
Reflections from the 2025 Auto-ISAC Cybersecurity Summit

What's currently top of mind for automotive cyber leaders?

by Josh Kolleda

13 October 2025

NCC Group was proud to continue the partnership with Auto-ISAC as an executive lunch sponsor at their 9th Annual Cybersecurity Summit in Washington, D.C.

The two-day event brought together hundreds of professionals from the global automotive security community, including Original Equipment Manufacturers (OEMs), suppliers, policymakers, researchers, and practitioners.

In 2025, delegates were urged to unite in advancing cyber resilience across the mobility sector with the theme "Secure what moves us." 

NCC Group attendees:

• Josh Kolleda - Practice Director, Transport
• Rami Riashy - Security Consultant – Automotive Lead
• Dimitri Havel - Security Consultant – Automotive Lead
• John Krokus - Sales Director

As one of the industry's premier gatherings, Auto-ISAC 2025 highlighted the urgency of collaboration, the realities of regulation, and the innovation required to keep pace with a rapidly evolving threat landscape.

The top 5 topics for automotive cyber security leaders in 2025

1. Software-defined transformation continues as vehicles become platforms, blurring the lines between IT, OT, and mobility. 

As the use of connectivity interfaces continues to increase, the industry must take a mobility ecosystem view of cyber security to support the deployment of connected, automated, shared, and electric vehicles.


2. Collaboration and trust are paramount for OEMs, suppliers, and regulators who recognize that cyber resilience cannot be achieved in silos.

Multiple sessions focused on setting new methods for increased collaboration to enhance cyber security posture throughout the supply chain – from updated legal frameworks for sharing security-relevant component information to a new Enterprise Third-Party Risk Management evaluation framework for shared suppliers.


3. Regulatory pressure is intensifying: global requirements (ISO 21434, UNECE R155/R156, U.S. mandates) are reshaping supply chain expectations and compliance strategies.

NHTSA representatives also stated the intent to release a Federal Automated Vehicle Framework and updates to Federal Motor Vehicle Safety Standards (FMVSS) soon.


4. Artificial Intelligence is moving from concept to practice as a defense and efficiency force multiplier and as a new attack vector requiring increased governance and awareness.

Such significant changes require a flexible approach and comprehensive, end-to-end solutions for AI security.


5. Fleet monitoring and post-production security are increasingly important priorities.

Securing vehicles is no longer a one-time event, but a lifecycle obligation. OEMs and suppliers largely have cyber security processes built into vehicle development models. However, enhancing security operations and updating the security model during the vehicle or product lifecycle in relation to its evolving environment continues to be challenging.

Our favorite sessions from Auto-ISAC 2025

1. Governing Emerging Technology Risks in a Global Landscape

Elizabeth Cannon, Executive Director, Office of Information and Communications Technology and Services (OICTS), Bureau of Industry and Security (BIS), US Department of Commerce

Liz Cannon's session unpacked the newly finalized Connected Vehicles Rule, a sweeping set of North American mandates aimed at reducing national security risks tied to connected vehicle technologies. The rule addresses undue and unacceptable risks, from data collection and exfiltration of personal, sensor, and traffic data, to remote access that could enable vehicle hijacking, traffic manipulation, or obstruction.

She highlighted the scope of the rule, which targets the passenger vehicle market (GVWR under 10,001 lbs.), and applies specifically to Vehicle Connectivity Systems (VCS) hardware, covered software, and autonomous driving systems (ADS), especially when manufactured or supplied by entities under the People's Republic of China (PRC) or Russian jurisdiction.

Four key prohibitions are central:

1. Import of VCS hardware
2. Import of completed connected vehicles containing covered software
3. Sale of such completed vehicles
4. Related restrictions on entities under PRC/Russian ownership or control (taking effect by model year 2027 and 2029, depending on the component)

To manage compliance, Liz outlined a set of mechanisms:

• Declarations of Conformity to attest that no prohibited hardware or software is sold/imported
• General Authorizations (two active today) for limited use cases and temporary importation
• Specific Authorizations for case-by-case exemptions
• Advisory Opinion Requests to clarify whether a transaction falls under prohibition.

