
Transforming Vehicle Cybersecurity: A Smarter Path to Regulatory Compliance

By Francesca Forestieri, Automotive Lead, GlobalPlatform

Back in 2015, cybersecurity experts sent shockwaves through the auto industry by demonstrating how a modern vehicle—a Jeep Cherokee in this case—could be remotely controlled by simply hacking into its infotainment system. Safety warnings were issued, cars were recalled, and an entire industry had to confront the reality of a new cybersecurity problem.

That was a decade ago. Since then, cars have added many more connectivity and automation features, significantly increasing the attack surface for cyber threats.

Cybersecurity regulations have inevitably followed. UNECE WP.29 issued regulations for automotive cybersecurity in June 2020, notably UNECE 155 for cybersecurity management systems. UNECE 155 came into force in January 2021 and, beginning last year, now applies to all newly produced vehicles in 64 countries. SAE J3101 Hardware Protected Security Environments—produced by the Society of Automotive Engineers (SAE)—aims to help automakers meet these new directives. It defines hardware-based security requirements for automotive electronic systems and calls for a hardware root of trust (HRoT) to ensure the integrity, confidentiality, and availability of critical vehicle functions. J3101 therefore serves as an important industry guideline for securing automotive systems.

But what is the strategy for meeting this new standard?

An actionable guide to implementing J3101

J3101 is essentially a list of requirements aimed at ensuring vehicle components are, for example, tamper-resistant, verifiable, and able to communicate securely. However, while it defines what the auto industry needs to include, the standard does not provide implementation guidelines on how to do it.

So how can we make SAE J3101 actionable? This is where GlobalPlatform comes into play. By mapping our Secure Element (SE) and Trusted Execution Environment (TEE) specifications onto J3101, we provide a clear, actionable path for compliance.

GlobalPlatform is collaborating with SAE to ensure that upcoming iterations of J3101 indicate that our SE and TEE specifications are a recognized means of compliance. This work is effectively transforming J3101 from a list of security requirements into a practical, implementable reference that auto OEMs and their supply chains can follow with confidence.

The GlobalPlatform specifications do not tick every box in J3101—but we’re not far off. Our analysis found that the GlobalPlatform SE fully meets 100 percent of J3101 requirements, while the GlobalPlatform TEE covers 98 percent.

GlobalPlatform technology has different security layers, with most J3101 requirements for security services supported by the platform (more than 75%) and others by the Trusted Applications (around 20%) that run on the platform. The development of Trusted Applets and Applications is foreseen as a key way to address the security specificities desired by the OEM and their suppliers. This approach has proved highly successful in the mobile and financial industries, allowing for security isolation across a wide ecosystem of service providers—a model that the auto industry is moving closer to every day.

Ensuring transparency across the supply chain

The regulatory challenge for the industry is complicated further by the fact that auto OEMs deal with a complex supply chain. A supplier may claim its component is secure, but how can the OEM know to what level? The commitment to security must go beyond simply having a picture of a padlock on the box.

But when suppliers base their components on GlobalPlatform specifications, the security compliance process becomes transparent. This transparency, based on certification, validates that the supplier has met the stated security robustness and maps directly to the J3101 requirements. In this way, OEMs can simplify and accelerate their sourcing process with clear security robustness, while ultimately lowering the cost of security evaluations.

A GlobalPlatform-compliant supplier ultimately provides the auto OEM with complete confidence that the components embedded in their vehicles meet cybersecurity requirements. The message from the OEM to their supply chain may soon become: “Why are you not using a GlobalPlatform-certified SE or TEE?”

Collaborating with the Industry to Deliver Secure Solutions

As cybersecurity threats evolve, OEMs and suppliers must develop a long-term strategy. Managing security across hundreds of suppliers requires consistency, not just a collection of isolated security features. Now is the time to explore how to streamline compliance processes, reduce complexity, and ensure interoperability.

GlobalPlatform is already working with automakers to help them integrate its cybersecurity specifications. In fact, we’re actively engaging with stakeholders across the entire industry.

Whether you're looking to understand how GlobalPlatform can support your hardware security strategy or want to contribute to the development of security solutions, now is the time to get involved. By collaborating, we can shape protection profiles, align industry best practices, and bring innovative products into the ecosystem.

Our Cybersecurity Vehicle Forum takes place in New Orleans in April, while our Automotive Task Force is busy working on the alignment of GlobalPlatform technologies with automotive use cases.

Come join us and help secure the car of the future.
