Threat Analysis and Risk Assessment (TARA)

A systematic methodology defined in ISO/SAE 21434 to identify, analyze, and evaluate cybersecurity threats to road vehicles. It assesses potential impacts and attack feasibility to determine risk levels, guiding the implementation of security controls to ensure vehicle safety and regulatory compliance.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Threat Analysis and Risk Assessment (TARA)?

Threat Analysis and Risk Assessment (TARA) is a structured cybersecurity risk management methodology specifically designed for the automotive industry, with its core framework defined in Clause 15 of the ISO/SAE 21434 standard, "Road vehicles — Cybersecurity engineering." It was developed to address the escalating cyber threats in modern connected vehicles. The TARA process involves identifying assets within a vehicle component or function, analyzing potential damage scenarios (e.g., impacts on safety, privacy, or operations), identifying threat scenarios, and analyzing potential attack paths. Finally, it combines the impact rating of each threat with its attack feasibility rating to determine a comprehensive risk value. Within a cybersecurity management system, TARA serves as the foundational step for risk identification and analysis, providing the essential input for subsequent risk treatment decisions and the formulation of cybersecurity goals.

How is Threat Analysis and Risk Assessment (TARA) applied in enterprise risk management?

In practice, enterprises apply TARA by integrating it into the product development lifecycle as guided by ISO/SAE 21434. The key steps are:

1. **Item Definition & Asset Identification**: At the concept phase, define the scope (the 'item'), such as an ECU. Identify its critical assets (e.g., firmware, personal data) and analyze damage scenarios if compromised.
2. **Threat Scenario & Attack Path Analysis**: Systematically identify threats (e.g., remote exploit via Bluetooth) and map the detailed attack paths an adversary could take. Assess the feasibility of each path based on factors like expertise, time, and equipment required.
3. **Risk Determination & Treatment**: Combine impact and feasibility ratings using a risk matrix to calculate a risk value. For unacceptable risks, define cybersecurity goals and derive security controls to mitigate them.

For example, a supplier might use TARA, identify a high-risk vulnerability in an infotainment unit, and decide to implement a Hardware Security Module (HSM) to protect cryptographic keys, thereby meeting OEM requirements and achieving compliance.
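The risk determination step above, as an added example that is not part of the original page or of the standard: a small Python model that rates attack feasibility from time, expertise and equipment, looks up impact and feasibility in a risk matrix, and re-rates the infotainment key-storage scenario after an HSM is added. The point scales, thresholds, risk matrix and acceptance rule are constructed simplifications modelled on the attack-potential approach; a real assessment uses the tables in ISO/SAE 21434 itself.

```python
from dataclasses import dataclass

# Constructed point scales for attack-potential factors (higher = harder attack);
# the standard's own tables should replace these in a real assessment.
ELAPSED_TIME = {"<=1 week": 0, "<=1 month": 1, "<=6 months": 4, ">6 months": 10}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]
# Constructed risk matrix: RISK_MATRIX[impact][feasibility] -> risk value 1..5
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible impact
    [1, 2, 2, 3],  # moderate
    [2, 3, 4, 4],  # major
    [3, 4, 5, 5],  # severe
]

@dataclass
class ThreatScenario:
    name: str
    impact: str          # one of IMPACT_LEVELS, taken from the damage scenario
    elapsed_time: str    # keys of ELAPSED_TIME / EXPERTISE / EQUIPMENT below
    expertise: str
    equipment: str

def attack_feasibility(ts: ThreatScenario) -> str:
    """Sum attack-potential points; more points means a less feasible attack."""
    points = ELAPSED_TIME[ts.elapsed_time] + EXPERTISE[ts.expertise] + EQUIPMENT[ts.equipment]
    for threshold, level in ((20, "very low"), (14, "low"), (8, "medium")):
        if points >= threshold:
            return level
    return "high"

def risk_value(ts: ThreatScenario) -> int:
    """Look up impact x feasibility in the risk matrix (input to risk treatment)."""
    return RISK_MATRIX[IMPACT_LEVELS.index(ts.impact)][FEASIBILITY_LEVELS.index(attack_feasibility(ts))]

def treatment(risk: int) -> str:
    """Constructed acceptance rule: risk 4 or 5 needs a cybersecurity goal and a control."""
    return "define cybersecurity goal and derive control" if risk >= 4 else "accept or monitor"

# Constructed infotainment key-storage scenario, before and after adding an HSM.
BEFORE_HSM = ThreatScenario("key extraction from infotainment flash", "severe", "<=1 month", "proficient", "standard")
AFTER_HSM = ThreatScenario("key extraction from HSM", "severe", ">6 months", "expert", "bespoke")

if __name__ == "__main__":
    for ts in (BEFORE_HSM, AFTER_HSM):
        print(f"{ts.name}: feasibility={attack_feasibility(ts)}, risk={risk_value(ts)}, {treatment(risk_value(ts))}")
```

Running it shows the same severe impact dropping from risk 5 to risk 3 once the control raises the attack potential required, which is the re-assessment a supplier documents after choosing the HSM.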

What challenges do Taiwanese enterprises face when implementing Threat Analysis and Risk Assessment (TARA)?

Taiwanese automotive suppliers often face three main challenges when implementing TARA:

1. **Lack of Interdisciplinary Talent**: TARA requires a unique blend of expertise in automotive engineering, functional safety (ISO 26262), and cybersecurity, which is scarce.
2. **Inertia of Traditional Development Processes**: Many companies struggle to shift from a 'security as an afterthought' culture to the 'Security by Design' principle required by TARA, facing resistance when trying to integrate it into existing V-model lifecycles.
3. **Resource and Tool Constraints**: Small and medium-sized enterprises (SMEs) in the supply chain may lack the budget for specialized TARA software and dedicated cybersecurity teams.

To overcome these, enterprises should prioritize partnering with expert consultants for training, start with pilot projects to integrate TARA into the development process, and initially leverage open-source tools to manage costs before investing in commercial solutions.

Why choose Winners Consulting for Threat Analysis and Risk Assessment (TARA)?

Winners Consulting specializes in Threat Analysis and Risk Assessment (TARA) for Taiwanese enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact