Cybersecurity in carmaking: when the factory becomes the attack surface

The production line has long been a place of optimised precision, where every millisecond of downtime carries a measurable cost. But as automotive manufacturers wire their plants deeper into cloud infrastructure, connect hundreds of supplier systems, and layer artificial intelligence across manufacturing execution, a new kind of vulnerability is taking root on the shop floor.

Bodo Philipp, Chief Executive of MHP Consulting UK, a subsidiary of Porsche AG within the Volkswagen Group, has watched this transformation with the trained eye of someone who advises some of the world’s most complex manufacturing operations. His assessment is simultaneously clear-eyed and sobering.

The first and most structurally stubborn problem in automotive manufacturing cybersecurity is the machinery itself. Modern production lines are not clean, homogeneous computing environments – they are layered accumulations of industrial equipment from different vendors, running proprietary operating systems that in some cases predate the smartphone.

Carmaking machines built for another era

“In automotive manufacturing, one of the biggest cybersecurity challenges is the extremely heterogeneous and long-lived machinery landscape,” says Philipp. “Production lines rely on industrial equipment from many different vendors, often running proprietary operating systems or legacy software that has been in service for 10, 15, or even 20 years. These machines are highly reliable from an operational perspective, but they were never designed with modern cybersecurity threats in mind.”

The problem is not merely technical ignorance from an earlier age. Updating these machines is frequently impossible without triggering the very disruption manufacturers are trying to avoid.

“Because updates are difficult to deploy, sometimes no longer supported by the manufacturer, or require costly downtime, vulnerabilities can remain unnoticed for long periods,” Philipp notes. “This creates a real risk that outdated systems become an entry point for attackers - especially as production networks become more connected, integrate with cloud services, and exchange data with vehicles and backend systems.”

The challenge, as Philipp is careful to emphasise, is also organisational; ensuring visibility across all assets, assessing legacy risks, and defining a strategy that balances cybersecurity with production continuity. “In my view,” he says, “the key is to establish a structured vulnerability management approach, introduce compensating controls where updates are not feasible, and gradually modernise the most critical systems without disrupting manufacturing operations.”

The supplier problem OEMs cannot outsource

If legacy machinery represents a challenge that is largely internal, the supplier attack surface introduces a systemic problem that no single manufacturer can solve alone. The modern automotive supply chain runs through hundreds of Tier-1 to Tier-3 suppliers, each connecting into shared engineering, production and logistics systems. Every connection is a potential vector - and Philipp is unambiguous about where legal accountability sits.

“The supplier attack surface”, he says, “has grown massively as OEMs now collaborate with hundreds of Tier-1 to Tier-3 suppliers across engineering, production, and logistics systems. The key is that OEMs cannot treat this as a purely operational challenge, it is a regulatory obligation.

“Under UNECE R155, the OEM is legally responsible for the cybersecurity of the entire vehicle, including the production environment and all supplier-provided components or systems. That means the OEM must maintain governance and oversight across the full value chain, not just its own internal operations.”

The standard that provides the architecture for this governance is ISO/SAE 21434:2021 - the first international standard dedicated to automotive cybersecurity engineering. It provides a comprehensive framework for managing cybersecurity risks in road vehicle electrical and electronic (E/E) systems, ensuring security is integrated throughout the entire vehicle lifecycle - from initial concept to decommissioning - which Philipp describes as the essential foundation.

Read the article

JLR Cyberattack: UK's costliest ($2.5bn) breach further exposes production fragility

Independent analysts say the attack on Jaguar Land Rover has caused unprecedented damage to Britain's automotive sector, with recovery not expected until early 2026 as supply chain impacts deepen across 5,000 tier suppliers and companies.

