Vaibhav Anand
Embitel Technologies
3 min read · Jan 8, 2024

Automotive Cybersecurity and the Role of Threat and Risk Assessment (TARA)

The dawn of a new era in the automotive industry, marked by the rise of autonomous vehicles, electrification, and shared mobility, brings with it a critical challenge: cybersecurity.

As vehicles transform into highly connected, software-driven machines, protecting them from cyber threats has become paramount.

This transformation has led to the emergence of stringent regulations such as UNECE R155. The regulation requires OEMs and their suppliers to incorporate comprehensive automotive cybersecurity measures throughout the project lifecycle. These measures are crucial not only for ensuring the security of the systems but also for obtaining the necessary certifications.

Central to this cybersecurity landscape is the ISO/SAE 21434 standard, which introduces a pivotal process known as Threat Analysis and Risk Assessment (TARA). TARA stands out as a specialized, automotive-specific risk assessment procedure, meticulously designed to ensure that every vehicle, system, and component is resilient against cyber threats.

The TARA Process in the Automotive Cybersecurity Landscape: A Closer Look

TARA begins with a clear definition of the item that needs to be fortified against cyber threats. It then proceeds to identify potential damage scenarios and threats. Each identified threat is evaluated for its impact and feasibility, culminating in a risk value that dictates the necessary countermeasures. This process is not a one-time activity; it is an ongoing, integral part of the product lifecycle, continuously evolving with the development of the project.

Let’s understand this with a simple ADAS example:

In the development of Advanced Driver-Assistance Systems (ADAS) in vehicles, applying Threat Analysis and Risk Assessment (TARA) is crucial. TARA involves identifying critical software components, assessing potential cyber threats, and analyzing the impact and feasibility of these threats. For example, it could evaluate the risk of unauthorized access to ADAS software, which might manipulate sensor inputs or vehicle behaviour. Based on this assessment, strategies such as improved encryption, access controls, and anomaly detection are implemented to mitigate these risks. This approach ensures that ADAS software is not only functionally advanced but also secure from cyber threats, enhancing overall vehicle safety.
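As an added illustration (not from the original article or from the standard's text), the sketch below carries the impact and feasibility rating described above through to a risk value and a treatment decision for two constructed ADAS threat scenarios. The scoring tables, the acceptance threshold and the scenario names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Illustrative scoring tables (assumptions for this example, following an
# attack-potential style of rating); a real TARA uses calibrated project tables.
ATTACK_POTENTIAL = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
FEASIBILITY_BANDS = [(13, "high"), (19, "medium"), (24, "low")]  # above 24: very low
FEASIBILITY_ORDER = ["very low", "low", "medium", "high"]
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
RISK_MATRIX = {  # impact -> risk value for feasibility (very low, low, medium, high)
    "negligible": (1, 1, 1, 1), "moderate": (1, 2, 2, 3),
    "major": (1, 2, 3, 4), "severe": (2, 3, 4, 5),
}

@dataclass
class ThreatScenario:
    name: str
    impacts: dict  # damage-scenario impact per category (safety, financial, ...)
    attack: dict   # one rating per ATTACK_POTENTIAL factor

def feasibility(attack):
    # Sum the factor scores; a lower total means an easier attack.
    total = sum(ATTACK_POTENTIAL[f][attack[f]] for f in ATTACK_POTENTIAL)
    return next((label for limit, label in FEASIBILITY_BANDS if total <= limit), "very low")

def assess(ts, accept_up_to=2):
    # The worst-rated impact category drives the overall impact.
    impact = max(ts.impacts.values(), key=IMPACT_LEVELS.index)
    feas = feasibility(ts.attack)
    risk = RISK_MATRIX[impact][FEASIBILITY_ORDER.index(feas)]
    return {"threat": ts.name, "impact": impact, "feasibility": feas, "risk": risk,
            "treatment": "retain" if risk <= accept_up_to else "reduce"}

# Constructed ADAS threat scenarios (sample data, not from the article).
SCENARIOS = [
    ThreatScenario("Manipulated sensor input reaches ADAS software",
        {"safety": "severe", "operational": "major"},
        {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted", "window": "moderate", "equipment": "specialized"}),
    ThreatScenario("Calibration data read out through physical access",
        {"financial": "moderate", "privacy": "negligible"},
        {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "public", "window": "difficult", "equipment": "standard"}),
]

for row in sorted(map(assess, SCENARIOS), key=lambda r: -r["risk"]):
    print(row)
```

Re-running the assessment whenever a rating or assumption changes keeps the worksheet in step with the project, which is what makes the process iterative rather than a one-time exercise.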

Performing TARA: A Standardized Approach

ISO/SAE 21434 provides a structured approach to performing TARA, ensuring consistency and comparability across organizations in the automotive supply chain. The process includes several key steps:

Who Should Perform TARA?

The quality of TARA is heavily reliant on the expertise of cybersecurity engineers. These professionals must possess not only a thorough understanding of the standard and method but also in-depth knowledge of the automotive systems under evaluation. Their familiarity with current attack methods and exploitation techniques in the automotive domain is equally critical. Moreover, effective communication skills are essential for collaborating with development teams, architects, and other stakeholders.

Best Practices To Achieve TARA Excellence

In TARA, attention to detail is crucial. Experienced cybersecurity engineers know where to focus, identify common attack paths, and create useful information for subsequent stages. The description of threats needs to be precise and informative, aiding in the derivation of cybersecurity goals and effective countermeasures.

As an iterative process, TARA must adapt as projects evolve. Initially, it might rely on assumptions to guide the analysis, which are then refined as more information becomes available. For instance, assuming security access for an ECU can initially exclude certain threats, with the scope expanding as the project develops.

Conclusion

TARA is not just a regulatory requirement; it is a cornerstone of modern automotive cybersecurity. Its systematic approach to managing risks, combined with the expertise of cybersecurity engineers, is essential for the development of secure automotive solutions. As the automotive industry continues to innovate, the role of TARA in ensuring the safety and security of vehicles will only grow in importance, making it an indispensable element of automotive.

Vaibhav Anand
Embitel Technologies

An automotive geek and enthusiast writing mostly about the electronics and software aspects of the automotive industry.