Cybersecurity by Design: How Aptiv Secures Complex Systems From Edge to Cloud
With cyberthreats growing and regulatory expectations tightening, Aptiv is investing in security across every platform, from embedded systems and in‑vehicle networks to cloud connectivity and over‑the‑air updates.
Aptiv plans far ahead because our customers do. Big projects have long development timelines. OEMs design vehicles to be on the road for 15 years or more. It can take five years to build a large-scale manufacturing plant. Aerospace design schedules are measured in decades.
Ongoing commitments to cybersecurity are backed up by action. Aptiv’s layered approach encompasses several integrated efforts, exemplified by these ongoing Aptiv programs.
Applying “Secure by Design” to Every Industry
Security features must be embedded from the outset of every project and integrated into architecture, coding, testing and deployment processes. The “secure by design” concept emphasizes proactive risk management that minimizes attack surfaces, enforces least‑privilege access, validates inputs and continuously monitors systems. This approach is essential throughout any product lifecycle but particularly so in connected environments such as automotive, cloud and edge computing.
Aptiv applies secure-by-design principles in its hardware-centric use cases, such as software-defined vehicles. That perspective informs many Aptiv and Wind River priorities, including:
- Mixed criticality in edge AI contexts
- Zero Trust security built into cloud platforms
- Security embedded in Wind River’s enterprise Linux distribution
Read more: Explaining the Wind River® secure development lifecycle
Using Over-the-Air Updates to Improve System Security
Over-the-air (OTA) updates enable organizations to remotely deploy software improvements, security patches and feature enhancements to connected systems without requiring physical access. Centralization helps ensure that this can be accomplished safely and efficiently.
For instance, industrial equipment manufacturers use OTA to update control software on production lines. Connected medical devices, such as infusion pumps or imaging systems, receive OTA firmware updates. And automotive OTA updates allow manufacturers to improve vehicle safety as they improve their algorithms.
OTA systems are a delivery mechanism, not a security feature per se. However, incorporating OTA capabilities into a software architecture makes it possible to create and maintain secure systems. OTA supports continuous improvement, faster innovation cycles and a stronger security posture, which makes it essential for managing connected and software-driven systems.
OTA systems are one element in Aptiv’s zero-configuration, seamless updates. We use containerization and standardized interfaces to deploy new features, security patches and application updates without complex manual reconfigurations. Behind the scenes, that is accomplished through secure, redundant configuration management based on blockchain. Data in transit is protected with state-of-the-art cryptography.
Read more: Wind River® Studio over-the-air updates offer a uniform interface for device updates, staged rollouts and unified support for all sorts of payloads
Automating Production of Software Bills of Materials
A bill of materials (BOM) is a detailed list of all of the raw materials, components, and instructions required for a product’s manufacture, repair or assembly. When everyone knows what’s in the “box,” organizations can do a better job managing supply chain risks, license compliance and security vulnerabilities.
Traditionally, BOMs have been used in hardware engineering and design because they list all assemblies and parts required to make a finished item. For instance, automotive BOMs are comprehensive, hierarchical, and structured lists of all raw materials, parts, components and subassemblies required to manufacture a vehicle. These digital documents help manage complex production to ensure just-in-time assembly, control costs and manage inventory.
However, the BOM concept extends beyond hardware. Software BOMs define a formal, nested inventory of everything in a software component, such as open-source libraries, third-party modules and their dependencies. By understanding the composition of the software going into vehicles — both Aptiv’s software and third-party libraries — OEMs can manage risk in deployed vehicles faster and more efficiently.
Software BOMs are now part of the standard development process, for security and other reasons:
- Aptiv automatically configures new system components to integrate seamlessly into the larger systems that track them.
- Continuous integration and deployment systems now produce BOMs for every build, even when updates occur weekly.
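As an added illustration (not Aptiv or Wind River code), the sketch below shows why a nested software BOM speeds up risk triage: it walks a small inventory and reports every dependency path that leads to an affected component. The sample uses the CycloneDX JSON layout of nested `components`; every component name and version in it is constructed, and `find_affected` and `affected_top_level` are hypothetical helper names.

```python
import json

# Constructed sample in CycloneDX JSON layout; all names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "telematics-app", "version": "2.4.0", "components": [
      {"name": "libexample-tls", "version": "1.1.0"},
      {"name": "json-codec", "version": "0.9.2", "components": [
        {"name": "libexample-zip", "version": "3.0.1"}
      ]}
    ]},
    {"name": "ota-agent", "version": "1.0.3", "components": [
      {"name": "libexample-zip", "version": "3.0.1"},
      {"name": "libexample-tls", "version": "1.2.0"}
    ]}
  ]
}
"""

def walk(components, trail=()):
    """Yield (path, component) for every component at any nesting depth."""
    for comp in components:
        path = trail + (f'{comp["name"]}@{comp["version"]}',)
        yield path, comp
        yield from walk(comp.get("components", []), path)

def find_affected(sbom, name, bad_versions):
    """Return the dependency path to each occurrence of an affected component."""
    return [
        " > ".join(path)
        for path, comp in walk(sbom.get("components", []))
        if comp["name"] == name and comp["version"] in bad_versions
    ]

def affected_top_level(sbom, name, bad_versions):
    """Top-level deliverables that need a rebuild or patch."""
    hits = find_affected(sbom, name, bad_versions)
    return sorted({hit.split(" > ")[0] for hit in hits})

if __name__ == "__main__":
    sbom = json.loads(SBOM_JSON)
    # Hypothetical advisory: libexample-zip 3.0.1 is affected.
    for line in find_affected(sbom, "libexample-zip", {"3.0.1"}):
        print(line)
```

The transitive hit under `json-codec` is the case a flat dependency list would miss.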
Read more: Everything included in a software bill of materials
Ensuring Secure Boot Compliance
The PC industry developed the Secure Boot security standard to help make sure that a device boots using only software that the OEM trusts. That is, the system must ensure that the code was made by the manufacturer rather than by an attacker. When a personal computer starts, its firmware checks the signature of each piece of boot software, including UEFI firmware drivers, EFI applications and the operating system. The computer boots only if the signatures are valid, whereupon the firmware passes control to the operating system.
The same premise applies to automotive equipment. As vehicles are becoming more connected, OEMs are becoming increasingly concerned with safeguarding consumer data from cyberattacks. Vehicles regularly get new components, whether as replacements or upgrades. With a surfeit of configuration options for so many components, errors — and security problems — can occur, even during routine maintenance.
When a vehicle starts up, the system should verify the software’s authenticity and integrity before it starts running. In fact, OEMs are required to do this. Automotive regulations — specifically, UNECE R155 and R156 and ISO 21434 — require Secure Boot, Secure Load, and Secure Update, to ensure electronic control unit integrity and safety. These standards demand cryptographic verification of software, root-of-trust mechanisms and secure OTA update chains.
Aptiv cybersecurity can detect and respond appropriately to misbehaving vehicle software. We have demonstrated — and deployed — cybersecurity capabilities that enable secure software updates and lifecycle management. Aptiv supports Secure Boot with quantum-resistant encryption, ensuring tamper-free software.
A Secure Boot technology establishes a chain of trust by validating the full range of software components, from the hardware root of trust through the bootloader and kernel, right down to the signed container and the application itself. Combining container security with Secure Boot provides an end-to-end chain of trust for software running on a device.
Today, this works on software-defined vehicles. Tomorrow, it will work on other types of hardware.
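The chain of trust described above can be modeled in a few lines. This is an added example, not Aptiv or Wind River code: it pins SHA-256 digests in each preceding stage instead of checking asymmetric signatures, so that it runs with the Python standard library alone, whereas a production chain verifies signatures against a key held in the hardware root of trust. The stage names follow the text; the image bytes and function names are constructed.

```python
import hashlib

# Boot order from the text: root of trust -> bootloader -> kernel -> container -> application.
STAGES = ["bootloader", "kernel", "container", "application"]

def measure(image: bytes, next_pin) -> str:
    """Digest over a stage's image AND its pin for the next stage."""
    return hashlib.sha256(image + (next_pin or "").encode()).hexdigest()

def build_chain(images: dict):
    """Provisioning side: work backwards so each stage pins the one after it.
    Returns (root_pin, pins); root_pin stands in for the value kept in immutable hardware."""
    pins, next_pin = {}, None
    for name in reversed(STAGES):
        pins[name] = next_pin                      # what this stage expects to load next
        next_pin = measure(images[name], next_pin)
    return next_pin, pins

def boot(root_pin: str, images: dict, pins: dict):
    """Device side: verify every stage before handing it control.
    Returns (stages_started, failed_stage); failed_stage is None on a clean boot."""
    expected, started = root_pin, []
    for name in STAGES:
        if measure(images[name], pins[name]) != expected:
            return started, name                   # stop: do not execute unverified code
        started.append(name)
        expected = pins[name]                      # trust now extends one link further
    return started, None

# Constructed stand-ins for real firmware images.
IMAGES = {name: f"{name} image v1".encode() for name in STAGES}

if __name__ == "__main__":
    root_pin, pins = build_chain(IMAGES)
    print(boot(root_pin, IMAGES, pins))
    modified = dict(IMAGES, kernel=b"kernel image v1 (modified)")
    print(boot(root_pin, modified, pins))
```

Because each measurement covers the pin for the next stage as well as the image, rewriting a pin to match a swapped later stage is caught at the stage that holds the pin.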
Read more: Watch a short video explaining how automotive Secure Boot with Wind River® Helix™ works
Tracking Quantum-Resistant Crypto Developments
Quantum computers’ architecture, based on processing data in parallel, can swiftly handle complex problems that are difficult for conventional computers. Breakthrough work is genuinely underway.
But today’s encryption systems will become vulnerable when practical quantum computers arrive. While that may sound like a long way off, preparation for quantum threats must begin now. Organizations need time to implement post-quantum cryptography transition plans methodically. That is critical; Aptiv’s customers already work with extended product timelines.
It is an area of deep focus. Aptiv works closely with semiconductor companies and has demonstrated chip-accelerated quantum-resistant cryptography. We are already certified in National Institute of Standards and Technology quantum cybersecurity standards.
Read more: Why It’s Time to Invest in Quantum Cybersecurity offers practical advice for how OEMs — and everyone else — should prepare
Participating in Security-Related Standards Groups
Security‑related standards groups play a critical role in defining the frameworks, best practices and certification requirements that ensure that digital systems are safe, reliable and interoperable. Industry leaders, regulators and technical experts work together to establish common baselines for risk management, secure development, data protection and incident response. Doing so makes it easier for everyone to align with regulatory expectations, reduce vulnerabilities and build trust with customers and partners.
Aptiv uses established security-first development standards, and it builds security systems that comply with new government regulations. Moreover, both Aptiv and Wind River are active participants in several security-related standards groups, sometimes in leadership positions, such as the following:
- The Alliance for Automotive Innovation, a major U.S. automotive industry association that influences vehicle cybersecurity policy, regulation and standards adoption.
- Forum of Incident Response and Security Teams (FIRST), specifically its Product Security Incident Response Teams. FIRST is a global cybersecurity organization focused on incident response collaboration, vulnerability handling and threat intelligence sharing.
- The OPEN Alliance (automotive Ethernet consortium), a standards developer for automotive Ethernet networking, which has direct cybersecurity implications (such as secure in-vehicle communications).
Aptiv’s participation means that our personnel know what is happening in the industry and how organizations are responding, and that our experts are among those who define what the proper responses should be.
Read more: Positioning Automotive Cybersecurity for the Future
Looking Forward
Aptiv is both adapting to the evolving threat landscape and actively helping to shape it. Through direct contributions to global standards like ISO/SAE 21434, formal certification to those frameworks, and participation in industry alliances and security communities, we have embedded cybersecurity into the full lifecycle of our products, positioning Aptiv as a key enabler of trust among its customers.