TARA: Threat Assessment and Remediation Analysis
Originally developed in 2010, TARA is an “engineering methodology used to assess and identify cyber threats and select countermeasures effective at mitigating the vulnerabilities”
2. • Evolution of vehicles from the stone age to the digital age
• Defence security points
• Automotive risk-oriented security measures
• TARA – Threat Assessment and Remediation Analysis
• Phases of TARA assessment
• Deep analysis of all the phases of the TARA assessment
Content
3. Evolution of vehicles from the stone age to the digital age
Technological disruptions in the Automotive industry
Autonomous systems used in emergency braking, and lane
assistance in vehicles enhance road-safety
Connected vehicles on road generate data which enables
strong predictive analysis of fleet management & maintenance
Electric mobility empowers clean energy and less consumption
of fossil-based combustion engines
Shared service is a part of the MaaS (Mobility-as-as-service)
contributing to the shared economy aspect of smart cities
Like every industry entering into the digital ecosystem, the automotive industry is also transforming its
products and services by leveraging digital offerings and making them more customer-centric
4. Defence security points
End-to-end security
Secure external interfaces
In-vehicle secure network
architectures
Hardware security
modules
People awareness and
training
Secure
supply chain
Security Framework based on defence depth strategy
External interfaces such as driver-dedicated
applications, Bluetooth, OBD, OTA
Physical segregation and isolation using secure
gateways & communication buses such as Ethernet
HSM provides security functions such as secure
boot, key generation, active memory protection
Involving all the stakeholders in the supply chain and
ensuring cybersecurity risk mitigations at every end
Establishing chain-of-trust from the car architecture
to the servers and the cloud
5. Automotive risk-oriented security measures
Cybersecurity Privacy
• Goal: Protect assets
• Risk: External threats, driven by
humans
• Governance: ISO 21434 etc
• Methods:
• TARA, …
• Cryptography
• Key management
• Goal: Protect intellectual property
• Risk: data threats, driven by
humans
• Governance: ISO 27001 etc
• Methods:
• TARA, …
• Cryptography
• Explicit consent
TARA: Threat Assessment and Remediation Analysis
Originally developed in 2010, TARA is an “engineering methodology used to assess and
identify cyber threats and select countermeasures effective at mitigating the vulnerabilities”
6. Phases of TARA assessment
Define scope and
assessment
Cyber threat
susceptibility analysis
Cyber risk
remediation analysis
TARA
Scope
Susceptibility
matrix
Mitigation
recommendations
• TARA Assessment
• Catalog Development
• Toolset development
Workflows
7. Deep analysis of all the phases of the TARA assessment
TARA Scope Susceptibility matrix Mitigation recommendations
• Evaluate the target
• Assess the range of threats
• Analyse the threat actor’s capabilities
and intent
• Prepare the phase of the system
acquisition lifecycle
• Prepare TARA assessment and
scope brief
• Model the attack surface
• Perform the catalog search to identify
candidate AVs
• Eliminate implausible Avs
• Define a scoring model to rank
plausible Avs
• Construct the susceptibility matrix
• Select AVs to mitigate
• Use mitigation mappings to identify
candidate countermeasures (CMs)
• Eliminate implausible CMs
• Define a scoring model to rank CMs
• Select the best CM solution set
• Develop well-formed
recommendations
Vector Groups Attack Vectors Countermeasures
TARA Data model
Vector
groupings
Countermeasure
mappings
8. • https://www.arm.com/blogs/blueprint/aces-future-mobility
• https://www.youtube.com/watch?v=H_J41yopxvE&t=1808s
• https://www.mitre.org/sites/default/files/2021-11/pr-20-0272-tara-training-workshop.pdf
• https://capgemini-engineering.com/as-content/uploads/sites/27/2021/04/compressed_cybersecurity-in-automotive-how-to-stay-ahead-of-cyber-threats_v8.pdf
• This Photo by Unknown Author is licensed under CC BY
• This Photo by Unknown Author is licensed under CC BY-SA-NC: photo used in the introduction slide
References
*author’s intent is not “content generation”