Guardians of the Grid

Rajiv Pandey, Vice President of Technology at Tata Motors, is clear about one thing: cybersecurity is now foundational to the company’s innovation agenda. With more intelligent and connected vehicles, Tata Motors has gone far beyond IT protection to adopt an end-to-end security approach at every stage in the lifecycle.

From AI-led threat detection and Zero Trust architecture to global compliance and supply chain monitoring, Tata Motors is putting digital trust into layers throughout the company; not simply as security, but as a continued weight for strategic growth.

How has your cybersecurity strategy evolved in recent years, especially with the increasing digitisation and connectivity of modern vehicles?

Our cybersecurity strategy has significantly evolved to address the growing complexity of modern, connected vehicles. We’ve transitioned from conventional perimeter defences to a comprehensive, layered approach that incorporates secure vehicle platforms, Zero Trust principles, and AI-driven risk mitigation.

Our cybersecurity is now embedded across the vehicle lifecycle —from design to decommissioning—ensuring encrypted communications, secure over-the-air (OTA) updates, and real-time threat detection. We’ve reinforced governance through board-level oversight and adhere strictly to global standards such as ISO 27001 and India’s DPDP Act.

Cybersecurity is no longer a back-end function—it’s central to how we design, build, and deliver vehicles, with a multi-layered approach to securing the connected vehicle ecosystem and digital operations.

In addition, we regularly conduct resilience drills and foster collaboration across the Tata ecosystem to proactively address emerging threats. Today, cybersecurity is no longer just a safeguard; it is a strategic pillar that empowers trust, safety, and continuous innovation.

Connected vehicles process vast amounts of data—how are you ensuring customer data privacy and integrity across your digital ecosystem?

We’ve embedded privacy-by-design across every layer of our connected vehicle ecosystem, ensuring that data protection is a foundational principle, not an afterthought. Customer information is safeguarded through robust encryption, granular access controls, and secure, resilient cloud infrastructure.

The complexity and scale of automotive supply chains pose unique cybersecurity challenges, particularly when third-party software and components are involved. Vulnerabilities can emerge from diverse sources, including open-source code and hardware or software bills of materials sourced from multiple suppliers.

Our practices align with global data protection standards and are fully compliant with India’s DPDP Act. To reinforce accountability, governance is anchored at the board level, and we conduct rigorous audits of third-party partners to uphold data integrity across the value chain.

Ultimately, our commitment is clear: to earn and sustain customer trust through transparency, uncompromising security, and responsible data stewardship.

What unique cybersecurity challenges do automotive manufacturers face when it comes to securing the supply chain, particularly with third-party software and components?

The complexity and scale of automotive supply chains pose unique cybersecurity challenges, particularly when third-party software and components are involved. Vulnerabilities can emerge from diverse sources, including open-source code and hardware or software bills of materials sourced from multiple suppliers.

To address this, a robust cybersecurity interface agreement with supply chain partners is essential. This includes a clear understanding of software upgrades and patches in response to known vulnerabilities, ensuring that the cybersecurity posture remains effective and up to date throughout the vehicle’s service life. Regulatory developments such as the upcoming AIS 189 are aligned with this need, and preparations are underway to ensure compliance and readiness across the ecosystem.

How are you navigating and complying with diverse global data protection and cybersecurity regulations, especially with operations spanning multiple countries and regions?

Tata Motors operates with a global-first mindset, aligning cybersecurity and data protection practices with international standards such as GDPR, India’s DPDP Act, ISO 21434, and ISO 27001. Systems are designed to support consent management, data localisation, and encrypted cross-border data transfers.

Ongoing audits, strong vendor governance, and board-level oversight help us ensure proactive compliance with evolving regulations. The focus remains on maintaining customer trust and enabling operational agility across markets.

What role do AI and automation play in your organisation’s threat detection and incident response framework? Are you experimenting with predictive or self-healing security models?

AI and automation are central to Tata Motors’ cybersecurity strategy, supporting real-time threat detection, anomaly analysis, and automated incident triage. These tools reduce false positives and improve response times.

Predictive and self-healing security models are currently being piloted, particularly within connected vehicle platforms and manufacturing environments. These models forecast vulnerabilities and enable automated containment and remediation.

To ensure responsible deployment, an AI Risk Governance Board has been established at Tata Motors, with quarterly reviews focused on AI risk mitigation. The overarching approach is designed to balance innovation with trust, adaptability, and operational resilience.

Could you share a real-world example of a security upgrade or initiative that significantly enhanced resilience in your vehicles or manufacturing systems?

To enhance resilience in manufacturing systems, Tata Motors has deployed smart sensors, digital history cards, and online Statistical Process Control (SPC) for real-time monitoring of critical components. These tools have strengthened early anomaly detection and enabled prompt responses to potential threats.

On the vehicle side, a comprehensive upgrade of electrical and electronic (E&E) architectures has been carried out across the board to ensure a robust gateway.

Tata Motors operates with a global-first mindset, aligning cybersecurity and data protection practices with international standards such as GDPR, India’s DPDP Act, ISO 21434, and ISO 27001. Systems are designed to support consent management, data localization, and encrypted cross-border data transfers.

In parallel, our cybersecurity approach has been strengthened through automated operational technology (OT) asset discovery and preparation for compliance with global standards such as UNR 155/156 and ISO 21434. Together, these initiatives have significantly advanced resilience across both vehicle platforms and production environments.

What key cybersecurity lessons would you share with other CISOs, especially from industries just beginning their connected technology journeys?

Drawing from Tata Motors’ experience in navigating the complexities of connected mobility, the following principles have emerged as critical for any organisation embarking on its cybersecurity journey:

• Secure by design: Cybersecurity must be embedded from the outset, not treated as a post-deployment addition. Integrating security into every layer is fundamental to long-term resilience.
• Zero Trust is essential: Every system and supplier should be secured with strict access controls and encryption.
• Governance matters: Cybersecurity should be treated as a strategic priority, anchored in board-level oversight and integrated into enterprise-wide risk frameworks.
• Culture drives resilience: Investing in training and awareness is key to making security a shared responsibility across teams. A strong security culture ensures that protection is not just technical but also behavioural.

aanchalg@cybermedia.co.in