The rise of connected vehicles and Cyber-Physical Systems (CPS) has sparked a profound shift in modern infrastructure merging the digital and physical realms into one interconnected fabric. From autonomous cars and smart logistics fleets to intelligent transport infrastructures, the cyber highway now runs parallel to the physical road.
But as vehicles evolve into complex, networked computing platforms on wheels, so too does the cyber-physical risk landscape. A data breach or firmware exploit no longer stays behind the screen it can manifest on the streets, impacting safety, privacy, business continuity, and even national security.
In this blog, we explore the emerging risks associated with connected cars and CPS, why they matter, and what must be done to navigate this new era of cyber-physical convergence.
The New Automotive Ecosystem
Today’s vehicles are not standalone machines. They are integrated nodes in a digital ecosystem of:
- On-board sensors & ECUs (electronic control units)
- 5G and cellular connectivity
- GPS and telematics
- Over-the-air (OTA) update services
- Cloud platforms and mobile apps
- Smart infrastructure (traffic lights, road sensors, ITS systems)
This wider environment forms a Cyber-Physical System where digital technologies directly control real-world processes. As a result, any compromise of the cyber layer can create unacceptable physical-world outcomes.
What Is a Cyber-Physical Risk?
Cyber-Physical risk refers to threats arising from the fusion of information technology (IT) and operational technology (OT). These risks can disrupt, damage, or endanger physical processes when cyber systems are maliciously accessed, manipulated, or malfunction.
In connected automotive platforms, this means hackers or system failures could potentially:
- Disrupt a vehicle’s braking, steering, or propulsion
- Track or hijack location services
- Capture personal data and behavioural analytics
- Compromise fleet operations or supply chains
- Shut down infrastructure networks congesting urban roads
- Tamper with vehicle-related financial transactions (charging, tolls, etc.)
Cyber incidents could, therefore, produce real-world consequences including collisions, injuries, economic disruption, and reputational damage.
Understanding the Threat Landscape
1. Remote Exploits & Wireless Attacks
Modern vehicles utilise cellular, Wi-Fi, Bluetooth, DSRC and other wireless technologies. Each interface forms a potential entry point. Proof-of-concept attacks such as the infamous 2015 Jeep Cherokee hack showed how attackers can remotely manipulate steering and brakes triggering widespread recalls.
2. Supply Chain Vulnerabilities
Suppliers provide firmware, chips, and code for in-vehicle systems. Weak links in this supply chain (e.g., insecure update servers, third-party code libraries, & rogue components) present a rich attack vector. Once inserted, malicious code can persist and spread across fleets.
3. Over-The-Air (OTA) Updates Gone Wrong
While OTA reduces recall costs, a compromised update can quickly infect thousands of vehicles. Attackers may spoof the OEM’s update servers, or exploit poor authentication mechanisms to push malicious firmware.
4. Insecure Mobile Apps and APIs
Mobile apps and telematics APIs give users and fleet operators valuable insights but weak security controls could leak user data, reveal vehicle locations, or grant attackers privileges to remotely unlock or start vehicles.
5. Interconnected Urban Infrastructure
Smart traffic and transportation systems are increasingly connected to governmental and public sector networks. If attackers exploit poor segmentation or legacy software, they could disrupt multiple cyber-physical systems simultaneously (e.g. emergency services, traffic controls, autonomous fleets).
The Business Impact of CPS Automotive Incidents
| Area | Cyber-Physical Impact |
|---|---|
| Safety | Loss of life, injuries, collisions, recalls |
| Financial | Legal liabilities, ransomware payouts, business interruption |
| Reputation | Loss of consumer trust, share price drop, brand damage |
| Regulatory | Fines under UNECE R155/R156, GDPR, PCI DSS, ISO 21434 |
| Operational | Fleet immobilisation, logistics disruption, production delays |
A single cyber-physical incident could cost millions far exceeding a traditional “data-only” breach.
Regulations & Standards Shaping the Future
Governments and regulators are developing obligations to manage cyber-physical risks:
- UNECE WP.29 (R155/R156): Requires automotive manufacturers to implement cybersecurity management systems and secure software update processes.
- ISO/SAE 21434: Sets out requirements for cybersecurity engineering in the automotive lifecycle.
- NIS2 Directive: Expands obligations for incident response and security across essential services, including transport.
- Cyber Resilience Act (proposed): Imposes post-market security responsibilities on connected devices and embedded software.
Non-compliance could halt production lines or restrict market access making cybersecurity a core business priority rather than a technical afterthought.
Navigating the Risk: 6 Strategic Imperatives
1. Secure-by-Design Engineering
Cybersecurity must be embedded from concept stage through to design, development, testing, and decommissioning. Using threat modelling (e.g., STRIDE), secure coding, and minimising attack surfaces is non-negotiable.
2. Robust Supply Chain Assurance
OEMs should require suppliers to meet stringent cybersecurity standards, conduct continuous V&V (verification & validation), and implement software bill of materials (SBOM) tracking and vulnerability disclosure.
3. Continuous Monitoring & Detection
Real-time anomaly detection, SIEM (Security Information & Event Management), and automotive intrusion detection systems (IDS) must be utilised to identify and respond to threats quickly.
4. Segmentation & Zero Trust Networking
Implement hardened segregation between external interfaces, safety-critical systems, and infotainment layers. Only enforce minimal access with strong identity verification.
5. Incident Response for CPS
Develop and rehearse response plans that consider physical safety, public communications, regulatory reporting, and cross-border coordination with traffic authorities or law enforcement.
6. User & Workforce Awareness
Drivers, engineers, and operational staff should be educated on secure practices, phishing risks, patching requirements, and reporting processes.
Future Trends Shaping Cyber-Physical Automotive Risk
- AI-Driven Attacks & Defences – AI may be used to attack (e.g., learning system behaviour) whilst also defending via predictive anomaly detection.
- Connected EV Charging Risks – As electric vehicles proliferate, charging infrastructure becomes a critical cyber-physical target.
- Vehicle-to-Everything (V2X) – Broader networking increases both operational efficiency and exploit surface.
- Autonomous Freight & Logistics – Driverless trucks and drones will shift risks from human error to automated systems & software logic.
- RegTech Solutions – Automated compliance and threat scoring tools will help OEMs and fleets to stay ahead of regulatory obligations.
Conclusion
The future of transport is undoubtedly connected, intelligent, and cyber-physical. But along with unprecedented efficiencies come a new generation of risks that blur traditional boundaries between cyber-attack and physical harm.
To protect people, property, and economies, manufacturers, suppliers, fleet operators, and regulators must treat cybersecurity not just as a technology problem but as a pervasive operational and safety challenge.
Cyber-physical resilience will become a competitive advantage. Those who can confidently secure their connected vehicles and CPS ecosystem will own the trust and the future of mobility.