Supply Chain Strategies | ISO/SAE 21434 and WP.29 CSMS


There are multiple possible strategies for securing the supply chain, and securing it is mandated both by the WP.29 regulation (the CSMS requirements of UN R155) and by the ISO/SAE 21434 standard.

The ISO/SAE 21434 standard goes further and describes specific strategies for how the supply chain can be secured.

The first one is that, as part of the supplier evaluation by the OEM, the supplier provides the OEM with a cybersecurity record of capability. This record includes evidence of the supplier's cybersecurity quality: the overall cybersecurity management system for the security of its vehicle components, the supplier's overall information security management, and evidence of past cybersecurity assessments of the supplier.

The second strategy is that, as part of the contractual agreement between the supplier and the OEM, a cybersecurity interface agreement for development is included. This agreement lists the division of responsibilities between the supplier and the OEM throughout the vehicle lifecycle, from development to production and post-production.

There is no single prescribed method for doing this; the important thing is to actually define how responsibilities are shared and divided. One possible model is RASIC, which stands for Responsible, Approve, Support, Inform, and Consult: for each activity, one party is responsible for carrying it out, and the others approve, support, are informed, or are consulted.

Applying this model in post-production, for example, can mean that the supplier is responsible for monitoring its component for newly reported vulnerabilities throughout the vehicle lifecycle. Once a new vulnerability is detected, the supplier assesses it using a TARA (threat analysis and risk assessment), and if the resulting risk level justifies it, the supplier informs the OEM.

The OEM then consults the supplier on whether a fix is required; the supplier develops and tests the fix, and the OEM tests it in turn. Once the fix is approved, it is deployed to the vehicles as a FOTA (firmware over-the-air) update.
