| Asset | Asset Function | Cybersecurity Property(CIA) | I | A | Damage Scenario |
|---|---|---|---|---|---|
| BT/WLAN | Wireless communication | X | X | X | Data communication via Bluetooth/WLAN could be intercepted, leading to unauthorized access or control of the system. |
| Analog and Digital Radio Tuner | Receives audio broadcast signals | X | An attacker could manipulate radio content, sending misleading traffic updates or emergency broadcasts. | ||
| GPS/GLONASS | Navigation and positioning data | X | X | X | GPS data spoofing could mislead navigation, directing the vehicle to incorrect or unsafe routes. |
| HDMI/USB | Multimedia input/output interface | X | X | Malware introduced via USB could compromise the infotainment system or spread to other vehicle systems. | |
| CAN Transceiver | Vehicle control network communication | X | X | X | CAN bus messages could be intercepted and manipulated, causing unintended vehicle behavior such as braking or acceleration. |
| LIN Transceiver | Low-speed vehicle network communication | X | X | X | Manipulated LIN signals could disable or alter the behavior of comfort systems like lighting or seat controls. |
| Ethernet Transceiver | High-speed in-vehicle communication | X | X | X | Network traffic could be intercepted, affecting real-time data exchanges and safety-critical functions. |
| DSP/Microcontroller | Main controller handling processing and control | X | X | X | Compromising the microcontroller could lead to full system control, disabling safety features or controlling media outputs. |
| Audio Codec (ADC/DAC) | Audio signal conversion | X | Altering audio output could interfere with important auditory cues or navigation instructions. | ||
| Human Machine Interface (HMI) | User interface for controlling the infotainment | X | X | HMI compromise could confuse the driver, leading to incorrect input or unresponsiveness in critical situations. | |
| Rear Seat Monitor | Provides entertainment for rear passengers | X | X | Malicious content could be displayed, or the screen could be disabled, affecting passenger experience. | |
| Analog/Digital Camera | Captures visual data | X | X | X | Camera feeds could be tampered with, providing incorrect images to the driver or turning off critical safety systems. |
1. Item Definition (Section 7 of ISO 21434)
Objective: Define the system or component (the "item") under consideration, including its architecture, functionality, and context.
Key Activities
:
- Define the item scope (e.g., ECU, infotainment system, powertrain, etc.).
- Identify the functions of the system.
- Consider interfaces and interactions with other components.
2. Asset Identification
Objective: Identify the assets within the defined item that need to be protected.
Key Activities
:
- Identify the assets within the system (e.g., ECU firmware, communication links, user data, cryptographic keys).
- Classify assets based on their importance to vehicle safety, security, and privacy.
3. Threat Scenario Identification (Threat Analysis)
Objective: Identify potential threat scenarios that can compromise the identified assets.
Key Activities:
- Perform a threat analysis by identifying possible threat scenarios that could exploit vulnerabilities in the system.
- Define the attack paths and methods that an attacker might use (e.g., physical access, remote hacking).
- Consider different attacker types, capabilities, and attack motivations (e.g., theft, privacy invasion, disruption).
4. Impact Assessment
Objective: Assess the potential consequences of each identified threat scenario.
Key Activities:
- Determine the potential impact on the system in terms of safety, financial loss, privacy, operation, or regulatory compliance.
- Rate the impact level (low, medium, high) based on consequences like system malfunction, data breach, or operational failure.
- Assess how the failure impacts confidentiality (C), integrity (I), and availability (A).
5. Vulnerability Identification
Objective: Identify the vulnerabilities that could be exploited by attackers to compromise the system.
Key Activities:
- Evaluate weaknesses in system design, software, hardware, or protocols that could be exploited.
Use industry knowledge, past incidents, and vulnerability databases to identify common and emerging vulnerabilities (e.g., unpatched software, open communication ports).
6. Attack Feasibility Rating
Objective: Assess how feasible it is for an attacker to exploit the identified vulnerabilities.
Key Activities:
- Analyze the attacker’s capabilities and required resources (e.g., time, tools, access level).
- Rate attack feasibility based on complexity, accessibility, knowledge required, and attacker motivation.
- Use a scale such as low, medium, or high feasibility.
7. Risk Determination
Objective: Evaluate the overall risk for each threat scenario by combining the impact assessment and attack feasibility rating.
Key Activities:
- Calculate the risk based on the combination of impact and feasibility (ISO 21434 uses a risk matrix or similar method).
- Determine which risks are high, medium, or low based on this combination.
- Focus on high-risk scenarios that require immediate mitigation.
8. Risk Treatment Decision
Objective: Decide how to manage the identified risks (accept, mitigate, transfer, or avoid).
Key Activities:
- For high-risk scenarios, define appropriate cybersecurity controls (e.g., encryption, secure boot, access controls).
- For medium-risk scenarios, decide whether to accept the risk or apply mitigations.
- For low-risk scenarios, document the rationale for accepting the risk.
9. Risk Treatment Implementation
Objective: Implement the necessary cybersecurity controls to mitigate the identified risks.
Key Activities:
- Implement security controls in the system design, such as software updates, firewalls, or physical security measures.
- Ensure that countermeasures protect the system from identified threat scenarios.
- Conduct testing and validation to ensure the controls are effective in mitigating risks.
10. Residual Risk Assessment
Objective: Evaluate the residual risk after mitigation measures have been applied.
Key Activities:
- Reassess the risk levels after applying cybersecurity controls.
Ensure that residual risks are acceptable or have been properly documented for ongoing management.
11. Monitoring and Update (Cybersecurity Lifecycle)
Objective: Continuously monitor and update the system’s security posture over its lifecycle.
Key Activities:
- Regularly update threat models, vulnerabilities, and risk assessments.
- Perform regular security audits and penetration testing.
- Apply software updates, patches, and new mitigations as new threats and vulnerabilities emerge.
12. Documentation
Objective: Maintain thorough documentation throughout the TARA process for compliance, auditing, and future reference.
Key Activities:
- Document threat scenarios, risk assessments, mitigation decisions, and test results.
Ensure that all cybersecurity measures and justifications are traceable and well-documented.
TARA Framework in ISO 21434:
| Step | Key Output |
|---|---|
| Item Definition | System architecture and context definition. |
| Asset Identification | List of critical assets and their functions. |
| Threat Scenario Identification | Set of potential attack scenarios and attack vectors. |
| Impact Assessment | Evaluation of the impact of each threat on C, I, and A. |
| Vulnerability Identification | Identification of system vulnerabilities that can be exploited. |
| Attack Feasibility Rating | Estimation of the feasibility of exploiting each vulnerability. |
| Risk Determination | Calculation of overall risk level for each threat scenario. |
| Risk Treatment Decision | Decisions on risk mitigation strategies (accept, mitigate, transfer, or avoid). |
| Risk Treatment Implementation | Application of cybersecurity controls to reduce or eliminate risks. |
| Residual Risk Assessment | Reassessment of risks post-mitigation to ensure they are within acceptable levels. |
| Monitoring and Update | Continuous monitoring and updating of the cybersecurity posture throughout the lifecycle of the system. |
Key Concepts in ISO 21434:
- Cybersecurity Goals: Confidentiality (C), Integrity (I), and Availability (A) are key properties that should be protected.
- Risk Levels: Risks are classified based on the combination of attack feasibility and impact severity.
- Lifecycle: ISO 21434 emphasizes cybersecurity as a continuous process that extends throughout the lifecycle of the vehicle, from development to decommissioning.
| STRIDE Category | Analysis of the Scenario |
|---|---|
| S - Spoofing | The attacker could spoof the GPS signals or the GPS system itself, making the vehicle’s navigation believe the altered route is accurate, misleading the driver. |
|---|---|
| T - Tampering | The attacker tampered with the GPS data, modifying the navigation route to direct the vehicle to an unsafe or unintended destination. |
|---|---|
| R - Repudiation | The attacker could deny responsibility for altering the GPS data, and there may be no logging or proof of who manipulated the GPS route or system. |
|---|---|
| I - Information Disclosure | The attacker could access the vehicle’s GPS data, tracking the driver’s location, and potentially revealing sensitive information about the driver’s movements. |
|---|---|
| D - Denial of Service | The attacker could prevent the GPS system from functioning correctly, leaving the driver without navigation or causing confusion by showing no available routes. |
|---|---|
| E - Elevation of Privilege | The attacker might exploit vulnerabilities to gain unauthorized access to the GPS system, which they would not typically be allowed to control or manipulate. |
|---|---|
| S - Spoofing | The hacker might spoof the identity of legitimate users or services, making the vehicle’s system believe that the braking system was disabled by a trusted entity or service. |
|---|---|
| T - Tampering | The attacker directly tampers with the braking system's controls or commands, disabling the brakes and preventing the driver from being able to slow down or stop the vehicle. |
|---|---|
| R - Repudiation | The attacker could deny their actions, and there may be insufficient logging or evidence to prove that they were responsible for disabling the braking system. |
|---|---|
| I - Information Disclosure | The attacker could gain access to sensitive data related to the braking system’s control, revealing how it functions and exposing vulnerabilities in the system architecture. |
|---|---|
| D - Denial of Service | Disabling the braking system constitutes a Denial of Service (DoS) attack, preventing the driver from using a critical vehicle function that directly impacts their ability to stop. |
|---|---|
| E - Elevation of Privilege | The attacker may have exploited a vulnerability in the vehicle’s software or control system to gain access to privileged functions such as controlling or disabling the brakes. |
|---|---|