
Optimizing Early-Phase Automotive Security Development: ISO/SAE 21434 and TISAX Compliance for Taiwan Suppliers


Winners Consulting Services Co., Ltd. points out that the automotive industry's cybersecurity development process has long faced a fundamental contradiction: vehicle development lifecycles can span five to seven years, while standards like ISO/SAE 21434 and UNECE WP.29 continue to evolve during their formulation. This makes it difficult for companies to establish a solid cybersecurity process foundation in the early design stages. Research published by Christine Jakobs in 2023 systematically addresses this challenge by redesigning the security development process on the left side of the V-Model. It provides a consistent methodology from function-oriented risk analysis to system-level risk assessment, offering direct reference value for Taiwanese automotive supply chain manufacturers in their TISAX certification preparation and ISO/SAE 21434 implementation.

Paper Source: Optimizing the Automotive Security Development Process in Early Process Design Phases (Jakobs, Christine, arXiv, 2023)
Original Link: https://core.ac.uk/download/588359841.pdf

About the Author and This Research

Christine Jakobs (M. Jakobs) is a researcher focusing on automotive systems engineering and functional safety. Her research, published on the arXiv platform, reflects the growing need for dialogue between academia and industry practice. The context of this study is particularly noteworthy: automotive cybersecurity as an independent systems engineering field did not have a comprehensive international standard until the official release of ISO/SAE 21434 in 2021. In the same year, the UNECE WP.29's UN-R155 regulation came into effect, requiring all new vehicle types to comply with Cyber Security Management System (CSMS) requirements. Jakobs' research was formed during this transitional period. Its core question—how to effectively align draft standards with existing corporate development processes—is highly relevant for all Taiwanese manufacturers who began implementing ISO/SAE 21434 between 2021 and 2024.

The study uses the V-Model as the foundational framework for the automotive development process, focusing on the concept design and system requirements analysis phases on the left side. It validates the proposed methodological improvements with specific Use Cases. The research covers four main levels of analysis: security relevance assessment, function-oriented security risk analysis, system-level security risk analysis, and a risk treatment decision framework. This overall structure corresponds closely with the Threat Analysis and Risk Assessment (TARA) requirements in Clause 15 of ISO/SAE 21434.

Optimizing Cybersecurity Processes in the Early V-Model Design Phase: Four Core Findings

The most significant contribution of Jakobs' research is revealing systemic gaps in the early stages of the automotive cybersecurity development process and proposing concrete methods to address them. The study found clear inconsistencies in traditional development processes regarding security relevance identification, function-level threat analysis, and system-level risk integration, which resulted in a lack of a reliable basis for downstream risk treatment decisions.

Core Finding 1: Security Relevance Assessment Must Be Completed Before the Functional Design Phase

The research points out that traditional automotive development processes tend to conduct cybersecurity assessments only after the system architecture is complete. This practice is no longer suitable under the ISO/SAE 21434 framework. The standard requires companies to identify "Security-Relevant Items" during the concept phase to determine which functional domains need to undergo the full TARA process. The security relevance assessment method proposed by Jakobs allows engineers to systematically screen the required functions early in the functional definition stage using predefined criteria. This prevents wasting resources on non-relevant functions while ensuring that truly sensitive functions are not overlooked. This is particularly important for Taiwanese suppliers, as many Tier 2 and Tier 3 suppliers lack sufficient cybersecurity engineering manpower. Accurately defining the assessment scope early on can significantly improve TARA execution efficiency.

Core Finding 2: Function-Oriented Risk Analysis Fills the Granularity Gap in TARA

The TARA method in ISO/SAE 21434 is primarily designed for system-level threat modeling. However, during the functional requirements definition stage, the system architecture is often not yet determined, making it difficult for engineers to effectively perform standardized threat analysis. The "Function-oriented Security Risk Analysis" method proposed by Jakobs establishes a threat category mapping mechanism at the functional requirements level. This enables engineers to conduct a preliminary risk assessment of a function's security attributes (confidentiality, integrity, and availability) without relying on a complete system architecture. Through use case validation, the study demonstrates that the function-oriented method can identify threat vectors that are easily missed in early-stage traditional system-level analysis, especially those involving data flow integrity across functional domains.

