Despite indications to the contrary, Canadians do agree on some things. Most of us assume that if a vehicle is legally sold, registered, insured and driving on public roads, somebody has worked through the most pressing safety and security questions. Yet, that assumption is becoming less reliable. Modern vehicles are no longer just mechanical beasts with software added for convenience. They are becoming software-defined systems that receive remote updates, generate diagnostic and location data, connect to phones and service tools, and communicate with manufacturer systems, fleet platforms, insurers, repair networks and roadside infrastructure.
Attack Vectors Are Numerous
The attack vectors are numerous and specific enough to regulate around. These include malicious or compromised over-the-air updates, exposed telematics units, weak mobile-app integrations, insecure diagnostic tools, cloud-to-vehicle command channels, stolen keys or vendor credentials, rollbacks to vulnerable software versions, data exfiltration from fleet systems, and co-ordinated disruption across vehicles that share the same update or management platform, to name just a few.
A single, private vehicle is one risk profile. A shared, connected and continuously deployed fleet is at another scale.
Global Approaches to Cybersecurity
Other jurisdictions have recognized the problem, although in different ways. The United States has moved toward restrictions on connected-vehicle software and hardware tied to countries of concern. Europe has leaned into process regulation, including cybersecurity management requirements for vehicle approval. Canada, by contrast, has mostly relied on guidance and voluntary tools. Those may be useful as a starting point, but they are not the same as a jurisdictional operating regime for connected vehicles already entering public and commercial use on a significant scale.
Alberta's Opportunity
This is where Alberta has an opening. The province should not treat connected-vehicle cybersecurity as a distant national policy file. Alberta has real authority over the environment where vehicles operate — registration, insurance, road use, procurement, public fleets, commercial fleets and infrastructure-adjacent activity. Calgary alone added 24,500 tech workers between 2021 and 2024, a 61 per cent growth rate, the fastest of any major North American market over that period. That gives Alberta a talent base to treat automotive cybersecurity as a practical economic lever, not just a defensive concern.
Key Questions to Address
The initial questions are straightforward. Can a fleet operator verify what software is running, where it came from and whether it is current? Are updates protected against rollback to vulnerable versions? What data is collected, where does it go, and who can access it? What obligations does a vendor have when support ends, credentials are compromised or a cyber incident affects safety-relevant systems? And what is the blast radius if the problem is not one vehicle, but an entire fleet using the same update channel?
