Threat Analysis and Risk Assessment (TARA) is the first and most important step in automotive cybersecurity. It allows us to identify the threats associated with an item under consideration and analyze the risks. The result of a TARA analysis is the cybersecurity requirements that need to be implemented.  

There is ample literature available that will help one with how to perform TARA analysis. However, there is not much said about how you would know how good your TARA is. Since it is an analysis, it is subjective and one may not have quantitative measures to say whether all possible threats were considered or whether the risk mitigations identified are sufficient. 

So, how do organizations and teams performing TARA make sure they get it all right about TARA? Through our experience with various customers (OEMs/Suppliers), we at Vayavya Labs, follow and ensure certain key points while doing a TARA analysis, which serves as a metric for the TARA. In this article, we explain some of the major points to make sure you make the most out of your TARA analysis. 

Before we get into the details, let us look at some of the questions that we all might have pondered while we started performing a TARA analysis. Some of them are as shown below:

Well, to begin with, TARA is a time-consuming process and requires a clear item definition on which the TARA is performed. That is the reason why most of the time, TARA is only done once at the beginning of every project/product development cycle. As the project progresses, the understanding of the item may evolve and changes to the item under consideration are inevitable. The risk treatment decisions may be based on some trade-offs very similar to an architectural design decision. A TARA can be revisited and updated based on vulnerabilities found later during the development phases. Many times, updating the TARA is overlooked or avoided given the project/product delivery deadlines.

The time needed to perform a TARA analysis depends on the scope and complexity of the item under consideration. For a component like a battery thermal management system or an item of low complexity, it can take between 2-5 weeks. A TARA activity might involve multiple team members and is not done by a single individual. Ideally, a team composed of product/domain experts, cybersecurity engineers, cybersecurity managers, and HW/SW engineers are all involved in a TARA analysis. A team with diverse experience and cross-functional domain knowledge would be most relevant to do a TARA. One needs to be cautious of scope creep while doing TARA and understand that version one is better than version none. The TARA may evolve as you discuss along with your team and as the team matures to perform such analysis. Another very common challenge some customers face is to do a TARA as a part of an agile development sprint. It may not be possible to complete a TARA analysis in one sprint. Also, it may be possible that the functional requirements of the item are not clear while performing a TARA which may lead to incomplete TARA.

At Vayavya Labs, working with multiple customers has helped us to refine our customer’s processes, to get the item definition right. This helps us to reduce the efforts our customers need to do a TARA by reducing the number of iterations. Many organizations do not use any specific tools for TARA and use only MS Excel-based templates that are not very easy to create or navigate. There is no harm in using MS Excel-based templates if version control is in place. While using such customized templates, making use of comments or remarks to note trade-off decisions or any other important considerations helps when you revisit the TARA later in the projects. However, recently multiple tools have been available for TARA analysis. These tools might not only make it easier to maintain the TARA version but also help with pre-populated known threats/vulnerabilities (that are available through various sources like the UNECE / ENISA / MITRE etc). These tools might be helpful to teams who are doing TARA for the first time and help organize all information in one place. Some of the tools available for TARA are EVSec analysis from C2A security, Yakindu, MS Threat modeling tool, and Medini Analyze.

From the discussion points mentioned above, Vayavya has the following metrics or checks to assess the quality of a TARA analysis. These can be used as a TARA assessment checklist apart from other technical assessment checks.

Conclusion

TARA analysis (in Automotive Cybersecurity) is a time-consuming process and if done with the right approach can help to identify threats early in the product development phase. There are no standard metrics to compare the results of a TARA analysis, however, the quality may improve if a cross-functional team performs TARA. At Vayavya, we provide TARA consultancy that not only helps our customers walk through the TARA process but also understand and identify the right tools and methods and define KPIs that lead to better quality output from a TARA activity.

If you’re eager to explore the exciting frontiers of Automotive Cybersecurity and Functional Safety in Automotive and more about our groundbreaking initiatives in ADAS, reach out to us!