Core Finding 3: Attacker Model Classification Needs to Be Synchronized with System Boundary Definition

Appendix A of the study presents a set of attacker model categories and a rating framework, which is of direct practical value to practitioners. Jakobs points out that the assessment of an attacker's capabilities (including the four dimensions of knowledge, resources, opportunity, and motivation) must be conducted immediately after the system boundary is defined, rather than waiting until the later stages of risk assessment. This aligns with the requirements for attack path analysis in Clause 15.3 of ISO/SAE 21434, but the research further refines the operational definitions of attacker categories, allowing engineers to more consistently evaluate the feasibility ratings of different attack scenarios.

Core Finding 4: The Risk Treatment Decision Framework Must Integrate Both Safety and Security Considerations

The risk treatment framework proposed in Chapter 10 of the study specifically emphasizes "dependability" as an umbrella concept to unify safety and security considerations. This perspective has significant practical implications for Taiwanese automotive suppliers: in systems where both ISO 26262 functional safety and ISO/SAE 21434 cybersecurity apply, risk treatment decisions cannot be made in isolation. They must consider the potential impact of security measures on functional safety requirements and the possibility of functional safety mechanisms being exploited by cybersecurity vulnerabilities.

Implications for Automotive Cybersecurity Practices in Taiwan: Early Process Design is Key to Compliance

The Taiwanese automotive supply chain is currently experiencing a rapid increase in demand for TISAX certification, with many Tier 1 suppliers now requiring their Tier 2 and Tier 3 suppliers to provide proof of cybersecurity capabilities. Jakobs' research reveals a common challenge faced by Taiwanese companies when implementing ISO/SAE 21434: cybersecurity activities are often treated as "supplementary work" in the later stages of development, rather than as a core process integrated into early design decisions. This approach not only leads to significant design change costs later on but also makes it difficult to pass the systematic requirements for "process capability" in TISAX assessments.

Specifically, the UNECE WP.29's UN-R155 regulation requires vehicle manufacturers to establish a Cyber Security Management System (CSMS) that covers the entire supply chain, and ISO/SAE 21434 provides the technical implementation framework for this system. If Taiwanese suppliers wish to continue supplying the European market, they must be able to provide customers with cybersecurity engineering evidence that complies with ISO/SAE 21434, including risk analysis records from the early design stages. The function-oriented analysis method proposed in Jakobs' research is an effective tool for filling this evidence chain.

It is worth noting that the research has a methodological limitation that Taiwanese companies should carefully consider: Jakobs' study focuses on the left side of the V-Model and gives less attention to post-production continuous monitoring and incident response (corresponding to Clause 8 of ISO/SAE 21434 on continuous cybersecurity activities). When referencing this methodology, Taiwanese suppliers need to simultaneously establish post-production vulnerability management and security update mechanisms to meet full compliance requirements.

Furthermore, the unique structure of the Taiwanese automotive supply chain (dominated by small and medium-sized suppliers with relatively limited cybersecurity expertise) means that the principles of "consistency, completeness, and efficiency" proposed in the research need further adaptation in the Taiwanese context. In particular, Taiwanese manufacturers require more detailed process designs for cross-supplier TARA collaboration than the single-enterprise scenario envisioned in the study.

How Winners Consulting Helps Taiwanese Companies Transform Early Process Design into TISAX Certification Capabilities

Winners Consulting Services Co., Ltd. assists Taiwanese automotive supply chain manufacturers in obtaining TISAX certification, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. To address the early process design challenges revealed by Jakobs' research, Winners Consulting offers the following three specific consulting support services:

  1. Implementation of Security Relevance Assessment Tools (Months 1-2): We help companies establish asset identification and security relevance judgment criteria that comply with ISO/SAE 21434 Clause 15. This ensures that the TARA scope is accurately defined during the concept phase, avoiding compliance risks and resource waste caused by scope creep later on. Our assessment framework is already aligned with the "VDA ISA 6.0" control requirements in TISAX assessments, ensuring that companies build ISO/SAE 21434 compliance evidence while preparing for TISAX certification.
  2. Function-Oriented TARA Workshops (Months 2-5): Based on the function-oriented analysis method from Jakobs' research and tailored to the actual product contexts of Taiwanese suppliers (e.g., ECU design, in-vehicle communication modules, ADAS systems), we design a TARA workflow suitable for small and medium-sized engineering teams. The workshops are driven by specific use cases to ensure that engineers can independently perform standardized threat analysis and risk assessment after completing the training.
  3. Establishment of Post-Production Continuous Compliance Mechanisms (Months 6-12): Addressing the post-production phase not fully covered in Jakobs' research, we assist companies in establishing vulnerability monitoring, security patch management, and incident response processes. This corresponds to the requirements of ISO/SAE 21434 Clause 8 and ensures continuous compliance during the TISAX certification maintenance period. The monitoring metrics framework provided by Winners Consulting enables companies to demonstrate the effectiveness of their cybersecurity management to customers and auditors in a quantifiable manner.