“To achieve this without slowing programme execution, OEMs need structured, scalable processes rather than ad-hoc controls. ISO/SAE 21434:2021 provides exactly that foundation. It defines how cybersecurity requirements should be communicated, validated, and monitored throughout the development lifecycle, including how suppliers are integrated into risk assessments, interface definitions, and verification activities. These processes must then be adapted for production, especially when supplier-provided production elements, such as tooling, software, or automation systems, are integrated into the OEM’s manufacturing environment.”

Perhaps counterintuitively for some, Philipp argues that rigorous governance accelerates, rather than impedes supplier innovation.

“The real enabler is transparency,” he says. “OEMs need clear visibility into supplier cybersecurity capabilities, update processes, and vulnerability handling. This requires consistent documentation, traceability of software and hardware elements, and a governance model that allows suppliers to innovate while still meeting regulatory expectations.

“Instead of slowing innovation,” he continues, “this approach actually accelerates it: when roles, responsibilities, and cybersecurity requirements are clearly defined, suppliers can develop faster and OEMs can integrate their solutions with confidence.”

From paperwork to practice - from East to West

The existence of UNECE WP.29 R155 and R156 (which mandate certified cybersecurity and software update management systems) has undeniably raised the regulatory floor. But whether it has changed behaviour inside the plant is a different question. Philipp observes the persistence of the compliance mindset with candour.

“UNECE R155 and R156 have significantly raised the cybersecurity baseline, but many OEMs still approach the topic with a compliance mindset rather than treating it as a core element of operational resilience. The gap becomes most visible in production environments, where legacy machinery, limited asset visibility, and supplier-integrated production elements are not yet governed with the same rigor as vehicle development.”

The most instructive comparison Philipp draws is with China, where the regulatory approach is markedly more interventionist.

“However, this gap is starting to close, especially in markets like China, where cybersecurity audits go far deeper into manufacturing operations. Chinese regulatory authorities routinely inspect production networks, supplier-provided tooling, and software update processes. This forces OEMs to operationalise cybersecurity, not just document it. As a result, manufacturers are increasingly adapting ISO/SAE 21434 processes for production, ensuring that supplier integration, risk assessments, and traceability extend beyond development into the shop floor.”

Amazon's AWS outage exposes automotive production's digital vulnerability

Amazon's 15-hour AWS outage affected billions in transactions globally. With major OEMs running production systems on the same infrastructure, the incident raises urgent questions about automotive manufacturing's digital resilience.

The ultimate benchmark for success, in Philipp’s view, is operational rather than administrative. He says that the real differentiator is transparency. OEMs need clear visibility into every software component, configuration, and supplier contribution entering the plant, and when transparency and documentation are strong, cybersecurity becomes part of daily operations rather than a periodic compliance exercise. “That’s the direction the industry is moving”, he adds, “from meeting regulatory requirements to building genuine resilience into manufacturing systems.”

When the factory becomes the attack surface

The convergence of cloud-based manufacturing execution systems, real-time analytics and AI-driven optimisation has made automotive factories dramatically more capable. It has also made them dramatically more exposed. The attack surface has expanded both at the edges of production environments, as well as through the foundational core of manufacturing processes.

“As factories become smarter and more connected – with cloud-based MES platforms, real-time analytics, and AI-driven optimisation – we are seeing new categories of cyber risk emerge directly inside manufacturing operations,” says Phillip.

“These include compromised cloud integrations, manipulated AI models, tampered production data, and attacks on highly connected OT/IT interfaces. But the important point is that cybersecurity in vehicle manufacturing cannot be treated as a set of isolated priorities.” And the reasoning behind this holistic framing rests on the structural interconnection of the vehicle’s entire lifecycle.

“In the automotive sector, every phase of the vehicle lifecycle is tightly interconnected: development, production, and in-field operation. An attack vector in one phase can immediately become a risk in another. A compromised MES system can influence calibration data; manipulated AI models can affect quality decisions; a supplier-side vulnerability can propagate into production and ultimately into the vehicle delivered to the customer.”

The appropriate response, Philipp argues, must be equally integrated: “This is why cybersecurity defence must always be viewed holistically. Of course, individual technologies and use cases require their own risk assessments, cloud connectivity, AI models, OT networks, legacy machinery, but these assessments must feed into a unified lifecycle-wide security strategy. What we learn from cloud security, from AI misuse cases, or even from incidents in other industries, is directly relevant for defending a smart factory.”

AMS' recent research in partnership with ABB suggests the industry has already recognised the scale of the threat. In the survey, 84% of manufacturers identified cybersecurity as a critical strategic priority - a reflection of how quickly digital risk has moved from an IT concern to a boardroom issue. Yet the findings also exposed a deeper tension running through modern manufacturing: the same connected systems driving gains in efficiency, visibility and automation are simultaneously opening vast new attack surfaces across the smart factory environment.

Cybersecurity now tops production concerns as smart factories expand vulnerabilities

Cybersecurity has vaulted to manufacturers' top strategic priority as 84% rate digital threats as critical - yet the very smart factory systems delivering productivity gains are creating unprecedented attack surfaces across connected production environments

In practice, this means integrating production risks into the same governance frameworks used for development and in-field operations, ensuring transparency across systems, and applying cross-domain threat intelligence. “Smart factories expand the attack surface,” says Phillip, “but they also reinforce the need for a consistent, end-to-end cybersecurity posture rather than a set of isolated priorities.”

The human factor in ransomware

If the structural vulnerabilities of the factory are rooted in architecture and governance, the most immediate operational threat still arrives through a familiar channel: human behaviour. Ransomware has become the defining cyber threat in manufacturing, and its dominant vectors are human rather than purely technical.

Next to the AMS-ABB survey findings, Philipp draws on the Sophos State of Ransomware in Manufacturing and Production 2025 report to ground the discussion in further data.

He points out that on the shop floor today, cyber resilience means far more than having backups or meeting compliance requirements. In manufacturing, downtime has immediate physical and financial consequences, so resilience needs to focus on keeping production running even when ransomware attempts occur.

“What we see in the data is that the human factor remains one of the biggest vulnerabilities,” he says. “According to the Sophos State of Ransomware in Manufacturing and Production 2025 report, 23% of attacks start with malicious emails and 20% with credential-based attacks, both of which rely heavily on human interaction. In addition, over 40% of organisations cite lack of expertise or unknown security gaps as contributing factors.

“This, he says, “shows that ransomware is not only a technical problem; it is deeply tied to human behaviour, skills, and processes.”

And Phillip’s prescription, of ransomware being a human, as well as a technical problem, follows directly from his diagnosis. “True resilience therefore, requires strengthening people, processes, and technology together,” he says. “Continuous security-awareness training helps employees recognise phishing and social-engineering attempts before they become incidents. Strong access controls and multi-factor authentication reduce the impact of credential misuse. And a well-rehearsed incident-response structure ensures that even if a mistake happens, the organisation can contain the attack quickly and prevent production shutdowns.”

Read the article

The Porsche E-Cayenne is conceived from the line backwards

In the Cayenne Electric, architecture, battery and body structure merge. Porsche has developed the SUV from a manufacturing perspective. This has consequences for the underbody, material mix and the production system.

But ultimately, Philipp defines cyber resilience on the shop floor as the convergence of human readiness and technical architecture. “In essence, cyber resilience on the shop floor means building a workforce that is prepared, a production environment that is segmented and monitored, and an organisation that can respond rapidly without losing operational continuity. It’s the combination of human readiness and technical safeguards that keeps manufacturing running when ransomware hits.”

Secure-by-design moves from aspiration to obligation

For many years, secure-by-design has been a principle more honoured in conference rooms than on the automotive factory floor. And the barriers are structural: retrofitting cybersecurity into production engineering is costly, time-consuming, and frequently incompatible with the economic realities of automotive manufacturing.

