SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Finite State to spotlight automotive supply chain security

Tue, 23rd Jun 2026
Joseph Gabriel Lagonsin, News Editor

Finite State said Chief Security Officer Sharon Hagi will deliver a keynote on automotive supply chain security at the Auto-ISAC Europe Cybersecurity Workshop. The session will focus on software-defined vehicle ecosystems.

Hagi's presentation, titled "AI Closes the Window: Automotive Supply Chain Security in an Accelerated Threat Environment," is aimed at European carmakers, suppliers and mobility groups navigating cyber rules, vulnerability disclosure requirements and the practical task of securing vehicles built on evolving software stacks.

The announcement reflects a broader shift in the automotive industry as cars rely more heavily on software across electronic control units, mobile applications, cloud systems and supplier components. That has increased the volume of code and third-party inputs manufacturers must track, assess and document across a vehicle's life cycle.

Automotive groups are also under pressure to show they understand what software is in each vehicle platform, where known vulnerabilities sit and whether those weaknesses are actually exposed in deployed products. As regulators and customers demand more detailed evidence, security teams are being pushed beyond periodic checks and manual reporting.

Rising complexity

The keynote will address the challenge of managing software complexity across ECUs and supply chains while reducing vulnerability noise. It will also examine how companies can maintain security and compliance readiness on a continuous basis rather than treating it as a one-off exercise.

The issue has grown more pressing as vehicles increasingly resemble connected computing systems, with functions spread across embedded software, remote services and supplier code. In that environment, a flaw may not sit in a single component but emerge from the interaction of several parts of the wider system.

Matt Wyckhouse, Chief Executive Officer and Founder of Finite State, framed the risk in those terms.

"Modern cars are hackable in the same way any complex connected product is hackable. The most realistic risk is a chain of weaknesses across the vehicle, the mobile app, the cloud backend or supplier-provided software. The industry has made real progress with secure update mechanisms, stronger engineering practices, vulnerability disclosure programs, SBOMs and automotive cybersecurity standards. But the hard part is proving, continuously, what is actually in the vehicle and whether it is exposed, recognizing that it's impossible to secure what isn't understood," Wyckhouse said.

Security workflows

Beyond the keynote, Finite State outlined areas it is highlighting in demonstrations tied to connected vehicle security workflows. Those include building a consolidated record from firmware, binaries, source code and supplier inputs, then using that information to understand what is shipped across ECUs and vehicle platforms.

It also pointed to methods for ranking vulnerabilities by exploitability and context rather than volume alone. In practice, that means distinguishing between a disclosed flaw with little relevance to an in-vehicle system and one that creates meaningful exposure in a specific build or variant.

Another focus is the step from a newly disclosed CVE to an assessment of affected vehicle platforms. For carmakers and suppliers, that process can be difficult when software versions differ across models, hardware configurations and regional variants, and when supplier code is folded into larger systems.

Traceability is another recurring theme. Security and engineering teams are being asked to connect architecture decisions, threat analysis, risks and requirements to software deployed in the field, then keep that mapping current as systems are updated.

Compliance demands

Finite State's approach also centres on producing software bills of materials, vulnerability exploitability exchange records, traceability data and audit-ready reports on a continuous basis. Such outputs are becoming more important as automotive groups respond to evolving cyber obligations and customer assurance requirements.

For the sector, the challenge is not only technical but organisational. Carmakers rely on multi-tier supplier networks, while software is updated more often and integrated across a broader set of systems than in previous vehicle generations. That makes it harder to maintain a single, accurate view of what components are present and how risk should be assigned.

It also complicates accountability when vulnerabilities emerge. A weakness may originate in a third-party library, appear inside supplier-delivered software and then surface in a finished vehicle sold under an OEM brand, leaving manufacturers to prove both awareness and remediation.

Finite State, which focuses on product security and software supply chain risk management, has positioned itself around that problem set in industries including automotive and medical devices. Its message to vehicle makers is that fragmented tooling and manual workflows are struggling to keep pace with firmware-heavy systems and continuous software delivery.

Hagi's session will address how automotive security teams can build more defensible workflows as the software footprint in vehicles continues to expand.