Supply Chain Strategies | ISO/SAE 21434 and WP.29 CSMS


There are multiple possible strategies to secure the supply chain. And securing the supply chain is mandated both by the WP.29 regulation and by the ISO/SAE 21434 standard.

The ISO/SAE standard even offers specific strategies on how to secure the supply chain.

The first one is that as part of the supplier evaluation by the OEM, the supplier would provide the OEM with a cybersecurity record of capability. This record will include various evidence on the cybersecurity quality of the supplier, including the overall cybersecurity management system with regards to the vehicles’ automotive security, the overall information security management of the supplier, and evidence of past cybersecurity assessments of the supplier.

The second strategy is that as part of the contractual agreement between the supplier and the OEM, a cybersecurity interface for development will be included. This agreement will list the overall division of responsibilities between the supplier and the OEM throughout the vehicle lifecycle from development to production and post-production.

There is not one method in how to do that, therefore, the important thing is to actually define how responsibilities will be shared and divided. One possible model for doing that is called RASIC, which stands for Responsible, Approve, Support, Inform, and Consult.

Implementing this model throughout the vehicle lifecycle in post-production, for example, can include the supplier monitoring for ongoing vulnerabilities regarding its component throughout the vehicle lifecycle. Once a new vulnerability is detected, it will be assessed using TARA by the supplier, and if the risk level justifies it, the supplier will inform the OEM.

The OEM will then consult the supplier if a fix is required, the supplier will develop and test the fix, and then the OEM will test the fix. And once the fix is approved, it will be deployed as a FOTA to the vehicles.

Newsletter Icon

to our newsletter

Sign up to receive updates delivered to your inbox

The high-impact automotive cyber security trends and incidents of H1-2022

This webinar will discuss three emerging cyber threats and their potential impact on end users, OEMs, and the entire smart mobility ecosystem.

More Details

H1’2022 Automotive Cyber Trend Report

This report offers extensive coverage and analysis of automotive-specific cyber incidents across all attack vectors and their impact on the wide ecosystem.

More Details

EV 充電所 拡大に向けて: EV充電所インフラ安全確保への課題

Delivering driver confidence with robust charging networks has created new opportunities for hackers to penetrate OEM and Tier-1 networks by tampering with charging station data.

More Details

The Leading Managed Vehicle SOC: Actively Protecting Millions of Vehicles for OEMs Worldwide

Protect automotive cybersecurity with an automotive-specific Vehicle Security Operations Center (VSOCs) to address the complexity of cyberattacks targeting OT networks, such as connected vehicles and&

More Details

Beyond Cyber: Upstream Puts Data in Motion

Automotive data in the cloud breaks silos, allowing teams to analyze information in the pursuit of identifying exciting new revenue opportunities.

More Details

2022 グローバルモビリティ サイバーセキュリティ報告書

2022 グローバルモビリティ サイバーセキュリティ報告書2022年版のサイバーセキュリティ報告書では過去10年に実際に 起こったサイバー攻撃の脅威を

More Details