Supply Chain Strategies | ISO/SAE 21434 and WP.29 CSMS

TEAM UPSTREAM

There are multiple possible strategies for securing the supply chain, and securing it is mandated by both the WP.29 regulation and the ISO/SAE 21434 standard.

The ISO/SAE standard even offers specific strategies on how to secure the supply chain.

The first is that, as part of the OEM's supplier evaluation, the supplier provides the OEM with a cybersecurity record of capability. This record includes various evidence of the supplier's cybersecurity quality, including its overall cybersecurity management system with regard to the vehicles' automotive security, its overall information security management, and evidence of past cybersecurity assessments of the supplier.

The second strategy is that as part of the contractual agreement between the supplier and the OEM, a cybersecurity interface for development will be included. This agreement will list the overall division of responsibilities between the supplier and the OEM throughout the vehicle lifecycle from development to production and post-production.

There is no single method for doing that, so the important thing is to actually define how responsibilities will be shared and divided. One possible model for doing that is called RASIC, which stands for Responsible, Approve, Support, Inform, and Consult.

In post-production, for example, implementing this model can include the supplier monitoring on an ongoing basis for vulnerabilities in its component throughout the vehicle lifecycle. Once a new vulnerability is detected, the supplier assesses it using TARA and, if the risk level justifies it, informs the OEM.

The OEM will then consult the supplier if a fix is required; the supplier will develop and test the fix, and then the OEM will test it. Once the fix is approved, it will be deployed to the vehicles as a FOTA update.
