Insight: A simulation framework for automotive cybersecurity risk assessment

About the Authors and This Research

This research was co-authored by Don Nalin Dharshana Jayaratne, Suraj Harsha Kamtam, and Qian Lu, published in Elsevier's Simulation Modelling Practice and Theory journal (DOI: 10.1016/j.simpat.2024.103005). The paper has accumulated 4 academic citations since its 2024 publication, reflecting early but growing recognition within the vehicle cybersecurity research community. Jayaratne's research focus centers on connected vehicle cybersecurity simulation and risk assessment methodologies. What distinguishes this team's work is their decision to frame vehicle cybersecurity not as an isolated engineering problem, but as a transport infrastructure resilience challenge—a perspective that aligns with evolving regulatory expectations under UNECE WP.29.

The journal's editorial focus on simulation methodology applications in engineering lends credibility to the framework proposed. For Taiwan's Tier 1 and Tier 2 automotive suppliers, the research's significance lies less in providing an immediately deployable compliance tool, and more in articulating a methodological gap that current ISO/SAE 21434 implementations leave unaddressed.

The Boundary Problem in ISO/SAE 21434: Why Single-Vehicle TARA Is No Longer Sufficient

The paper's central argument is precise: ISO/SAE 21434's Threat Analysis and Risk Assessment (TARA) methodology, as currently structured, evaluates cybersecurity risks at the asset level within the vehicle boundary. This approach was adequate when vehicles operated as isolated systems. However, as connected vehicles become nodes in a broader cellular network and transport infrastructure, a cyberattack on a single vehicle's systems carries the potential to propagate failures across the traffic network—creating what the authors term "systemic risk."

Finding One: Remote Cellular Network Attacks Can Cascade Into Traffic System Failures

The research demonstrates this through a simulation case study: a remote attack delivered via the cellular network targeting the in-vehicle communication bus (such as a CAN bus system) of a connected vehicle. The simulation quantifies how this single-vehicle security event translates into measurable degradation of transport network safety and operational performance. This finding carries immediate relevance given CISA's December 9, 2025 advisory (AA25-343A), which warned that pro-Russian hacker groups are conducting opportunistic attacks against critical infrastructure globally—including transportation systems. The intersection of geopolitical cyber threats and connected vehicle infrastructure represents a risk vector that Taiwan's automotive suppliers cannot afford to treat as theoretical.

Finding Two: A Simulation Framework That Extends TARA to the Transport Network Dimension

The paper's methodological contribution is a simulation framework that retains ISO/SAE 21434's TARA foundation while adding a transport network simulation layer. This enables risk assessors to evaluate two additional impact vectors beyond the vehicle itself: systemic safety impacts (potential for physical harm to traffic participants beyond the attacked vehicle) and systemic operational impacts (degradation of traffic network efficiency and throughput). The framework was validated across three attack scenarios, providing the first quantified evidence of how individual vehicle component vulnerabilities translate into network-level systemic failures. This approach also aligns with the Cybersecurity Management System (CSMS) design requirements under UNECE WP.29 R155, which implicitly requires OEMs and their supply chains to consider broader operational context when assessing cybersecurity risks.

Implications for Taiwan's Automotive Cybersecurity Practice

Taiwan's automotive supply chain faces an increasingly convergent set of compliance pressures. ISO/SAE 21434:2021 has become a de facto procurement threshold in Tier 1 supplier contracts with major OEMs. UNECE WP.29 R155 extends CSMS requirements through the supply chain, meaning Taiwan suppliers' cybersecurity posture is now subject to OEM audit. TISAX certification is increasingly a supplier qualification requirement for European automotive customers, particularly those in the German OEM ecosystem.

What this research adds to that compliance picture is a forward-looking signal: the next evolution of automotive cybersecurity regulation and customer requirements will likely demand that suppliers demonstrate awareness of their components' role in the connected vehicle ecosystem, not just the component-level risk profile. Trend Micro's report on 5G connected vehicle security vulnerabilities similarly highlights that attack surfaces for autonomous driving technology now extend through cellular network interfaces—precisely the attack vector modeled in this paper.

For Taiwan suppliers, this translates into three practical near-term priorities: first, audit current TARA documentation to assess whether connected exposure surfaces (CAN bus, OTA update interfaces, V2X modules) are evaluated with sufficient consideration of their network-level attack propagation potential; second, align TARA scope with TISAX assessment requirements and UNECE WP.29 R155 CSMS documentation standards; and third, begin developing supplier cybersecurity requirement specifications that extend TARA responsibilities appropriately to sub-suppliers.

Winners Consulting Services Co. Ltd.: Supporting Taiwan's Automotive Supply Chain

積穗科研股份有限公司(Winners Consulting Services Co. Ltd.)provides comprehensive TISAX certification support, ISO/SAE 21434 implementation guidance, and UNECE WP.29 compliance advisory services for Taiwan's automotive suppliers. Drawing on the systemic risk perspective highlighted in this research, we recommend the following concrete actions:

  1. Extend TARA Scope to Include Transport-Network Impact Assessment: Review existing TARA documentation to confirm that high-risk connected assets (in-vehicle communication buses, 5G/LTE modules, OTA update interfaces) include analysis of their potential systemic impact in connected vehicle deployment scenarios. This directly strengthens compliance with ISO/SAE 21434 Clause 15 advanced requirements and supports CSMS documentation under UNECE WP.29 R155.
  2. Conduct a TISAX Gap Analysis Focused on Connected Asset Supply Chain Risk: Supply chain information security management—including controls over sub-suppliers—is a frequent assessment deficiency in TISAX evaluations. Develop a Cybersecurity Requirements for Suppliers document that clearly defines TARA responsibilities, connected asset disclosure requirements, and audit rights across your supply chain.
  3. Establish Simulation-Based Tabletop Exercises for Connected Vehicle Attack Scenarios: Drawing on the simulation framework concept in this paper, conduct periodic tabletop exercises modeling cellular network remote attack scenarios. Validate that your Business Continuity Plan (BCP) and Incident Response Plan (IRP) address systemic transport infrastructure attack scenarios—a recommendation aligned with CISA Advisory AA25-343A for all critical infrastructure-adjacent organizations.

Winners Consulting Services Co. Ltd. offers a complimentary automotive cybersecurity mechanism diagnostic, helping Taiwan enterprises establish TISAX-compliant management systems within 7 to 12 months.

Frequently Asked Questions

Does the current ISO/SAE 21434 TARA process adequately address systemic risks from connected vehicle cyberattacks?
ISO/SAE 21434:2021's TARA framework is designed for asset-level analysis within the vehicle boundary and does not provide explicit methodology for evaluating cascading failures at the transport network level. This paper directly addresses that gap by proposing a simulation-based extension of the TARA process. For Taiwan suppliers, the practical implication is that TARA documentation should be augmented to include connected exposure surface analysis and potential system-level impact assessment for high-risk assets such as CAN bus systems, OTA interfaces, and V2X modules—particularly as OEM customers begin incorporating these requirements into supplier audit criteria aligned with UNECE WP.29 R155 CSMS expectations.
What are the most common compliance challenges for Taiwan companies implementing ISO/SAE 21434?
The three most common challenges are: first, talent gaps—professionals with combined automotive engineering and cybersecurity expertise are scarce in Taiwan's labor market; second, documentation integration—aligning existing FMEA, ISO 26262 functional safety, and ISO/SAE 21434 cybersecurity documentation requires cross-functional coordination that most suppliers underestimate; third, supply chain extension requirements—ISO/SAE 21434 Clause 6.4 requires companies to assess sub-supplier cybersecurity capabilities, but many Taiwanese SME suppliers lack established mechanisms for this. A structured gap analysis before beginning implementation significantly reduces wasted effort and resource misallocation.
What are TISAX's core requirements, and how should Taiwan companies prepare?
TISAX (Trusted Information Security Assessment Exchange), governed by the German Association of the Automotive Industry (VDA), has become a de facto market access requirement for European automotive supply chains, particularly for German OEM programs. Its assessment covers three domains: information security management (aligned with ISO/IEC 27001), vehicle cybersecurity (aligned with ISO/SAE 21434), and supply chain security. A typical preparation timeline for Taiwan suppliers is: months one through three for gap analysis and governance framework design; months four through eight for documentation system build and staff training; months nine through twelve for internal audit and third-party assessment preparation. TISAX preparation can be integrated with UNECE WP.29 R155 CSMS documentation to avoid redundant effort.
What resource investment and expected ROI should companies anticipate for automotive cybersecurity compliance?
Resource requirements vary by company size and existing security baseline. For a mid-sized Taiwan automotive parts manufacturer (200–500 employees) building a TISAX-compliant vehicle cybersecurity management system from scratch, a 7-to-12-month implementation timeline is typical. Expected benefits include: qualification for European OEM supplier programs (particularly German OEM supply chains where TISAX is a prerequisite), reduced product recall risk attributable to cybersecurity vulnerabilities, and measurable improvements in overall cybersecurity governance maturity. Suppliers that establish comprehensive TARA documentation typically report significantly improved outcomes in annual OEM cybersecurity audits, which increasingly follow ISO/SAE 21434 audit criteria.
Why should companies engage Winners Consulting Services Co. Ltd. for automotive cybersecurity matters?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides cross-domain expertise spanning automotive engineering, information security, and regulatory compliance—a combination that general cybersecurity consultants typically lack. We have deep working knowledge of UNECE WP.29 R155/156 regulatory requirements and can help companies simultaneously satisfy TISAX, ISO/SAE 21434, and CSMS requirements without redundant effort. Our service model covers the full implementation lifecycle: gap analysis, documentation development, staff training, and third-party assessment preparation. We offer a complimentary mechanism diagnostic as an engagement starting point, enabling Taiwan suppliers to understand their current compliance posture and build a realistic, resource-appropriate implementation roadmap within 7 to 12 months.

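Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) points out a significant methodological gap: the TARA framework of ISO/SAE 21434 stops at asset-level analysis of a single vehicle and cannot evaluate the cascading failures that a cyberattack on a connected car can trigger across the entire transport system. To fill this gap, a simulation study published in 2024 proposed a new framework that extends the ISO/SAE 21434 TARA method to the transport network dimension, and for the first time quantified the systemic risk that cyberattacks on vehicles pose to transport infrastructure. For companies in Taiwan's automotive supply chain, this research is an important signal urging an evolution from single-vehicle risk assessment to systemic resilience management.

Paper source: A simulation framework for automotive cybersecurity risk assessment (Jayaratne, Don Nalin Dharshana; Kamtam, Suraj Harsha; Lu, Qian, arXiv, 2024)
Original link: https://doi.org/10.1016/j.simpat.2024.103005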
