The Threat Analysis and Risk Assessment (TARA) methodology is, in principle, an excellent idea. As a specific work product of ISO/SAE 21434, it has established itself as an indispensable tool for ensuring cyber security in the automotive industry for both OEMs and suppliers.
Jan-Peter von Hunnius
As modern vehicles become increasingly connected and autonomous (among other capabilities), the complexity of the systems and components used increases, and so does the potential threat landscape.
Although the industry’s love-hate relationship with Excel has been enhanced by a number of advanced tools for managing the TARA process, there are still plenty of shortcomings that overshadow the day-to-day TARA work of automotive engineers and cybersecurity experts.
These challenges are not just minor stumbling blocks, but are often tangible obstacles to effective threat management and consistent risk assessment across the value chain.
Here is a look at five of the most pressing challenges we encounter in practice, along with some initial thinking on possible improvements. Let’s get started.
The challenges of cybersecurity collaboration between suppliers and customers in the automotive ecosystem
Collaboration between suppliers and customers in the multi-layered automotive industry comes with numerous inherent challenges, and cybersecurity is emerging as a critical one. This is particularly pertinent given the industry’s increasing reliance on extensive and complex supply chains.
Modern vehicles are composed of innumerable subsystems that are supplied by a multitude of different entities, including but not limited to Tier-1, Tier-2, and Tier-n suppliers. Each of these suppliers has its own set of security requirements, established standards, competencies, processes, and procedures.
In theory, all these suppliers would work together seamlessly to guarantee the management of cybersecurity risks.
Apart from the political dimensions of information exchange (keyword: intellectual property), it is primarily the TARA tools that stand in the way: they often provide inadequate functionality for seamless collaboration across these diverse cooperation models.
The absence of standardised, interoperable tools results in the fragmentation of workflows, the occurrence of manual data entry errors and the potential for communication failures, which can subsequently lead to difficulties in the identification and mitigation of cybersecurity threats.
A more integrated approach, whereby tools provide enhanced support for data exchange and communication across the automotive supply chain, would enhance both the efficiency and effectiveness of the risk assessment process. The implementation of an exchange format, such as ReqIF (Requirements Interchange Format), or a collaborative platform that would facilitate the involvement of all stakeholders, including automotive manufacturers and their suppliers, in a unified model, would notably optimise the TARA process.
Improve attack path analysis: Reusing and sharing attack paths
One of the major challenges in applying TARA to automotive systems and components is the ability to reuse parts of the attack tree within the same model and to take advantage of small variations.
Attack trees are essential for visualising potential attack paths and thus identifying weaknesses in the architecture of a system or vehicle. Different damage scenarios often share common steps or sequences. For example, unauthorised access to the vehicle’s network can lead to different scenarios, which in turn can affect different subsystems.
These common parts of the attack paths can be reused, but often not exactly as they are – the parameters may vary slightly depending on the context or target subsystem.
For example, an attack on the infotainment system may require different parameters or conditions than an attack on the braking system, even though the initial access steps are similar.
The challenge with standard TARA tools is that they do not support dynamic reuse of attack path components with customisable parameters.
As a result, users often simply copy these common parts, resulting in multiple static versions that are out of sync with each other.
If one version of a reused attack path is updated or modified due to new knowledge or changes in system design, the other copies may not be automatically updated. The result is inconsistency and increased maintenance overhead.
A more efficient approach would be to support the dynamic linking of reusable attack path parts and allow parameter variability. At the same time, a single source of truth should be created. This would avoid the inconsistencies mentioned above.
This would allow users to adjust parameters as needed without having to create multiple, potentially conflicting versions of the same attack-path element.
Such functionality would increase consistency, reduce redundancy and significantly improve the efficiency of the risk assessment process in TARAs.
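The linking idea described above can be sketched as a small data model. This is an added example, not taken from any TARA tool; the fragment, step and parameter names and all effort scores are constructed assumptions.

```python
# Added illustration; fragment names, step names and effort scores are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    name: str
    effort: int  # hypothetical score: higher = harder for the attacker

# Single source of truth: each shared fragment is defined exactly once.
# A string value such as "{access_effort}" is a parameter the scenario fills in.
FRAGMENTS = {
    "network_access": [
        ("gain access to vehicle network", "{access_effort}"),
        ("enumerate reachable ECUs", 2),
    ],
}

@dataclass
class Scenario:
    name: str
    fragment: str      # reference to a shared fragment, not a copy of it
    params: dict       # context-specific parameter values
    own_steps: list    # steps unique to this damage scenario

    def resolve(self):
        """Expand the linked fragment with this scenario's parameters."""
        steps = []
        for name, effort in FRAGMENTS[self.fragment]:
            if isinstance(effort, str):      # placeholder: look up the parameter
                key = effort.strip("{}")
                if key not in self.params:
                    raise KeyError(f"{self.name}: missing parameter {key!r}")
                effort = self.params[key]
            steps.append(Step(name, effort))
        return steps + [Step(n, e) for n, e in self.own_steps]

    def total_effort(self):
        return sum(s.effort for s in self.resolve())

infotainment = Scenario("infotainment manipulation", "network_access",
                        {"access_effort": 3}, [("reach infotainment function", 2)])
braking = Scenario("braking interference", "network_access",
                   {"access_effort": 8}, [("reach braking function", 6)])

def add_shared_step(fragment, name, effort):
    """Edit the fragment once; every linked scenario sees the change."""
    FRAGMENTS[fragment].append((name, effort))
```

Because both scenarios hold a reference rather than a copy, one call to `add_shared_step` changes the resolved path of each, while their individual `access_effort` values stay untouched.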
Integration of TARA in automotive PLM solutions
In the context of automotive development, a particular problem with conventional TARA tools is that they cannot be integrated into Product Lifecycle Management (PLM) tools, such as requirements management and architecture tools.
Automotive development is highly iterative, with continuous updates to vehicle requirements and architectures.
Effective risk management ideally needs to be tightly integrated into these processes to ensure that cybersecurity considerations are addressed throughout the vehicle development lifecycle.
However, many TARA tools today operate in silos. They lack the necessary integration with PLM tools and therefore do not provide a comprehensive view of vehicle development and associated risks.
This system-related separation and the associated silo working can lead to (sometimes serious) discrepancies between security assessments and technical requirements or design changes. Gaps in security mechanisms can be the result.
Only by better integrating TARA tools with PLM solutions will automotive companies be able to create a coherent risk management process in which the results of risk assessments are directly linked to system requirements and architecture decisions.
Comprehensive TARAs and the associated difficulties of scalability and usability
Professionals know: A fully comprehensive TARA, properly set up and executed, is an effort not to be underestimated, especially given the increasing complexity and size of modern vehicles.
Therefore, TARA solutions need to be easy to use and scalable.
A typical vehicle today can contain dozens of interconnected electronic systems, each with its own potential vulnerabilities and threat vectors.
However, as vehicle complexity increases, TARA solutions often struggle to efficiently process the vast amounts of data. This results in a loss of application performance and associated difficulties for the user in navigating the TARA structure.
This should not be dismissed as a trivial software usage issue. For vehicle engineers and cybersecurity experts, it can mean that they struggle to understand the overall structure of TARA or to find specific aspects within a large model.
This lack of usability becomes particularly problematic when trying to perform comprehensive risk assessments across the vehicle architecture.
Improving scalability through better data management and performance optimisation, and improving usability through more intuitive interfaces and visualisation tools is therefore essential. This is the only way to manage the complexity of large TARA systems in the automotive industry.
Understanding attack trees: Improving navigation and interpretation of complex attack trees
Within TARA, the handling of attack trees is fundamental to the visualisation and analysis of possible attacks on a system.
Attack trees are an essential part of the TARA process as they represent different ways in which an attacker could compromise a vehicle system. However, as vehicle systems become more complex, the corresponding attack trees become more branched and multi-layered.
This increasing complexity can make it difficult for users to navigate these trees, interpret them and use them effectively for risk assessment. Accordingly, TARA tools are of particular importance in the automotive context. Usability, the ability to navigate through the attack trees and the presentation of information are crucial.
Otherwise, it will be difficult for users to maintain a clear overview of the entire tree, identify critical nodes or understand the relationships between different attack paths and system vulnerabilities.
A clean information architecture is essential, including more intuitive ways to explore large attack trees, such as hierarchical views that allow users to collapse and expand branches, or dynamic filtering options that make it easier to focus on specific areas of interest.
The integration of automated analysis capabilities that highlight the most critical paths or nodes within the tree could also help users quickly identify important threats and vulnerabilities.
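A minimal version of the two navigation aids mentioned above, a collapsible hierarchical view and automatic highlighting of the most critical path, could look as follows. This is an added example, not code from any TARA tool; the tree, node names and effort scores are constructed assumptions.

```python
# Added illustration; node names and effort scores are constructed.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"   # "OR": any child suffices, "AND": all children needed
    effort: int = 0      # hypothetical leaf score: lower = easier to carry out
    children: list = field(default_factory=list)

def critical_path(node):
    """Return (effort, leaf names) of the lowest-effort way to reach this node."""
    if node.gate == "LEAF":
        return node.effort, [node.name]
    results = [critical_path(c) for c in node.children]
    if node.gate == "OR":                   # the easiest branch dominates
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)      # AND: every branch is required
    return total, [leaf for r in results for leaf in r[1]]

def render(node, max_depth, highlight=(), depth=0):
    """Hierarchical view: collapse below max_depth, mark critical leaves with '*'."""
    mark = "*" if node.name in highlight else " "
    line = f"{mark}{'  ' * depth}{node.name} [{node.gate}]"
    if node.children and depth >= max_depth:
        return [line + f" (+{len(node.children)} collapsed)"]
    lines = [line]
    for child in node.children:
        lines += render(child, max_depth, highlight, depth + 1)
    return lines

TREE = Node("damage scenario: function unavailable", "OR", children=[
    Node("via external interface", "AND", children=[
        Node("obtain network access", effort=4),
        Node("reach target ECU", effort=3),
    ]),
    Node("via physical access", "AND", children=[
        Node("open vehicle", effort=6),
        Node("connect to diagnostic port", effort=2),
    ]),
    Node("via supplier tooling", effort=9),
])

EFFORT, LEAVES = critical_path(TREE)
```

Calling `render(TREE, 1)` gives the collapsed overview, and `render(TREE, 5, highlight=LEAVES)` expands the tree with the lowest-effort leaves starred, which is where mitigation effort pays off first.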
Key Learnings
- Collaboration on cybersecurity risks in vehicle development between OEMs and suppliers is hampered by insufficiently interoperable TARA tools, which can lead to fragmented processes, errors and potential cyber risks.
- Reuse of attack vectors: TARA tools often do not support dynamic adaptation of reusable attack paths, resulting in inconsistent attack scenarios that are difficult to evaluate.
- Integration with PLM systems: TARA solutions often operate in isolated silos and are not integrated with PLM systems, which can lead to gaps in cybersecurity management and inconsistencies between security assessments and design decisions.
- Scalability and usability: The increasing complexity of modern vehicles is overwhelming many TARA tools, which are not sufficiently scalable and intuitive to use, making comprehensive risk assessment difficult.
- Navigating complex attack trees: Effective use of attack trees requires improvements in visualisation and navigation to quickly identify critical paths and vulnerabilities.
Summary and perspectives
The weaknesses observed in practice in the handling of TARA in various OEM and Tier N organisations and development projects show that there is still a need for action.
Leading OEMs and their suppliers around the world are looking for TARA solutions that meet their requirements. Identifying one’s own requirements is an important first step.
At the same time, the providers of solutions and tools have a duty to take the requirements of the value chain seriously and provide appropriate remedies.
The market is likely to evolve accordingly, as will the requirements for cybersecurity in vehicle development.