Automotive engineering teams are being asked to deliver faster, with less tolerance for failure.
Software-defined vehicle programmes, secure OTA rollouts, zonal and service-oriented architectures, and continuous feature delivery are now baseline expectations. In parallel, regulatory pressure is increasing — from WP.29 (R155/R156), ISO/SAE 21434, and the forthcoming EU Cyber Resilience Act — tightening requirements around software integrity, traceability, and lifecycle governance.
None of these forces are new in isolation. What is new is how they converge on an area that’s often under-designed: cryptographic key management.
Across OEMs and suppliers, keys and certificates are becoming one of the hardest parts of the vehicle stack to scale reliably — not because teams lack cryptography, but because operating models and ownership haven’t kept pace.
Most automotive programmes didn’t start with a “key management problem”. They started with:
- a small number of ECUs
- limited OTA scope
- stable manufacturing processes
- long certificate lifetimes
As platforms evolve, identity and key handling tend to evolve organically — and often independently — across engineering teams, suppliers, plants, and cloud systems.
The result is a familiar set of failure modes:
- Certificates and key material expire mid-fleet, triggering update failures or emergency workarounds
- Firmware updates fail validation because signing chains differ across ECU generations
- Factory-injected keys don’t align cleanly with cloud or OTA trust models
- Different teams own different parts of the signing and identity lifecycle, with no single system of record
- Audit and compliance questions surface late, when remediation is slow and disruptive
These issues are rarely caused by “bad PKI”.
They’re caused by manual, fragmented key management being stretched beyond what it was designed to support.
As software becomes the primary vehicle differentiator, keys and certificates stop being a background security concern and start influencing core engineering outcomes.
Key and certificate issues now directly impact:
- OTA reliability, rollback behaviour, and recovery paths
- release cadence and update velocity
- factory provisioning consistency across plants and regions
- diagnostic and workshop access
- compliance evidence, traceability, and audit readiness
In other words, key management is no longer only about protecting assets — it’s increasingly about whether SDV programmes can operate smoothly at scale.
Many teams reach the same conclusion partway through expansion:
“We didn’t design our key management for this.”
Regulatory frameworks don’t just require controls — they require proof.
WP.29, ISO/SAE 21434, and the EU CRA increasingly expect:
- demonstrable software integrity
- traceable signing processes
- repeatable lifecycle controls
- evidence that keys and certificates are governed consistently over time
Manual processes and loosely coordinated tooling struggle to meet these expectations without introducing operational drag. As timelines tighten, the gap between using cryptography and managing cryptography at scale becomes harder to ignore.
This paper provides an engineering-led view of cryptographic key management in modern automotive environments, including:
- how key management typically evolves inside real SDV programmes
- where manual and fragmented approaches begin to fail
- the relationship between OTA, ECU identity, manufacturing provisioning, and cloud trust
- why long-lived keys can become a hidden source of risk
- what changes when key management is treated as infrastructure, not tooling
It’s written for engineering, platform, and security teams who already feel these pressures — not as a theoretical PKI primer.
Get the full PDF with analysis, examples, and practical framing drawn from real-world automotive programmes.
You’ll get instant access to a copy covering the patterns we’re seeing as vehicles, software, and identity scale together — and why key management is increasingly central to delivery, not just security.