
Quantifying Systemic Cyber Impact in Connected Vehicles: Key Extensions to ISO/SAE 21434 TARA


Winners Consulting Services Co., Ltd. points out that a recent study has revealed a critical blind spot: the current Threat Analysis and Risk Assessment (TARA) framework of the ISO/SAE 21434 standard is still scoped to a single-vehicle boundary. This limitation prevents it from capturing the cascading effects that a compromised connected vehicle can trigger at the traffic system level—a systemic risk gap that is often overlooked by Taiwanese automotive suppliers during their TISAX certification and UNECE WP.29 compliance processes.

Source Paper: A Quantitative Methodology for Systemic Impact Assessment of Cyber Threats in Connected Vehicles (Jayaratne, Don Nalin Dharshana; Lu, Qian; Mepparambath, Rakhi Manohar, arXiv, 2026)
Original Link: https://doi.org/10.1016/j.cose.2025.104729


About the Authors and This Research

This paper was co-authored by three researchers. The first author, Don Nalin Dharshana Jayaratne, is an emerging researcher with an h-index of 1 and 4 citations. However, his focus on the quantitative assessment of systemic cybersecurity in connected vehicles directly addresses a gap in the existing academic literature. The second author, Qian Lu, with an h-index of 4 and 88 citations, has a more established academic background in transportation system modeling and cybersecurity, providing the core support for the study's quantitative methodology. The third author, Rakhi Manohar Mepparambath, has been deeply involved in research on vehicle communications and V2X technology.

The background of this paper is particularly noteworthy. With the rapid proliferation of Connected and Automated Vehicles (CAV) technology, traditional cybersecurity assessment methods focused on a single vehicle are no longer adequate to reflect the systemic impact of cyberattacks on the entire traffic system. The research team used simulations to recreate three realistic attack scenarios and measured their actual impact on the transportation network using quantitative metrics. This approach is academically forward-looking and holds reference value for policymaking and standard revisions.

It is important to be transparent with Taiwanese business executives: as the first author's academic track record is still in its early stages, the simulation scenario design and statistical validation methods in this study have room for improvement. Readers should view it as an important starting point for exploratory research rather than the final word on a mature methodology, and apply its findings in conjunction with existing standard frameworks.

The Systemic Gap in ISO/SAE 21434: Quantifying the Traffic-Level Cascading Effects of Connected Vehicles for the First Time

This research answers a question that current standards tend to avoid: what happens to the entire traffic system when one car is hacked? The research team constructed three attack scenarios through simulation and defined two sets of quantitative metrics: the "systemic operational impact vector" and the "systemic safety impact vector." This represents the first attempt to use repeatable and comparable data to fill the assessment gap in Threat Analysis and Risk Assessment (TARA) at the system level.

Key Finding 1: Remotely Triggered Emergency Braking Can Cause Multi-Vehicle Pile-ups, with Impacts Far Exceeding the Single-Vehicle Boundary

Scenario one simulates a hacker triggering a vehicle's emergency brake via its telematics system. The results show that a chain-reaction collision can quickly spread to multiple following vehicles, causing a systemic safety event. Scenario two targets a section of the M25 motorway in the UK, simulating a hacker remotely disabling vehicles, leading to a sharp drop in traffic capacity in that section. This demonstrates that a single-point attack can cause a network-level traffic collapse. Together, these two scenarios illustrate that if the impact assessment in the current ISO/SAE 21434 remains confined to the vehicle boundary, it will systematically underestimate the true level of risk.

Key Finding 2: Spoofed Signal Attacks from Compromised Roadside Units (RSUs) Pose the Highest Risk to the Traffic System

Scenario three focuses on a compromised Roadside Unit (RSU) broadcasting forged Variable Speed Limit (VSL) signals and false lane closure messages to Connected and Automated Vehicles (CAVs). The simulation results indicate that such attacks cause far greater traffic flow disruption and safety risks than attacks at the single-vehicle level. This has direct policy implications for Taiwan's ongoing V2X infrastructure planning and introduces new practical requirements for suppliers on how to incorporate risk assessment of V2X communication nodes into their vulnerability and incident handling processes.

The constructive contribution of this research is that the proposed quantitative framework does not replace ISO/SAE 21434 but rather supplements it with an objective basis for its impact rating step. This reduces the subjectivity of the assessor's judgment and enhances the repeatability and defensibility of the TARA process.

Implications for Automotive Cybersecurity in Taiwan: Suppliers Must Look Beyond the Vehicle Boundary

In their journey towards TISAX certification and ISO/SAE 21434 compliance, Taiwanese automotive suppliers commonly face a shared blind spot: their risk assessment boundaries are too conservative, typically limited to "my component, my system." They often overlook the rapidly escalating demands from Original Equipment Manufacturer (OEM) customers for systemic impact assessments.

This research has at least three practical implications for Taiwanese companies:

First, the boundaries of TARA need to be re-examined. UNECE WP.29 (UN Regulation No. 155) requires manufacturers to establish a Cyber Security Management System (CSMS) for the entire vehicle lifecycle, which explicitly includes assessing "cybersecurity risks in the supply chain." This study serves as a reminder that if the risk assessment reports submitted by Taiwanese component suppliers to OEMs fail to address the potential cascading effects their products could trigger at a systemic level, they will face increasing scrutiny from customers.

Second, V2X communication component manufacturers face the most direct impact. Scenario three of the study clearly identifies RSUs as high-risk attack nodes. Taiwanese companies developing V2X communication modules, RSU components, or related firmware should incorporate a traffic-system-level impact vector analysis into their ISO/SAE 21434 TARA process, rather than merely inventorying assets within the vehicle's internal network.

