" " indicates required fields
Attacks against automotive supply chains have surged lately.
In early February 2025, a Japanese precision parts manufacturer had over 500 GB of sensitive data exfiltrated by a prominent ransomware group targeting various sectors, including automotive suppliers.
The incident is one example of how threat actors can launch full-scale cyber attacks against manufacturers and suppliers in the complex automotive supply chain.
Such incidents underscore how threat actors leverage vulnerabilities within automotive supply chains. An undisclosed vulnerability left undetected in an open-source dependency can exacerbate these threats. Consequently, generating and managing a Software Bill of Materials (SBOM) becomes essential to provide visibility into third-party libraries, dependencies, and interconnected software components, effectively mitigating security gaps before exploitation.
This blog outlines key insights from the Auto-ISAC SBOM Informational Report, emphasizing the impact on supply chains and best practices for collaboration among OEMs, Tier 1 and Tier 2 suppliers.
Implementing SBOM practices aligns automotive manufacturers with critical regulatory requirements, including ISO 26262 for functional safety and ISO/SAE 21434 for cybersecurity. SBOMs provide comprehensive transparency into vehicle-embedded software, facilitating regulatory compliance such as the EU Cyber Resilience Act (CRA), essential for obtaining CE marking.
The table below summarizes the relationship between various governments and bodies with SBOM adoption as outlined in the Auto-ISAC Software Bill of Materials (SBOM) report.
Scope of Global SBOM Impact
| Government/Bodies | SBOM |
| United States | Cybersecurity and Infrastructure Security Agency (CISA) and the National Highway Traffic Safety Administration (NHTSA) have emphasized SBOM use. EO 14028 emphasizes the importance of an SBOM for improving software supply chain security. OEMs can adopt SBOM practices to evaluate risks in software components and analyze known vulnerabilities throughout the supply chain. |
| European Union (EU) | The Cyber Resilience Act (CRA) mandates SBOM compliance for software supply chain security. |
| Japan | SBOMs align with US CISA guidelines. The Japanese automotive industry is exploring the implementation of SBOMs in collaboration with METI. |
Gartner projects that in 2025, 60% of organizations procuring mission-critical software will mandate SBOM disclosure in license agreements, highlighting its global significance.
Conducting a Thorough Risk Assessment: Consumer safety and cybersecurity are intertwined. Auto manufacturers must mitigate critical vulnerabilities in the supply chain to protect drivers from roadside accidents. Vehicle software must be updated to address newly discovered threats and patch critical vulnerabilities. OEMs must conduct a thorough risk assessment to minimize the threat surface and meet compliance requirements. ISO/SAE 21434 stresses the importance of conducting a Threat Analysis and Risk Assessment (TARA) to protect the integrity of interconnected vehicle systems and foster collaboration between OEMs and suppliers.
Pre-Sale Considerations: A predefined agreement clause for SBOMs must be established during the purchase negotiation stage to ensure data confidentiality in the Request for Proposal (RFP) and Request for Quotation (RFQ) stages. The report states that SBOM data should be shared with OEMs but not with retail consumers for either vehicles or parts. A Cybersecurity Interface Agreement (CIA) and Development Interface Agreement (DIA) must be included in the pre-sales process beyond the standard NDA to ensure the safe data exchange in an SBOM and outline the responsibilities of design, development, testing, and monitoring.
SBOMs should be incorporated into SLA requirements in all pre-sale documentation, as they impact the workload of Tier 1 and Tier 2 suppliers and influence post-sale security planning for both the supplier and the customer. Releasing a vehicle update is the sole responsibility of the OEM and may result in non-compliance if SBOM management is not properly integrated into the supply chain. Agreements should specify the acceptable and unacceptable licenses for the developed product and associated dependencies.
Development Integration: SBOMs must accurately reflect the software origin for components. The report suggests following several best practices to ensure smooth SBOM adoption for development teams. These practices include declarative dependency management in programming environments and examining project source code and configuration. Manual SBOM generation and maintenance may be substituted if automation methods aren’t available to generate an SBOM.
Vulnerability Management: A complete SBOM exchange facilitates clear communication and transparency between suppliers and consumers for a successful vulnerability management program. Threat intelligence is a critical component of a comprehensive vulnerability management program. Threat intelligence data is collected and aggregated from various sources, including private dark web forums, OSINT, OWASP Top 10, and other cybersecurity frameworks, to analyze the TTPs of attackers.
Security teams can then leverage the threat data to prioritize risk-based vulnerabilities in the supply chain and connected software components during the pre-market design phase. Factors to consider during an SBOM vulnerability management program include severity (typically measured by CVSS or NVD scores), potential data risks to integrity and confidentiality levels, and the complexity of the exploit.
Automation and Tooling: This section is divided into primary and secondary methods.
Primary methods include:
Secondary methods include:
Vulnerability disclosure is another key aspect of the sharing and collaboration process. Critical vulnerabilities discovered in any phase of development become the responsibility of the supplier to disclose. Certain metrics may be established and benchmarked to ensure timely vulnerability disclosure. These metrics may include:
The complexity of managing automotive SBOMs and vulnerabilities demands automated, integrated solutions. C2A Security’s EVSec platform specifically addresses these challenges by:
Schedule a demo to learn how C2A Security can help automate BOM validation in your supply chain.
CRO
C2A Security
VP and GM, Medical Technology
C2A Security
Ken Zalevsky brings over 20 years of medical device cybersecurity experience to his role at C2A Security, where he serves as VP and GM, Medical Technology, following the acquisition of Vigilant Ops in October 2025. A former Bayer executive, Ken founded Vigilant Ops in 2019 after witnessing the consequences of inadequate technical preparation in the healthcare industry. He is an active contributor to CISA’s SBOM working groups and a frequent speaker on software supply chain security. Ken’s mission: transform SBOM from a compliance checkbox into operational intelligence that keeps patients safe while streamlining regulatory processes.