Section 15. Threat Analysis and Risk Assessment (TARA)
This section describes how to assess the impact of threat scenarios that road users may experience and how to systematically manage the resulting risks. Threat Analysis and Risk Assessment (TARA) is carried out primarily from the road user perspective and consists of the following methods and activities:
- Asset Identification: Identify the assets that need protection, inside and outside the vehicle, together with their cybersecurity properties. These assets form the basis of the scenario analysis.
- Threat Scenario Identification: Identify possible threat scenarios and the damage scenarios they could cause to those assets.
- Impact Rating: Rate the severity of the damage each damage scenario could cause to road users.
- Attack Path Analysis: Analyze the attack paths through which a threat scenario can be realized and identify the weaknesses they exploit.
- Attack Feasibility Rating: Evaluate and rank how feasible each attack path is.
- Risk Value Determination: Combine the impact rating and the attack feasibility rating into a risk value for each threat scenario.
- Risk Treatment Decision: Determine the appropriate risk treatment option for each scenario based on its risk value.
Documentation and Integration:
- The methods are modular and can be applied at any point in the lifecycle of an item or component.
- Their work products are documented alongside those produced in the other sections, mapped to each other systematically, and evaluated against defined metrics.
![[Cyber Security] 2. TARA 1 This is explain sequence of TARA](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-18-optimized.png?resize=731%2C1024&ssl=1)
The item definition document, an output of the concept phase (Section 9), is the input to the TARA methodology: Asset Identification is performed on the information in the item definition (see the picture above).
For reference, the item definition, Asset Identification, Damage Scenario and Impact Rating steps are performed by the controller developer, and the remaining steps by a TARA team with extensive TARA experience.
The item definition step identifies the item boundary, the item's functions, the preliminary architecture, its assets, the networks it is connected to, and so on.
Item Definition
1. Item Basic Definition:
- Purpose: Set the basic information of the TARA target controller.
- Details: Enter the vehicle model code, abbreviation, and item name so that the controller is unambiguously identified.
2. Perform TARA Pre-Assessment:
- Purpose: To evaluate the need to conduct TARA.
- Details: Review whether the target controller has external communication interfaces, safety-related functions, user-related data, network components, and so on.
3. Item Boundaries & Preliminary Architecture:
- Preliminary Architecture:
- Purpose: Describe the TARA target controller, including its possible points of attack.
- Details: Show its connectivity to external networks and its operating environment.
- Item Boundaries:
- Purpose: Clearly define the system configuration of the controller.
- Details: Create a system configuration diagram that includes networks, sensors, switches, actuators, and other controllers.
4. Item Features:
- Purpose: Clearly identify and describe the main function of the item.
- Details: List features based on design specifications and evaluate each feature’s cybersecurity relevance.
5. Description of Assumptions and Operating Environment:
- Assumption:
- Purpose: Establish constraints to consider when performing TARA.
- Details: Enter constraints that may occur due to the operating environment of the controller.
- Operating Environment:
- Purpose: Describes the operating environment of the controller in detail.
- Details: Describes the components identified in the preliminary architecture and their interactions.
6. Asset Identification Checklist:
- Purpose: Systematically identify assets that need to be protected.
- Details: List the key assets and assess the security needs of each.
Asset Identification
1. Asset Identification:
- Purpose: Identify assets requiring protection, based on the capabilities of the TARA target controller.
- Details: Review preliminary architecture and design documentation to identify critical physical or logical objects within the controller. This may include data, software components, hardware devices, network connections, etc.
2. Identify asset properties:
- Purpose: Identify the critical attributes of the identified assets and evaluate their cybersecurity relevance according to each attribute.
- Details: Asset attributes include whether the asset is connected to an internal or external network, whether it is part of the software, or whether it is physical hardware. The attributes of each asset directly affect the threat and risk assessment. (Examples of asset attributes: Bluetooth, CAN/LIN, Cellular, Radio, RF/LF, NFC, Ethernet, SW, USB/SD Card, etc.)
3. Asset Evaluation and Selection:
- Purpose: Select the assets of highest importance for the cybersecurity risk assessment.
- Details: Evaluate the criticality, threat exposure, and functional value of each asset to determine which assets will be prioritized in the TARA process. This serves as a key basis for developing risk management strategies and action plans.
Impact Rating
Based on the identified assets, the Impact Rating step derives damage scenarios and rates their impact.
1. Complete Impact Assessment:
- Purpose: Derive damage scenarios by considering the cybersecurity properties of assets and define the scope of resulting damage.
- Detail:
- Assess the cybersecurity properties (confidentiality, integrity, availability, authenticity, non-repudiation, authorization) of each asset and develop scenarios that could threaten them.
- For example, if the integrity of vehicle speed data is compromised, the driving regulation function could malfunction.
![[Cyber Security] 2. TARA 2 image 19](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-19-optimized.png?resize=1024%2C350&ssl=1)
2. Complete Impact Rating:
- Purpose: Based on the identified damage scenarios, evaluate the impact in each of the categories safety, finance, operations, and privacy.
- Detail:
- The impact in each category is rated ‘Severe’, ‘Major’, ‘Moderate’, or ‘Negligible’.
- The safety category can be rated using the severity classes of ISO 26262-3, so its rating criteria may differ from those of the other categories.
- For each damage scenario, the highest rating across the four categories is taken as its impact rating.
Example Scenarios and Impact Assessment
- Security Property: Integrity
- Damage scenario: If the [integrity] of the [vehicle speed data reception] of the [AVN] is compromised, an attacker who obtains and modifies the [CAN message] causes the [driving regulation in video mode] function to malfunction.
- Impact Assessment:
- Safety: Rated ‘Severe’, because a malfunction of the driving regulation function caused by falsified information can lead to serious accidents.
- Finance: Rated ‘Major’, because of the cost of equipment damage and a recall.
- Operation: Rated ‘Moderate’, because the system error may interrupt operation.
- Privacy: Rated ‘Negligible’, because no personal information is leaked directly.
Threat Scenario
The threat scenario step derives the threats that could lead to the damage scenarios identified for each asset.
1. Threat scenario derivation:
- Purpose: Identify and define threat scenarios for critical security attributes of assets.
- Details: We use the STRIDE methodology to derive, for each damage scenario, the threat types that could bring it about. Each STRIDE category corresponds to the violation of one cybersecurity property:
- Spoofing: Impersonating a legitimate user, device, or message source (violates authenticity).
- Tampering: Unauthorized modification of data or code (violates integrity).
- Repudiation: Denying having performed an action (violates non-repudiation).
- Information Disclosure: Exposure of information to unauthorized parties (violates confidentiality).
- Denial of Service: Making a function or service unavailable (violates availability).
- Elevation of Privilege: Gaining capabilities beyond those authorized, up to control of the system (violates authorization).
2. Example threat scenario:
- STRIDE Classification: Tampering
- Threat Scenario:
- An attacker compromises the [integrity] of the [vehicle speed data reception] of the [AVN] by [Tampering]: having obtained and modified the [CAN message], the attacker causes the [driving regulation in video mode] function to malfunction.
3. Ensure Threat Credibility:
- Purpose: Ensure that the derived threat scenarios are credible and consistent with international standards.
- Details: The identified threat scenarios are mapped against the threat list in UN Regulation No. 155 (UN R155), Annex 5, Part A, to verify that they cover the internationally recognized threats. This check improves the accuracy of the threat model and later allows the applicable cybersecurity measures to be assessed against the same standard.
Attack Feasibility Rating
Perform an attack feasibility assessment step to derive feasible attack paths for the threat scenario and evaluate them using the attack potential approach.
1. Attack path derivation:
- Purpose: Identify the specific attack paths through which a threat scenario can be realized.
- Details: Use the attack library to document possible attack methods, including how an attacker gains access to the system and which weaknesses can be exploited.
- Example attack path:
- The attacker gains access to the vehicle gateway’s diagnostic interface.
- The attacker tampers with the firmware of the vehicle gateway.
- The attacker manipulates CAN messages through the hijacked gateway.
- The gateway transmits forged CAN messages to the target controller, causing specific functions to malfunction.
2. Attack Potential Assessment:
- Purpose: Evaluate the effort each attack path requires and determine its feasibility.
- Evaluation Items (each factor is scored in points, and the sum is the attack potential):
- Elapsed Time: The time needed to identify and exploit the weakness, including preparation. (0 to 19 points)
- Specialist Expertise: The level of technical expertise required to carry out the attack. (0 to 8 points)
- Knowledge of the Item: How much non-public knowledge of the target system is required. (0 to 11 points)
- Window of Opportunity: How easily the attacker can obtain the access needed to launch the attack. (0 to 10 points)
- Equipment: The tools required to perform the attack. (0 to 9 points)
![[Cyber Security] 2. TARA 3 image 21](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-21-optimized.png?resize=1024%2C306&ssl=1)
3. Derive attack probability rating:
- Purpose: Sum the scored factors into the attack potential and map it to a feasibility rating of each attack path. (As shown in the table below, the rating is High, Moderate, Low, or Very Low; a lower attack potential means a more feasible attack.)
![[Cyber Security] 2. TARA 4 image 22](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-22-optimized.png?resize=1024%2C494&ssl=1)
- Details: Where several attack paths can realize the same threat scenario, the highest feasibility rating among them (the one representing the greatest risk) is taken as the threat scenario’s attack feasibility. This is an important basis for prioritizing threats and planning appropriate security measures.
4. Expert Verification:
- Purpose: To ensure accuracy and objectivity in the assessment of attack potential.
- Details: The evaluation is performed by experienced security experts (white-hat hackers, penetration testers) who are able to carry out the attacks in practice. This increases the reliability of the assessment and allows an appropriate security response strategy to be established on the basis of the results.
Risk Determination & Treatment Decision
The risk determination and treatment decision step derives the risk value, the risk treatment option, and the Cybersecurity Assurance Level (CAL).
1. Calculate risk value:
- Purpose: Calculate a risk value from the impact rating and the attack feasibility rating.
- Details: The impact rating and the attack feasibility rating are combined (typically through a risk matrix) into a risk value on a scale from 1 to 5. Where the impact categories (safety, finance, operations, privacy) are evaluated separately, the highest resulting risk value is taken as the final risk value. This value reflects the severity of the risk and is the basis for selecting a risk treatment option.
![[Cyber Security] 2. TARA 5 image 26](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-26-optimized.png?resize=1024%2C359&ssl=1)
2. Determining risk treatment options:
- Details: Depending on the risk value X, one of the following risk treatment options is chosen:
- X < 3: Risk Retaining or Risk Sharing. These options apply at relatively low risk levels: the risk is accepted and managed internally, or shared with another party (for example a supplier or insurer).
- X ≥ 3: Risk Reducing or Risk Avoiding. These options are required at high risk levels: measures are taken to reduce the risk (cybersecurity goals and controls), or the function or design that creates the risk is avoided altogether.
3. Cybersecurity Assurance Level (CAL) Determination:
- Purpose: Select the highest CAL value applicable to the asset as its final CAL, so that the rigor of development and assurance matches the protection the asset needs.
- Details: The CAL is determined from the impact rating and the attack vector (physical, local, adjacent network, or network, derived from the asset attributes). CAL stands for Cybersecurity Assurance Level; it sets the level of rigor with which the organization must develop and assure the protection of the asset, based on the stringency of its security requirements.
![[Cyber Security] 2. TARA 6 image 24](https://i0.wp.com/www.autosyseng.com/wp-content/uploads/2024/07/image-24-optimized.png?resize=1024%2C341&ssl=1)
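The scoring steps above (the highest of the four impact categories, the attack potential summed from the five factors and mapped to a feasibility rating, the most feasible attack path deciding the threat scenario's feasibility, the risk value from a risk matrix, and the X < 3 / X ≥ 3 treatment rule) carried out in code, as an added example that is not the page's own tool or template. The point values and thresholds are those of the attack potential approach in ISO/SAE 21434 Annex G; the risk matrix is an assumed one modelled on the example in Annex H, and the two attack paths and their per-factor scores are constructed for this example. "Medium" here is the feasibility level the page's table calls "Moderate".

```python
"""Worked TARA scoring example (constructed; not the page's own tool).

Takes the per-category impact ratings of a damage scenario and the attack
paths of the threat scenario that realizes it, and returns the impact rating,
attack feasibility rating, risk value and treatment option.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Attack potential points per factor and level (ISO/SAE 21434 Annex G, Table G.1).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT_LEVELS = ["Negligible", "Moderate", "Major", "Severe"]   # ascending severity
FEASIBILITY_LEVELS = ["Very Low", "Low", "Medium", "High"]      # ascending feasibility

# Risk matrix: impact x feasibility -> risk value 1..5. ASSUMED for this example
# (modelled on the example matrix in ISO/SAE 21434 Annex H); substitute your own.
RISK_MATRIX: Dict[str, Dict[str, int]] = {
    "Negligible": {"Very Low": 1, "Low": 1, "Medium": 1, "High": 1},
    "Moderate":   {"Very Low": 1, "Low": 2, "Medium": 2, "High": 3},
    "Major":      {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4},
    "Severe":     {"Very Low": 2, "Low": 3, "Medium": 4, "High": 5},
}


@dataclass(frozen=True)
class AttackPath:
    """One attack path with the level chosen for each of the five factors."""
    name: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        # A KeyError here means a level name outside Table G.1 was used.
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


def feasibility_rating(attack_potential: int) -> str:
    """Map the summed attack potential to a rating (Annex G, Table G.2 thresholds)."""
    if not 0 <= attack_potential <= 57:          # 19+8+11+10+9 is the maximum sum
        raise ValueError("attack potential out of range: %d" % attack_potential)
    if attack_potential <= 13:
        return "High"
    if attack_potential <= 19:
        return "Medium"
    if attack_potential <= 24:
        return "Low"
    return "Very Low"


def impact_rating(per_category: Dict[str, str]) -> str:
    """Highest rating across the safety, financial, operational and privacy categories."""
    unknown = set(per_category.values()) - set(IMPACT_LEVELS)
    if unknown:
        raise ValueError("unknown impact level(s): %s" % sorted(unknown))
    return max(per_category.values(), key=IMPACT_LEVELS.index)


def threat_feasibility(paths: Iterable[AttackPath]) -> Tuple[str, str]:
    """The most feasible attack path sets the threat scenario's feasibility rating."""
    rated = [(p.name, feasibility_rating(p.attack_potential())) for p in paths]
    if not rated:
        raise ValueError("a threat scenario needs at least one attack path")
    return max(rated, key=lambda name_rating: FEASIBILITY_LEVELS.index(name_rating[1]))


def treatment_option(risk: int) -> str:
    """The rule stated above: X < 3 retain or share, X >= 3 reduce or avoid."""
    return "Reduce / Avoid" if risk >= 3 else "Retain / Share"


def assess(per_category: Dict[str, str], paths: Iterable[AttackPath]) -> Dict[str, object]:
    """Run the full chain: impact -> feasibility -> risk value -> treatment option."""
    impact = impact_rating(per_category)
    path_name, feasibility = threat_feasibility(paths)
    risk = RISK_MATRIX[impact][feasibility]
    return {"impact": impact, "path": path_name, "feasibility": feasibility,
            "risk_value": risk, "treatment": treatment_option(risk)}


# Constructed data: the damage scenario rated above (vehicle speed data received
# by the AVN falsified via CAN) and two candidate attack paths with assumed scores.
EXAMPLE_IMPACT = {"safety": "Severe", "financial": "Major",
                  "operational": "Moderate", "privacy": "Negligible"}
EXAMPLE_PATHS = [
    # Gateway firmware tampering via its diagnostic interface: 4+6+7+4+4 = 25 -> Very Low
    AttackPath("gateway firmware tampering via diagnostic access",
               "<=1 month", "expert", "confidential", "moderate", "specialized"),
    # Direct CAN injection at the OBD connector with off-the-shelf tools: 1+3+3+1+0 = 8 -> High
    AttackPath("direct CAN injection at the OBD connector",
               "<=1 week", "proficient", "restricted", "easy", "standard"),
]

if __name__ == "__main__":
    for path in EXAMPLE_PATHS:
        print(path.name, path.attack_potential(), feasibility_rating(path.attack_potential()))
    print(assess(EXAMPLE_IMPACT, EXAMPLE_PATHS))
```

The example shows why the weakest path matters: the elaborate gateway firmware attack scores 25 points (Very Low feasibility), but the simple CAN injection path scores 8 (High), so the threat scenario is rated High, the Severe impact yields risk value 5, and the scenario must be reduced or avoided. A threat scenario rated only on its hardest path would be under-treated.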
Cybersecurity Goal
The cybersecurity goal step defines goals that mitigate the threats to assets whose risk is to be reduced.
1. Set your security goals:
- Purpose: Set specific cybersecurity goals for the assets whose risk treatment option is risk reduction.
- Details: Set clear goals for mitigating the security threats to those assets, each focused on a specific cybersecurity property (e.g. integrity, availability) and the threat type it counters.
- Example security objectives:
- Integrity Protection: “[Integrity] protection must be provided to prevent [Tampering] for [receiving AVN SW updates].” This goal focuses on preventing data tampering during software updates and maintaining system integrity.
- Availability Guarantee: “[Availability] for [receiving AVN SW updates] must be guaranteed from [Denial of Service].” This goal is to ensure that software update services remain accessible and usable.
2. Mitigation Mapping:
- Purpose: Derive effective cybersecurity requirements to meet established security goals.
- Details: Using the mitigations listed in UN R155, Annex 5, Parts B and C, map specific mitigation measures to each cybersecurity goal. In this process the requirements for each goal are specified, and the appropriate security technologies and methods are selected on that basis.
This concludes this post about TARA (Threat Analysis and Risk Assessment). From the next post, we will discuss in detail the technical measures used to achieve the cybersecurity goals.
If you are interested in other articles about Cyber Security Series, please refer to the links below!
[Cyber Security] 1. ISO/SAE 21434 Basic
[Cyber Security] 3. cyber security cryptography technology
[Cyber Security] 4. External, internal communication security and GATEWAY security
[Cyber Security] 5. Security Controls : Diagnostic Security Features
[Cyber Security] 6. Access Control : Diagnostic Security Features
[Cyber Security] 7. Security Updates : Diagnostic Security Features
[Cyber Security] 8. Secure Boot, Secure Debug, Secure Storage