TARA

ISO/SAE 21434:2021(en) provides a detailed guideline on how to conduct a TARA (Threat and Risk Assessment) in an automotive context. Here is a summary of the main steps outlined in the standard:

1. Establish the TARA project: Define the scope of the TARA, including the systems and components of the vehicle that will be included, as well as any external systems and networks that the vehicle may interact with. Establish a project plan, including timelines, resources, and deliverables.

2. Collect information: Gather information about the vehicle's systems and components, including hardware and software specifications, network architecture, and communication protocols. This information should be used to create a system architecture diagram.

3. Identify threats: Identify potential threats to the vehicle's systems and components, including physical, electronic, and cyber threats. This should be done using a threat modelling technique, such as STPA (System-Theoretic Process Analysis) or STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege).

4. Assess vulnerabilities: Identify potential vulnerabilities in the vehicle's systems and components, including known vulnerabilities and potential weaknesses. This should be done using a vulnerability assessment technique, such as penetration testing or fuzz testing.

5. Assess impacts: Evaluate the potential impacts of identified threats and vulnerabilities on the vehicle's systems and components, including safety, performance, and functionality. This should be done using a risk assessment technique, such as a FMEA (Failure Modes and Effects Analysis) or HAZOP (Hazard and Operability Study).

6. Prioritize risks: Prioritize the identified risks based on the likelihood and impact of each threat.

7. Develop countermeasures: Develop and propose countermeasures to mitigate the identified risks.

8. Validate countermeasures: Validate the proposed countermeasures by testing them in a controlled environment or by simulating the identified threats and vulnerabilities.

9. Implement countermeasures: Implement the validated countermeasures in the vehicle's systems and components.

10. Monitor and maintain: Continuously monitor the vehicle's systems and components for new threats and vulnerabilities, and update the countermeasures as needed to ensure the security of the vehicle.