
Insight: Automotive Cybersecurity: A Survey on Frameworks, Standards, and Testing and Monitoring Technologies


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Automotive Cybersecurity (AUTO), identifies a critical warning for Taiwan's automotive supply chain: a 2024 peer-reviewed survey already cited 21 times confirms that modern vehicles' expanding digital attack surfaces — spanning CAN bus, Automotive Ethernet, and V2X channels — have outpaced existing security defenses, and that only a synchronized implementation of TISAX certification, ISO/SAE 21434, and UNECE WP.29 compliance can preserve Taiwan suppliers' access to European and Japanese OEM markets.

Paper Citation: Claudiu Vasile Kifor and Aurelian Popescu, "Automotive Cybersecurity: A Survey on Frameworks, Standards, and Testing and Monitoring Technologies", Sensors, 2024 (OpenAlex topic: Automotive Cybersecurity)
Original Paper: https://doi.org/10.3390/s24186139


About the Authors and This Research

This paper was led by Professor Claudiu Vasile Kifor of Lucian Blaga University of Sibiu, Romania, one of Central Europe's established voices in engineering quality management and system safety. With an h-index of 7 and 195 cumulative citations, Kifor brings a practitioner-oriented lens to automotive security research. Co-author Aurelian Popescu, an emerging researcher with an h-index of 2 and 15 citations, contributes a fresh perspective on the evolving regulatory and testing landscape.

Published in 2024 via the MDPI Sensors journal and now cited 21 times, the study adopts a systematic literature review methodology to map the current state of automotive cybersecurity across four thematic pillars: (1) frameworks and technologies, (2) standards and regulations, (3) monitoring and vulnerability management, and (4) testing and validation. For industry practitioners, the study's most valuable contribution is not a single technical finding but a structured map of where the gaps between academic research and industrial practice remain widest — a blueprint for where organizations must invest next.

Core Insight: Digital Complexity Has Outrun Security Maturity in Modern Vehicles

The fundamental argument of Kifor and Popescu's survey is that the automotive industry faces a structural security deficit. Modern vehicles are no longer mechanical systems with limited electronic components — they are software-defined platforms with hundreds of millions of lines of code, dozens of Electronic Control Units (ECUs), and communication interfaces spanning multiple network protocols. The attack surface is enormous, and the existing security frameworks, while increasingly sophisticated, have not yet converged into a coherent, industry-wide standard implementation.

Finding 1: Multi-Channel Connectivity Creates an Asymmetric Defense Problem

The survey documents the breadth of communication channels now present in modern vehicles: CAN bus, LIN, FlexRay, Automotive Ethernet, Bluetooth, Wi-Fi, and V2X (Vehicle-to-Everything) interfaces each represent a potential entry point for malicious actors. The asymmetry is stark — an attacker needs to find and exploit only one vulnerability, while defenders must harden every interface simultaneously. The paper notes that this complexity is compounded in Software-Defined Vehicle (SDV) architectures, where over-the-air (OTA) update capabilities introduce new attack vectors even after a vehicle leaves the factory. For Taiwan's Tier 1 and Tier 2 suppliers providing ECUs, sensors, and connectivity modules, this finding is a direct mandate: every component must be designed with security-by-design principles embedded from the earliest concept phase, precisely as ISO/SAE 21434 Chapter 8 (Product Development) requires.

Finding 2: Standards Are Interdependent, Not Interchangeable

One of the most practically important findings of this survey is the clarification that the major automotive cybersecurity standards and regulations form an interdependent ecosystem rather than alternative choices. ISO/SAE 21434 provides the engineering methodology for cybersecurity across the vehicle lifecycle. UNECE WP.29 Regulation 155 (UN R155), which became mandatory for new vehicle types in Europe, Japan, and South Korea in July 2022 and extended to all produced vehicle types in July 2024, requires OEMs to implement a certified Cybersecurity Management System (CSMS) — for which ISO/SAE 21434 compliance is the primary technical basis. TISAX (Trusted Information Security Assessment Exchange), developed by the German Association of the Automotive Industry (VDA), addresses the information security of the supply chain entities themselves. Companies that attempt to address only one of these frameworks while ignoring the others will find their compliance posture incomplete. The survey explicitly identifies monitoring and vulnerability management as the least mature area across both research and practice.

Finding 3: Testing and Validation Represent the Largest Research and Practice Gap

The survey's analysis of testing and validation methodologies reveals a significant gap between theoretical security assurance and practical implementation. While techniques such as penetration testing, fuzz testing (fuzzing), and formal verification are well-discussed in academic literature, the automotive industry lacks a unified testing methodology and integrated toolchain. There is no broadly accepted automotive-specific testing benchmark that maps test coverage to regulatory requirements. For Taiwan's manufacturing sector, this gap is both a challenge and an opportunity: companies that invest now in building structured, documented testing processes aligned with ISO/SAE 21434's verification and validation requirements will have a significant competitive advantage in supplier qualification audits.

What This Research Means for Taiwan's Automotive Cybersecurity Practice

Taiwan's automotive component manufacturers are not facing a distant future risk — they are facing an immediate market access crisis. The regulatory timeline has already closed, and the findings of this survey map directly onto the specific vulnerabilities in Taiwan's supply chain readiness.

European market entry requirements are now fully enforced. As of July 2024, UN R155 applies to all vehicle types being produced for European markets. Any Taiwan supplier providing components to European OEMs must be able to demonstrate that their products and processes do not introduce cybersecurity risks — and this demonstration must be backed by documented evidence consistent with ISO/SAE 21434's TARA (Threat Analysis and Risk Assessment) methodology.

TISAX has become a de facto prerequisite for German OEM supply chains. Volkswagen Group, BMW Group, and Mercedes-Benz have incorporated TISAX Assessment Labels into their supplier qualification processes. Taiwan suppliers without the appropriate TISAX label — Assessment Level 2 (AL2) for standard sensitive information, or AL3 for highly sensitive data such as prototype vehicle information — risk being excluded from RFQ processes entirely. The timeline to obtaining a TISAX label, including preparation, typically ranges from 6 to 18 months.

Continuous monitoring capability is the next audit frontier. The survey's identification of monitoring and vulnerability management as the weakest link in current practice aligns with an emerging trend in OEM supplier audits: customers are increasingly asking not just whether a supplier has achieved certification, but whether they maintain a living Vehicle Security Operations Center (VSOC) capability. Taiwan suppliers must shift from a "certification event" mindset to a "continuous compliance" operational model.
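To make the "living monitoring capability" concrete, here is a small added example of the kind of CAN-bus anomaly detection an in-vehicle IDS or a VSOC pipeline runs over bus traffic. It is illustrative code written for this page, not code from the Kifor and Popescu survey or from Winners Consulting. It assumes candump-style log lines of the form "(timestamp) iface ID#DATA"; the arbitration IDs, periods, payloads and the 0.5 timing tolerance are constructed for the demo, and the three checks (unknown ID, unexpected DLC, inter-arrival gap far below the learned period) are generic CAN IDS heuristics rather than any vendor's method.

```python
"""Timing- and structure-based CAN bus anomaly detection.

Example code added to illustrate the continuous-monitoring capability
described above; it is not from the Kifor and Popescu paper or from Winners
Consulting.  It assumes candump-style log lines "(timestamp) iface ID#DATA",
and every frame below is constructed for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Frame(NamedTuple):
    ts: float       # seconds
    can_id: int     # arbitration ID
    data: bytes     # payload (length = DLC)


def parse_candump_line(line):
    """'(0.010000) can0 0C1#00FA0102' -> Frame(ts=0.01, can_id=0xC1, data=4 bytes)"""
    ts_part, _iface, id_data = line.split()
    id_hex, data_hex = id_data.split("#", 1)
    return Frame(float(ts_part.strip("()")), int(id_hex, 16), bytes.fromhex(data_hex))


def frames_from_lines(lines):
    return sorted((parse_candump_line(ln) for ln in lines), key=lambda f: f.ts)


def learn_baseline(frames):
    """Learn, per arbitration ID, the expected period, its jitter and the set
    of DLCs from known-good traffic (e.g. a bench recording of the ECU)."""
    by_id = defaultdict(list)
    for f in frames:
        by_id[f.can_id].append(f)
    baseline = {}
    for can_id, fs in by_id.items():
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        baseline[can_id] = {
            "period": mean(gaps) if gaps else None,
            "jitter": pstdev(gaps) if len(gaps) > 1 else 0.0,  # recorded for tuning, not used below
            "dlc": {len(f.data) for f in fs},
        }
    return baseline


def detect_anomalies(frames, baseline, min_ratio=0.5):
    """Return (ts, can_id, reason) alerts.  Three checks a CAN IDS typically runs:
    an ID absent from the baseline, a DLC never seen for that ID, and an
    inter-arrival gap shorter than min_ratio * learned period (the signature
    of injected or flooded frames on a periodic ID)."""
    alerts, last_ts = [], {}
    for f in frames:
        prof = baseline.get(f.can_id)
        if prof is None:
            alerts.append((f.ts, f.can_id, "unknown-id"))
            continue
        if len(f.data) not in prof["dlc"]:
            alerts.append((f.ts, f.can_id, "dlc-mismatch"))
        prev = last_ts.get(f.can_id)
        if prev is not None and prof["period"] and f.ts - prev < min_ratio * prof["period"]:
            alerts.append((f.ts, f.can_id, "period-violation"))
        last_ts[f.can_id] = f.ts
    return alerts


def make_trace(injected):
    """Constructed 500 ms trace: two periodic IDs, optionally with a burst of
    spoofed 0x0C1 frames, one unknown ID and one malformed 0x1A0 frame."""
    lines = [f"({ms / 1000:.6f}) can0 0C1#00FA0102" for ms in range(0, 500, 10)]  # 10 ms, DLC 4
    lines += [f"({ms / 1000:.6f}) can0 1A0#1122" for ms in range(0, 500, 20)]     # 20 ms, DLC 2
    if injected:
        lines += [f"({ms / 1000:.6f}) can0 0C1#FFFF0000" for ms in range(201, 260, 2)]  # 30-frame burst
        lines.append("(0.300000) can0 2B0#AA")       # ID absent from the baseline
        lines.append("(0.413000) can0 1A0#112233")   # 3-byte payload where 2 bytes were learned
    return lines


def run_demo():
    baseline = learn_baseline(frames_from_lines(make_trace(injected=False)))
    quiet = detect_anomalies(frames_from_lines(make_trace(injected=False)), baseline)
    noisy = detect_anomalies(frames_from_lines(make_trace(injected=True)), baseline)
    return baseline, quiet, noisy


if __name__ == "__main__":
    _, quiet, noisy = run_demo()
    print(f"baseline trace: {len(quiet)} alerts; injected trace: {len(noisy)} alerts")
    for reason in ("unknown-id", "dlc-mismatch", "period-violation"):
        print(f"  {reason}: {sum(1 for a in noisy if a[2] == reason)}")
```

On the clean trace the detector stays silent; on the injected trace it raises one unknown-ID alert, one DLC alert, and a period-violation alert for every burst frame plus the legitimate 0x0C1 frames that land too close behind one. The 0.5 tolerance on the learned period is what keeps ordinary arbitration jitter from triggering alerts; in a deployment that tolerance would be derived from the recorded jitter per ID rather than fixed, and the alert stream is what a VSOC would feed into its vulnerability-management process.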

How Winners Consulting Services Co. Ltd. Helps Taiwan Automotive Suppliers Build Competitive Compliance

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end automotive cybersecurity consulting to Taiwan's automotive supply chain, covering TISAX certification preparation, ISO/SAE 21434 implementation, and UNECE WP.29 regulatory alignment. Our consultants bring cross-standard integration expertise that helps companies avoid duplicating effort across frameworks and reach compliance milestones efficiently.

  1. Automotive Cybersecurity Gap Analysis Against ISO/SAE 21434 and TISAX: We conduct a structured assessment of your current design, development, testing, and post-production maintenance processes against the requirements of ISO/SAE 21434 (with specific focus on TARA methodology per Chapter 9 and post-development monitoring per Chapter 10) and the VDA-ISA questionnaire underlying TISAX. The output is a prioritized remediation roadmap with clear timelines and ownership assignments — not a generic checklist.
  2. Integrated Cybersecurity Management System (CSMS) Design and Implementation: Responding directly to the survey's finding that standards are interdependent, we design CSMS frameworks that simultaneously satisfy ISO/SAE 21434, TISAX, and UN R155 requirements. We also help establish IDS/IPS monitoring mechanisms and Vulnerability Disclosure Processes (VDP) to address the continuous monitoring gap identified in the research.
  3. Structured Security Testing Program Development: Addressing the testing gap highlighted by Kifor and Popescu, we help Taiwan suppliers establish documented penetration testing plans and fuzzing methodologies tailored to automotive-specific interfaces (CAN, Ethernet, OTA), and train internal teams to maintain and execute these programs independently — ensuring products can pass cybersecurity reviews during OEM qualification audits.

Winners Consulting Services Co. Ltd. offers a complimentary Automotive Cybersecurity Mechanism Diagnostic, helping Taiwan enterprises establish a TISAX-aligned management system within 90 days.


Frequently Asked Questions

What is the most urgent cybersecurity issue Taiwan automotive component manufacturers need to address right now?

The most urgent issue is demonstrable compliance readiness — the ability to prove to OEM customers that your products and processes meet ISO/SAE 21434 requirements. Research by Kifor and Popescu highlights that many suppliers have baseline security measures in place but lack systematic documentation and a formal TARA (Threat Analysis and Risk Assessment) process. Without this documented evidence, suppliers cannot pass OEM audits. The immediate priority should be establishing ISO/SAE 21434-aligned TARA records for key product lines and documenting cybersecurity activities throughout the development lifecycle.

What is the difference between ISO/SAE 21434 and TISAX, and which should Taiwan enterprises address first?

ISO/SAE 21434 is a technical engineering standard governing cybersecurity activities across the entire vehicle component lifecycle — from concept design through decommissioning. TISAX is an information security assessment mechanism for automotive supply chain entities, based on the VDA-ISA questionnaire, focused on how your company protects sensitive information (design data, prototype data, customer data). They are complementary. The recommended approach is to pursue both simultaneously: build your product cybersecurity engineering capability using ISO/SAE 21434 as the framework, and pursue TISAX assessment to provide German OEMs with a recognized trust credential. Both are required to fully satisfy UNECE WP.29 UN R155 obligations.

How long does TISAX certification take and what does it cost?

TISAX assessment typically requires 6 to 18 months from initial preparation to receiving an Assessment Label, depending on company size and existing information security maturity. Assessment Level 2 (AL2) applies to standard sensitive information, while AL3 is required for highly sensitive data such as prototype vehicle details. Costs vary significantly based on assessment scope (number of sites, systems in scope), the ENX-accredited assessment service provider selected, and the extent of preparation work needed. Winners Consulting recommends 3 to 6 months of pre-assessment preparation — including VDA-ISA gap analysis, ISO/SAE 21434 framework alignment, and internal audits — which significantly improves first-attempt success rates and overall cost efficiency.

Does UNECE WP.29 UN R155 actually affect Taiwan's Tier 2 suppliers?

Yes, directly and materially. While UN R155 formally obligates OEMs to implement a certified Cybersecurity Management System (CSMS), OEMs contractually flow down these obligations to their Tier 1 and Tier 2 suppliers. Taiwan Tier 2 suppliers must be able to provide cybersecurity technical documentation, support TARA processes for their components, and demonstrate that supplied parts do not introduce unmitigated cybersecurity risks. Since July 2024, this requirement applies to all vehicle types entering the European market — there is no longer a phase-in period for Taiwan suppliers serving European OEM customers.

Why choose Winners Consulting Services Co. Ltd. for Automotive Cybersecurity (AUTO) consulting?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting organizations with demonstrated capability across ISO/SAE 21434 implementation, TISAX assessment preparation, and UNECE WP.29 regulatory interpretation. Our team has hands-on experience guiding Taiwan automotive supply chain manufacturers through TISAX evaluation processes, with deep familiarity with VDA-ISA questionnaire review criteria and ENX assessment body requirements. Unlike pure technology consultants, we specialize in translating complex international standards into executable management systems suited to Taiwan's SME manufacturing context — with a 90-day target to establish a sustainably operating compliance framework, not a one-time certification exercise.