity Principles for Operational Technology" further reinforces that connected system security — of which OTA-enabled vehicles are a prime example — is being elevated from an engineering best practice to a formal governance expectation. For Taiwan's export-oriented automotive suppliers, this convergence of standards (ISO/SAE 21434, ISO 24089), regulations (UNECE R155/R156), and certification requirements (TISAX) creates a complex but navigable compliance landscape — provided organizations act systematically rather than reactively.
Winners Consulting Services Co. Ltd.: Practical Guidance for Taiwan Suppliers
積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assists Taiwan's automotive supply chain in achieving TISAX certification, implementing ISO/SAE 21434, and meeting UNECE WP.29 regulatory requirements. Based on the findings of Bryans et al. (2025), we recommend the following structured actions:
- Conduct an OTA Security Gap Analysis Against ISO/SAE 21434 and ISO 24089: Map current OTA development practices against the requirements of ISO/SAE 21434 Clauses 10 through 15 (and the continual cybersecurity activities of Clause 8) and the SUMS requirements of ISO 24089. Specifically assess whether TARA outputs are actively driving updates to the security requirements specification, and whether the organization has documented security architecture decisions for OTA components. This analysis can typically be completed within 4 to 6 weeks and provides the prioritized action roadmap for subsequent remediation.
- Implement the Three-Layer Security-by-Design Architecture in Product Development Processes: Integrate the Security Engineering Lifecycle, Logical Security Layered Concept, and Security Architecture design into existing V-model or agile development workflows. For organizations using Uptane or proprietary OTA mechanisms, conduct a specific review of key management practices, ECU authorization validation, firmware integrity checking, and rollback protection mechanisms against UNECE WP.29 mitigation requirements. Winners Consulting provides standardized architecture templates and facilitated workshops to support organizations in completing this integration within 90 days.
- Establish an Annual Penetration Testing Programme for OTA Attack Surfaces: The paper's use of penetration testing to validate the proposed Security-by-Design framework reflects an important principle: compliance documentation without technical validation is insufficient for TISAX AL2 or AL3 assessments or for OEM cybersecurity assessments. Taiwan suppliers should define an annual penetration testing scope covering the highest-risk OTA attack surfaces, including transport layer interception, firmware tampering, rollback attacks and authorization bypass, and incorporate the test results into the cybersecurity case that ISO/SAE 21434 Clause 6 requires as the argument that the cybersecurity goals have been achieved.
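What "protocol-layer integrity" means in practice for the checks listed above (signature validation under a key-management policy, ECU authorization, firmware integrity, rollback protection) is easiest to see in code. The following Python is an added example written for this page; it is not code from Bryans et al., from the Uptane project or from Toradex. It models one ECU verifying director "targets" metadata the way an Uptane client does, with two labelled assumptions: HMAC-SHA256 with per-key shared secrets stands in for Uptane's asymmetric signatures so the block runs on the standard library alone, and the key ids, ECU serial, hardware id, firmware bytes and metadata layout are all constructed for the demonstration.

```python
"""Uptane-style check of director "targets" metadata and an image on one ECU.
Added, constructed example. Checks: signature threshold, expiry, strictly
increasing version (rollback), ECU/hardware assignment, image length and hash.
HMAC-SHA256 with per-key secrets stands in for Uptane's asymmetric signatures
(an assumption so this runs on the standard library); the check order is the same."""
import hashlib
import hmac
import json


class VerificationError(Exception):
    """Carries the reason an update was refused."""


def canonical(signed):
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(signed, signing_keys):
    """Wrap a 'signed' body with one HMAC signature per supplied key id."""
    body = canonical(signed)
    return {"signed": signed, "signatures": [
        {"keyid": kid, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}
        for kid, key in signing_keys.items()]}


class EcuVerifier:
    """One ECU's verifier; on real hardware last_version lives in tamper-resistant storage."""
    def __init__(self, ecu_serial, hardware_id, trusted_keys, threshold, now):
        self.ecu_serial, self.hardware_id = ecu_serial, hardware_id
        self.trusted_keys, self.threshold, self.now = trusted_keys, threshold, now
        self.last_version = 0  # highest version ever accepted

    def _valid_signature_count(self, metadata):
        body, valid = canonical(metadata["signed"]), set()
        for sig in metadata.get("signatures", []):
            key = self.trusted_keys.get(sig.get("keyid"))  # unknown key ids never count
            if key is not None and hmac.compare_digest(
                    hmac.new(key, body, hashlib.sha256).hexdigest(), sig.get("sig", "")):
                valid.add(sig["keyid"])
        return len(valid)

    def verify(self, metadata, image):
        signed = metadata["signed"]
        # 1. Authenticity: enough distinct trusted keys signed exactly these bytes.
        if self._valid_signature_count(metadata) < self.threshold:
            raise VerificationError("signature threshold not met")
        # 2. Freshness: stale metadata is refused (freeze attack).
        if self.now() >= signed["expires"]:
            raise VerificationError("metadata expired")
        # 3. Rollback: version must exceed the highest one already accepted.
        if signed["version"] <= self.last_version:
            raise VerificationError(f"rollback: version {signed['version']} <= {self.last_version}")
        # 4. Authorization: the image must be assigned to this ECU and its hardware.
        target = None
        for path, info in signed["targets"].items():
            custom = info.get("custom", {})
            if custom.get("ecu_serial") == self.ecu_serial:
                if custom.get("hardware_id") != self.hardware_id:
                    raise VerificationError("image built for other hardware")
                target = (path, info)
        if target is None:
            raise VerificationError("no image assigned to this ECU")
        path, info = target
        # 5. Integrity: cheap length check, then constant-time hash comparison.
        if len(image) != info["length"]:
            raise VerificationError("image length mismatch")
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), info["hashes"]["sha256"]):
            raise VerificationError("image hash mismatch")
        self.last_version = signed["version"]  # persist before handing the image to the installer
        return path


def run_scenarios():
    """Drive one ECU through accept and reject cases; returns name -> outcome."""
    keys = {"director-key-1": b"constructed-secret-1", "director-key-2": b"constructed-secret-2"}
    now = 1_700_000_000  # fixed clock so the run is deterministic
    ecu = EcuVerifier("ecu-A1", "bcm-hw-rev2", keys, threshold=2, now=lambda: now)
    fw_v1, fw_v2 = b"constructed firmware image v1", b"constructed firmware image v2 (patched)"
    outcomes = {}

    def targets(version, expires, image, path, hardware_id="bcm-hw-rev2", signers=keys):
        # Director 'targets' body (constructed shape) assigning one image to ecu-A1, then signed.
        body = {"_type": "targets", "version": version, "expires": expires, "targets": {path: {
            "length": len(image), "hashes": {"sha256": hashlib.sha256(image).hexdigest()},
            "custom": {"ecu_serial": "ecu-A1", "hardware_id": hardware_id}}}}
        return sign_metadata(body, signers)

    def attempt(name, metadata, image):
        try:
            outcomes[name] = "accepted:" + ecu.verify(metadata, image)
        except VerificationError as err:
            outcomes[name] = "rejected:" + str(err)

    md_v1 = targets(1, now + 86400, fw_v1, "bcm/fw-v1.bin")
    attempt("v1 tampered image", md_v1, fw_v1[:-1] + b"X")  # same length, wrong hash
    attempt("v1 genuine", md_v1, fw_v1)
    attempt("v2 one signature", targets(2, now + 86400, fw_v2, "bcm/fw-v2.bin",
                                        signers={"director-key-1": keys["director-key-1"]}), fw_v2)
    attempt("v2 genuine", targets(2, now + 86400, fw_v2, "bcm/fw-v2.bin"), fw_v2)
    attempt("replay v1", md_v1, fw_v1)  # rollback: genuinely signed but superseded
    attempt("v3 expired", targets(3, now - 1, fw_v2, "bcm/fw-v3.bin"), fw_v2)
    attempt("v3 wrong hardware", targets(3, now + 86400, fw_v2, "bcm/fw-v3.bin", "bcm-hw-rev1"), fw_v2)
    return outcomes
```

Calling run_scenarios() reports, per scenario, either the accepted image path or the reason for refusal: a tampered image fails the hash, a single signature fails the threshold, a replayed older update is refused as a rollback, stale metadata is refused as expired, and an image built for other hardware is refused before its hash is even checked. What the verifier cannot show is whether the threshold, the key rotation policy, the storage of last_version and the update authorization rules were derived from a TARA and traced into the architecture; that traceability is the Security-by-Design evidence the paper argues Uptane alone does not provide.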
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers a complimentary Automotive Cybersecurity Mechanism Diagnostic, helping Taiwan enterprises establish TISAX-compliant management mechanisms within 7 to 12 months while simultaneously meeting ISO/SAE 21434 and UNECE WP.29 requirements.
Frequently Asked Questions
- What are the highest-risk attack vectors in automotive OTA update systems, and how should they be addressed under ISO/SAE 21434?
- The highest-risk OTA attack vectors identified in systematic TARA studies include man-in-the-middle interception of update packages, firmware integrity tampering, cryptographic key compromise, rollback attacks that revert vehicles to previously patched vulnerable states, and ECU authorization bypass. Under ISO/SAE 21434, each of these must be formally identified in a TARA with documented attack feasibility ratings and corresponding security goals. Bryans et al. (2025) conducted exactly this analysis on a real Uptane-based prototype, identifying several high-severity threat pathways not addressed by the Uptane protocol itself. Taiwan suppliers should ensure their TARA is maintained continuously, re-run whenever the OTA architecture or the threat environment changes, rather than conducted once at project initiation. The post-development side of this obligation is the continual cybersecurity activities of ISO/SAE 21434 Clause 8 (cybersecurity monitoring, event evaluation, vulnerability analysis and vulnerability management), which feed new findings back into the TARA.
- What are the most common OTA-related compliance gaps for Taiwan suppliers seeking TISAX certification?
- Based on Winners Consulting's advisory experience, the three most prevalent TISAX compliance gaps for Taiwan suppliers with OTA capabilities are: first, TARA documentation that exists as a standalone artifact but does not demonstrably influence security architecture decisions — a disconnect that auditors identify as a Major Non-Conformance under TISAX AL2; second, reliance on third-party OTA frameworks (such as Uptane) as a substitute for ISO/SAE 21434 security engineering lifecycle obligations, particularly for verification and validation activities; and third, absence of a maintained Software Update Management System (SUMS) aligned with ISO 24089, which is required to demonstrate ongoing UNECE R156 conformance. Addressing all three gaps in a coordinated program — rather than sequentially — is typically more efficient and reduces total compliance preparation time by 30% to 40%.
- What specific TISAX requirements relate to OTA security, and how should Taiwan enterprises prepare?
- TISAX assessments against the VDA ISA criteria catalogue evaluate information security, with prototype protection and data protection as additional assessment objectives; product cybersecurity engineering for OTA components is assessed by OEMs against ISO/SAE 21434, and in practice the two are examined together. For suppliers involved in OTA update development or integration, key assessment criteria include: existence and maintenance of a Security Development Lifecycle (SDL) covering OTA components, documented TARA with traceable decision records, evidence of code security review and penetration testing, and supplier (distributed) cybersecurity management processes per ISO/SAE 21434 Clause 7. Preparation is best structured in three phases: Phase 1 (months 1 to 3) covers current-state gap analysis and critical deficiency remediation; Phase 2 (months 3 to 6) establishes the document system and technical validation mechanisms; Phase 3 (months 6 to 9) executes internal audit and mock assessment. Winners Consulting provides end-to-end support targeting TISAX certification completion within 9 to 12 months.
- What resources and investment are realistically required to build ISO/SAE 21434-compliant OTA security design capability?
- For a mid-sized Taiwan automotive supplier (100–500 employees) with no existing ISO/SAE 21434 foundation, building OTA security design capability typically requires 6 to 12 months, 2 to 3 dedicated staff members, and external advisory support for TARA facilitation, architecture review, and penetration testing coordination. The return on this investment is measurable: TISAX certification opens access to European OEM supply chains where AL2 is a mandatory entry requirement; UNECE R156 conformance protects against vehicle type approval revocation in EU markets; and systematic Security-by-Design implementation has been shown in industry studies to reduce late-stage security defect remediation costs by 60% to 80% compared to reactive patching. Organizations that treat OTA security compliance as a commercial enabler rather than a cost center typically achieve positive ROI within 18 to 24 months of initial investment.
- Why engage Winners Consulting Services Co. Ltd. for Automotive Cybersecurity (AUTO) matters?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is among Taiwan's specialist firms with simultaneous capability across TISAX assessment preparation, ISO/SAE 21434 implementation, and UNECE WP.29 compliance advisory. Our consultants bring over 10 years of automotive cybersecurity engineering practice, with client experience spanning OEM program offices, Tier 1 suppliers, and electronics component manufacturers. We understand the specific audit expectations of European and Japanese OEMs and the practical realities of Taiwan's supply chain structure. Our service model covers the full compliance journey — from initial gap analysis and TARA facilitation through security architecture design and penetration test coordination to TISAX audit accompaniment — with a realistic 7 to 12 month certification timeline that builds durable, maintainable security management capability rather than a one-time compliance artifact.
積穗科研株式会社: Putting OTA security design under ISO/SAE 21434 into practice: the actions Taiwan's automotive supply chain should take now
Based on an important academic study published in 2025, 積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) presents the following core finding to companies in Taiwan's automotive supply chain: although modern vehicles carry more than 100 ECUs and OTA remote updates have already become a standard means of software deployment, companies that systematically apply ISO/SAE 21434-based Security-by-Design across the entire OTA process remain a minority, and this design gap is one of the most overlooked cybersecurity risks.
Paper: An adaptable security-by-design approach for ensuring a secure Over the Air (OTA) update in modern vehicles (Jeremy Bryans, Don Dhaliwal, Victormills Iyieke, arXiv, 2025)
Original link: https://doi.org/10.1016/j.cose.2024.104268
Source Paper
An adaptable security-by-design approach for ensuring a secure Over the Air (OTA) update in modern vehicles (Jeremy Bryans, Don Dhaliwal, Victormills Iyieke, arXiv, 2025). DOI: https://doi.org/10.1016/j.cose.2024.104268