About the Authors and This Research
The paper was co-authored by Shahid Mahmood (h-index: 5, 53 total citations), Hoang Nga Nguyen (h-index: 4, 187 total citations), and Siraj Shaikh—a team with sustained focus on embedded systems security and vehicular cybersecurity. Published in 2022 and cited 42 times as of the time of this analysis (including 1 high-impact citation), the research occupies a meaningful position in the growing body of literature on automotive OTA security. What distinguishes this work from most prior studies is its orientation: rather than proposing yet another improved OTA architecture, the authors built an actual software tool to generate and execute security test cases against the Uptane reference implementation. Uptane is the OTA security framework co-developed under the auspices of the U.S. National Cybersecurity Center of Excellence (NCCoE) and is widely referenced by automotive OEMs globally.
The Research Problem: A Critical Gap in Automotive OTA Security Validation
Modern vehicles carry over 100 million lines of software code. Maintaining the security and functionality of these systems requires timely updates—increasingly delivered via over-the-air mechanisms. While OTA update systems offer obvious operational advantages, they also represent a new and significant attack surface. Crucially, the authors identified that despite a substantial body of research proposing improved OTA security designs, there was no study that systematically tested whether existing implementations were actually secure. This paper directly addresses that gap.
Core Finding 1: Uptane Is Robust Against Most Attacks—But DoS and Eavesdropping Vulnerabilities Are Real
Using a structured combination of attack tree analysis and model-based security testing, the research team conducted experimental attacks against the Uptane reference implementation. The results confirmed that Uptane's design holds up well against replay attacks, malicious firmware injection, and man-in-the-middle (MitM) attacks. However, the experiments also revealed genuine vulnerabilities to denial-of-service (DoS) and eavesdropping attacks. This finding has direct relevance to the vulnerability and incident handling obligations defined in ISO/SAE 21434 Chapter 13, and resonates with CISA's January 2026 guidance on operational technology (OT) security connectivity, which specifically flags availability-targeting attacks as a priority concern for critical infrastructure.
Core Finding 2: A Systematic Methodology for OTA Security Testing Can Be Automated
The research team's second major contribution is methodological. By constructing attack trees that model the threat landscape of OTA update systems, and then using those trees as inputs to a model-based test case generation tool, the authors demonstrated that systematic, repeatable security testing of OTA systems is achievable in practice. This pipeline—threat modeling → attack tree construction → automated test case generation → execution against target system—maps closely onto the structured threat analysis workflow required by TARA (Threat Analysis and Risk Assessment) under ISO/SAE 21434. In effect, this research provides a concrete technical implementation path for what the standard requires in conceptual terms.
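As an added illustration of the attack tree to test case step (example code, not the authors' tool or Uptane project code), the block below encodes a small AND/OR attack tree for the OTA threat classes the paper names, enumerates its attack paths, and emits one test-case record per path. The tree, node names and `TC-OTA` identifier scheme are constructed for the example.

```python
# Added example, not code from the paper or the Uptane project: an AND/OR attack
# tree whose leaves are abstract OTA threat steps, with enumeration of attack
# paths (cut sets) into test-case descriptors. Node names are constructed.
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                     # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> List[List[str]]:
    """Return every combination of leaves that achieves `node`'s goal.
    OR: any one child path suffices; AND: one path from each child is needed."""
    if node.gate == "LEAF":
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    if node.gate == "AND":
        return [sum(combo, []) for combo in product(*child_paths)]
    raise ValueError(f"unknown gate {node.gate!r}")


def to_test_cases(root: Node, prefix: str = "TC-OTA") -> List[dict]:
    """Map each attack path to a test-case record, as a model-based generator
    would: one case per path, steps listed in leaf order."""
    return [{"id": f"{prefix}-{i:03d}", "goal": root.name, "steps": path}
            for i, path in enumerate(attack_paths(root), start=1)]


# Constructed tree covering the threat classes from the paper's findings.
OTA_TREE = Node("Compromise OTA update", "OR", [
    Node("Install malicious firmware", "AND", [
        Node("Deliver tampered image", "OR", [
            Node("MitM on delivery channel"),
            Node("Compromised update server")]),
        Node("Bypass integrity/authorization check")]),
    Node("Replay stale update"),
    Node("Deny update (DoS on OTA channel)"),
    Node("Eavesdrop on update traffic"),
])

if __name__ == "__main__":
    for case in to_test_cases(OTA_TREE):
        print(case["id"], "->", " + ".join(case["steps"]))
```

Each record can then be bound to a concrete executable test against the system under test, and the resulting records kept as the SUMS and TISAX evidence discussed later on this page.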
Implications for Taiwan's Automotive Cybersecurity Practice
Taiwan's automotive component suppliers are increasingly required by Tier 1 customers and OEMs to demonstrate verifiable cybersecurity capabilities—not just compliance documentation. This research sharpens three specific obligations that Taiwan suppliers must address:
Obligation 1: UN R156 (SUMS) requires evidence of OTA update security, not just architectural claims. Under UNECE Regulation No. 156, vehicle manufacturers must establish a Software Update Management System (SUMS) that ensures all software updates—including OTA—are delivered securely throughout the vehicle lifecycle. Taiwan suppliers whose components are subject to OTA updates must be able to provide security validation documentation that satisfies SUMS audit requirements. Claiming adoption of Uptane or another framework, without test evidence, is no longer sufficient.
Obligation 2: ISO/SAE 21434 TARA must explicitly model OTA update channels as attack surfaces. The DoS and eavesdropping vulnerabilities identified in this study are precisely the kind of threats that should appear in a complete Threat Analysis and Risk Assessment for any ECU or TCU with OTA capability. Taiwan suppliers who omit OTA-specific attack paths from their TARA deliverables risk producing documentation that fails OEM technical reviews and TISAX assessments.
Obligation 3: TISAX assessors are increasingly scrutinizing OTA-related security controls. Evidence from recent Subaru STARLINK and Mitsubishi Outlander PHEV vulnerability disclosures demonstrates that OTA and connected vehicle attack surfaces are actively exploited. European OEMs are translating these incidents into stricter supplier audit requirements. TISAX assessments in 2025 and 2026 are expected to place greater weight on suppliers' ability to demonstrate not only that they have security controls for OTA updates, but that those controls have been tested and verified. The attack tree and model-based testing methodology presented in this paper offers a directly applicable technical approach for generating that evidence.
How Winners Consulting Services Helps Taiwan Suppliers Build OTA Security Capabilities
積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) helps Taiwan automotive suppliers achieve TISAX certification, implement ISO/SAE 21434, and meet UNECE WP.29 vehicle cybersecurity regulatory requirements. For OTA security specifically, we recommend the following action sequence:
- Conduct an OTA attack surface inventory integrated with your TARA process: Using the attack tree methodology described in this research, systematically map all OTA-related attack vectors for your components (firmware delivery channels, authentication and integrity verification mechanisms, rollback protection, update authorization flows) and incorporate these as explicit threat scenarios in your ISO/SAE 21434 TARA documentation. This simultaneously fulfills ISO/SAE 21434 Chapter 15 requirements and provides inputs for OTA security design verification under UN R156.
- Establish a model-based OTA security testing protocol aligned with UN R156 SUMS requirements: Design repeatable security test cases—drawing on the attack tree analysis—that can be executed at development milestones and reused for regression testing after updates. Maintain records of test execution results as SUMS compliance evidence and TISAX technical supporting documentation. This transforms a one-time compliance exercise into a durable engineering capability.
- Build a continuous vulnerability monitoring and incident response mechanism for OTA update systems: The DoS vulnerability finding in this research underscores that even well-designed frameworks require ongoing vigilance. Winners Consulting Services assists clients in establishing the structured vulnerability and incident handling processes required by ISO/SAE 21434 Chapter 13, with specific procedures for OTA-related security incidents—including notification timelines and containment actions that satisfy TISAX assessor expectations.
Winners Consulting Services Co. Ltd. offers a complimentary automotive cybersecurity mechanism diagnostic to help Taiwan enterprises build TISAX-compliant management systems within 7 to 12 months.
Frequently Asked Questions
- Our company uses Uptane for OTA updates. Does this research mean we still need additional security testing?
- Yes. This study's experimental findings confirm that even the Uptane reference implementation—the most widely referenced open-source framework for automotive OTA security—contains exploitable vulnerabilities in denial-of-service and eavesdropping scenarios. ISO/SAE 21434 Chapter 10 explicitly requires that cybersecurity specifications be verified through testing, and TISAX assessors increasingly expect suppliers to provide documented security test results rather than simply naming the framework they have adopted. Using Uptane or any other established framework is a sound starting point; it is not a substitute for structured verification testing.
- What are the most common OTA-related compliance gaps when Taiwan suppliers undergo ISO/SAE 21434 audits?
- Based on Winners Consulting Services' advisory experience with Taiwan automotive component manufacturers, two gaps appear most frequently. First, TARA deliverables omit OTA update channels as explicit attack surfaces, leaving the threat analysis incomplete under ISO/SAE 21434 Chapter 15. Second, vulnerability management procedures (ISO/SAE 21434 Chapter 13) lack OTA-specific incident response steps—particularly for scenarios involving compromised update delivery infrastructure. Both gaps are directly flagged during TISAX assessments and, if unresolved, result in assessment findings that delay certification.
- What is the typical timeline to prepare OTA-related documentation for TISAX assessment?
- For a Taiwan supplier preparing TISAX certification with OTA-capable components, the OTA security preparation work should be embedded in a three-phase schedule. Months 1–3: complete OTA attack surface inventory and update TARA documentation to align with ISO/SAE 21434 and UN R156 SUMS structure. Months 3–6: design and execute security test cases based on attack tree analysis; establish test records. Months 6–9: finalize vulnerability management and incident response SOPs, conduct internal gap assessment, remediate remaining findings, and submit for formal TISAX evaluation. In total, allow at least 9 months from program initiation to assessment readiness for OTA-involved product lines.
- What resources are required to establish an OTA security testing capability, and what is the return on investment?
- For a single ECU product line, establishing an ISO/SAE 21434-aligned OTA security testing protocol typically requires 2–4 person-months of engineering effort, supplemented by external consulting support for methodology design and TISAX documentation preparation. The return on this investment should be assessed against the alternative: European OEM procurement teams are increasingly disqualifying suppliers who cannot provide OTA security verification documentation in Tier 1 RFQs. Suppliers who establish this capability before 2026—while TISAX assessment volume in Taiwan is still manageable—will encounter lower competition for assessor slots and less mature audit requirements than those who defer to 2027 or later.
- Why engage Winners Consulting Services for automotive cybersecurity matters?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) specializes in ISO/SAE 21434 implementation and TISAX certification advisory for Taiwan's automotive supply chain. Our team combines standard interpretation expertise with TARA implementation experience and working knowledge of UNECE WP.29 regulations including UN R155 and UN R156. We understand the specific constraints of Taiwan's SME component manufacturers—limited dedicated cybersecurity headcount, compressed timelines, and the practical challenge of differentiating automotive cybersecurity requirements from IT security frameworks like ISO 27001. Our structured advisory service, from gap assessment through mock audit, is designed to deliver a TISAX-ready management system within 7 to 12 months.
Systematic Threat Assessment and Security Testing of In-Vehicle OTA Updates: ISO 21434 and TISAX Practical Implications for Taiwan Automotive Suppliers
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assesses that an academic paper published in 2022 (cited 42 times) has filled a critical gap in the validation methodology for automotive OTA (over-the-air) update security. The study's results demonstrated that even the reference implementation of the widely adopted Uptane framework has real vulnerabilities to denial-of-service (DoS) and eavesdropping attacks. For Taiwan automotive component suppliers pursuing ISO/SAE 21434 compliance and TISAX certification, this finding fundamentally challenges the assumption that adopting a framework is sufficient.
Paper source: Systematic threat assessment and security testing of automotive over-the-air (OTA) updates (Mahmood, Shahid; Nguyen, Hoang Nga; Shaikh, Siraj; arXiv, 2022)
Original link: https://doi.org/10.1016/j.vehcom.2022.100468
Source Paper
Systematic threat assessment and security testing of automotive over-the-air (OTA) updates (Mahmood, Shahid; Nguyen, Hoang Nga; Shaikh, Siraj; arXiv, 2022)