
Cybersecurity best practices for connected vehicle and dealership systems

Dealerships face growing cybersecurity risks that extend beyond traditional information technology systems to include operational technology and vehicle software.

As connected and automated vehicles (CAVs) become increasingly prevalent in Canada, dealerships face growing cybersecurity risks that extend beyond traditional information technology (IT) systems to include operational technology (OT) and vehicle software.

Protecting these complex ecosystems requires a comprehensive approach that addresses supply chain vulnerabilities, secure software update management, IT and OT convergence, and evolving insurer expectations.

Supply chain vulnerabilities

The automotive supply chain is global and multifaceted, involving OEMs, Tier 1 suppliers, software vendors, and dealerships. A single weak link can expose the entire ecosystem to cyber threats.

For example, compromised software components or unauthorized third-party access can introduce malware or backdoors into vehicle systems or dealership networks.

Software update management systems (SUMS) and over-the-air (OTA) updates security

Canadian regulations, aligned with UNECE R155 and FMVSS 155, require secure management of OTA updates to vehicles. A SUMS must ensure that software updates are authenticated, integrity-checked, and securely deployed to prevent malicious code injection or rollback attacks. Dealerships play a critical role in validating these updates during servicing to maintain vehicle cybersecurity.

IT/OT convergence exploitation

Dealerships increasingly integrate IT systems, such as customer databases and sales platforms, with OT systems, including vehicle diagnostic tools and service bay equipment. This convergence expands the attack surface, as vulnerabilities in IT can be exploited to access OT systems controlling vehicle functions or sensitive data. Segmentation and strict access controls are essential to mitigate these risks.

Evolving insurer expectations

Marsh Canada, as a global broker and risk advisor, and the Insurance Bureau of Canada (IBC), as an industry association representing Canadian insurers, emphasize that insurers, brokers, and industry bodies each have distinct but complementary cybersecurity expectations for dealerships. These include implementing robust cybersecurity frameworks aligned with international standards such as ISO/SAE 21434, ensuring data privacy compliance under Canadian laws like PIPEDA, and adopting best practices in AI ethics and transparency.

With their focus on underwriting criteria and risk mitigation, insurers encourage dealerships to proactively manage emerging cyber and operational risks associated with AI-driven customer engagement. Through advice and guidance, Marsh helps dealerships meet insurers’ risk management expectations.

Six practical cybersecurity risk mitigation steps

Dealerships can actively manage their cybersecurity risk in the following ways:

  • Develop a formal cybersecurity management system (CSMS) aligned with ISO/SAE 21434 to manage cybersecurity risks throughout vehicle and dealership system lifecycles. This should include governance, risk assessment, supplier management, and continuous improvement.
  • Use OEM-authorized tools to verify the cryptographic signatures and integrity of OTA updates during vehicle servicing. Maintain detailed logs of update activities for audit and compliance purposes.
  • Separate IT and OT networks to limit lateral movement of threats. Implement multi-factor authentication (MFA) and least privilege access policies for all systems, especially those interfacing with vehicle diagnostics and control systems.
  • Deploy intrusion detection systems and real-time monitoring tools to detect anomalies. Develop and regularly test incident response plans tailored to cyber incidents affecting both IT and OT environments.
  • Conduct regular cybersecurity training focused on phishing, social engineering, and secure handling of connected vehicle data. Technicians and service bay staff should be trained on secure diagnostic procedures and on recognizing suspicious activity.
  • Vet suppliers’ cybersecurity postures through audits and contractual requirements. Collaborate with OEMs and industry groups such as Auto-ISAC Canada to share threat intelligence and best practices.
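The OTA validation step above (authenticated, integrity-checked, no rollback, logged) is concrete enough to show in code. The following is an added example, not OEM, SUMS or Marsh code: the manifest, payload, key and version numbers are constructed, and HMAC-SHA256 from the standard library stands in for the asymmetric signature a real OEM package would carry. The four checks around it are the point: authenticity of the manifest, integrity of the payload against the signed hash, a strictly increasing version to block rollback, and an audit record for every decision whether accepted or rejected.

```python
"""Verifying a signed OTA update package before it is applied in the service bay.

Added example, not OEM or Marsh code. Everything here is constructed: the
manifest, payload, key and version numbers. HMAC-SHA256 stands in for the
asymmetric signature a real SUMS would use; the surrounding checks are the point.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical verification key provisioned to the dealership's OEM-authorized
# tool. With a real SUMS this would be the OEM's public key, not a shared secret.
VERIFY_KEY = b"constructed-dealership-tool-key"

# Firmware version currently installed on the vehicle's ECU (constructed).
installed_version = {"ECU-BCM": 12}

# Detailed record of every update decision, kept for audit and compliance.
audit_log = []


def canonical(manifest):
    """Deterministic encoding of the manifest fields covered by the signature."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """OEM-side helper, used here only to build the constructed sample packages."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_package(ecu, version, payload, key=VERIFY_KEY):
    """Build a constructed update package: signed manifest plus firmware payload."""
    manifest = {"ecu": ecu, "version": version,
                "payload_sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key),
            "payload": payload}


def verify_update(package, installed, key=VERIFY_KEY):
    """Return (accepted, reason). Every decision is appended to audit_log."""
    manifest = package["manifest"]
    signature = package["signature"]
    payload = package["payload"]
    outcome = "accepted"

    # 1. Authenticity: the manifest must carry a valid signature.
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        outcome = "rejected: bad manifest signature"
    # 2. Integrity: the payload must hash to the value in the signed manifest.
    elif not hmac.compare_digest(hashlib.sha256(payload).hexdigest(),
                                 manifest["payload_sha256"]):
        outcome = "rejected: payload hash mismatch"
    # 3. Anti-rollback: the version must be strictly newer than what is installed.
    elif manifest["version"] <= installed.get(manifest["ecu"], 0):
        outcome = (f"rejected: rollback to version {manifest['version']} "
                   f"(installed {installed.get(manifest['ecu'], 0)})")

    # 4. Audit: record the decision regardless of outcome.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "ecu": manifest.get("ecu"),
        "version": manifest.get("version"),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "outcome": outcome,
    })
    return outcome == "accepted", outcome


# Constructed sample packages exercising each check.
GOOD = make_package("ECU-BCM", 13, b"constructed firmware image v13")
ROLLBACK = make_package("ECU-BCM", 11, b"constructed firmware image v11")
TAMPERED = dict(GOOD)                      # valid manifest, altered payload
TAMPERED["payload"] = b"modified image"
FORGED = make_package("ECU-BCM", 14, b"constructed image v14", key=b"wrong-key")

if __name__ == "__main__":
    for name, pkg in [("good", GOOD), ("rollback", ROLLBACK),
                      ("tampered", TAMPERED), ("forged", FORGED)]:
        print(name, verify_update(pkg, installed_version))
    print(json.dumps(audit_log, indent=2))
```

The order of the checks matters: the signature is checked first so that a manifest an attacker rewrote (for example to raise the version number) is rejected before its contents influence any other decision, and the audit entry is written on the rejection path as well, since a run of rejected packages at one service bay is exactly the anomaly the monitoring step is meant to surface.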

Dealerships can also take the following steps to strengthen the cybersecurity capabilities of technicians and service bay controls.

  • Secure diagnostic tools: Verify diagnostic equipment is updated with the latest security patches and only authorized personnel have access.
  • Control access to vehicle systems: Limit physical and remote access to vehicle ECUs and telematics modules during servicing.
  • Log and audit: Maintain logs of all diagnostic and software update activities to detect unauthorized access or anomalies.
  • Report incidents: Establish clear protocols for technicians to report suspected cybersecurity incidents immediately.
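The "log and audit" item above, together with the segmentation and least-privilege measures earlier on the page, translates into a review that can be run over diagnostic-session logs. The following is an added example, not code from Marsh or any vendor: the log format, subnets, hostnames and user names are constructed, and the policy it enforces is an assumption (only workstations on the service-bay subnet, used by authorized technicians during service hours, may open diagnostic sessions to the OT subnet). Port 13400 is the port used by Diagnostics over IP (ISO 13400), which is why the sample lines use it.

```python
"""Reviewing diagnostic-session logs for segmentation and access-control violations.

Added example, not vendor or Marsh code. The log lines, subnets, hostnames,
user names and the policy itself are constructed for illustration.
"""
import ipaddress
from datetime import datetime

# Hypothetical network plan: IT subnet, service-bay diagnostic workstations,
# and the OT/vehicle subnet that diagnostic gateways and ECUs sit on.
IT_NET = ipaddress.ip_network("10.20.0.0/16")
BAY_NET = ipaddress.ip_network("10.40.0.0/24")   # the only authorized path into OT
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Least privilege: only these accounts may open diagnostic sessions (constructed).
AUTHORIZED_TECHS = {"tech.alvarez", "tech.nguyen"}
SERVICE_HOURS = range(7, 19)  # 07:00 to 18:59 local time

# Constructed sample log, in a simple key=value style a firewall or
# diagnostic gateway might emit.
SAMPLE_LOG = """\
2024-05-02T09:14:07 src=10.40.0.21 dst=10.50.1.7 dport=13400 user=tech.alvarez action=session_open
2024-05-02T09:40:51 src=10.20.5.11 dst=10.50.1.7 dport=13400 user=sales.brown action=session_open
2024-05-02T22:03:12 src=10.40.0.22 dst=10.50.1.9 dport=13400 user=tech.nguyen action=session_open
2024-05-02T10:05:33 src=10.40.0.23 dst=10.50.1.7 dport=13400 user=contractor.x action=session_open
2024-05-02T11:12:00 src=10.40.0.21 dst=10.50.1.7 dport=13400 user=tech.alvarez action=session_close
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(log_text):
    """Return a list of (timestamp, source, user, reasons) for every suspicious session open."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "session_open":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in OT_NET:
            continue  # only sessions reaching vehicle/diagnostic systems are in scope

        reasons = []
        # Segmentation: IT hosts must never reach OT directly.
        if src not in BAY_NET:
            where = " (IT network)" if src in IT_NET else ""
            reasons.append("source outside service-bay subnet" + where)
        # Least privilege: only authorized technicians open diagnostic sessions.
        if rec["user"] not in AUTHORIZED_TECHS:
            reasons.append("user not an authorized technician")
        # Anomaly: sessions outside service hours warrant a look.
        if rec["ts"].hour not in SERVICE_HOURS:
            reasons.append("outside service hours")

        if reasons:
            findings.append((rec["ts"].isoformat(), rec["src"], rec["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, user, reasons in review(SAMPLE_LOG):
        print(f"{ts} {src} {user}: {'; '.join(reasons)}")
```

Run against the sample, the review flags the session from the IT subnet by a sales account, the authorized technician working at 22:03, and the contractor account on a bay workstation; the normal daytime technician session and the session_close record produce nothing. Each finding carries all of its reasons rather than the first one, which is what an incident responder needs when deciding whether a single event is a misconfiguration or the start of lateral movement into OT.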

As CAVs continue to transform the automotive landscape in Canada, dealerships must adopt a proactive and comprehensive cybersecurity strategy to safeguard their complex ecosystems. Marsh offers tailored solutions that help dealerships navigate these challenges by providing expert risk advisory services, facilitating the implementation of robust cybersecurity management systems aligned with international standards, and supporting compliance with evolving regulatory requirements.
