
When OT Meets the Parking Lot: Why Vehicle Cybersecurity Can’t Be Ignored

Connected vehicles are rolling operational technology environments, and security researchers keep proving they can be hacked. Organizations managing fleets and connected infrastructure need to treat them that way.

We tend to think of cybersecurity in terms of servers, endpoints, and cloud environments. But there’s a class of networked computer that most organizations park right outside the building—sometimes dozens or hundreds of them—and rarely think about from a security perspective.

Vehicles.

Over the past several years, security researchers have repeatedly demonstrated that connected vehicles can be compromised through their internal networks. The most famous example remains Charlie Miller and Chris Valasek’s 2015 Jeep Cherokee hack, in which they remotely took control of steering and braking through the vehicle’s infotainment system. Since then, the findings have only multiplied. Competitions like Pwn2Own Automotive have become regular showcases for researchers chaining together vulnerabilities in vehicle internal communication buses and connected subsystems—moving laterally from less-critical components to more sensitive ones, gaining control over systems that should have been isolated and protected.

If that lateral movement pattern sounds familiar, it should. It’s the same playbook attackers use inside enterprise IT networks every day. And the vehicles being targeted aren’t exotic prototypes. They’re popular consumer and fleet models from major manufacturers.


These Aren’t Just Cars—They’re Rolling OT Environments

A modern connected vehicle is, from a cybersecurity standpoint, an operational technology (OT) environment on wheels. It contains dozens of electronic control units (ECUs) communicating over internal buses like CAN (Controller Area Network), Ethernet backbones, and increasingly, wireless interfaces. These systems manage everything from braking and steering to infotainment, telematics, GPS, and over-the-air update mechanisms.

The internal architecture of these vehicles shares a striking resemblance to industrial control systems (ICS) in manufacturing or critical infrastructure. In both cases, you have a mix of legacy communication protocols designed for reliability and real-time performance—not for security—interconnected with modern networked computing systems that introduce a much wider attack surface.

What researchers have shown, going all the way back to Miller and Valasek’s Jeep work and continuing through recent competition results, is that the boundary between “infotainment” and “vehicle control” isn’t always as robust as we’d hope. Once inside the internal network, an attacker can potentially traverse from lower-criticality systems toward higher-criticality ones. This mirrors a well-known problem in industrial OT environments, where IT/OT convergence has created pathways between corporate networks and physical control systems that were never intended to be connected.

Why Enterprise and Fleet Managers Should Pay Attention

If your organization operates a fleet—whether it’s five vehicles or five thousand—this body of research has direct implications for your risk posture.

  • Fleet vehicles are networked endpoints. Modern fleet vehicles connect to telematics platforms, receive over-the-air updates, and often integrate with enterprise systems for logistics, routing, and asset management. Each of these connections is a potential vector.
  • Vehicle compromise can mean physical safety risk. Unlike a compromised laptop, a compromised vehicle puts lives at risk. The stakes for OT-style attacks on vehicles are categorically different from those in traditional IT.
  • Supply chain complexity is enormous. A single vehicle can contain software and hardware from dozens of suppliers, each with their own development practices, update cadences, and vulnerability profiles. This mirrors the third-party risk challenges organizations already face in their IT environments—but with even less visibility.
  • Data exposure is underappreciated. Connected vehicles collect and transmit significant amounts of data—location history, driver behavior, connectivity credentials, and in some models with always-on voice assistants, even cabin audio. A compromised vehicle is also a compromised data source.

The Broader OT Security Lesson

The vehicle cybersecurity problem is really a subset of a much larger challenge: the security of operational technology in a world where everything is networked.

For years, OT security lagged behind IT security because operational systems were air-gapped—physically disconnected from networks that could be attacked remotely. That era is largely over. Today, OT systems in manufacturing, utilities, transportation, healthcare, and now vehicles are connected, remotely managed, and software-updated. The same convenience that enables over-the-air patches and remote diagnostics also enables remote attack surfaces.

What makes OT environments particularly difficult to secure is a set of constraints that don’t apply in the same way to IT:

  • Patching is operationally complex. Consumer EVs may accept overnight OTA updates without much fuss, but fleet environments face harder problems: coordinating updates across hundreds of vehicles without disrupting operations, navigating manufacturer certification requirements for safety-critical components, and managing the risk that a bad update could brick a system responsible for braking or steering. The challenge isn’t that patching is impossible—it’s that it carries real operational and safety stakes.
  • Legacy protocols persist. CAN bus, Modbus, and other OT protocols were designed decades ago without authentication or encryption. Replacing them is a multi-year, multi-billion-dollar industry challenge.
  • Visibility is limited. Many organizations have poor asset inventories for their OT environments. They know what servers they run, but not necessarily what firmware version is on every ECU in every fleet vehicle.
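
The "legacy protocols persist" point can be seen directly in the frame format. The following is an added example, not part of the original article: it decodes classic CAN frames in the Linux SocketCAN layout and counts arbitration IDs that a segment is not expected to carry. The arbitration IDs, the allowlist and the sample capture are constructed for illustration.

```python
import struct

# Linux SocketCAN classic frame: 32-bit can_id, 8-bit length, 3 pad bytes,
# 8 data bytes. Little-endian host assumed for this example.
FRAME = struct.Struct("<IB3x8s")
EFF_FLAG, RTR_FLAG, ERR_FLAG = 0x80000000, 0x40000000, 0x20000000

def parse_frame(raw: bytes) -> dict:
    """Decode one 16-byte frame. The format has no sender address, no
    MAC or signature and no freshness counter: receivers trust the ID."""
    if len(raw) != FRAME.size:
        raise ValueError(f"expected {FRAME.size} bytes, got {len(raw)}")
    can_id, length, data = FRAME.unpack(raw)
    if length > 8:
        raise ValueError(f"invalid classic CAN length {length}")
    extended = bool(can_id & EFF_FLAG)
    return {
        "id": can_id & (0x1FFFFFFF if extended else 0x7FF),
        "extended": extended,
        "remote": bool(can_id & RTR_FLAG),
        "error": bool(can_id & ERR_FLAG),
        "data": data[:length],
    }

def unexpected_ids(frames, expected_ids) -> dict:
    """Count frames whose arbitration ID is not on the segment's allowlist.
    An allowlist checks plausibility only; it cannot prove which ECU sent a frame."""
    counts = {}
    for raw in frames:
        frame = parse_frame(raw)
        if frame["error"]:
            continue  # error frames carry controller status, not an ID
        if frame["id"] not in expected_ids:
            counts[frame["id"]] = counts.get(frame["id"], 0) + 1
    return counts

def make_frame(can_id: int, data: bytes) -> bytes:
    return FRAME.pack(can_id, len(data), data)  # "8s" zero-pads the payload

# Constructed capture from a hypothetical infotainment segment; IDs are made up.
EXPECTED_INFOTAINMENT_IDS = {0x3E8, 0x3E9}
SAMPLE = [make_frame(0x3E8, b"\x01\x02"), make_frame(0x3E9, b"\x10"),
          make_frame(0x120, b"\xff\x00\x00\x01"), make_frame(0x3E8, b"\x01\x03"),
          make_frame(0x120, b"\xff\x00\x00\x02")]

if __name__ == "__main__":
    for arb_id, n in unexpected_ids(SAMPLE, EXPECTED_INFOTAINMENT_IDS).items():
        print(f"unexpected ID 0x{arb_id:03X} seen {n} time(s)")
```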

Regulatory Momentum Is Building

It’s worth noting that regulators are catching up. UN Regulation No. 155 (UNECE WP.29) now requires automakers to implement cybersecurity management systems as a condition of vehicle type approval in many markets, and ISO/SAE 21434 establishes a framework for automotive cybersecurity engineering across the vehicle lifecycle. These standards give fleet managers something concrete to ask their OEMs about—and a basis for evaluating whether the vehicles they’re purchasing meet a credible security bar.

What Organizations Can Do Now

You don’t need to wait for automakers to solve this. There are practical steps that enterprise leaders can take today:

  • Include vehicles in your asset and risk inventory. If your organization operates connected vehicles, they belong in your risk register alongside your servers and endpoints. Catalog what data they handle, what networks they connect to, and what update mechanisms they use.
  • Segment vehicle telematics from core networks. Just as you would segment IoT or OT systems from your corporate IT environment, ensure that telematics and fleet management platforms don’t provide a bridge into more sensitive systems.
  • Assess third-party risk in your fleet supply chain. Understand which vendors supply software and connectivity for your fleet vehicles. Ask about their security development lifecycle, vulnerability disclosure practices, and compliance with standards like ISO/SAE 21434.
  • Incorporate vehicle and OT scenarios into tabletop exercises. Your incident response plan should account for the possibility that a fleet vehicle or connected OT device is the initial compromise vector—not just a server or workstation.
  • Get a baseline OT security assessment. If you haven’t had your OT environment—vehicles included—evaluated by specialists, you’re operating without a map. An assessment identifies what you don’t know, which is where most of the risk lives.
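
One way to test the segmentation step above is to treat the permitted network flows as a graph and look for multi-hop routes from the telematics zone into sensitive zones. This is an added example, not part of the original article; the zone names, services and flow list are hypothetical and would come from your own firewall or security-group export.

```python
from collections import deque

# Constructed allowlist of permitted flows: (source zone, destination zone, service).
ALLOWED_FLOWS = [
    ("vehicle-telematics", "fleet-mgmt", "mqtt/8883"),
    ("fleet-mgmt", "logistics-app", "https/443"),
    ("logistics-app", "erp-core", "sql/1433"),
    ("corp-lan", "fleet-mgmt", "https/443"),
    ("corp-lan", "erp-core", "https/443"),
]

def paths_to_sensitive(flows, start, sensitive):
    """Breadth-first search over permitted flows. Returns, for each sensitive
    zone reachable from `start`, the shortest chain of hops that reaches it.
    No single rule has to bridge the zones for a route to exist."""
    graph = {}
    for src, dst, svc in flows:
        graph.setdefault(src, []).append((dst, svc))

    parent = {start: None}          # zone -> (previous zone, service used)
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst, svc in graph.get(zone, []):
            if dst not in parent:
                parent[dst] = (zone, svc)
                queue.append(dst)

    result = {}
    for target in sensitive:
        if target == start or target not in parent:
            continue
        hops, node = [], target
        while parent[node] is not None:
            prev, svc = parent[node]
            hops.append(f"{prev} -> {node} ({svc})")
            node = prev
        result[target] = hops[::-1]
    return result

if __name__ == "__main__":
    found = paths_to_sensitive(ALLOWED_FLOWS, "vehicle-telematics", {"erp-core"})
    for zone, hops in found.items():
        print(f"{zone} is reachable from telematics in {len(hops)} hops:")
        for hop in hops:
            print("  " + hop)
```

In the constructed data no rule connects telematics to the ERP zone directly, yet a three-hop route exists through the fleet management and logistics zones.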

The Parking Lot Is Part of Your Attack Surface

The techniques researchers use to compromise vehicles aren’t secret, and the underlying architectural weaknesses they exploit aren’t unique to one automaker. They’re systemic to how connected vehicles are built today.

For organizations managing fleets, critical infrastructure, or any environment where OT and IT converge, the lesson is clear: your attack surface doesn’t stop at the office door. It extends into the parking lot, onto the highway, and everywhere your connected assets operate.

If your security program hasn’t yet accounted for the computers on wheels in your fleet, Plurilock’s teams can help—from OT security assessments and third-party risk evaluation to adversary simulation that tests the real boundaries between your IT and operational environments.

Key Takeaways

  • Connected vehicles are functionally rolling OT environments, with dozens of ECUs communicating over legacy protocols like CAN bus that were designed for reliability—not security

  • Security researchers have repeatedly demonstrated lateral movement from infotainment systems to safety-critical vehicle controls, mirroring the IT/OT convergence risks seen in industrial environments

  • Fleet vehicles are networked endpoints that collect sensitive data, connect to enterprise systems, and introduce physical safety risks that far exceed those of a compromised workstation

  • Patching complexity, legacy protocols, and poor asset visibility make vehicle and OT security fundamentally harder than traditional IT security

  • Regulatory frameworks like UN Regulation No. 155 and ISO/SAE 21434 are raising the bar for automotive cybersecurity, giving fleet managers concrete standards to evaluate their OEMs against

  • Organizations should include vehicles in risk inventories, segment telematics from core networks, and conduct OT-specific security assessments to understand where the real exposure lies

Does your security program extend to the parking lot? Plurilock’s OT/ICS/SCADA testing services help organizations assess the security of operational technology environments—including connected fleets and the systems they integrate with. From baseline OT assessments to adversary simulation that tests real-world attack paths across IT/OT boundaries, our teams can help you map and secure the attack surface you might be overlooking. Contact us to get started.
