January 7, 2026 | Brandon Thomas, Managing Partner

Why Autonomous Vehicle Operators Face a Different Cybersecurity Problem Than Everyone Else

AV operators inherit the cyber risk of transportation, IT, and OT simultaneously — and most standard security frameworks were not built for that convergence.


The organizations deploying autonomous vehicles today face one of the most complex cybersecurity challenges in modern infrastructure. They are not just IT shops. They are not just transportation operators. They are both at once, and they have inherited the attack surface of each.

The Convergence Problem Nobody Talks About

Most cybersecurity guidance treats IT and OT as separate domains. That separation is increasingly a fiction, and especially so for AV operators. A modern autonomous vehicle deployment involves cloud management platforms, vehicle control systems, V2X communications, and physical sensors, each with its own firmware, attack surface, and failure modes.

The adversary does not recognize the IT/OT boundary. A compromise of the fleet management cloud can propagate to vehicle commands. A compromised roadside unit can inject false positioning data. An unsecured API in the passenger app is an entry point to network segments that were never designed for external traffic.

Why Traditional MDR Falls Short for AV Environments

Most commercial MDR services are optimized for enterprise IT: Windows endpoints, SaaS applications, corporate networks. AV operations generate fundamentally different telemetry: high-frequency sensor data, vehicle state changes, and OT protocols like CAN bus and SOME/IP that most SIEM platforms do not natively parse.

An MDR solution deployed on an AV program needs custom detection logic, purpose-built playbooks, and analysts who understand what normal looks like in an AV environment.
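The kind of custom parsing and baseline-driven detection described above can be sketched as follows. This is an added example, not code from the article or from any program it mentions. It assumes frames captured in the `candump -l` log format for classic CAN; the arbitration IDs, expected periods, tolerance, and sample capture are all constructed for illustration.

```python
import re

# candump -l log format for classic CAN: "(sec.usec) iface ID#HEXDATA"
FRAME = re.compile(
    r"\((\d+)\.(\d{6})\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$"
)

# Constructed baseline ("what normal looks like"): ID -> expected period in microseconds.
BASELINE_US = {0x0C4: 10_000, 0x1A0: 20_000}

# Constructed sample capture (not from a real vehicle); the last line is in a different format.
SAMPLE = """\
(100.000000) can0 0C4#0011223344556677
(100.000500) can0 1A0#AABB
(100.010000) can0 0C4#0011223344556678
(100.020000) can0 0C4#0011223344556679
(100.020500) can0 1A0#AABB
(100.021000) can0 0C4#FFFFFFFFFFFFFFFF
(100.025000) can0 5F1#0102
  can0  0C4   [8]  00 11 22 33 44 55 66 77
""".splitlines()

def parse_frame(line):
    """Return a normalized event dict, or None if the line is not a classic CAN frame."""
    m = FRAME.match(line.strip())
    if not m:
        return None
    sec, usec, iface, can_id, data = m.groups()
    return {"ts_us": int(sec) * 1_000_000 + int(usec), "iface": iface,
            "can_id": int(can_id, 16), "data": bytes.fromhex(data)}

def detect(lines, baseline=BASELINE_US, tolerance=0.5):
    """Flag unparsable lines, IDs outside the baseline, and frames arriving too fast."""
    alerts, last_seen = [], {}
    for line in lines:
        ev = parse_frame(line)
        if ev is None:
            alerts.append({"rule": "unparsed", "raw": line})
            continue
        cid, ts = ev["can_id"], ev["ts_us"]
        if cid not in baseline:
            alerts.append({"rule": "unknown_id", "can_id": hex(cid), "ts_us": ts})
            continue
        prev = last_seen.get(cid)
        if prev is not None and ts - prev < baseline[cid] * (1 - tolerance):
            alerts.append({"rule": "rate_high", "can_id": hex(cid),
                           "ts_us": ts, "gap_us": ts - prev})
        last_seen[cid] = ts
    return alerts
```

Each alert is a flat dict so it can be serialized and forwarded to a SIEM as a normalized event; unparsable lines are surfaced as alerts rather than dropped, so a format change in the collector does not silently blind the detection.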

The NIST CSF 2.0 Gap for Mobility Operators

NIST Cybersecurity Framework 2.0 is the right backbone for an AV cybersecurity program. But the implementation guidance at each function needs significant adaptation for mobility contexts — from continuous asset discovery for moving fleets, to detection logic calibrated to operational telemetry, to incident response playbooks that account for the physical dimension of a cyber incident affecting vehicle operations.

What the First Fully Autonomous Public Transit Deployment Taught Us

The JTA NAVI program in Jacksonville, the first fully autonomous public transportation network in the United States, offered a real-world proving ground for these principles. Several lessons apply broadly to commercial AV operators: elevate cybersecurity to the program level, build shared responsibility explicitly across every vendor and integrator, invest in detection before you need it, and ensure tabletop exercises include physical scenarios.

Bottom Line

Autonomous vehicle operators are not enterprise IT organizations with vehicles bolted on. The security architecture, monitoring approach, incident response procedures, and governance structure all need to account for the specific convergence of IT, OT, and physical operations that AV programs represent. The programs that get this right treat cybersecurity as a program-level discipline from day one.
