Asset-level analysis

Asset-level analysis is a bottom-up cybersecurity risk assessment methodology focused on individual components (assets) within a complex system like a vehicle. As defined in Clause 15 of ISO/SAE 21434 (Threat Analysis and Risk Assessment - TARA), the process begins with identifying critical assets, such as Electronic Control Units (ECUs), gateways, or sensors. For each asset, it involves identifying relevant threat scenarios, analyzing potential attack paths, and evaluating the impact on security properties. This granular approach provides precise data for designing and validating security controls. It differs from system-level analysis, which evaluates systemic risks arising from the interaction of multiple assets, by focusing on the inherent vulnerabilities of a single component.

In practice, Asset-level analysis follows the TARA process mandated by ISO/SAE 21434, typically in three steps. First, **Asset Identification**, where all critical components within the vehicle's E/E architecture are inventoried and the system boundary is defined. Second, **Threat Analysis and Risk Assessment**, where methods like STRIDE are used to identify threats for each asset, followed by an evaluation of impact and attack feasibility to determine a risk value. Third, **Risk Treatment**, where security controls are implemented based on the risk value. For example, a Tier 1 supplier identified a high-risk vulnerability in an infotainment ECU's update mechanism. By implementing secure boot and firmware signing (controls), they reduced the calculated risk value by over 70%, ensuring compliance and passing the OEM's cybersecurity audit.

Taiwanese automotive suppliers, often in Tier 2 or Tier 3 roles, face several key challenges. First, **Supply Chain Information Asymmetry**: They often lack access to the complete system architecture from OEMs, limiting the scope and accuracy of their analysis. Second, **Lack of Integrated Tools and Talent**: Many rely on manual spreadsheets for TARA, which is inefficient and error-prone for complex systems. There is also a significant shortage of professionals with dual expertise in automotive engineering and cybersecurity. Third, **Varying Audit Requirements**: Different OEMs interpret ISO/SAE 21434 differently, forcing suppliers to customize risk reports and compliance evidence. To overcome this, enterprises should prioritize adopting automated TARA tools and collaborate with external experts like Winners Consulting for targeted training and project guidance to build internal capabilities quickly.

Winners Consulting specializes in Asset-level analysis for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact