TARA in practice with the Nine2Five TARA Navigator
Do you face the challenge of conducting your very first TARA, the threat analysis and risk assessment required by ISO/SAE 21434, in the concept phase of your electronic automotive development project? You are in the right place and will find the necessary information.
Back to Automotive CybersecurityRisk assessments are the centerpieces of Automotive Cybersecurity. The TARA – Threat Analyses and Risk Assessment is the comprehensive risk assessment for the concept phase. Therefore Clause 8* of the coming ISO/SAE 21434 industry standard outlines the basic elements of a risk assessment. With the Nine2Five TARA navigator I present a practice-proofed approach how you can perform your first risk assessment in a smart and structured manner.
The connected car and its components must be safe and secure during its entire lifetime. For this, you must protect your products against cyberattacks. Otherwise, you accept that your stakeholders will suffer losses in terms of safety, finance, operations, or privacy terms. That is not a good option.
But do you really know all the potential threat scenarios that your vehicle project will be exposed to? You can neither foresee the motivation nor the abilities of an attacker in future. To cope with this challenge, you must continuously find out if, where and how
- your product is vulnerable.
- what harm is associated with the threat, and
- how you intend to manage the impact of the threats.
* The video was made shortly before the publication of ISO/SAE 21434. However, in ISO/SAE DIS 21434, the risk analysis chapter was described in clause 8, so we refer to the previous nomenclature
Image
The Nine2Five TARA navigator
Interested in a summary of the Nine2Five TARA Navigator? Our free white paper provides you with all key information, including figures showing the talked about conduction a TARA in the concept phase of your automotive electronics development project.
A risk analysis is a procedure in which findings are checked and related to each other in a structured and step-by-step manner. The Nine2Five TARA Navigator includes nine steps and five targets.
In this video we will explain this procedure to you. Think of the TARA procedure like a string of pearls: Like another pearl, we always add another analysis or identification step to the previous, from the very left to the right of the string. With each step you only must think about one topic.
In this course we will familiarize you with theoretical and practical knowledge about TARA and risk assessments. After TARA in the concept phase, risk assessments turn into the pivotal point of cybersecurity oriented processes. We therefore recommend that you become accustomed to TARA from the very beginning.
Before you can start with your TARA, you must define your item first. This is a sub-system or a set of sub-systems, for example a function on vehicle level or a control unit. Describe the environment of this system, its functions, interactions, and what interfaces there are.
An asset belongs to your item – and it is worth protecting! It defines a property crucial for a stakeholder. Take for example the internet communication channel – hardly any electronic system is conceivable without this asset. Encryption keys or safety goals are further examples.
However, the asset is very interesting for two parties: for your stakeholder, who thus gets the required functionality, as well as for an attacker to compromise your system.
Therefore, the primary task is to enumerate all your assets.
What can go wrong? Systematically question each of the assets in terms of confidentiality, integrity, and availability as well as non-repudiation, authenticity, and authorization. The ISO/SAE 21434 standard describes these attributes as cybersecurity properties.
Cybersecurity properties
- Confidentiality
- Integrity
- Availability
We recommend to include three additional cybersecurity properties with your investigation.
- Non-repudiation
- Authenticity
- Authorization?
You identify now the damage scenarios by evaluation what can happen if cybersecurity properties or assets are compromised in terms of the cybersecurity properties.
This was the asset identification in short.
Need support with a key project? We’re your first port of call when it comes to management consulting and improvement programmes in electronics development.
Steffen Herrmann and the sales team
Here we evaluate the damage scenarios according to what consequences they may have for your stakeholders. This includes functional safety, finance, operations, and privacy. Tables help to determine the severity of the damage. The catch here is that not every stakeholder is equally affected by every damage scenario.
By the way, we have also achieved our first target: we’ve rated the impact of damage.
In the first step we have spoken about the potential damage for example caused by a compromised cybersecurity property. Now we look at the selected assets again and ask what threat scenario may arise. To make this clear we take a compromised switch as an example. This damage scenario results in a possible threat scenario, namely caused by spoofing or flooding the CAN bus.
We’re proud that we have been one of the pioneers of functional safety since 2008 and that this has given us the opportunity to leverage our experience in developing the ISO 26262 safety standard.
Functional safety in automotive electronics? We’re the experts!
We have a wealth of experience in functional safety according to ISO 26262, having conducted over 700 projects with more than 100 clients worldwide.
Functional safety in automotive electronics? We’re the experts!
To date, we have trained more than 100 specialists under the TÜV Rheinland Functional Safety (Automotive) certification scheme.
Functional safety in automotive electronics? We’re the experts!
We already have 18 experts certified under the TÜV Rheinland Functional Safety (Automotive) scheme, or privately approved as official trainers.
Functional safety in automotive electronics? We’re the experts!
If we add up the experience of our experts in the field of functional safety, it comes to no less than 250 years.
Functional safety in automotive electronics? We’re the experts!
Who wrote the classic manual on Functional Safety in Practice, or Functional Safety Essentials? We did.
Functional safety in automotive electronics? We’re the experts!
The compromised switch from our example is somewhere in the middle of the vehicle. In order to compromise the CAN bus, an attacker has to find a way through the system. The ISO standard now thinks backwards: What path must a potential attacker follow for the threat scenario to occur? This hike is called attack path.
Sidekick
The ISO/SAE 21434 ignores the intruder and his possible motivation. Instead, it encourages fundamental thinking about the technical possibility of an attack. That is, to examine how an attack on a compromised cybersecurity property would have to be configured in order to be successful. In a sense, this is a form of reverse engineering.
You’ll find a list of samples of vulnerabilities provided by UNECE regulations. So, see if these vulnerabilities are relevant in your system. If yes, then check if they can support you to identify further threat scenarios.
Theory is fine. But is this attack realistic?
In practice, not every attack can be conducted. Maybe encryption makes it unlikely. Therefore, we now look at the actual attack potential. There are five key parameters for your evaluation: elapsed time, the required expertise and product know-how as well as equipment and the window of opportunity.
Once we know whether an attacker can conduct an attack successfully, we have achieved target number two: Rating of the feasibility of an attack.
This is also called Ease of attack.
For this step we combine the results of both targets – impact rating (1. target) and attack feasibility rating (2. target).
We therefore have two ratings that determine the risk value:
- the impact of the associated damage scenario and
- the attack feasibility of the attack paths.
Risk value = Impact x Attack feasibilty
However, we usually have different stakeholders. Some of them assess the risks very differently. That makes things tricky – we may have to apply a different risk value for each stakeholder.
In any case, we have achieved the third target: we know the risk value.
Once the risks are on the table, the question is how to deal with them.
There are basically a set of options for dealing with risks:
- avoidance
- reduction
- sharing or transfer to third parties
- acceptance
A proper mode for risk reduction is the specification of a security control (technical or organizational) or the introduction of redundancy. Third parties interested in risk transfers are insurance companies. Now decide, how you want to manage the risk.
Please keep in mind: It is very tricky to judge how effective a cybersecurity control is. However, this is where every risk assessment stands and falls.
The cybersecurity goals and claims are derived from
- the results of the TARA and
- your decisions on how the risks should ultimately be dealt with.
If you decide that you want to avoid a risk, then you go back to square one – you may consider an alternative technical solution.
The cybersecurity goals form the fourth target of the TARA.
Need support with a key project? We’re your first port of call when it comes to management consulting and improvement programmes in electronics development.
Steffen Herrmann and the sales team
The cybersecurity concept is derived from the cybersecurity goals. It describes how to you want to put the cybersecurity goals in practice: Derive requirements from the goals and allocate them to your architecture that means to the relevant components of your systems or to your organization. These requirements and their allocation to the architecture are all described in the cybersecurity concept.
The cybersecurity concepts capture all cybersecurity requirements and their allocation, this is our last target.
Well, that takes us through all the nine steps I recommend performing. You have seen that all steps build on each other. Like a string of pearls, the next step usually refers to its predecessor and evaluates it or develops it further.
Define your item or your system before you start preparing the TARA.
This includes the enumeration of your assets, the alignment with the cybersecurity properties and the identification of a damage scenario.
Target 1: Impact rating
Target 2: Ease of attack
Target 3: Risk level
Target 4: Cybersecurity goals
Target 5: Cybersecurity concept
So, now you know how you can perform a Threat analysis and risk assessment according to the ISO/SAE 21434. Please keep in mind that the international standard expects you to perform a risk assessment not only once but on a regular basis.
WE CAN SUPPORT YOU WITH
- Fostering awareness for the need for comprehensive end-to-end safeguards
- Detailed assessments of any threats posed
- Matching your cybersecurity policies to processes, products and IT requirements; managing involved specialists
- Assessing and improving your development processes with respect to security issues
- Adapting existing workflows and procedures to address key cybersecurity issues
- Ensuring systems conform to UNECE homologation guidelines
- Definition and introduction of new development processes in keeping with the requirements of ISO/SAE 21434
- Evaluation, development and implementation of cybersecurity management systems
- Selection of relevant security technology and industry standards according to your requirements
