The automotive cybersecurity discipline is now structured around two interlocking standards: UN-R 155 (the United Nations regulation mandating Cybersecurity Management Systems for vehicle type approval) and ISO/SAE 21434 (the international standard for cybersecurity engineering of road vehicles). The 2024 UN-R 155 implementation deadline in many regulatory regimes has moved this work from voluntary practice to type-approval prerequisite.
Melina supports automotive OEMs and Tier-1 suppliers across the technical and process layers of this work.
Where Melina engages on automotive cybersecurity
CSMS readiness for UN-R 155 type approval
Vehicle manufacturers seeking type approval need a documented Cybersecurity Management System addressing concept, development, production, operations, and decommissioning. We support readiness work on:
- CSMS process design and gap assessment against UN-R 155 and ISO/SAE 21434
- Cybersecurity-interface agreement design for OEM-supplier coordination
- Pre-audit gap remediation before formal type-approval audit
TARA execution
TARA (Threat Analysis and Risk Assessment) is the central artifact in ISO/SAE 21434 implementation. We execute TARA on items ranging from individual ECU classes to full vehicle E/E architectures, working alongside the engineering team.
A common engagement frame: the OEM has drafted an initial TARA, the supplier has drafted their portion, and the two need to be reconciled at the cybersecurity-interface boundary. We run that reconciliation as a structured workshop and deliver the reconciled result as a documented output.
In-vehicle network and ECU testing
Hands-on testing on physical hardware:
- CAN bus and CAN-FD message analysis, replay, and injection
- OBD-II and DoIP diagnostic-service security review (UDS authentication, programming session, security access)
- ECU firmware extraction, reverse engineering, and vulnerability research
- Gateway behavior between in-vehicle network zones
- Telematics Control Unit (TCU) end-to-end security — cellular path, OTA channel, back-end API
- Infotainment head unit (IVI) attack surface — BLE, Wi-Fi, USB, side-loaded apps
Cybersecurity case documentation
The cybersecurity case is the per-project evidence package that demonstrates the cybersecurity goals were met. We support cybersecurity-case preparation as a deliverable alongside technical findings — including traceability between TARA risk treatments, design decisions, verification artifacts, and validation outcomes.
Service mapping
Automotive engagements typically draw across:
- IoT & Embedded Security — for ECU and embedded testing
- Architecture & Cloud Review — for TCU back-end and connected services
- Mobile & App Security — for companion mobile apps
- AI/ML Security — where ADAS or in-vehicle assistants integrate ML models
Compliance and standards frame
Automotive engagements typically operate within:
- UN-R 155 / UN-R 156 (vehicle type-approval cybersecurity and Software Update Management Systems, SUMS)
- ISO/SAE 21434 (the de facto implementation standard for CSMS)
- ISO/PAS 5112 (the audit-specific companion standard for CSMS audits)
- China-market: GB/T 44464 (passenger vehicle cybersecurity), MLPS classification for connected services
- ISO 26262 alignment for safety-relevant cybersecurity work
Engagement model
UN-R 155 readiness and CSMS gap assessment are typically Custom Engagement. TARA execution and ECU testing are typically Scoped Assessment. Continuous engagement across multiple ECU programs is typically Retainer.
“Most of the substantive risk in an automotive cybersecurity program lives in TARA quality, not in ECU pentest depth. A high-quality TARA propagates correctly into the cybersecurity case and the verification activities; a TARA with anti-patterns inherits the drift downstream, where it surfaces at type-approval audit. That’s why we publish the Seven Anti-Patterns + Four-Question Review Protocol as a free internal-review tool.” — Tatiana K., CEO, Melina Security
What buyers ask us first
In most discovery calls with automotive teams, the first three questions cluster:
- “Can you sign off on type approval?” — No. UN-R 155 type approval is decided by accredited Technical Services. Our work informs the OEM’s submission and improves its chances; we are not in the approval path.
- “Can you reconcile the OEM TARA with our supplier TARA?” — Yes. The cybersecurity-interface agreement boundary is where most automotive engagements start. We facilitate a structured reconciliation workshop and document the outcome in a form that survives an audit.
