Questions & Answers
What is ISO/SAE 21434 TARA?
Threat Analysis and Risk Assessment (TARA) is a core methodology defined in the ISO/SAE 21434 "Road vehicles — Cybersecurity engineering" standard. It provides a systematic process to identify, analyze, and evaluate cybersecurity risks associated with a vehicle's Electrical/Electronic (E/E) systems. The process involves identifying critical assets and their damage scenarios, rating the impact on safety, privacy, operational, and financial aspects, analyzing threat scenarios and potential attack paths, and rating the feasibility of those attacks. The final risk value, derived from impact and feasibility, is used to define Cybersecurity Goals. This makes TARA a foundational activity for compliance with regulations like UNECE R155, which mandates a certified Cybersecurity Management System (CSMS) for vehicle type approval. Its strong focus on vehicle safety and operational context is what distinguishes TARA from general IT risk assessments.
How is ISO/SAE 21434 TARA applied in enterprise risk management?
In practice, enterprises apply ISO/SAE 21434 TARA through structured steps within the vehicle development lifecycle:

1. **Item Definition and Asset Identification:** In the concept phase, the system boundary (the 'item') is defined. Critical assets within this item, such as an ECU or a data bus, are identified, along with the cybersecurity properties (confidentiality, integrity, availability) to be protected.
2. **Impact, Threat, and Attack Path Analysis:** The impact of a compromised asset is rated according to safety, financial, operational, and privacy (SFOP) criteria. Threat scenarios are identified using methods like STRIDE, and potential attack paths are mapped out.
3. **Feasibility Rating and Risk Determination:** Each attack path's feasibility is rated based on factors like elapsed time, required expertise, and knowledge of the item. The impact and feasibility ratings are then used in a risk matrix to determine a final risk level. For risks exceeding an acceptable threshold, cybersecurity goals are formulated, which drive the subsequent security requirements and controls, ensuring a risk-driven approach to product security.
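The three steps above can be followed end to end with a small worked model. The example below is added here and is not part of the original FAQ nor a tool from Winners Consulting; the SFOP scale (0 to 3), the attack-potential point values, the feasibility thresholds and the risk matrix are all simplified assumptions chosen for illustration, not the tables from the standard's annexes. The damage scenario and the two attack paths are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed impact scale shared by the four SFOP categories: 0 = negligible ... 3 = severe
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]


@dataclass
class DamageScenario:
    """Step 1/2: an asset, the property to protect, and its SFOP impact ratings."""
    asset: str
    cybersecurity_property: str      # confidentiality / integrity / availability
    description: str
    sfop: Dict[str, int]             # safety, financial, operational, privacy -> 0..3

    def impact_level(self) -> int:
        # Overall impact is driven by the worst-rated category (assumed aggregation rule)
        return max(self.sfop.values())


@dataclass
class AttackPath:
    """Step 3: attack-potential factors for one path; points are assumed values."""
    description: str
    elapsed_time: int
    expertise: int
    knowledge_of_item: int
    window_of_opportunity: int
    equipment: int

    def attack_potential(self) -> int:
        # More points = more effort required by an attacker
        return (self.elapsed_time + self.expertise + self.knowledge_of_item
                + self.window_of_opportunity + self.equipment)

    def feasibility_level(self) -> int:
        # Assumed mapping: high attack potential required => low feasibility
        # 0 = very low, 1 = low, 2 = medium, 3 = high
        p = self.attack_potential()
        if p >= 25:
            return 0
        if p >= 20:
            return 1
        if p >= 14:
            return 2
        return 3


# Assumed risk matrix: rows = impact level 0..3, columns = feasibility level 0..3, cells = risk 1..5
RISK_MATRIX = [
    [1, 1, 1, 1],
    [1, 2, 2, 3],
    [1, 2, 3, 4],
    [2, 3, 4, 5],
]


def risk_value(ds: DamageScenario, ap: AttackPath) -> int:
    return RISK_MATRIX[ds.impact_level()][ap.feasibility_level()]


def derive_goals(ds: DamageScenario, paths: List[AttackPath], threshold: int = 2) -> List[str]:
    """Formulate a cybersecurity goal for every path whose risk exceeds the threshold."""
    goals = []
    for ap in paths:
        r = risk_value(ds, ap)
        if r > threshold:
            goals.append(f"Protect {ds.cybersecurity_property} of {ds.asset} "
                         f"against: {ap.description} (risk {r})")
    return goals


# Constructed sample data (hypothetical item: a brake ECU on the vehicle data bus)
BRAKE_SCENARIO = DamageScenario(
    asset="brake ECU",
    cybersecurity_property="integrity",
    description="forged control message causes unintended braking",
    sfop={"safety": 3, "financial": 2, "operational": 2, "privacy": 0},
)
PATHS = [
    AttackPath("message injection via physical diagnostic access", 1, 3, 3, 4, 4),
    AttackPath("message injection via a compromised remote interface", 10, 6, 7, 1, 4),
]

if __name__ == "__main__":
    for ap in PATHS:
        print(f"{ap.description}: feasibility={ap.feasibility_level()} "
              f"risk={risk_value(BRAKE_SCENARIO, ap)}")
    for goal in derive_goals(BRAKE_SCENARIO, PATHS):
        print("GOAL:", goal)
```

The point of keeping impact, feasibility and the matrix as separate, named pieces is traceability: an auditor can follow a cybersecurity goal back to the exact attack path, feasibility factors and damage scenario that produced it, which is what a spreadsheet with the result typed in by hand cannot show.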
What challenges do Taiwan enterprises face when implementing ISO/SAE 21434 TARA?
Taiwanese enterprises, particularly in the automotive supply chain, face several key challenges with TARA implementation:

1. **Cross-Disciplinary Skill Gap:** TARA requires a unique blend of automotive systems engineering and cybersecurity expertise, a talent profile that is not yet widely available.
2. **Complex Supply Chain Collaboration:** Defining cybersecurity responsibilities and interfaces between OEMs, Tier-1s, and Tier-2s is difficult. Inconsistent TARA methods and reporting formats across suppliers create significant integration challenges.
3. **Lack of Tooling and Automation:** Many companies rely on manual, spreadsheet-based TARA, which is inefficient, error-prone, and fails to provide the traceability required by the standard throughout the product lifecycle.

**Solutions:** To overcome these, companies should establish cross-functional teams, mandate clear Cybersecurity Interface Agreements (CIAs) with suppliers from project kickoff, and invest in dedicated TARA software tools to automate the process and ensure consistency and traceability.
Why choose Winners Consulting for ISO/SAE 21434 TARA?
Winners Consulting specializes in ISO/SAE 21434 TARA for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact