Automotive cybersecurity engineering starts with threat analysis and risk assessment (TARA)

Dec 8, 2022 by Dr. Zhendong Ma and Ronaldo Mendes

As software and connectivity fundamentally transform the automotive industry — due to the advent of autonomous driving, shared mobility and electrification — cybersecurity becomes one of the make-or-break challenges for the industry. Regulations such as UNECE R155 require OEMs and their suppliers to integrate cybersecurity activities into the whole project lifecycle and to provide evidence of timely, end-to-end and effective cybersecurity management, which ultimately allows the system to be certified as secured against cyberattacks. A central concern for the automotive domain is to ensure that the vehicle, system and/or component is cyber resilient. For that purpose, the recently released international standard ISO/SAE 21434 provides guidance on how to perform one of the most relevant cybersecurity activities: the TARA.

What is TARA and why does it matter?

In the context of automotive cybersecurity engineering, risk assessment is called “Threat Analysis and Risk Assessment (TARA).” It’s an automotive-specific risk assessment procedure aligned with the ISO/SAE 21434 standard. As with any risk assessment, TARA starts with the definition of the item whose cyber resilience must be ensured. Afterwards, damage scenarios and threats are identified, and their respective impact and attack feasibility are carefully assessed to determine a corresponding risk value, which is then treated accordingly.

TARA is an indispensable mechanism for driving security by design — which has proven to be the most effective and efficient way of ensuring security in the final product. Ultimately, as TARA is one of the core activities defined within ISO/SAE 21434, customers will certainly demand its execution and maintenance throughout the product lifecycle.

How to perform TARA

ISO/SAE 21434 provides a standardized approach to TARA such that risk and risk treatment decisions can be understood and compared across organizations along the supply chain. Generally, TARA consists of the following steps:

  • Asset identification — to identify objects of the system that need to be protected from cyberattacks (e.g., a software program or a communication link)
  • Damage scenario identification and impact rating — to identify negative consequences from a successful cyberattack and to estimate the impact on the system and its user
  • Threat scenario identification and attack path analysis — to enumerate potential ways of attacking the asset and to identify the series of actions required to achieve these attacks
  • Attack feasibility rating — to estimate the ease or plausibility of identified attacks
  • Risk value determination — to calculate the value of risk from impact and attack feasibility
  • Risk treatment decision — to make conscious decisions about treating potential attacks (e.g., reducing the risk or retaining the risk)
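The steps above can be traced end to end on a small worked example. The Python below is an added illustration, not code from the article or from ISO/SAE 21434: it rates impact per category, scores an attack path with the attack-potential factors (elapsed time, expertise, knowledge of the item, window of opportunity, equipment), buckets the sum into a feasibility rating, looks the pair up in a risk matrix and derives a treatment decision. The point tables, thresholds, risk matrix and treatment policy are constructed in the style of the standard's informative annexes and must be checked against your copy of the standard and your organisation's own calibration; the two threat scenarios for a hypothetical ECU are constructed sample input.

```python
"""Worked TARA calculation for one item: impact rating, attack feasibility,
risk value and treatment decision.  Added example; all scales, point values,
thresholds and the risk matrix are constructed, not copied from the standard."""
from dataclasses import dataclass
from typing import Dict, List

# Ordered rating scales: index position gives severity order
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
IMPACT_CATEGORIES = ("safety", "financial", "operational", "privacy")

# Attack-potential factors: more points means a harder attack (constructed values)
ATTACK_POTENTIAL: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise":    {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge":    {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window":       {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment":    {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}

# Risk matrix: impact level x attack feasibility -> risk value 1..5 (constructed)
RISK_MATRIX = {
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
}


@dataclass
class ThreatScenario:
    asset: str
    damage_scenario: str
    impact: Dict[str, str]        # impact category -> impact level
    attack_path: Dict[str, str]   # attack-potential factor -> chosen value


def impact_rating(impact: Dict[str, str]) -> str:
    """Overall impact is the worst rating over the four categories; every category must be rated."""
    missing = set(IMPACT_CATEGORIES) - set(impact)
    if missing:
        raise ValueError(f"impact not rated for {sorted(missing)}")
    return max((impact[c] for c in IMPACT_CATEGORIES), key=IMPACT_LEVELS.index)


def attack_feasibility(attack_path: Dict[str, str]) -> str:
    """Attack-potential approach: sum the factor points, then bucket into a rating.
    A missing factor would silently lower the sum and overstate feasibility, so refuse it."""
    missing = set(ATTACK_POTENTIAL) - set(attack_path)
    if missing:
        raise ValueError(f"attack path not rated for {sorted(missing)}")
    points = sum(ATTACK_POTENTIAL[f][attack_path[f]] for f in ATTACK_POTENTIAL)
    if points <= 13:
        return "high"
    if points <= 19:
        return "medium"
    if points <= 24:
        return "low"
    return "very low"


def risk_value(impact_level: str, feasibility: str) -> int:
    return RISK_MATRIX[impact_level][feasibility]


def treatment_decision(risk: int) -> str:
    """Constructed treatment policy; the standard's options are avoid, reduce, share and retain."""
    if risk == 1:
        return "retain (document the rationale)"
    if risk <= 3:
        return "reduce (derive a cybersecurity goal and a control)"
    return "reduce or avoid (redesign; escalate to project management)"


def assess(ts: ThreatScenario) -> Dict[str, object]:
    impact = impact_rating(ts.impact)
    feas = attack_feasibility(ts.attack_path)
    risk = risk_value(impact, feas)
    return {"asset": ts.asset, "impact": impact, "feasibility": feas,
            "risk": risk, "treatment": treatment_decision(risk)}


# Constructed sample threat scenarios for a hypothetical ECU
SAMPLE_THREATS: List[ThreatScenario] = [
    ThreatScenario(
        asset="ECU application software (integrity)",
        damage_scenario="Manipulated control software causes unintended actuation",
        impact={"safety": "major", "financial": "moderate", "operational": "major", "privacy": "negligible"},
        attack_path={"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                     "window": "moderate", "equipment": "specialized"},
    ),
    ThreatScenario(
        asset="Driver profile data (confidentiality)",
        damage_scenario="Personal data of the driver is disclosed to a third party",
        impact={"safety": "negligible", "financial": "moderate", "operational": "negligible", "privacy": "major"},
        attack_path={"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "public",
                     "window": "easy", "equipment": "standard"},
    ),
]

if __name__ == "__main__":
    for ts in SAMPLE_THREATS:
        print(assess(ts))  # first scenario: feasibility "low", risk 2; second: "high", risk 4
```

Two design choices matter in practice: the overall impact is the maximum over the categories rather than an average, so a single safety-relevant damage scenario cannot be diluted by negligible financial or privacy ratings, and both rating functions refuse incomplete input, because an unrated factor would quietly push the risk value in the optimistic direction.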

Who should perform TARA?

Risk treatment decisions are used to derive cybersecurity design, architecture and implementation details. Without a proper TARA, cybersecurity engineering is prone to failure: security controls might not be considered if a potential threat hasn’t been identified, or incorrect risk values may lead to a wrong priority ranking in which high risks are mistakenly treated as acceptable ones.

The quality of a TARA strongly depends on the knowledge and experience of the cybersecurity engineers who perform the analysis. In addition to being familiar with the standard and the method, a competent cybersecurity engineer needs an in-depth understanding of the automotive systems under evaluation and up-to-date knowledge of attack methods and exploitation techniques specific to the automotive domain. Additionally, he or she must be a good communicator when collaborating with development teams, architects, safety engineers and other experts in order to complete the different parts of the TARA.

Tips and reminders for TARA

Details matter: In a TARA process, an experienced cybersecurity engineer knows where to focus, where vulnerabilities are likely to appear, where to look for common attack paths and how to produce information that remains useful later in the project. The description of a threat needs to be precise and informative enough to support the derivation of cybersecurity goals and effective countermeasures.

TARA is an iterative process done in tandem with project development. Often, key information is missing at the beginning of a project. One way to overcome this is to use assumptions to limit the scope of the analysis and to offset the lack of information. These assumptions are then revised once more information (such as the system architecture and software design) becomes available. For example, by assuming that an electronic control unit (ECU) requires security access for privileged diagnostic services, you can exclude threats that use the diagnostic interface directly to read and write ECU data or code. As more details become available during project development, additional threats related to bypassing or manipulating the security access implementation can be added to the analysis.
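The ECU example above is easy to get wrong in practice: an assumption that silently excludes threats and is never revisited leaves a gap in the analysis. The Python below is an added illustration (not code from the article or from any tooling the authors use) of how to record assumptions as first-class objects with a status, let them take threat scenarios out of scope only while they are open or confirmed, report the assumptions still open at a milestone, and bring excluded threats back automatically if a later design review invalidates the assumption. All identifiers (A1, T1 to T3) and scenario texts are constructed.

```python
"""Assumption-scoped threat scenarios across TARA iterations.
Added example; identifiers, statements and scenarios are constructed."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set

ASSUMPTION_STATES = ("open", "confirmed", "invalidated")


@dataclass
class Assumption:
    ident: str
    statement: str
    status: str = "open"   # open -> confirmed or invalidated once design information arrives


@dataclass
class ThreatScenario:
    ident: str
    description: str
    excluded_by: Set[str] = field(default_factory=set)   # assumption ids that take it out of scope


def in_scope(threats: List[ThreatScenario], assumptions: List[Assumption]) -> List[ThreatScenario]:
    """An open or confirmed assumption keeps the threats it covers out of scope;
    an invalidated assumption puts them back without anyone having to remember them."""
    active = {a.ident for a in assumptions if a.status in ("open", "confirmed")}
    return [t for t in threats if not (t.excluded_by & active)]


def open_assumptions(assumptions: List[Assumption]) -> List[Assumption]:
    """Assumptions still unverified; each one is a work item for the next iteration."""
    return [a for a in assumptions if a.status == "open"]


def set_status(assumptions: List[Assumption], ident: str, status: str) -> None:
    if status not in ASSUMPTION_STATES:
        raise ValueError(f"unknown status {status!r}")
    for a in assumptions:
        if a.ident == ident:
            a.status = status
            return
    raise KeyError(ident)


def run_iterations() -> Dict[str, List[str]]:
    """Walk a hypothetical ECU analysis through two iterations and an alternative outcome."""
    assumptions = [Assumption(
        "A1", "The ECU requires security access before serving privileged diagnostic services")]
    threats = [
        ThreatScenario("T1", "Read or write ECU data or code directly over the diagnostic interface",
                       excluded_by={"A1"}),
        ThreatScenario("T2", "Alter ECU data or code through an unauthenticated software update"),
    ]
    result: Dict[str, List[str]] = {}

    # Iteration 1: architecture not yet available, so A1 offsets the missing information
    result["iteration_1"] = [t.ident for t in in_scope(threats, assumptions)]
    result["open_after_1"] = [a.ident for a in open_assumptions(assumptions)]
    snapshot = (copy.deepcopy(assumptions), copy.deepcopy(threats))

    # Iteration 2: the design confirms security access exists; its implementation
    # is now itself an asset, so threats against it are added to the analysis
    set_status(assumptions, "A1", "confirmed")
    threats.append(ThreatScenario("T3", "Bypass or manipulate the security access implementation"))
    result["iteration_2"] = [t.ident for t in in_scope(threats, assumptions)]
    result["open_after_2"] = [a.ident for a in open_assumptions(assumptions)]

    # Alternative outcome from the same starting point: the design review finds
    # no security access at all, so the assumption is invalidated and T1 returns to scope
    alt_assumptions, alt_threats = snapshot
    set_status(alt_assumptions, "A1", "invalidated")
    result["if_invalidated"] = [t.ident for t in in_scope(alt_threats, alt_assumptions)]
    return result


if __name__ == "__main__":
    for step, ids in run_iterations().items():
        print(f"{step}: {ids}")
```

A useful project rule on top of this: any assumption still reported by `open_assumptions` at a release milestone is treated as a finding, because the threats it excludes have never been assessed.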

Achieving TARA excellence

TARA is a pivotal step for systematically managing automotive cybersecurity risks. Familiarity with the TARA process, method and tools, combined with knowledge of automotive cybersecurity engineering and past project experience, are key factors in guaranteeing the quality of a TARA. Zoreza Global has a pool of automotive cybersecurity consultants with the technical expertise to steer your organization toward TARA excellence. Contact our Software Factory team to learn more about how we can support your TARA process and secure your automotive products.
