Threat Analysis and Risk Assessment (TARA) for implementers guide for ECUs.


“If you know the enemy and know yourself, you need not fear the result of a hundred battles”.

What and why of TARA?

In the automotive industry, cybersecurity is governed by the following two standards bodies; depending on the market, car manufacturers require their ECU suppliers to comply with them.

  • ISO/SAE 21434 is a standard developed collaboratively by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) to address cybersecurity risk management in road vehicles. "ISO/SAE 21434: Road vehicles — Cybersecurity engineering" provides a structured framework for managing cybersecurity risks across the entire lifecycle of automotive systems, from initial concept through production, operation, maintenance, and eventual decommissioning.
  • UNECE WP.29 R155 is a cybersecurity regulation established by the United Nations Economic Commission for Europe (UNECE) that provides mandatory requirements for cybersecurity in road vehicles. Formally known as "UNECE WP.29 Regulation No. 155 (R155) on Cyber Security and Cyber Security Management System," this regulation mandates that automotive manufacturers implement cybersecurity management systems (CSMS) to ensure the cybersecurity of vehicles throughout their lifecycle, from design to decommissioning.

Threat Analysis and Risk Assessment (TARA) is a cybersecurity process used in the automotive industry and other safety-critical domains to identify and assess potential threats and risks to a system, like a vehicle's electronic control units (ECUs), communication networks, or software components.

The TARA process ensures that cybersecurity measures are adequately designed to address the relevant risks, supporting regulatory compliance and improving system resilience. The goal of TARA is to pinpoint the vulnerabilities within an ECU architecture, its communication network and its software architecture, and to develop strategies to reduce the risk of exploitation.

What is achieved by TARA?

  • Asset identification: determine the security properties of each asset and the damage scenarios.
  • Impact measurement: measure the impact of the damage scenarios, from negligible to severe.
  • Threat identification: identify the threats leading to the damage scenarios.
  • Protective measures: develop tailored protective measures specific to the identified risks.
  • Security measures monitoring: continuously monitor and adapt the security measures to keep pace with new threats.

Workflow of the Risk analysis

  1. Define the threat types and a severity and likelihood scale for your products that will allow you to make decisions. Identify the stakeholders owning these risks.
  2. Identify assets and threats.
  3. Privacy Threshold Analysis, Privacy Threat Analysis.
  4. Risk Assessment Report.
  5. Risk Treatment (mapping the risks to requirements, decision matrix and conclusion, ready for audit).

Tools for doing TARA.

Below are tools that provide different capabilities for different steps, connecting your TARA workflow to make your life easier depending on the complexity you are handling.

  • ESCRYPT CycurRISK: identifies and analyzes potential attack surfaces in automotive systems. It can be used to prioritize risks and countermeasures and to create a security concept.
  • itemis SECURE: supports TARA throughout the life cycle of vehicles. It complies with ISO/SAE 21434 and UNECE WP.29 R155.
  • Ansys medini analyze: allows users to perform functional safety analysis and cybersecurity analysis in one project. It can also create reports in any format to summarize the TARA, attack trees, and security requirements.
  • VERZEUSE: an ISO/SAE 21434-compliant threat analysis system that automates the threat analysis process.
  • EnCo SOX: has a modular design and bidirectional cross-module capabilities. It allows users to create or edit requirements in the Requirements module, which can then be used in the TARA.
  • Security AutoDesigner: performs threat analysis and risk assessment for vehicle architectures, systems, and components. It supports the creation of work products that comply with the regulations.

At vehicle level, tools are more efficient, as they model the standards and provide a standard library and a generic threat library.

Using a tool to conduct an ECU threat analysis brings efficiency, but it also presents several limitations and challenges. Here are some common issues that may arise when relying heavily on a tool.

In my personal experience, tools may lack contextual understanding: they may lack insight into the specific functional and operational context of the ECU system. They often rely on pre-defined threat models that may not fully capture the ECU's unique environment, use cases, or interactions with other components inside the ECU or in the vehicle. They set boundaries. If the situation is complex, tools can struggle to accurately model and analyze these interdependencies. One more issue is that you now need to understand the tool, and you lose focus on the subject.

This may also be dictated by the organizational QA level. Tool or no tool, the fundamentals of risk analysis are the same.

TARA practical way...

The TARA framework is a tool that helps to assess risks and decide how to manage them. To do so, it classifies risks according to two variables:

  • The Probability of these Risks occurring.
  • The Impact these Risks would have.

This defines four scenarios, depending on whether these variables have high or low values.

  1. You should take all the measures you can; if, as a result, the probability is still high and the impact is low, then once the probability is reduced people are willing to share the risk. You can take a decision accordingly.
  2. You should take all the measures you can; if, as a result, probability and impact are both still high, you should not even analyze the potential gains. This risk simply cannot be taken.
  3. Your main goal is not to have a large exposure to the risk. You should always take the utmost care here to reduce the impact.
  4. You should only worry about the outcome of the impact, not about the risk.

Doing a risk analysis: a practical example.

Example use case: the most common example is external or internal entry to the ECU in question. With the SDV (software-defined vehicle) architecture, most of the time the TCU provides the direct access path through which the ECU communicates over a communication channel. The use case considered here is spoofing by an external entity.

There are many possibilities; we choose one condition from the use-case example: “OEM backend server (an OMA-DM server, maybe) compromised by an attacker; this may lead to unauthorized access by a spoofed SMS sender to the ECU software, which relies on a standard authentication mechanism to identify the external entity it works with”.

Define threat types, the severity and likelihood scale, and the stakeholders.

Start by defining the stakeholders (OEM, end user, ...), the threat class (spoofing, ...) and the asset in target, say the SMS handler. Could this cause financial and operational damage? Could privacy and legislation be compromised? Also identify what the effect is. Record these things in the tool you are using. These decisions and findings should help you make your decisions.

Identifying Assets and Threats

Start identifying assets: the SMS handler, as indicated above, is the main component, but it is connected to many others, and the real work is done here to make sure the process in focus is secure enough. A tool may help you, but judge for yourself whether the tool is enough.

Example: [Figure: Asset diagram]

Here you start your analysis for threat identification. The aim here is to find the scores for safety, financial damage, operational damage, and privacy and legislation issues.

There may be a lot going on here depending on the use case; many processes come together to make the use case happen. Up to here we were only scratching the surface; from here on you start seeing the issues and the results.
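The scoring and treatment steps described above (the four high/low probability-and-impact scenarios, and the safety, financial, operational and privacy scores for the SMS-handler use case) as a worked example in Python. This is an added illustration, not code from the original article or from any of the tools listed; the ordinal scales, the risk matrix, the "high means the upper two levels" rule, the sample scenarios and the SEC-REQ requirement ids are all constructed assumptions for this example, not the tables of ISO/SAE 21434.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed ordinal scales (constructed for this example).
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Constructed risk matrix, NOT the table from ISO/SAE 21434:
# rows = overall impact level, columns = attack feasibility, cell = risk value 1..5.
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible impact
    [1, 2, 2, 3],  # moderate impact
    [2, 3, 4, 4],  # major impact
    [3, 4, 5, 5],  # severe impact
]


@dataclass
class DamageScenario:
    """One asset/threat pairing with its four impact ratings and its attack feasibility."""
    asset: str
    threat: str
    stakeholders: List[str]
    safety: str        # impact level per category, one of IMPACT_LEVELS
    financial: str
    operational: str
    privacy: str
    feasibility: str   # one of FEASIBILITY_LEVELS (the "probability" axis)

    def impact_index(self) -> int:
        # Overall impact is the worst of the four categories.
        return max(IMPACT_LEVELS.index(v)
                   for v in (self.safety, self.financial, self.operational, self.privacy))

    def feasibility_index(self) -> int:
        return FEASIBILITY_LEVELS.index(self.feasibility)

    def risk_value(self) -> int:
        return RISK_MATRIX[self.impact_index()][self.feasibility_index()]


def treatment(s: DamageScenario) -> str:
    """Map the four high/low probability-impact scenarios to a treatment decision.

    "High" means the upper two levels of each scale (an assumption of this example).
    """
    high_prob = s.feasibility_index() >= 2
    high_impact = s.impact_index() >= 2
    if high_prob and high_impact:
        return "avoid"    # both still high: the risk cannot be taken
    if high_prob:
        return "share"    # reduce the probability, then share the residual risk
    if high_impact:
        return "reduce"   # limit exposure: controls aimed at the impact
    return "retain"       # only track the outcome


def assess(scenarios: List[DamageScenario]) -> List[Dict[str, object]]:
    """Build risk-report rows, highest risk first, each mapped to a placeholder requirement id."""
    ranked = sorted(scenarios, key=lambda s: -s.risk_value())  # stable sort keeps input order on ties
    rows = []
    for n, s in enumerate(ranked, start=1):
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "stakeholders": ", ".join(s.stakeholders),
            "impact": IMPACT_LEVELS[s.impact_index()],
            "feasibility": s.feasibility,
            "risk": s.risk_value(),
            "treatment": treatment(s),
            "requirement": f"SEC-REQ-{n:03d}",  # constructed placeholder id
        })
    return rows


# Constructed sample scenarios around the SMS-handler use case.
EXAMPLE_SCENARIOS = [
    DamageScenario("SMS handler", "spoofed SMS via compromised OEM backend",
                   ["OEM", "end user"], "moderate", "major", "major", "moderate", "medium"),
    DamageScenario("Diagnostic log export", "disclosure of stored logs",
                   ["end user"], "negligible", "moderate", "negligible", "major", "low"),
    DamageScenario("Vehicle status telemetry", "tampering with reported values",
                   ["OEM"], "moderate", "moderate", "moderate", "moderate", "high"),
    DamageScenario("Config parameter read", "unauthorised read of non-personal config",
                   ["OEM"], "negligible", "negligible", "negligible", "negligible", "very low"),
]

if __name__ == "__main__":
    for row in assess(EXAMPLE_SCENARIOS):
        print(f"{row['risk']}  {row['treatment']:6}  {row['requirement']}  "
              f"{row['asset']}: {row['threat']}")
```

Running the block lists the SMS-handler scenario first with risk value 4 and treatment "avoid", which is the second of the four scenarios above (probability and impact both high). Taking the worst of the four impact categories as the overall impact is the conservative choice; if your organisation's scale weights the categories differently, replace `impact_index` and keep the rest.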

Penetration testing for embedded systems in Operational Technology (OT) environments involves several specialized techniques to ensure the security and reliability of these critical systems.

  • Vulnerability scanning: automated tools scan for known vulnerabilities in the embedded systems and network components.
  • Network mapping: identifying and mapping the network topology to understand the communication paths and potential entry points for attackers.
  • Traffic analysis: analysis of all branches of the communication, and of its patterns where needed.
  • White-box testing, if needed, to identify code paths, loops, buffer overflows, exceptions, …
  • Black-box/gray-box testing, if white-box testing is not the aim of the test, depending on who is doing it.
  • Wireless security: evaluating the security of the wireless communications used by the embedded systems to ensure they are not susceptible to interception or tampering.

If such a test has been done, use its report, or ask the design team to come up with the details for their system. We shall discuss these in detail in future posts.

Privacy Threshold Analysis, Privacy Threat Analysis

Privacy Threshold Analysis (PTA) is a preliminary assessment used to determine whether a system, project, or process involves the collection, use, or storage of Personally Identifiable Information (PII) and, if so, whether further privacy analysis is required, such as a Privacy Threat Analysis.

Refer to the tools and ask questions like: collection, for example, is user data collected with consent? Storage: does the user allow you to store the data, and what is the purpose of this personal data? Are you archiving this data or passing it to another process or an external entity?

Risk Assessment Report.

A security risk assessment report for Operational Technology (OT) devices typically covers several key areas to ensure comprehensive evaluation and mitigation of risks.

Here are the main topics: asset inventory, threat landscape, vulnerability assessment, risk matrix, recommendations, and compliance issues if any. The report should contain all the specific needs of the system and sub-systems and the assessed risks.

Here you map the risks to requirements and make sure that you meet the specs. The threat matrix is used to decide on action if the system needs improvement, and on the reassessment after the audit that decides whether the system or sub-system is usable.

I hope this gives you a practical idea of what is achieved in TARA and what benefits it brings to the product. Depending on the tool used, you may need more tool-specific learning.
