Mastering TARA: Threat Analysis and Risk Assessment According to ISO 21434

As vehicles become increasingly connected and autonomous, cybersecurity risks are a growing concern for the automotive industry. ISO 21434, the global standard for automotive cybersecurity engineering, emphasizes Threat Analysis and Risk Assessment (TARA) as a foundational methodology for identifying, assessing, and mitigating cyber threats. This article explores the TARA methodology in depth and demonstrates its application using a practical example.

What is TARA?

TARA, short for Threat Analysis and Risk Assessment, is a systematic approach to evaluating potential threats to a vehicle's cybersecurity. It helps manufacturers prioritize risks based on their potential impact and likelihood, ensuring efficient resource allocation to protect critical assets.

Goals of TARA

  • Identify potential threats and vulnerabilities.
  • Assess the risks associated with these threats.
  • Develop mitigation strategies to reduce the risks to an acceptable level.

TARA is a cornerstone of ISO 21434, aligning with its focus on a risk-based approach to cybersecurity throughout a vehicle’s lifecycle.

Steps in TARA Methodology

1. Asset Identification

  • Identify the assets in a vehicle that require protection, such as data, software, communication channels, or hardware components.
  • Example: The Electronic Control Unit (ECU) responsible for braking functions.

2. Threat Identification

  • Analyze how an asset could be compromised, considering potential attack vectors.
  • Example Threat: Remote access to the braking ECU via a wireless communication interface.

3. Impact Assessment

  • Evaluate the consequences of a successful attack on an asset.
  • Metrics include safety, financial loss, operational disruption, and legal implications.
  • Example: Loss of control over braking could result in accidents, posing significant safety risks.

4. Attack Feasibility Analysis

  • Assess the likelihood of an attack by considering factors like attacker skill level, resource availability, and system vulnerabilities.
  • Example: A highly skilled attacker exploiting an unpatched vulnerability in the ECU firmware.

5. Risk Determination

  • Combine impact and likelihood to estimate the overall risk level.
  • Risk can be quantified using a matrix or scoring system.

6. Risk Treatment

  • Develop strategies to mitigate identified risks, such as implementing technical controls, updating policies, or redesigning the system.

Demonstrating TARA: An Example Scenario

Scenario: Protecting a Vehicle’s Keyless Entry System

Asset Identification

  • Asset: Keyless entry system and associated cryptographic keys.

Threat Identification

  • Threat: Relay attacks where attackers amplify key fob signals to unlock the car from a distance.

Impact Assessment

  • Impact: Unauthorized access to the vehicle could lead to theft or privacy violations.
  • Safety Risk: Minimal, as the vehicle is stationary during the attack.
  • Financial Loss: High, considering potential theft.

Attack Feasibility Analysis

  • Feasibility: Medium to High. Relay attacks require moderate technical knowledge and equipment.
  • System Vulnerability: Keyless systems are inherently susceptible to signal amplification.

Risk Determination

  • Impact Score: High.
  • Likelihood Score: Medium.
  • Risk Level: High.

Risk Treatment

Technical Mitigation:

  • Implement ultra-wideband (UWB) technology to verify proximity accurately.
  • Introduce key fob motion detectors to disable signals when stationary.

Process Mitigation:

  • Educate consumers on storing key fobs in signal-blocking pouches.

Policy Mitigation:

  • Regularly update firmware to address emerging threats.
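
The risk determination and treatment steps applied to the relay-attack scenario, as an added example that is not part of the original article or of ISO 21434. The mapping of "minimal" to Low, the matrix values, the acceptance threshold and the likelihood after UWB are assumptions, chosen so that the article's scores (impact High, likelihood Medium, risk High) are reproduced.

```python
# Added example: not from the article or ISO 21434. The scale, matrix values
# and acceptance threshold below are assumptions for illustration.
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]  # ordinal scale used in the article's scenario
# Assumed 3x3 risk matrix: RISK_MATRIX[impact][likelihood] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}
ACCEPTABLE = "Medium"  # assumed threshold: risk above this needs treatment


@dataclass
class ThreatScenario:
    asset: str
    threat: str
    impacts: dict       # per-category ratings, e.g. {"safety": "Low", ...}
    likelihood: str     # attack feasibility rating

    def impact(self) -> str:
        # Overall impact is the worst rating across all categories.
        return max(self.impacts.values(), key=LEVELS.index)

    def risk(self) -> str:
        return RISK_MATRIX[self.impact()][self.likelihood]

    def needs_treatment(self) -> bool:
        return LEVELS.index(self.risk()) > LEVELS.index(ACCEPTABLE)


def residual(scenario: ThreatScenario, new_likelihood: str) -> ThreatScenario:
    # A control that makes the attack harder lowers likelihood, not impact.
    return ThreatScenario(scenario.asset, scenario.threat,
                          dict(scenario.impacts), new_likelihood)


relay = ThreatScenario(
    asset="Keyless entry system and cryptographic keys",
    threat="Relay attack amplifying key fob signals",
    impacts={"safety": "Low", "financial": "High"},  # article: minimal / high
    likelihood="Medium",                             # article's likelihood score
)
after_uwb = residual(relay, "Low")  # assumed effect of UWB proximity checks

if __name__ == "__main__":
    for label, s in (("initial", relay), ("after UWB", after_uwb)):
        print(label, s.impact(), s.likelihood, s.risk(), s.needs_treatment())
```

Taking the worst category rating as the overall impact keeps a single high-consequence category from being averaged away by low ratings elsewhere.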

TARA’s Value in Automotive Cybersecurity

  • Structured Approach: Offers a clear framework for systematically identifying and addressing risks.
  • Resource Optimization: Helps allocate resources effectively by prioritizing high-risk areas.
  • Regulatory Compliance: Ensures alignment with global standards like ISO 21434 and UNECE WP.29.
  • Enhanced Security: Strengthens the vehicle ecosystem against evolving cyber threats.

Conclusion

TARA is an indispensable tool for managing cybersecurity in modern vehicles. By systematically identifying, analyzing, and mitigating risks, it ensures that automakers can build resilient systems that protect both drivers and passengers. When integrated with standards like ISO 21434, TARA not only enhances security but also fosters trust in the evolving landscape of connected and autonomous vehicles.