Winners Consulting Services Co., Ltd. offers a free automotive cybersecurity mechanism diagnosis to help Taiwanese companies establish TISAX-compliant management systems within 7 to 12 months.

Frequently Asked Questions

In the automotive cybersecurity development process, how does 'function-oriented risk analysis' differ from traditional TARA? How should Taiwanese suppliers choose?

Function-oriented risk analysis is a threat assessment conducted during the early design phase before the system architecture is finalized, whereas traditional TARA (Threat Analysis and Risk Assessment) typically relies on completed system architecture and data flow diagrams. They are not mutually exclusive but are complementary tools for different development stages. Taiwanese suppliers are advised to initiate function-oriented analysis during the concept phase (corresponding to ISO/SAE 21434 Clause 9) to establish early risk identification records. This can then be followed by a full TARA during the system design phase. This phased approach effectively shortens the overall TARA execution time and provides evidence of cybersecurity activities covering the entire development lifecycle for TISAX certification, meeting the process-oriented assessment requirements of VDA ISA 6.0.

When Taiwanese companies implement ISO/SAE 21434, what are the most common gaps identified during TISAX assessments?

Based on Winners Consulting's experience, the most common gaps for Taiwanese companies in TISAX assessments fall into three areas. First, cybersecurity activities are not systematically embedded into the development process, failing to meet the organizational cybersecurity management requirements of ISO/SAE 21434. Second, there is a lack of a structured mechanism for supply chain cybersecurity management, resulting in an inability to provide records of cybersecurity capability assessments for downstream suppliers, whereas UN-R155 explicitly holds OEMs responsible for the entire supply chain's CSMS. Third, post-production vulnerability management processes are incomplete, lacking systematic monitoring of CVE databases and procedures for releasing security patches, which is a key audit item for TISAX Assessment Level 2 and above.

How long does it take to obtain TISAX certification? What are the specific steps?

The timeline for TISAX (Trusted Information Security Assessment Exchange) certification varies depending on company size and existing cybersecurity maturity, but a typical implementation cycle for a medium-sized Taiwanese automotive supplier is 7 to 12 months. The process generally involves these steps: Months 1-2, conduct a gap analysis against VDA ISA 6.0 controls to identify deficiencies. Months 3-5, design and establish the required cybersecurity management system, including TARA processes and supplier management policies. Months 6-9, implement the system, conduct employee training, and establish monitoring metrics. Months 10-12, perform an internal audit and undergo the formal TISAX assessment by an accredited audit provider. After certification, a re-assessment is required every three years, and continuous compliance must be maintained.

How many resources do small and medium-sized Taiwanese automotive suppliers need to invest to implement ISO/SAE 21434?

For a medium-sized Taiwanese automotive supplier with 100 to 500 employees, the primary investment for implementing ISO/SAE 21434 includes one to two dedicated cybersecurity engineers, TARA tool licensing fees, and external consulting fees. Based on Winners Consulting's case studies, the total cost from initial implementation to the first TISAX certification typically ranges from TWD 2 million to 5 million, depending on product complexity and existing process maturity. In terms of benefits, Taiwanese suppliers with TISAX certification often receive new contract inquiries from European or Japanese Tier 1 suppliers within six months. The return on investment period is approximately 12 to 24 months. It is also recommended that companies assess the risk of losing customers due to non-compliance when evaluating costs.

Why choose Winners Consulting Services for assistance with automotive cybersecurity (AUTO) issues?

Winners Consulting Services Co., Ltd. is one of the few professional firms in Taiwan with both technical consulting expertise in ISO/SAE 21434 and practical experience in TISAX certification coaching. Our team has a deep understanding of automotive development processes (V-Model, ASPICE), enabling us to effectively integrate ISO/SAE 21434 cybersecurity requirements into existing engineering practices rather than adding them as patches. Our services cover the entire lifecycle, from TARA methodology implementation and supply chain security management design to post-production vulnerability monitoring. Winners Consulting offers a free mechanism diagnosis, providing an objective assessment based on VDA ISA 6.0 before formal implementation, which reduces investment uncertainty and helps companies achieve TISAX compliance within 7 to 12 months.
