December 2025: Constructive Cybersecurity Assurance Cases

When
Wednesday, December 03, 2025 11:00 AM EST

Who
Brian Murray, Director, Product Safety and Cybersecurity, STEER Tech

What
“Constructive Cybersecurity Assurance Cases”

Description
OEMs need to ensure the security of their supply chains. Meanwhile, non-traditional and new suppliers are on the rise. With ISO/SAE 21434, UNECE R155, and the Auto-ISAC, the automotive industry has a way forward on product cybersecurity, but it is still labor-intensive and expensive, especially for non-traditional suppliers. Moreover, OEMs need a way to efficiently flow down expectations and requirements and to receive and combine evidence of acceptable risk from multiple sources. 

One possible solution is to leverage cybersecurity assurance cases. These are already required by ISO/SAE 21434 [RQ-06-23], but commonly, the cybersecurity case produced by suppliers is just the set of work products already required by 21434 – evidence, but not an argument. We will show that cybersecurity assurance cases can be structured into an argument and that this approach can be more efficient for suppliers. We also show how assurance cases from suppliers can be compiled into an argument for the entire vehicle that is easier to navigate for assessors. The approach can be used beyond product security and may also be helpful for OT security.
