Okay, standards, regulations, fine. Now we’re going deeper into the automotive development itself. We have now reached the cybersecurity development phase, or more precisely the concept phase, and are beginning to deal with the Threat Analysis and Risk Assessment Method (TARA), including Cybersecurity goals and Cybersecurity claims. What is this all about?
- I. Quick note: Clarification on Cybersecurity Attributes
- II. Who are the actual stakeholders for Cybersecurity in the Automotive Industry?
- III. So, what is an asset in this context?
- IV. More precise: Now we go to Cybersecurity goals and Cybersecurity claims
- V. Systematized analysis is even more important in order to be able to make decisions
- VI. What is a Cybersecurity goal in Automotive Cybersecurity?
- VII. What is a Cybersecurity claim in Automotive Cybersecurity?
- VIII. The TARA as a ‚living‘ procedure
When we talk about cybersecurity risk assessment for a specific asset, the following fundamental question can be used as a basis: Would a breach of any of the asset’s CIA attributes have a negative impact on at least one stakeholder?
Quick note: Clarification on Cybersecurity Attributes
What sounds like a simple question first requires clarity about the CIA attributes. For IT, this is taken for granted since Day 1, but it still makes sense to keep reminding oneself over and over again:
- Confidentiality: The objective here is to prevent information and data from being made accessible to unauthorized parties.
- Integrity: Among other things, this involves always ensuring the correctness and traceability of changes to information and data. (This aspect in particular distinguishes cybersecurity from functional safety, as intentional manipulation must be explicitly prevented or detected).
- Availability: The objective here is to ensure that the required information and data are always accessible and available.
With a view on authenticity, etc., cybersecurity properties can even be extended.
Who are the actual stakeholders for Cybersecurity in the Automotive Industry?
This question also sounds rather simple at first. It should be primarily about ensuring safety for drivers, passengers, and the environment. While this is correct, but by no means it is sufficient, especially when considering the impact cybersecurity has on the vehicle product lifecycle. Here, it is important to identify who exactly the stakeholders for cybersecurity are in each particular situation.
So, what is an asset in this context?
The answer to this question reveals one of the most important challenges for the entire automotive cybersecurity field: finding out to what extent an asset of a system is actually cybersecurity-relevant?
This can be done in a straightforward approach: Are information and data generated, processed or passed on for which the given cybersecurity attributes (see above) are indispensable to fulfill the respective purpose?
More precise: Now we go to Cybersecurity goals and Cybersecurity claims
If we now know what we have to deal with, it is time to turn to cybersecurity risk assessment (Threat Analysis and Risk Assessment, TARA for short) – one of the most important fields of action in automotive cybersecurity.
Again, two opposing directions for the implementation of cybersecurity must always be kept in mind. While it is clear, along the previously formulated, what exactly is to be achieved to ensure cybersecurity, the question of how is to be answered with two contradictory possibilities:
- Doing too little: Lack of resources, time and cost pressures, missing reference and knowledge, or overwhelming complexity. There are multifaceted realities everywhere that cause aspirations to be slowed down
- Doing too much: So-called „over-engineering“, which wastes resources or makes the asset as well as the entire development behind it too expensive, must also be consistently avoided in order to not unnecessarily put a strain on always required profitability at any point.
Systematized analysis is even more important in order to be able to make decisions
The objective, therefore, is to have a a solid evaluation on hand after TARA has been carried out, in order to be able to design a product in such a way that it becomes „survivable“ on the market in the balancing act between these two positions. This means finding just the right and workable cybersecurity sweet spot.
So, process-wise, we go and perform the TARA with the given information from the previous item definition. This is a systematized analysis (see also Chapter 6 in The Essential Guide to ISO/SAE 21434) to identify potential threats to the item and then perform a systematized evaluation of those threats. This evaluation is about determining a quantifiable Risk Value (which consists of the so-called Impact Rating and the Attack Feasibility Rating).
>> More about this in our video course Cybersecurity Risk Assessment – Summary – Video Course – G6_2
The results of the TARA are (apart from the possibility that a threat may be negligible) the so-called Cybersecurity Goals and the Cybersecurity Claims.
What is a Cybersecurity goal in Automotive Cybersecurity?
The term Cybersecurity goal refers to conceptual requirements for cybersecurity that are concretely associated with one or more threat scenarios of the previous TARA.
Accordingly, Cybersecurity goals can also refer very specifically to the asset, an attack vector or a damage scenario resulting from the threat scenario. For example, a Cybersecurity Goal could state: “The assets integrity shall be protected from tampering attacks based on exploitation of JTAG interface.”
What is a Cybersecurity claim in Automotive Cybersecurity?
In contrast to a Cybersecurity goal, a Cybersecurity claim is a statement to accept a previously identified risk in a certain way and to initiate appropriate handling. The following directions are feasible:
- Reduction: The decision to reduce a risk is most frequently made. The way to deal with an identified risk is on the one hand to reduce the probability of the risk by making adjustments to the design or, on the other hand, to reduce the impact of the risk. A combination of both approaches is also possible.
Note: This results in additional Cybersecurity goals.
- Retention: It is also possible to leave it at a given remaining risk. In this case, the given risk is accepted, for example because it is clear that additional security measures cannot decrease the given risk any further. This could be the case if the feasibility and probability are considered to be extremely low.
- Transfer/Sharing: this approach takes the risk and shifts the responsibility for properly managing the risk to another entity or a neighboring entity. (e.g., when ensuring non-compromised data shall be handled by another ECU).
- Avoidance: This is where an attempt is made to eliminate the risk, for example by completely removing a functionality or a component. This path is often chosen when there is no other option.
The TARA as a ‚living‘ procedure
The idea of ISO/SAE 21434 is to provide a structured guidance framework for cybersecurity risk assessment.
Since automotive development projects are often multidimensional and multi-layered in practice, only an introductory overview can be presented here.
This outlined process of risk assessment with TARA is on the one hand iterated after the introduction of the corresponding cybersecurity controls to ensure that they are sufficient, and on the other hand it is continued iteratively and incrementally along the entire product lifecycle.
Obviously, because general conditions can change, even decisions that have been made based on risk assessments can change if a new risk assessment is carried out.
Setting up is a functioning implementation structure at an early stage is therefore important.
For the actual implementation of TARA and the development and maintenance of Cybersecurity goals and Cybersecurity claims, we recommend that you continue to build the related knowledge in advance with the help of reliable application know-how.
For example, by reading The Essential Guide to ISO/SAE 2434, participating in ACP Level 2 „Advanced Engineering“ or with the on-demand video learning courses of the CYRES Academy learning platform.
Please note: In the ISO/SAE 21434 DIS, related information can be found in Clause 08 Risk Assessment Methods, in the now officially published ISO/SAE 21434:2021 (from August 2021) you will find this in Clause 15 Threat Analysis and Risk Assessment methods. In Annex H (informative) you will find an exemplary application of the TARA method using the example of a headlamp system. (In order to carry out an even more granular TARA with more practical relevance, we rely on specially developed examples in our automotive cybersecurity training).
CYRES Consulting provides cybersecurity services and consultancies, with a focus on engineering and development, particularly in the automotive sector. With a team of experts from all over the world, we bring deep knowledge and hands-on experience to each project. From helping global automotive pioneers to collaborating with top-tier technology providers, we help organizations secure their future through innovative cybersecurity solutions.
Comments are closed.