Finally, she introduced the Compliance Application and Reporting System (CARS), a new registration framework effective August 20, 2025. All registrants must provide corporate identity details, their registration type, and the intended use of CARS. BIS reviews are expected to take up to 10 days.

Ms. Cannon made her point clear: the compliance burden is rising quickly, timelines are short, and organizations must now build regulatory governance into their cyber strategies to avoid supply chain disruption.


2. AI as a Strategic Asset: Balancing Innovation and Risk

Melody Ayeli, Senior Director of Enterprise Artificial Intelligence at Toyota Motor North America

Melody Ayeli delivered a powerful session highlighting how Toyota is scaling AI across the enterprise, manufacturing, and in-vehicle experiences. At the heart of her message was Toyota's structured approach: Experiment, Enable, and Ensure.

The company is prototyping and testing new AI models, equipping teams with training and approved tools, and embedding governance to uphold ethical, legal, and organizational standards.

She showcased the tangible outcomes of this framework: AI initiatives that reduce time to knowledge, boost productivity, and deliver smarter customer experiences. In manufacturing, where mastery often takes a decade of experience, Toyota is closing skills gaps by digitizing institutional knowledge (manuals, VHS transcripts, maintenance records, and expert insights) and making it accessible through Gearpal AI.

Beyond the factory floor, Toyota is deploying AI into R&D, service tech support, and customer call centers, while enterprise tools like ToyotaGPT provide a secure, internally hosted LLM assistant approved for use with Toyota's most sensitive data. Ms. Ayeli also revealed the Toyota AI Vehicle Expert, a curated voice-assistant platform delivering conversational AI to dealers, service centers, customers, and directly inside vehicles through a sophisticated in-vehicle AI architecture that blends edge and cloud processing.

Her talk also addressed the regulatory landscape: nearly 700 AI-related bills were introduced in the US in 2024 alone, alongside 148 globally, underscoring why Toyota formed a Responsible AI Board. This board aligns AI with corporate goals, ensures compliance, manages risks, and engages with evolving government policies.

The message was clear: Toyota is not only innovating with AI but doing so responsibly, with governance, security, and ethics at the core, while unlocking new efficiencies and experiences across the business and customer journey.


3. Securing Mobility for the Next 10 Years

John Bozzella, President and CEO of Alliance for Automotive Innovation

John Bozzella delivered a forward-looking call to action for the automotive industry, policymakers, and the cyber security community. He framed the moment as urgent; as vehicles become ever more connected and software-driven, the risks to safety, privacy, and national security escalate, and the industry must step into that challenge with boldness and collaborative resolve.

Key points from Bozzella's address:

  • Rebooting policy landscapes

Bozzella urged a refresh of US privacy and vehicle safety regulations, particularly in the context of connected vehicles. He stressed that recently issued rules, like the BIS (Bureau of Industry and Security) measures over Chinese-connected component risks, are critical but insufficient in isolation. He argued these rules must be balanced to prevent overreach while protecting against genuine geopolitical threats.

  • Expanding collaboration across lifecycles and domains

He pressed Auto-ISAC and the wider community to broaden the definition of "collaboration." Rather than limiting cooperation to pre-deployment phases, he emphasized the expanded "lifecycle" from onboard systems to offboard connectivity, telecommunication infrastructure, and supplier networks. The endless flow of data between vehicle, network, and cloud demands that OEMs, suppliers, telecom providers, and even regulators share more than threat intelligence; they must co-design governance, standards, and response frameworks.

  • Global competitiveness and technology sovereignty

Bozzella reminded the audience that every nation wants a competitive automotive industry, one built on electrification, connectivity, and autonomy. He argued that securing global leadership in this space requires not just innovation, but deeper strategic partnerships across industry, government, and borders, to bolster cyber defenses, protect supply chains, and ensure resilience.

