Skip to main content
Switch Language
  • Guide

Threat Analysis and Risk Assessment in Practice

Discover the nine steps and five targets of the threat analysis and risk assessment (TARA) procedure for automotive cybersecurity.

Vehicle manufacturers must protect their products against cyberattacks during the entire lifetime of the connected car to mitigate safety, financial, operational and privacy risks. At the center of automotive cybersecurity is the threat analysis and risk assessment (TARA), a comprehensive risk assessment procedure to be executed during the concept phase. ISO/SAE 21434 outlines the basic elements of a risk assessment for road vehicles.

Manufacturers cannot foresee the motivations or the abilities of threat actors in the future. Despite this, manufacturers must work to understand where and how their products are vulnerable, what harm is associated with each threat, and how they intend to manage the impact of the threats.

In a TARA, items are checked and related to each other in a sequential, structured process encompassing nine steps and five targets.

Nine steps and five targets to navigating a TARA

Before you begin a TARA

Before you can start a TARA, you first must define your item. Is it a subsystem or a set of subsystems, a vehicle-level function or a control unit? Describe the system’s environment, functions, interactions and interfaces.

Step 1: Asset identification

An asset is something related to the item that is crucial for a stakeholder and worth protecting. Examples of assets include internet communication channels, encryption keys and safety goals. The asset is important not only to the stakeholder — who benefits from its functionality — but also to a threat actor — who can use it to compromise the system.

Therefore, the first task is to list all your assets. Then systematically ascertain the following cybersecurity attributes of question each asset:

  • Confidentiality
  • Integrity
  • Availability
  • Nonrepudiation
  • Authenticity
  • Authorization

Next, identify the damage scenarios by evaluating what could happen if the assets’ cybersecurity properties are compromised.

Step 2: Impact rating

In this step, we evaluate the damage scenarios according to what consequences they may have for your stakeholders. This includes functional safety, finance, operations and privacy. ISO 21434 provides guidance on how to determine the damage scenario's severity. We can provide formulas and preset templates to help you calculate the ISO 21434 severity determination. A damage scenario will not impact each stakeholder equally.

This also accomplishes Target 1: rating the impact of damage.

Step 3: Threat scenario

In this step, we look at the assets again and determine what threat scenario may arise. A threat scenario is one potential way in which a damage scenario could be realized. In the threat scenario analysis, we try to identify what could happen if an item for which a security property of an asset is violated, and a threat scenario is realized. There are multiple ways to determine a damage scenario. For example, if we consider a compromised switch, the damage scenario could result in a possible threat scenario, namely by spoofing or flooding the controller area network (CAN) bus.

Step 4: Attack path analysis

Next, consider what path a potential attacker must follow for the threat scenario to occur. This is called attack path. For example, the compromised switch we considered in the previous step is located somewhere in the middle of the vehicle. To compromise the CAN bus, an attacker has to find a way through the system. The aim of this step is to identify this path.

ISO/SAE 21434 ignores the intruder and the possible motivation. Instead, it focuses on the technical possibility of an attack, reverse-engineering how an attack on a compromised cybersecurity property would have to be configured to be successful.

The United Nations Economic Commission for Europe (UNECE) regulations UN R155 and R156 provide a list of examples of vulnerabilities. Determine if these vulnerabilities are relevant in your system and identify additional threat scenarios.

Step 5: Attack feasibility rating

Not every theoretically possible attack is feasible in practice. Encryption, for example, may make a possible attack unlikely. In this step, we evaluate the potential for the attack to take place by considering five key parameters:

  1. Elapsed time 
  2. Required expertise  
  3. Product know-how  
  4. Required equipment  
  5. Window of opportunity  

Once we determine whether it is feasible for an attacker to conduct a successful attack, we have achieved Target 2: rating the feasibility of an attack (also called ease of attack).

Step 6: Risk value determination

In this step, we combine the results of the impact rating (the impact of the associated damage scenario, Target 1) and attack feasibility rating (the feasibility of the attack paths, Target 2):

Risk value = Impact × Attack feasibility

Because stakeholders may assess risks differently, we must apply a different risk value for each stakeholder.

This step achieves Target 3: determining the risk value.

Step 7: Risk treatment decision

Manufacturers have several options for dealing with risks:

  • Avoidance 
  • Reduction 
  • Sharing or transferring to third parties 
  • Acceptance 

A proper method of risk reduction is the specification of a security control (technical or organizational) or the introduction of redundancy. Third parties interested in risk transfers are insurance companies. Decide how you want to manage the risk.

It can be challenging to determine the effectiveness of a cybersecurity control, but this is a key activity in risk assessment.

Step 8: Cybersecurity goals

The cybersecurity goals and claims are derived from the results of the TARA and your decisions about how the risks should be dealt with. If you decide that you want to avoid a risk, then you may consider an alternative technical solution.

The cybersecurity goals form Target 4 of the TARA.

Step 9: Cybersecurity concept

The cybersecurity concept is derived from the cybersecurity goals and describes how to put the cybersecurity goals in practice. Derive requirements from the goals and allocate them to your architecture — the relevant components of your systems and organization. The cybersecurity concept includes these requirements and their allocation to the architecture.

The cybersecurity concepts achieve Target 5: capture all cybersecurity requirements and their allocation.

These are the essential steps for performing a TARA according to ISO/SAE 21434 requirements. This standard expects manufacturers to perform a TARA on a regular basis.

TARA in practice

 

UL Solutions Software Intensive Systems experts can support you in:

  • Fostering awareness for the need for comprehensive end-to-end safeguards.
  • Detailed assessments of any threats posed.
  • Matching your cybersecurity policies to processes, products and IT requirements and managing involved specialists.
  • Assessing and improving your development processes with respect to security issues.
  • Adapting existing workflows and procedures to address key cybersecurity issues.
  • Ensuring systems conform to UNECE homologation guidelines.
  • Defining and introducing new development processes that comply with the requirements of ISO/SAE 21434.
  • Evaluating, developing and implementing cybersecurity management systems.
  • Selecting of relevant security technology and industry standards according to your requirements.

We also offer templates and kits for ISO work products.

 

X

Get connected with our team

Thanks for your interest in our products and services. Let's collect some information so we can connect you with the right person.

Please wait…

Within UL Solutions we provide a broad portfolio of offerings to many industries. This includes certification, testing, inspection, assessment, verification and consulting services. In order to protect and prevent any conflict of interest, perception of conflict of interest and protection of both our brand and our customers brands, UL Solutions has processes in place to identify and manage any potential conflicts of interest and maintain the impartiality of our conformity assessment services.