Threat Analysis and Risk Assessment in Practice

An asset is something related to the item that is crucial for a stakeholder and worth protecting. Examples of assets include internet communication channels, encryption keys and safety goals. The asset is important not only to the stakeholder — who benefits from its functionality — but also to a threat actor — who can use it to compromise the system.

Therefore, the first task is to list all your assets. Then systematically ascertain the following cybersecurity attributes of question each asset:

• Confidentiality
• Integrity
• Availability
• Nonrepudiation
• Authenticity
• Authorization

Next, identify the damage scenarios by evaluating what could happen if the assets’ cybersecurity properties are compromised.

In this step, we evaluate the damage scenarios according to what consequences they may have for your stakeholders. This includes functional safety, finance, operations and privacy. ISO 21434 provides guidance on how to determine the damage scenario's severity. We can provide formulas and preset templates to help you calculate the ISO 21434 severity determination. A damage scenario will not impact each stakeholder equally.

This also accomplishes Target 1: rating the impact of damage.

In this step, we look at the assets again and determine what threat scenario may arise. A threat scenario is one potential way in which a damage scenario could be realized. In the threat scenario analysis, we try to identify what could happen if an item for which a security property of an asset is violated, and a threat scenario is realized. There are multiple ways to determine a damage scenario. For example, if we consider a compromised switch, the damage scenario could result in a possible threat scenario, namely by spoofing or flooding the controller area network (CAN) bus.

Next, consider what path a potential attacker must follow for the threat scenario to occur. This is called attack path. For example, the compromised switch we considered in the previous step is located somewhere in the middle of the vehicle. To compromise the CAN bus, an attacker has to find a way through the system. The aim of this step is to identify this path.

ISO/SAE 21434 ignores the intruder and the possible motivation. Instead, it focuses on the technical possibility of an attack, reverse-engineering how an attack on a compromised cybersecurity property would have to be configured to be successful.

The United Nations Economic Commission for Europe (UNECE) regulations UN R155 and R156 provide a list of examples of vulnerabilities. Determine if these vulnerabilities are relevant in your system and identify additional threat scenarios.

Not every theoretically possible attack is feasible in practice. Encryption, for example, may make a possible attack unlikely. In this step, we evaluate the potential for the attack to take place by considering five key parameters:

1. Elapsed time 
2. Required expertise  
3. Product know-how  
4. Required equipment  
5. Window of opportunity  

Once we determine whether it is feasible for an attacker to conduct a successful attack, we have achieved Target 2: rating the feasibility of an attack (also called ease of attack).

In this step, we combine the results of the impact rating (the impact of the associated damage scenario, Target 1) and attack feasibility rating (the feasibility of the attack paths, Target 2):

Risk value = Impact × Attack feasibility

Because stakeholders may assess risks differently, we must apply a different risk value for each stakeholder.

This step achieves Target 3: determining the risk value.

Manufacturers have several options for dealing with risks:

• Avoidance 
• Reduction 
• Sharing or transferring to third parties 
• Acceptance 

A proper method of risk reduction is the specification of a security control (technical or organizational) or the introduction of redundancy. Third parties interested in risk transfers are insurance companies. Decide how you want to manage the risk.

It can be challenging to determine the effectiveness of a cybersecurity control, but this is a key activity in risk assessment.

The cybersecurity goals and claims are derived from the results of the TARA and your decisions about how the risks should be dealt with. If you decide that you want to avoid a risk, then you may consider an alternative technical solution.

The cybersecurity goals form Target 4 of the TARA.

The cybersecurity concept is derived from the cybersecurity goals and describes how to put the cybersecurity goals in practice. Derive requirements from the goals and allocate them to your architecture — the relevant components of your systems and organization. The cybersecurity concept includes these requirements and their allocation to the architecture.

The cybersecurity concepts achieve Target 5: capture all cybersecurity requirements and their allocation.

These are the essential steps for performing a TARA according to ISO/SAE 21434 requirements. This standard expects manufacturers to perform a TARA on a regular basis.