attack feasibility level

Attack feasibility level is a rating of the ease with which an attacker can successfully exploit a vulnerability. As a core component of risk assessment under the ISO/SAE 21434 standard for automotive cybersecurity, it helps organizations prioritize threats by evaluating the resources and expertise required for an attack.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is attack feasibility level?

Attack feasibility level is a core concept within ISO/SAE 21434:2021, "Road vehicles — Cybersecurity engineering," used to systematically evaluate the difficulty for an attacker to successfully execute an attack. It is a critical input for the Threat Analysis and Risk Assessment (TARA) process, which is mandatory for compliance with regulations like UNECE R155. The standard outlines specific factors for this evaluation, including Elapsed Time, Expertise, Knowledge of the item, Window of Opportunity, and the Equipment required. Each factor is rated on a scale, and these ratings are aggregated to determine a final feasibility level (e.g., Very Low to High). This metric is distinct from the "impact level," which assesses the consequences of a successful attack. By focusing on the likelihood of the threat materializing, attack feasibility provides a crucial dimension for calculating a comprehensive and justifiable risk score, guiding all subsequent security engineering activities.

How is attack feasibility level applied in enterprise risk management?

In practice, applying the attack feasibility level involves a structured, multi-step process. First, engineers identify potential threat scenarios and attack paths using methods like STRIDE on the system's architecture. Second, for each scenario, they rate the feasibility based on the five parameters defined in ISO/SAE 21434. For example, an attack requiring physical access to a vehicle and highly specialized, expensive equipment will receive a much lower feasibility rating than a remote attack exploiting a known software vulnerability with publicly available tools. Finally, the resulting attack feasibility level is combined with the impact level in a risk matrix. This visualization helps teams prioritize the most severe threats—those with both high feasibility and high impact—and guides the development of specific cybersecurity goals and controls. This systematic approach improves the traceability of security requirements and can reduce critical vulnerabilities by over 30% during the design phase, significantly lowering compliance costs and post-production risks.
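The rating and risk-matrix steps described above can be made repeatable in code. This is an added example, not part of the original page or of the standard's text. The point values, level thresholds and risk matrix are assumptions modelled on the attack-potential-based approach and should be replaced with your organization's calibrated tables; the two scenarios are constructed from the contrast drawn in the paragraph.

```python
# Added example: attack-potential scoring for a TARA. Point values, thresholds
# and the risk matrix are assumptions modelled on the attack-potential-based
# approach; substitute your organization's own calibrated tables.
FACTORS = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
# (upper bound of summed attack potential, level); a higher sum means a harder attack
THRESHOLDS = [(13, "High"), (19, "Medium"), (24, "Low"), (float("inf"), "Very Low")]
FEASIBILITY = ["Very Low", "Low", "Medium", "High"]
RISK_MATRIX = {  # impact level -> risk value per feasibility column, 1 (lowest) to 5
    "Negligible": [1, 1, 1, 1],
    "Moderate": [1, 2, 2, 3],
    "Major": [1, 2, 3, 4],
    "Severe": [2, 3, 4, 5],
}

def attack_feasibility(ratings):
    """Return (attack potential sum, feasibility level) for one attack path."""
    missing = FACTORS.keys() - ratings.keys()
    if missing:  # an unrated factor would silently make the attack look easier
        raise ValueError(f"unrated factors: {sorted(missing)}")
    total = 0
    for factor, table in FACTORS.items():
        if ratings[factor] not in table:
            raise ValueError(f"unknown rating {ratings[factor]!r} for {factor}")
        total += table[ratings[factor]]
    level = next(name for bound, name in THRESHOLDS if total <= bound)
    return total, level

def risk_value(ratings, impact):
    """Combine the feasibility level with an impact level via the risk matrix."""
    _, level = attack_feasibility(ratings)
    return RISK_MATRIX[impact][FEASIBILITY.index(level)]

# Constructed ratings for the two scenarios contrasted in the text.
PHYSICAL = {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "confidential",
            "window": "difficult", "equipment": "bespoke"}
REMOTE = {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "public",
          "window": "unlimited", "equipment": "standard"}

if __name__ == "__main__":
    for name, ratings in (("physical", PHYSICAL), ("remote", REMOTE)):
        print(name, attack_feasibility(ratings), "risk:", risk_value(ratings, "Severe"))
```

Recording the per-factor ratings alongside the resulting level keeps each assessment traceable and lets reviewers challenge a single rating instead of the final score.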

What challenges do Taiwan enterprises face when implementing attack feasibility level?

Taiwanese enterprises, particularly in the automotive supply chain, face several key challenges. First is a persistent talent gap, with a shortage of professionals possessing dual expertise in automotive engineering and cybersecurity, which makes accurate feasibility assessments difficult. Second, many firms suffer from subjective assessments due to a lack of access to structured threat intelligence or historical attack data, making ratings for parameters like "Expertise" or "Elapsed Time" inconsistent. Third, supply chain opacity is a major hurdle; Tier 1 suppliers often struggle to obtain complete system architecture details from global OEMs due to strict confidentiality policies, hindering a comprehensive TARA. To overcome these, firms should prioritize targeted training programs and partner with expert consultants, subscribe to automotive-specific threat intelligence feeds to build an internal knowledge base, and establish clear Cybersecurity Interface Agreements with customers at the project outset to define information sharing protocols and responsibilities.

Why choose Winners Consulting for attack feasibility level?

Winners Consulting specializes in attack feasibility level for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