Philipp names the problem directly, saying, “cybersecurity is increasingly being embedded into production engineering disciplines – from PLC configuration to MES architecture and factory-software deployment – but it is still far from being the default standard across automotive manufacturing.

“The main barrier is that secure-by-design is expensive: it requires earlier risk assessments, more robust architectures, and longer development cycles. And in reality, customers are rarely willing to pay a premium for cybersecurity, even though the long product lifecycles in automotive mean that regular software updates and long-term maintenance become a major organisational and economic burden.”

The regulatory environment, however, is narrowing the space for delay. IEC 62443, which defines secure-by-design principles for industrial control systems, and the European Union’s Cyber Resilience Act are together transforming what was previously discretionary into something approaching legal compulsion.

“At the same time, new technologies such as cloud-connected MES, AI-driven optimisation, and highly networked OT systems require much deeper cybersecurity risk analyses than traditional production setups. This is where standards and regulations are now pushing the industry forward.”

Phillip says that IEC 62443 explicitly defines secure-by-design principles for industrial control systems, including secure PLC configuration, network segmentation, and hardened deployment processes. And in the EU, the Cyber Resilience Act (CRA) will make secure-by-design and secure-by-default mandatory for many digital components used in manufacturing environments.

“So while secure-by-design is not yet the universal norm,” he says, “the regulatory landscape is rapidly changing. With IEC 62443 and the CRA, secure-by-design is shifting from a ‘nice-to-have’ to a legal obligation, and OEMs will need to embed cybersecurity into production from the start not as an afterthought.

“The challenge is balancing cost and speed with these new requirements, but the direction is clear: secure-by-design will become the baseline expectation across automotive manufacturing.”

Read the article

Volkswagen and XPeng launch first joint electric model into series production

Series production of the ID.UNYX 08 has started in Hefei. For Volkswagen, the model is more than just a new electric car for China. The SUV is intended to demonstrate that the group’s “In China, for China” strategy is genuinely bringing speed, local development and new electronics architectures into series production.

A hard foundation without software - culture before technology

All of the technical frameworks, regulatory requirements and governance structures discussed across the preceding dimensions rest, in Philipp’s analysis, on a foundation that has nothing to do with software.

And his starting point for the question is characteristically precise. “Before I answer,” he says, “it’s important to clarify that we never discuss details from individual client projects neither within the Porsche ecosystem nor with any of the many global manufacturers we support. However, what we can share are the patterns and lessons we see across industries when helping organisations build cybersecurity resilience in manufacturing.

“The most important lesson is that true resilience starts with culture, not technology. In many plants, cybersecurity is still perceived as a slowdown or a blocker. But when employees understand that cybersecurity protects not only the product but also the company and ultimately their own jobs, the mindset shifts.”

“A security-first culture requires transparency: measures must be explained clearly, independently verified, and vulnerabilities must be handled openly. Security risks arise from mistakes, technical or human, and discovering them should trigger a positive reaction, not fear of consequences. Every identified weakness is one less entry point for attackers.”

And clearly, the organisational dividend, when this cultural shift is achieved, extends across every technical domain. “When this mindset is visible in both management and the workforce,” he says, “all other measures like governance frameworks, secure engineering practices, incident response and supplier integration, become far more effective.”

The metrics for confirming that culture has genuinely shifted are, in Philipp’s view, concrete and observable.

He says that measuring whether this works is straightforward, since what will emerge will be fewer unreported incidents, faster detection times, more proactive vulnerability disclosures from employees, and a noticeable increase in cross-functional engagement in cybersecurity topics. “When people feel safe to speak up and take ownership,” he says, “that’s when a security-first culture is truly taking hold across global manufacturing sites.”

For an industry accustomed to measuring resilience in uptime percentages and output rates, the argument that culture is the root variable in cybersecurity may require some adjustment. But given the speed and scale at which the attack surface is expanding, carmakers who wait for regulation to force the conversation are likely to find that the cost of delay has already been paid somewhere else on the plant floor.