Questions & Answers
What is attack feasibility?
Attack feasibility is a rating of the attributes of an attack path that enable a threat scenario to be realised; in practice it expresses how hard it is for an attacker to carry out that path. The term is defined in the automotive cybersecurity standard ISO/SAE 21434, and the rating is one of the Threat Analysis and Risk Assessment (TARA) methods in Clause 15. It does not predict the probability that an attack will occur; it judges whether the attack is practicable given the resources and capabilities it demands. Annex G of ISO/SAE 21434 gives guidance on the rating and allows three approaches: attack potential-based, CVSS-based and attack vector-based. The attack potential-based approach, inherited from ISO/IEC 18045 (the Common Criteria evaluation methodology), scores each path on five factors: 1) elapsed time, 2) specialist expertise, 3) knowledge of the item or component, 4) window of opportunity, and 5) equipment. The factor scores are summed and the total is mapped to an attack feasibility level of Very Low, Low, Medium or High. Note the direction: a higher attack potential sum means the attack needs more from the attacker, so it gets a lower feasibility level. That level, combined with the impact rating of the damage scenario, is the input to risk value determination. This is what distinguishes it from a general likelihood estimate: it measures the capability an attack requires, not the attacker's intent.
How is attack feasibility applied in enterprise risk management?
In practice, applying attack feasibility follows a structured process within the TARA framework.
Step 1: Threat Scenario Identification. Identify the assets whose cybersecurity properties matter, the damage scenarios that compromising them would cause, and the threat scenarios that could lead to each damage scenario.
Step 2: Attack Path Analysis and Feasibility Rating. For each threat scenario, map the potential attack paths. Then rate each path against the ISO/SAE 21434 feasibility factors (elapsed time, expertise, knowledge of the item, window of opportunity, equipment) and derive a feasibility level. For example, an attack that needs physical access to the vehicle and bespoke hardware scores high on window of opportunity and equipment and therefore receives a lower feasibility level than a remote attack that reuses a publicly known exploit. Where several paths lead to the same threat scenario, the scenario's feasibility is that of its most feasible path.
Step 3: Risk Determination and Prioritization. Combine the feasibility level with the impact rating (safety, financial, operational, privacy) in a risk matrix to obtain the risk value. Threats with a high risk value (high feasibility and severe impact) are prioritised for treatment, and the chosen treatment (reduce, avoid, share or retain) is recorded with its rationale.
This systematic approach lets automotive manufacturers and suppliers focus resources on the most plausible threats before production, improving product security and supporting compliance.
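The three steps above, carried through as a worked example in code. This is an added example, not code from the page or from ISO/SAE 21434 itself. The per-factor point values and the sum-to-level thresholds are the attack potential-based tables as commonly reproduced from Annex G of the standard and should be verified against your own copy; the risk matrix, the two attack paths and the impact rating are constructed for illustration and are assumptions, not values the standard prescribes.

```python
"""Attack feasibility and risk value calculation for an ISO/SAE 21434 TARA.

Added example. Factor values and feasibility bands follow the attack
potential-based approach as commonly reproduced from Annex G; verify them
against your copy of the standard. The risk matrix and sample attack
paths are constructed for illustration only.
"""
from dataclasses import dataclass

# Attack potential points per factor (assumed from Annex G). More points
# means the attack demands more of the attacker.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
                "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7,
             "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7,
             "multiple bespoke": 9}

# Upper bound of the attack potential sum for each feasibility level
# (assumed from Annex G); anything above the last bound is "Very Low".
FEASIBILITY_BANDS = [(13, "High"), (19, "Medium"), (24, "Low")]

# Illustrative risk matrix: impact x feasibility -> risk value 1..5.
# This is an assumption for the example; an organisation defines its own.
RISK_MATRIX = {
    "Severe":     {"Very Low": 2, "Low": 3, "Medium": 4, "High": 5},
    "Major":      {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4},
    "Moderate":   {"Very Low": 1, "Low": 2, "Medium": 2, "High": 3},
    "Negligible": {"Very Low": 1, "Low": 1, "Medium": 1, "High": 1},
}


@dataclass(frozen=True)
class AttackPath:
    name: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Sum the five factor scores; KeyError means an unknown rating."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


def feasibility_level(attack_potential: int) -> str:
    """Map the attack potential sum to Very Low / Low / Medium / High."""
    for upper_bound, level in FEASIBILITY_BANDS:
        if attack_potential <= upper_bound:
            return level
    return "Very Low"


def risk_value(impact: str, feasibility: str) -> int:
    return RISK_MATRIX[impact][feasibility]


def assess(path: AttackPath, impact: str) -> dict:
    """Step 2 and Step 3 for one attack path against one impact rating."""
    potential = path.attack_potential()
    level = feasibility_level(potential)
    return {"path": path.name, "attack_potential": potential,
            "feasibility": level, "impact": impact,
            "risk": risk_value(impact, level)}


def prioritized(paths: list, impact: str) -> list:
    """Rank paths by risk value, highest first (ties keep input order)."""
    return sorted((assess(p, impact) for p in paths),
                  key=lambda r: r["risk"], reverse=True)


# Constructed sample attack paths for one threat scenario (assumed data).
REMOTE_KNOWN_EXPLOIT = AttackPath(
    name="Remote exploit of a published telematics vulnerability",
    elapsed_time="<=1 week", expertise="proficient", knowledge="public",
    window="unlimited", equipment="standard")
PHYSICAL_REFLASH = AttackPath(
    name="Reflash ECU via diagnostic port with bespoke tooling",
    elapsed_time="<=1 month", expertise="expert", knowledge="confidential",
    window="moderate", equipment="bespoke")

if __name__ == "__main__":
    for result in prioritized([REMOTE_KNOWN_EXPLOIT, PHYSICAL_REFLASH], "Severe"):
        print(result)
```

Running the block ranks the remote path first: its attack potential sums to 4 (High feasibility, risk 5 against a Severe impact), while the physical reflash sums to 28 (Very Low feasibility, risk 2). Each factor rating and the matrix cell it lands in should be written into the TARA work product as the rationale for the risk value, since that traceability is what an assessor asks for.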
What challenges do Taiwan enterprises face when implementing attack feasibility?
Taiwan enterprises, particularly in the automotive supply chain, face several challenges.
1. Lack of Expertise and Data: Many SMEs have no dedicated cybersecurity experts and no historical attack data, so feasibility ratings end up subjective and inconsistent between assessors. Mitigation involves building an internal knowledge base of rated attack paths so that similar paths are scored the same way, leveraging public threat intelligence (e.g., MITRE ATT&CK) to ground the expertise and equipment ratings, and engaging external consultants for the initial framework setup and training.
2. Time-to-Market Pressure: Thorough TARA activities are time-consuming and can conflict with aggressive development schedules. The solution is to 'shift left': integrate feasibility analysis early in the concept and design phases, and use tooling to keep the rating tables and risk matrix consistent across projects so that reassessment after a design change is quick.
3. Supply Chain Complexity: Assessing attack paths that span components from multiple suppliers is difficult without transparent information sharing, because the feasibility of an end-to-end path depends on factors (such as knowledge of the item) that only the component's supplier can rate. Overcoming this requires cybersecurity interface agreements that mandate the exchange of TARA results and security data, fostering a collaborative risk management culture across the supply chain.
Why choose Winners Consulting for attack feasibility?
Winners Consulting specializes in attack feasibility for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact