The automotive industry is currently undergoing a tectonic shift that is fundamentally redefining the vehicle as we know it. According to the latest McKinsey & Company report, "The automotive software and electronics market through 2035," the traditional hardware-centric model is being replaced by Software-Defined Vehicles (SDVs) and advanced zonal architectures.
For the modern CISO and their cybersecurity teams, this isn't just a change in how cars are built—it is a complete transformation of the attack surface. As vehicles move from isolated machines to highly connected, AI-powered nodes in a global network, the stakes for maintaining safety and security have never been higher.
One of the most significant trends identified by McKinsey in the report is the transition from hundreds of individual Electronic Control Units (ECUs) to zonal and central computing architectures.
-
The complexity play: By 2035, centralized high-performance computers (HPCs) will manage everything from autonomous driving to infotainment, significantly reducing the complexity of physical wiring.
-
The security trade-off: While this centralization makes the system more manageable, it also creates a high-value target. A single vulnerability in a central compute node could grant an attacker control over multiple critical safety functions—steering, braking, and powertrain—that were previously isolated.
-
AI integration: Generative AI is expected to influence nearly 78% of the software market by 2035. For security teams, this means managing AI models that are "first-order design inputs" for the vehicle's architecture, requiring new defenses against adversarial AI attacks that could "spoof" sensor data from LiDAR or cameras.
Keeping the road safe: a new operational reality
The McKinsey report highlights that advanced features such as Level 3+ autonomous driving will rely on massive real-time data processing and high-performance sensors like LiDAR. This introduces three critical challenges for cybersecurity teams.
-
The OTA update pipeline: Over-the-Air (OTA) updates are now the standard for fixing bugs and deploying new features. However, securing the entire pipeline from the cloud to the vehicle is a massive undertaking, as compromised updates could potentially be used to brick entire fleets or inject malicious code simultaneously.
-
Machine identity: With the rise of "non-human" identities—AI agents and automated service accounts—verifying the identity of every connected component throughout its lifecycle is becoming a mandatory requirement.
-
Data privacy at scale: Modern vehicles generate a wealth of sensitive data, from biometric driver profiles to precise location history. As this data moves between the vehicle and the backend "cloud" infrastructures, the risk of massive data leaks and subsequent extortion or ransomware attacks increases.
Hemanth Tadepalli, Senior Cybersecurity and Compliance SME at May Mobility, writes and speaks often on automotive security. He offered his perspective:
- "As vehicles are becoming more software-defined platforms, adversaries are no longer thinking in terms of individual ECUs since they're mapping full kill chains. We're seeing automotive threat actors adopt enterprise-grade TTPs such as supply-chain compromise, identity abuse, lateral movement across zonal architectures, and coordinated attacks designed to scale across entire fleets."
- "Regarding the zonal and centralized compute architectures, these simplify engineering, but they also collapse the blast radius. For example, a single flaw in a central node can translate into systemic safety risk, and this is why CISOs must treat these platforms like mission-critical infrastructure, not as embedded systems with a longer patch cycle."
- "AI models are now part of the vehicle's control plane, which means adversarial AI attacks—such as sensor spoofing, model manipulation, and data poisoning—can move from theoretical to operational risk. Defending against these threats will require security teams to understand model behavior, not just network telemetry."
The verdict: Is the automotive industry ahead or behind?
The answer is a paradox: the industry is both ahead in regulation and behind in current resilience.
Driven by global regulations like UNECE R155/R156 and standards like ISO/SAE 21434, the automotive sector has moved faster than many other industrial sectors to make cybersecurity a "regulated obligation" rather than an optional feature.
Despite these mandates, a "Cybersecurity Gap" remains. Connectivity and software complexity are outstripping the ability of many security teams to maintain real-time visibility. In 2024 alone, the estimated cost of cyberattacks on the industry—including data leakage and ransomware—surged to $22.5 billion.
To navigate the road to 2035, security leaders must move from being "compliance checkers" to "architectural partners."
Security requirements must be factored in alongside performance and cost at the very start of the engineering phase, particularly as "AI model architecture" becomes a baseline design input.
With the industry relying on a vast network of third-party software and sensors, implementing Software Bills of Materials (SBOMs) and rigorous supplier audits is non-negotiable for preventing supply-chain-driven crises.
The shift toward centralized compute requires the development of Vehicle Security Operation Centers (vSOCs) that can monitor fleet-wide telemetry and provide autonomous, real-time response to threats.
