
Insight: WOLVES: Window of Opportunity attack feasibility likelihood


About the Authors and This Research

The WOLVES paper is co-authored by three researchers whose combined expertise bridges academic modeling and automotive cybersecurity standards application. Suraj Harsha Kamtam, the primary author, has an h-index of 2 with 44 cumulative citations, and has published consistently in the domain of attack feasibility quantification for connected vehicles. Qian Lu brings stronger academic impact with an h-index of 4 and 88 cumulative citations, focusing on V2X communication security and autonomous vehicle threat modeling. Rakhi Manohar Mepparambath contributes expertise in automotive cybersecurity standards compliance. The research has been published in Computers & Security, a peer-reviewed journal indexed in major academic databases, giving this framework a level of methodological credibility that supports direct citation in enterprise compliance documentation. The DOI reference is: https://doi.org/10.1016/j.cose.2025.104549.

Core Research Findings: Quantifying Attack Probability Through Simulation

The central problem WOLVES addresses is straightforward but consequential: ISO/SAE 21434 requires TARA practitioners to assess attack feasibility, but the standard provides no prescribed quantitative method for doing so. Historically, this has meant that two threat analysts working independently on the same vehicle system could arrive at significantly different feasibility ratings, undermining the reproducibility and defensibility of TARA outputs.

Finding 1: Bayesian Inference Enables Data-Driven Attack Feasibility Estimation Without Historical Incident Data

WOLVES employs a Bayesian statistical approach, combining prior information about attacker capabilities and communication technology parameters with likelihood information generated through simulation. The key innovation is that this method does not require a large repository of historical cyberattack incidents—a dataset that essentially does not exist for vehicle-specific attacks. Instead, the framework uses simulation-generated scenario data to iteratively update the probability estimate of a successful attack. The Bluetooth case study demonstrates this clearly: by modeling one attacker and one target vehicle on two different UK motorway segments, WOLVES outputs a concrete probability figure for attack success under each scenario condition, rather than a categorical label.

Finding 2: The Window of Opportunity Is Dynamic, Location-Dependent, and Technology-Specific

One of the most practically significant findings is that attack opportunity windows are not uniformly distributed across a vehicle's operating environment. The simulation reveals that the spatial and temporal co-presence of attacker and target vehicle within Bluetooth communication range (approximately 10 to 100 meters depending on device class) varies substantially between motorway segment types. Sections with lower average speeds, such as merge zones or toll approach areas, generate statistically more frequent and longer-duration attack windows. This directly challenges the implicit assumption in many current TARA implementations that attack feasibility is a fixed attribute of a technology, rather than a context-dependent probability distribution. The framework is designed to extend beyond Bluetooth to Wi-Fi, 4G LTE, and 5G V2X interfaces, making it applicable to the full breadth of connectivity technologies now entering Taiwan's automotive component supply chain.
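The two findings above can be made concrete with a small Monte Carlo sketch. This is an added illustration, not the WOLVES authors' model or code: the one-dimensional kinematics, the Beta(1, 9) prior, the 30-second exposure the attack is assumed to need, and the speed, gap and segment-length values are all constructed assumptions. Only the 10 m lower bound on Bluetooth range is taken from the text.

```python
import random

def contact_window(d0, dv, horizon, radio_range):
    """Seconds in [0, horizon] during which |d0 + dv*t| <= radio_range."""
    if dv == 0:
        return horizon if abs(d0) <= radio_range else 0.0
    t_a = (-radio_range - d0) / dv
    t_b = (radio_range - d0) / dv
    start, end = max(min(t_a, t_b), 0.0), min(max(t_a, t_b), horizon)
    return max(0.0, end - start)

def simulate_segment(mean_speed, n_trials, rng, length=2000.0, radio_range=10.0,
                     max_gap=200.0, needed=30.0, speed_cv=0.1):
    """Count trials whose contact window is long enough for the assumed attack.

    All defaults are constructed: segment length (m), initial attacker/target
    gap (m), required exposure (s), and speed spread as a fraction of the mean.
    """
    successes = 0
    for _ in range(n_trials):
        v_target = max(1.0, rng.gauss(mean_speed, speed_cv * mean_speed))
        v_attacker = max(1.0, rng.gauss(mean_speed, speed_cv * mean_speed))
        d0 = rng.uniform(-max_gap, max_gap)   # attacker offset at t=0, metres
        horizon = length / v_target           # time the target spends on the segment
        window = contact_window(d0, v_attacker - v_target, horizon, radio_range)
        if window >= needed:
            successes += 1
    return successes

def beta_update(alpha, beta, successes, failures):
    """Conjugate Beta-Binomial update of the attack-success probability."""
    return alpha + successes, beta + failures

def estimate(mean_speed, batches=5, batch_size=1000, prior=(1.0, 9.0), seed=7):
    """Update the prior batch by batch; return the posterior mean."""
    rng = random.Random(seed)
    alpha, beta = prior
    for _ in range(batches):
        s = simulate_segment(mean_speed, batch_size, rng)
        alpha, beta = beta_update(alpha, beta, s, batch_size - s)
    return alpha / (alpha + beta)

if __name__ == "__main__":
    # Two constructed segment profiles: free-flowing (~31 m/s) and slow (~12 m/s).
    for name, speed in (("free-flow", 31.0), ("slow", 12.0)):
        print(f"{name}: posterior P(window >= 30 s) = {estimate(speed):.3f}")
```

Under these assumptions the slow segment yields the higher posterior probability, because vehicles stay on the segment longer and their relative speed is smaller. The numbers illustrate the mechanism only and are not results from the paper.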

Implications for Taiwan's Automotive Cybersecurity Practice

Taiwan's automotive suppliers are navigating a compliance landscape that is tightening simultaneously from multiple directions. UNECE WP.29 Regulation 155 mandates that vehicle manufacturers and their supply chains implement Cybersecurity Management Systems (CSMS) covering the full vehicle lifecycle—and that TARA outputs are traceable, maintainable, and capable of responding to new threat intelligence. ISO/SAE 21434 Clause 15 requires systematic attack path analysis with documented feasibility assessment methodology. TISAX assessors evaluating Level 2 and Level 3 certifications are increasingly scrutinizing whether TARA documents reflect genuine analytical rigor or merely formal compliance box-checking.

The WOLVES framework's contribution to this landscape is to make "attack feasibility quantification" a tractable engineering problem rather than a judgment call. For Taiwanese suppliers manufacturing Bluetooth modules, OTA gateway components, Wi-Fi connectivity units, or V2X communication systems, the implication is direct: the next generation of TARA documentation expected by European OEM customers will need to demonstrate scenario-based, quantitatively supported feasibility assessments. Suppliers who begin developing this capability now—even through partial adoption of WOLVES-style simulation principles—will be better positioned when Tier 1 customers begin enforcing these requirements through their supply chain security questionnaires, typically with 18 to 24 months of lead time before hard deadlines.

The external threat context reinforces this urgency. CISA's December 2025 advisory AA25-343A, warning of opportunistic attacks on critical infrastructure including transportation systems by pro-Russian threat actors, underscores that the threat landscape facing connected vehicle infrastructure is not merely theoretical. The attack opportunity window concept that WOLVES quantifies—waiting for favorable spatial and temporal conditions—mirrors precisely the opportunistic attack patterns CISA describes. Taiwan suppliers with European market exposure cannot treat vehicle cybersecurity as an internal compliance exercise disconnected from the global threat environment.

How Winners Consulting Services Co. Ltd. Translates WOLVES Insights Into Compliance Advantage

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) provides end-to-end support for Taiwan's automotive supply chain in achieving TISAX certification, implementing ISO/SAE 21434, and demonstrating UNECE WP.29 R155 compliance. In the context of the WOLVES framework and the broader shift toward quantitative attack feasibility assessment, Winners offers the following structured support:

  1. TARA Quality Gap Assessment: A structured review of existing TARA documentation against ISO/SAE 21434 Clause 15 requirements, specifically identifying whether attack feasibility assessments have documented methodological foundations. This diagnostic identifies whether a supplier's current TARA outputs would withstand TISAX auditor scrutiny or OEM customer review, and provides a prioritized improvement roadmap.
  2. Connected Interface Threat Scenario Modeling: For suppliers manufacturing Bluetooth, Wi-Fi, OTA update, or V2X components, Winners assists in building scenario-based attack feasibility assessment frameworks aligned with the WOLVES methodology. This includes defining simulation parameters appropriate to the supplier's product context, establishing reproducible assessment procedures, and documenting outputs in formats compatible with both ISO/SAE 21434 evidence requirements and TISAX assessment criteria.
  3. CSMS Integration and UNECE WP.29 R155 Alignment: Quantified attack feasibility results must be integrated into the broader CSMS documentation structure to satisfy UNECE WP.29 R155's lifecycle monitoring requirements. Winners provides the framework integration work that connects TARA outputs to risk treatment decisions, monitoring procedures, and supplier communication protocols, creating the complete evidence chain required for TISAX Level 2 or Level 3 certification.

Winners Consulting Services Co. Ltd. offers a complimentary automotive cybersecurity mechanism diagnostic, helping Taiwan enterprises establish a TISAX-compliant management system within 7 to 12 months.


Frequently Asked Questions

How does the WOLVES framework specifically improve ISO/SAE 21434 TARA attack feasibility assessment?

WOLVES replaces subjective expert scoring with a Bayesian simulation-driven probability estimate for attack success. ISO/SAE 21434 Clause 15.6 requires attack path feasibility assessment, but prescribes no quantitative method. WOLVES addresses this by combining prior knowledge of attacker capabilities with simulation-generated scenario data to output reproducible probability figures. For Taiwan suppliers, this means TARA documents can provide defensible, methodology-backed feasibility values rather than categorical ratings—a significant quality upgrade when European OEM customers or TISAX assessors request audit evidence.

What are the most common TARA documentation deficiencies found in Taiwan suppliers preparing for TISAX?

Three deficiencies appear most frequently. First, attack feasibility assessments lack a documented methodology, relying on undocumented expert judgment that cannot be independently verified. Second, threat scenarios fail to cover dynamic connected interface attack conditions—Bluetooth, OTA update paths, and V2X interfaces are often excluded or treated with generic low-feasibility ratings inconsistent with UNECE WP.29 R155's full lifecycle threat monitoring requirement. Third, TARA outputs are not integrated into the CSMS evidence chain, creating a documentation gap between risk identification and risk treatment decisions. All three deficiencies can generate non-conformance findings in TISAX Level 2 assessments, extending certification timelines by three to six months.

What is the realistic timeline for a Taiwan supplier to achieve TISAX Level 2 certification from scratch?

A Taiwan mid-size automotive supplier starting from no formal ISMS foundation typically requires 9 to 12 months for TISAX Level 2 certification readiness. The critical path includes: three months for gap analysis and system design, four to six months for implementation and staff training, and two to three months for internal audit and pre-assessment preparation. Suppliers with existing ISO/IEC 27001 certification can reduce this to six to nine months. Winners Consulting's experience with Taiwan supply chain clients indicates that 7 to 12 months is the realistic preparation window, with ISO/SAE 21434 TARA implementation quality being the most common source of timeline extension.

Is ISO/SAE 21434 and TISAX compliance cost-justified for small and medium Taiwanese automotive suppliers?

For suppliers with more than 30% of revenue from European or Japanese OEM customers, TISAX certification has already shifted from a differentiator to an entry requirement—several major European Tier 1 suppliers have notified their Taiwan component vendors of certification deadlines between 2025 and 2026. Total investment for TISAX Level 2 preparation typically ranges from NT$1.5 million to NT$3.5 million depending on company size and existing baseline, covering consulting, assessment fees, and tooling. A single supply disruption or product recall triggered by a cybersecurity incident can exceed this investment by a factor of 10 or more. For suppliers with European market exposure, the risk-adjusted return on compliance investment is clear.

Why engage Winners Consulting Services Co. Ltd. for automotive cybersecurity matters?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting firms with simultaneous depth in ISO/SAE 21434 standards interpretation, TISAX certification audit preparation, and UNECE WP.29 R155 regulatory application. Winners' practical advantage is the ability to translate cutting-edge academic frameworks—such as WOLVES—into actionable compliance procedures sized for Taiwan's supply chain realities, rather than delivering generic standards summaries. The complimentary diagnostic service identifies the highest-priority improvement areas at initial engagement, allowing clients to sequence investments efficiently and complete TISAX certification within 7 to 12 months without costly rework cycles from documentation quality failures.

---

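The WOLVES Framework: Simulation-Driven Attack Feasibility Quantification Transforms ISO/SAE 21434 TARA

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assesses that the WOLVES framework, published in 2025, is the first attempt to quantify through simulation the "attack window of opportunity" in cyberattacks on connected vehicles (CVs), and that it offers an important solution to a long-standing problem in ISO/SAE 21434 TARA: the reliance on subjective judgment when assessing attack feasibility in dynamic V2X environments. For Taiwan's automotive suppliers working toward TISAX certification and UNECE WP.29 R155 compliance, this research shows that the shift from qualitative risk assessment to reproducible, data-driven assessment is unavoidable.

Paper source: WOLVES: Window of Opportunity attack feasibility likelihood value estimation through a simulation-based approach (Kamtam, Suraj Harsha; Lu, Qian; Mepparambath, Rakhi Manohar; arXiv, 2025)
Original link: https://doi.org/10.1016/j.cose.2025.104549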

Source Paper

WOLVES: Window of Opportunity attack feasibility likelihood value estimation through a simulation-based approach (Kamtam, Suraj Harsha; Lu, Qian; Mepparambath, Rakhi Manohar; arXiv, 2025)