  • A call for purposeful engagement with regulators

He encouraged stronger, more proactive engagement with agencies like NHTSA, FCC, and CISA. Rather than viewing regulation as a burden to manage, he invoked the idea of shaping regulation as a co-owned mission. By working together, policymakers and industry can align incentives, reduce fragmentation, and build frameworks that protect and encourage growth.

Reflections from our executive lunch

On Day 2, NCC Group hosted an executive roundtable lunch with over 20 senior automotive and cyber security leaders. After recharging the batteries and getting to know one another, I gave a brief talk titled "Opening the Aperture: An Ecosystem View of Automotive Cyber Security."

We then listened as candid discussions sparked up around a variety of interesting ideas brought forth in the presentation: 

  • The automotive industry is mid-journey on compliance

Most OEMs hold their relevant certificates of compliance, but many came with findings, short lifespans, or surveillance audits. This raised discussions on how to sustain compliance efficiently across global platforms. Most companies will have understood how to achieve compliance, but many are still working hard to understand how to maintain compliance efficiently and cost-effectively.

  • Governance and responsibility are shifting

Cyber security is moving from a specialist task to a shared responsibility across engineering, quality, and manufacturing teams. Attendees at the conference debated how to instill this culture shift across large, distributed organizations.

  • Lifecycle assurance and audits are intensifying

Security is now embedded into vehicle development lifecycles, with continual improvement demanded by regulators. This sparked a conversation about how OEMs and suppliers can prepare for high-frequency and/or more in-depth re-audits while innovating quickly, especially in emerging markets.

  • The ecosystem view is expanding (IoT)

Vehicles no longer operate in isolation; they are tied to EV charging, home automation, infrastructure, and third-party services, with more integrations on the horizon. The group discussed how to model threats and assure security across these interconnections, especially when stakeholders have varying levels of maturity and ownership models.

  • More diverse collaboration is necessary

The automotive industry, specifically OEMs and suppliers, has made significant progress in collaborating to elevate cybersecurity posture across the board, largely as a direct result of Auto-ISAC efforts. However, this collaboration and communication need to start involving additional stakeholders within the mobility operating environment, namely infrastructure owner-operators, large fleet operators, and independent repair centers.

The dialogue reinforced that while every organization faces unique challenges, shared frameworks and aligned governance are essential for scaling trust across the industry.

NCC Group thermoses and banquet lunch during an exclusive lunch at Auto-ISAC cyber security summit 2025

Looking ahead – Collaboration is vital

Our leading takeaway from Auto-ISAC 2025 is that the path forward depends on collaboration, consistency, and the courage to innovate securely. 

As pioneers in automotive cyber security, NCC Group is proud to support any effort to advance security and safety across the sector. We help our automotive clients build vehicles with greater connectivity and capability while achieving greater cyber resilience. 

Gatherings like this one are crucial to achieving our collective security goals in the current, evolving threat landscape. Our work and partnership with Auto-ISAC is founded upon safeguarding mobility, innovation, and public trust.

This year's Auto-ISAC Summit was another powerful reminder that our work is more important than ever, and there's still plenty to be done. 

Josh Kolleda

Practice Director of Transport Assurance, NCC Group NA

Josh Kolleda brings 16 years of experience in the private, public, and defense sectors. He focuses on cyber security consulting capabilities across all of NCC Group’s services for companies in the transportation sector (automotive, maritime, aerospace, rail). He has worked with entities throughout the automotive and roadside infrastructure ecosystem, such as large OEMs, suppliers, standards bodies, infrastructure owner-operators, state and local governments, and federal regulators.

Josh's background as a former US Army officer specializing in transportation/logistics teams adds a unique perspective to his work. He also has a master’s degree in Transportation Policy, Operations, and Logistics and holds CISSP and PMP certifications.

Stay informed on the latest in transport sector cyber security.

We're hosting our first Transport Sector Cyber Threat Intelligence webinar on October 21, and you're invited!

In the meantime, learn more about our people-powered, tech-enabled cyber resilience services by downloading our automotive solutions guide.