
Case study: Strengthening a Bus & Coach Manufacturer's Governance around Software Defined Vehicles (SDVs)

by NCC Group

3 November 2025

Situation:

Software-Defined Vehicles (SDVs) represent the innovation now underway across the transport industry. NCC Group's transport security team is seeing increasing emphasis on the dynamic role software plays in dictating a vehicle's functionality and features throughout its production life cycle. Gone are the days when manufacturers relied predominantly on hardware and static software, with performance attributes locked in at the point of manufacture.

However, as vehicles become increasingly software-defined, the risk of introducing security vulnerabilities during software updates has grown significantly too. The client, which specializes in transit bus and coach production, approached NCC Group to address these potential vulnerabilities as its fleet increasingly became 'software defined'.

At a glance:

Organization: North American vehicle manufacturer

Industry/Sector: Transport

Situation: The client's vehicles became software-defined, raising concerns about vulnerabilities introduced during software updates and configuration changes.

Challenge: Managing Electronic Control Units across suppliers, with "human error" in software releases posing risks to vehicle safety, compliance, and functionality.

Solution: NCC Group designed a governance model with structured checks, cross-functional signoffs, supplier controls, and traceable release processes.

Results: The vehicle manufacturer achieved secure, compliant releases with reduced risk and improved supplier assurance. Additionally, NCC Group will provide ongoing training to build further trust with regulators and customers.

Challenges

Transit operators and Original Equipment Manufacturers (OEMs) face unique challenges. They often manage hundreds of Electronic Control Units (ECUs) while working with a diverse mix of suppliers across a wide-reaching and interconnected transport ecosystem.

As a result, many of these organizations struggle to keep up with essential software updates, and to determine whether a given update may have compromised vehicle functionality, safety, or compliance.

One of the biggest risks this client had identified was the role of "human error" in software configuration and release, especially with complex programmable logic controllers and telematics gateways.

Accidental changes in configuration-driven systems can introduce significant risk, particularly when semantic or structural errors go unnoticed. This highlighted the need for robust sense-checking mechanisms to mitigate such risks.

Solution

NCC Group's team of experienced transport cyber security specialists worked closely with the security team at the vehicle manufacturer to design and implement a Software Release Management Policy (SRMP) and plan aligned to ISO 21434, ISO 24089, and UN R156.

The Group's solution for the bus and coach manufacturer included:

  • Building a comprehensive ECU inventory and responsibility matrix to track ownership of software and firmware across OEMs and suppliers.
  • Designing a governance framework with Release Review Boards, clear decision gates, and segregation of duties. This governance model was intentionally cross-functional and brought together cyber security, safety, engineering, and operations to ensure every release was signed off with full accountability.
  • Establishing a cyber relevancy check integrated into Engineering Change Notice (ECN) workflows to automatically flag when updates require Threat Analysis and Risk Assessment (TARA) review.
  • Creating checklists and sanity checks that validate configuration changes before deployment, reducing human error in software program releases.
  • Enhancing evidence traceability through Teamcenter, Git, and supplier documentation to support regulator and customer audits. This transparency, from ECN to TARA to release notes, was essential in building trust with regulators and customers.
  • Additionally, NCC Group's team worked with the client to strengthen supplier assurance. Since most software originates from third-party vendors, they helped define enforceable supplier requirements through a Cyber Security Development Interface Agreement (CDIA), ensuring that controls and mechanisms were clearly articulated and auditable.

Results

NCC Group's transport team provided the client with a scalable, SDV cyber security governance model that fully integrates suppliers, engineering teams, and operations. It includes a harmonized SRMP covering development through post-deployment. Structured evidence artifacts (release notes, OTA logs, ECN approvals, cyber security release packages) were also shared.

These models and documents will significantly help the client manage compliance obligations aligned to ISO 21434, ISO 24089, and UN R156.

Transport cyber security consultants worked closely with the manufacturer's security team to ensure this wasn't a 'one and done' exercise either. Instead, the client was left with everyday practical tools, such as checklists, decision gates, and templates, that ensure updates are tested, reviewed, and compliant before release.

The experts are now developing playbooks and training modules for engineering and cyber security teams to ensure these processes are embedded into daily operations.


Rami Riashy | Transport Cyber Security Consultant, NCC Group

"By establishing this foundation, our client reduced cyber risk and met regulatory demands. They also gained important competitive advantages: faster, safer releases, fewer customer disruptions, and demonstrable compliance that builds trust with regulators and operators alike. Investing in structured software release governance now has helped position this vehicle manufacturer as the market leader in secure, software-driven mobility."

NCC Group


NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.
