Software-Defined Vehicles Introduce Growing Cybersecurity Challenges for the Auto Industry

Surendra Reddy
MAY 11, 2026

## What Are Software-Defined Vehicles?

The modern car is no longer primarily a mechanical machine. It is a rolling software platform. Software-defined vehicles (SDVs) consolidate the functions previously handled by dozens of isolated hardware components into centralized software layers running on high-performance computing units. Features ranging from braking and steering assistance to infotainment, navigation, and driver monitoring are now controlled, updated, and monetized through software.

This shift has brought undeniable advantages. Automakers can push new features to vehicles already on the road through over-the-air (OTA) updates, extend vehicle lifespan through software improvements, and build recurring revenue streams from subscriptions and upgrades. For consumers, the experience more closely resembles using a smartphone than driving a traditional car.

But the same connectivity and software dependency that makes SDVs powerful also makes them dangerous targets. Every new API endpoint, wireless interface, cloud connection, and OTA update channel is a potential entry point for attackers — and the automotive industry is struggling to keep pace with the threat.

## The Expanding Attack Surface of Software-Defined Vehicles

Traditional vehicles had limited connectivity. Their electronic control units (ECUs) operated in relative isolation, and physical access was typically required to compromise them. SDVs have fundamentally changed this equation.

Modern SDVs connect to cloud platforms, mobile applications, vehicle-to-everything (V2X) infrastructure, and third-party services simultaneously. Each connection adds to an attack surface that security researchers describe as sprawling and difficult to fully audit.

According to Upstream's 2026 Global Automotive and Smart Mobility Cybersecurity Report, AI-based architectures in SDVs have dramatically expanded attack surfaces by introducing new entry points and systematic exposures across the entire ecosystem. The report analyzed 494 publicly reported cybersecurity incidents from the automotive sector in 2025 alone — and identified AI-driven, software-based vehicle architectures as one of the two main drivers of rising threats.

Estimates suggest there are now more than 400 million connected vehicles in active use globally, each a potential target. As more of these vehicles move toward full software-defined architectures, the scale of the exposure grows accordingly.

## Real-World Attacks Are Already Happening

Software-defined vehicle cybersecurity risks are not hypothetical. Attacks on automotive targets have caused measurable, expensive damage.

Ransomware has emerged as the fastest-growing threat against the automotive and mobility ecosystem. In one high-profile incident cited by security researchers, a cyberattack crippled an automaker's IT systems and led to a worldwide vehicle production shutdown lasting nearly 40 days. The financial and operational consequences were severe.

Beyond production disruptions, cybercriminals have begun targeting drivers directly. Attackers have interfered with vehicle access and functionality to extort individual users — a disturbing development that moves automotive cyber threats from the enterprise environment into consumers' daily lives.

Keyless vehicle theft has also surged in markets across Europe, North America, and Asia. Attackers exploit vulnerabilities in CAN bus communication protocols and relay attack vectors to steal vehicles without physical key access. Law enforcement data indicates that vehicles equipped with keyless entry systems are disproportionately targeted, with some models experiencing theft rates many times higher than conventional counterparts.

## Why the Industry Is Struggling to Keep Up

The cybersecurity challenge facing the SDV industry is not simply technical. It is structural, organizational, and regulatory — all at once.

### Software Cannot Be Physically Inspected

A recent Moody's analysis highlighted a fundamental problem: unlike hardware, software cannot be physically inspected using traditional automotive quality-control processes. As vehicles become updatable software platforms, any supplier failure, outage, or vulnerability can trigger immediate operational, regulatory, and reputational consequences for automakers. Moody's supply chain industry practice lead described the software-defined vehicle as a structural change for the entire automotive supply base, raising critical questions about the origin and integrity of third-party code.

### The Supply Chain Is a Weak Link

SDVs depend on software from dozens of suppliers, each introducing its own dependencies and potential vulnerabilities. A single compromised component in the supply chain can propagate risk across entire vehicle fleets. Unlike automotive hardware, software supply chains are difficult to audit comprehensively, and vulnerabilities may remain dormant for months or years before being discovered or exploited.

### OTA Updates Introduce New Risks

Over-the-air update capability is central to the SDV value proposition, but it also creates a high-value attack vector. Manufacturers must maintain the security and integrity of the entire OTA pipeline, from cloud servers all the way through to the vehicle's own verification systems. A compromised OTA channel could allow attackers to push malicious code to millions of vehicles simultaneously.
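To make the vehicle-side end of that pipeline concrete, here is an added example (not code from this article or from any automaker) of the checks an ECU can run before accepting an OTA image: manifest authentication, target match, anti-rollback, and payload digest. The manifest fields, the `brake-ctrl` ECU name, the key and the payload are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a production system would use.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 stands in for the OEM's asymmetric signature so the
# example runs with the standard library only; a production vehicle would hold
# only a public key (e.g. Ed25519/ECDSA) anchored in hardware.
OEM_KEY = b"constructed-demo-key"  # constructed sample key

def sign_manifest(manifest: dict, key: bytes) -> str:
    """Backend side: MAC over the canonical (sorted-key) manifest bytes."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_update(manifest, signature, payload, ecu_id, installed_version, key=OEM_KEY):
    """Vehicle side: return (accepted, reason). Every check must pass before flashing."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "bad signature"
    # 2. The update must be addressed to this ECU.
    if manifest.get("ecu_id") != ecu_id:
        return False, "wrong target"
    # 3. Anti-rollback: a validly signed but older image must not be replayed.
    if manifest.get("version", 0) <= installed_version:
        return False, "rollback"
    # 4. Bind the payload to the signed manifest via length and digest.
    if len(payload) != manifest.get("size"):
        return False, "size mismatch"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    payload = b"\x7fFIRMWARE-v42"  # constructed sample image
    manifest = {"ecu_id": "brake-ctrl", "version": 42, "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest()}
    sig = sign_manifest(manifest, OEM_KEY)
    return {
        "genuine": verify_update(manifest, sig, payload, "brake-ctrl", 41),
        "tampered_payload": verify_update(manifest, sig, payload[:-1] + b"X", "brake-ctrl", 41),
        "edited_manifest": verify_update({**manifest, "version": 99}, sig, payload, "brake-ctrl", 41),
        "replayed_old": verify_update(manifest, sig, payload, "brake-ctrl", 42),
        "wrong_ecu": verify_update(manifest, sig, payload, "infotainment", 41),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17} -> {result}")
```

The replayed-image case is the one a signature check alone misses: the manifest is authentic, so only the version comparison against the installed image rejects it.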

### Talent and Expertise Gaps

The automotive industry has deep expertise in mechanical and electrical engineering, but software security is a newer discipline for most vehicle manufacturers. Recruiting and retaining cybersecurity professionals with both automotive domain knowledge and security engineering skills remains a significant challenge across the industry.

## Regulatory Pressure Is Building

Regulators are beginning to respond. The automotive cybersecurity standard ISO 21434, which establishes requirements for cybersecurity risk management throughout the vehicle lifecycle, is now in effect and influencing how chips, systems, and vehicles are designed from 2026 onward. The standard enables faster silicon certification and allows manufacturers to parallelize design and certification processes — reducing time to market while improving security posture.

In parallel, global regulatory efforts that began in previous years are taking effect in 2026. The United Nations Economic Commission for Europe's WP.29 regulations require automakers operating in key markets to implement cybersecurity management systems and demonstrate compliance throughout the vehicle lifecycle.

Modern vehicles produced under these frameworks incorporate secure boot processes, firmware integrity checks, encrypted communication between control units, and protections extending to in-car networks including Automotive Ethernet, camera interfaces, and OTA update systems.

## What Automakers and Suppliers Are Doing

The automotive industry is not standing still. Automakers are deploying advanced encryption, real-time threat detection, and more rigorous OTA security protocols. Some are building security operations centers (SOCs) modeled on enterprise cybersecurity practices, designed to monitor vehicle fleets for anomalous behavior continuously.

S&P Global Mobility's automotive insights team describes the evolution as a shift from minimal cybersecurity effort to SOC-like operations — a significant organizational and cultural change for traditional vehicle manufacturers. DevSecOps practices, which integrate security into software development workflows from the earliest stages, are being adopted across leading OEMs to replace the legacy approach of treating security as an afterthought.

Post-quantum cryptography is also entering the conversation. NXP and other semiconductor companies are developing technologies designed to protect automotive systems against the future threat of quantum computing-enabled attacks, which could render current encryption methods obsolete.

The concept of secure-by-design — building security into vehicle architecture from the ground up rather than bolting it on later — has shifted from a nice-to-have to an absolute necessity as the industry acknowledges the consequences of getting this wrong.

## The Road Ahead

Software-defined vehicles represent the future of the automotive industry. The economic, functional, and environmental benefits of software-driven architectures are too significant to ignore. But the cybersecurity risks they introduce are equally significant — and they affect not just automakers and suppliers but every driver on the road.

The industry is making progress. Regulatory frameworks are taking shape. Security standards are maturing. Automakers are investing more seriously in cybersecurity than at any previous point in the industry's history. But attackers are also becoming more sophisticated, leveraging AI to automate and accelerate attacks at a scale that traditional defenses were never designed to handle.

Closing this gap will require sustained investment, deeper collaboration across the automotive supply chain, and a fundamental cultural shift in how the industry thinks about software quality and security. The vehicles of the future will be defined by software. Whether they are also secured by it remains one of the most consequential open questions in both automotive and cybersecurity today.