Third, CISA's recent alert (AA25-343A) regarding pro-Russian hacker groups targeting critical infrastructure reinforces the policy context of this research. Transportation infrastructure is classified as critical, and the cybersecurity resilience of the connected vehicle ecosystem is no longer a compliance issue for a single company but a systemic risk that the entire industry chain must address collectively. When strengthening their incident handling mechanisms, Taiwanese companies should incorporate traffic-system-level cascading effects into their scenario planning.

How Winners Consulting Services Helps Taiwanese Companies Build Systemic Vehicle Cybersecurity Assessment Capabilities

Winners Consulting Services Co., Ltd. assists Taiwanese automotive suppliers in achieving TISAX certification, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. In response to the systemic risk gap revealed by this research, we offer the following specific assistance:

  1. Expanding TARA Boundaries to the System Level: We help Taiwanese companies add qualitative and quantitative assessment steps for "systemic impact vectors" to their existing ISO/SAE 21434 TARA process, ensuring their risk assessment reports can pass OEM second-party audits and meet the CSMS requirements of UNECE WP.29 UN R155.
  2. Cybersecurity Threat Modeling for V2X and Connected Components: For Taiwanese companies involved in V2X communication modules, RSU components, or OTA update mechanisms, we provide scenario-based threat modeling services to identify cross-domain attack surfaces between roadside equipment and in-vehicle systems, establishing a defensible basis for impact ratings.
  3. Gap Analysis and Action Roadmap for TISAX Certification: With a target implementation timeline of 7 to 12 months, we guide companies through the entire process from current state diagnosis, system design, and personnel training to TISAX assessment application, reducing the risk of failing the initial assessment.

Winners Consulting Services Co., Ltd. offers a free automotive cybersecurity framework diagnosis to help Taiwanese companies establish a TISAX-compliant management system within 7 to 12 months.


Frequently Asked Questions

Is the TARA process in ISO/SAE 21434 sufficient to address the systemic attack risks of connected vehicles?
The current ISO/SAE 21434 TARA process is not sufficient on its own, as it is scoped to a single-vehicle boundary. While it provides a robust framework for identifying threats to in-vehicle assets, the standard itself does not offer a quantitative method for assessing systemic, cascading effects across multiple vehicles and the broader road network. This research proposes a supplementary framework to fill this gap. We recommend that Taiwanese suppliers proactively add traffic-system-level impact scenario analysis to their TARA impact rating step, especially for product lines involving V2X communication, OTA updates, or remote diagnostics. This not only enhances the defensibility of TARA documentation but also preemptively addresses the growing number of OEM inquiries about systemic risks during supplier audits.
What are the most common practical challenges for Taiwanese automotive suppliers when implementing ISO/SAE 21434?
Taiwanese suppliers typically face three main challenges. First, they often misapply ISO 27001 IT security risk assessment methods directly to the TARA process, overlooking the fundamental differences of automotive attack surfaces like CAN bus, OBD-II, and V2X communication. This results in compliant documentation but poor-quality risk assessment. Second, a lack of in-house personnel with automotive cybersecurity expertise makes it difficult to independently conduct TARA and vulnerability analysis. Third, there is often a poor understanding of the relationship between UNECE WP.29 R155's CSMS requirements and ISO/SAE 21434, leading to documentation structures that fail OEM second-party audits. We advise clarifying these three points early in the implementation to avoid extensive rework later.
What are the core requirements of TISAX certification, and how long does it typically take for Taiwanese companies to implement?
TISAX (Trusted Information Security Assessment Exchange) is the European automotive industry's information security standard, centered on the VDA ISA questionnaire. It covers three assessment objectives: information security, prototype protection, and data protection. For most mid-sized Taiwanese suppliers, a reasonable timeline from project kickoff to completing the initial TISAX assessment is 9 to 12 months. This includes 3 months for a gap analysis, 4 to 6 months for establishing the management system and documentation, and a final 2 to 3 months for internal audits and assessment preparation. If implementing ISO/SAE 21434 concurrently, the significant overlap in the foundational information security management system can lead to considerable resource savings.
What is the typical resource investment required to implement TISAX and ISO/SAE 21434?
The required resource investment varies significantly based on company size and existing ISO 27001 maturity. For a mid-sized Taiwanese supplier (200-500 employees) with an existing ISO 27001 certification, the additional investment for TISAX is estimated at 6 to 12 person-months, plus external consulting fees. If implementing ISO/SAE 21434 concurrently, the primary costs are associated with establishing the TARA methodology and personnel training. In terms of benefits, TISAX certification significantly increases the success rate of qualification audits for European OEM supply chains and reduces the preparation costs for individual customer audits. We recommend that Taiwanese companies include market access opportunities in their ROI calculation when evaluating this compliance investment.
Why choose Winners Consulting Services for automotive cybersecurity (AUTO) matters?
Winners Consulting Services Co., Ltd. possesses interdisciplinary expertise in Taiwan's automotive cybersecurity landscape, with practical familiarity across the three core frameworks: TISAX, ISO/SAE 21434, and UNECE WP.29. We also actively monitor the impact of emerging European regulations like the EU CRA on Taiwanese auto parts manufacturers. Our focus extends beyond just completing compliance documentation; we emphasize building sustainable, in-house cybersecurity management capabilities to ensure long-term conformity after certification. For suppliers needing to address audit requirements from multiple OEMs simultaneously, we provide integrated consulting services to establish a defensible and scalable automotive cybersecurity framework with the most efficient resource allocation.