- “How do we handle Chinese-market type approval alongside UN-R 155?” — GB/T 44464 and MLPS classification for the connected-services tier are the relevant Chinese-market gates. Our China-Compliance hub covers the framework; engagements split work into UN-R 155 readiness and China-market readiness as two parallel tracks against one TARA.
Regulatory horizon
Automotive cybersecurity teams should be tracking three trends that will affect 2026-2028 engagement scope:
- Software-update governance — UN-R 156 (Software Update Management Systems) is now type-approval mandatory in many jurisdictions; the audit posture extends beyond the SUMS process document to evidence of update integrity, rollback handling, and change-control linkage to TARA.
- AI/ML components in safety-relevant functions — ADAS perception stacks, in-vehicle assistants, and driver-monitoring systems blur the line between cybersecurity and functional safety. Engagements increasingly need to address the model-input adversarial-robustness question alongside the conventional CAN-bus question.
- Post-market obligations — UN-R 155 imposes ongoing monitoring duties on type-approval holders. The cybersecurity case is not a launch document; it’s a living record. Engagement structures shift toward retainer when this is taken seriously.
How a typical Tier-1 engagement unfolds
A Tier-1 supplier with one ECU program and an existing process framework typically follows this shape:
- Weeks 1-2: Discovery and scoping. Reviewing the existing TARA, cybersecurity-interface agreement, supplier-side process documentation, and the engineering schedule. We agree the in-scope ECUs, the test bench setup, and the cybersecurity-case structure.
- Weeks 3-6: Gap assessment against ISO/SAE 21434 work products. Technical bench testing on the ECUs (UDS service surface, firmware integrity, in-vehicle network behavior). Reconciliation workshop with the OEM cybersecurity team if applicable.
- Weeks 7-9: Reporting and remediation guidance. Cybersecurity-case input drafted in the format the OEM expects. Remediation workshop with the supplier’s engineering team to clarify fixes.
- Weeks 10-12: Re-test on remediated items. Final cybersecurity-case input delivered. 60-day remediation re-check scheduled.
Multi-ECU programs follow the same shape but extend across quarters under Retainer, with TARA updates and re-tests scheduled around the supplier’s release cadence.
Frequently asked questions
Can you sign off as the third-party assessor for UN-R 155 type approval?
No. UN-R 155 type-approval assessment is performed by accredited Technical Services designated by the type-approval authority. We provide assessment and engineering support to the OEM or supplier — our work is input into the OEM’s submission, not the type-approval decision.
Do you work in Chinese-market automotive cybersecurity?
Yes. Chinese-market vehicles operate under a different regulatory frame (GB/T 44464 and related GB-series standards, MLPS for connected services, automotive Important Data under DSL). Our China-market work supports OEMs and suppliers operating in or selling into mainland China.
What’s the typical engagement length for a CSMS readiness assessment?
For a Tier-1 supplier with one product line and an existing process framework, 6-10 weeks for the gap assessment and 3-6 months for remediation alongside the supplier’s engineering team. For an OEM building CSMS from a low maturity baseline, the readiness work is typically multi-quarter and structured as a retainer rather than a fixed assessment.
How does the Seven Anti-Patterns catalog apply during an active TARA engagement?
We use the catalog as a structured input at TARA review checkpoints rather than as a closing audit. Internal reviewers can apply the Four-Question Review Protocol during TARA close-out — typically catching three or four of the seven anti-patterns within an hour of focused review. External cybersecurity-case auditors using the same catalog often surface the remaining patterns at type-approval review; addressing them in advance materially reduces audit-cycle cost.
Do you support post-market obligations after type approval is granted?
Yes — UN-R 155 imposes ongoing monitoring duties on type-approval holders, and we structure post-market support as a Retainer covering quarterly threat-landscape review, TARA refresh on substantive design changes, and incident-response coordination if a field-discovered vulnerability emerges. The cybersecurity case is a living document, not a launch artifact, and the post-market support model reflects that.
Related
- What is TARA?
- What is ISO/SAE 21434?
- What is UN-R 155?
- Is UN-R 155 the same as ISO/SAE 21434? — FAQ
- Companion research: TARA Quality Anti-Patterns — A Practitioner Catalog and Four-Question Review Protocol