You're reading from Automotive Cybersecurity Engineering Handbook

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781801076531
Edition: 1st Edition
Dr. Ahmad MK Nasser

Dr. Ahmad MK Nasser is an automotive cybersecurity architect with a long experience in securing safety-critical systems. He started his career as a software engineer, building automotive network drivers, diagnostics protocols, and flash programming solutions. This naturally led him into the field of automotive cybersecurity, where he designed secure firmware solutions for various microcontrollers and SoCs, defined secure hardware and software architectures of embedded systems, and performed threat analysis of numerous vehicle architectures, ECUs, and smart sensors. Ahmad holds a B.S. and an M.S. in electrical and computer engineering from Wayne State University, as well as a Ph.D. in computer science from the University of Michigan in Dearborn. He is currently a principal security architect for NVIDIA's autonomous driving software platform.

A Practical Threat Modeling Approach for Automotive Systems

Threat modeling is at the core of any secure engineering process. It is the driver for understanding and prioritizing threats against the system and deriving cybersecurity goals, security controls, and security requirements necessary to treat those threats. Before performing a threat analysis and risk assessment (TARA), teams are essentially blind to most risks that their system is exposed to. They also have no clear vision of which risks are the most urgent to treat. Even when a rudimentary security analysis has taken place through brainstorming or consulting a security expert, there is no guarantee that risks have been analyzed comprehensively. The TARA solves this problem by providing engineering teams with a systematic approach to exposing and prioritizing threats based on a risk management approach. Due to the safety and operational aspects of automotive systems, simply borrowing threat modeling methods from IT is not...

The fundamentals of performing an effective TARA

In Chapter 5, we introduced some of the basic tenets of the ISO/SAE 21434 threat modeling approach. But even when following the ISO methodology, it is not uncommon to execute the TARA poorly, producing sub-optimal analysis results while exceeding the allotted time for analysis. Teams often spend so much time performing the TARA that incorporating the resulting risk mitigations within the project schedule becomes impossible. As we dive deeper into the practical aspects of a TARA, we will keep this in mind to ensure that we are not simply going through the motions of performing the TARA but rather producing a valuable output within a reasonable time frame to elevate the security bar of our automotive systems. But first, let’s review some of the basic terms and definitions that will be repeatedly referenced throughout this chapter.

Assets

ISO/SAE 21434 defines an asset as “an object that has value...

Common pitfalls when preparing a TARA

Before discussing the details of the practical TARA methods in this chapter, let’s take a moment to call out the telltale signs that a TARA under preparation will produce bad outcomes. By understanding the common pitfalls, we will gain some perspective as to why a better approach is needed.

As we introduced earlier, the lack of agreement on the attacker and threat model is a guaranteed source of heartburn throughout the TARA process. If you are the reviewer of a TARA where the authors cannot articulate which attackers and threat types they are aiming to defend against, then this should raise a red flag. Along the same lines, a lack of correct assumptions about the operational environment is a sign of a likely incomplete analysis or an over-engineered system. In many cases, you do not have the full details about your target system. You may be developing an ECU, a software application, a microcontroller, or even just a library...

Defining the appropriate TARA scope

ISO/SAE 21434 mandates that the TARA be performed during the concept phase while considering all product life cycle phases (production, operation, maintenance, and decommissioning). A common pitfall is to focus purely on the operational phase because that is the phase where vehicle safety is directly exposed to cybersecurity threats. The result is an inadequate cybersecurity concept that misses security goals covering how the vehicle is produced, maintained, and taken out of service. That is why it is important to involve all engineering teams across all the product life cycle phases and assign clear responsibilities when planning out the TARA(s). When there is resistance to expanding the scope of the TARA to cover these life cycle stages, development teams must capture all the assumptions on risks of the other life cycle phases to ensure that at least the system integrator is aware of those risks. For example, if the manufacturing phase is not adequately analyzed...

The practical approach

Armed with the TARA fundamentals and the common pitfalls, we are now ready to walk through the practical approach of threat modeling automotive systems. Throughout this approach, we will focus on three objectives:

  • Producing the highest threat coverage possible for our target system
  • Choosing the correct risk treatment decisions
  • Finishing the TARA within a reasonable time frame that fits within the project’s allotted time

Know your system

TARA is most effective and streamlined when the security analyst is intimately familiar with the system under analysis. However, given the breadth of knowledge required for accurately analyzing automotive systems, in most cases, the security analyst must collaborate with the domain experts to understand the system functions, uncover damage scenarios, and accurately capture assets that need protection. This can be done in an interview-style setting, where the security analyst asks a series of questions...

Case study using a digital video recorder (DVR)

Let’s assume that you have been given the task of performing a TARA for a video recording function in an ADAS system that continuously records video data to capture a 20-second window around the time an automatic emergency braking (AEB) event is triggered. The recording is then made available for an external client to download either through the USB interface or the telematics unit. This is needed to analyze the event details and determine responsibility in the case of a crash. Your task is to identify high-risk threat scenarios related to this feature and define the necessary risk treatment decisions. Let’s walk through the steps of applying the practical TARA approach to this use case.

Note

The following analysis is an abridged version of a full TARA and is not meant to be comprehensive.

Before we begin, it helps to capture the use case details in a table format, as shown here. The more details we capture about...

Summary

In this chapter, we introduced a practical approach to performing an efficient TARA. Our goal was to explain the fundamentals behind the ISO/SAE 21434 TARA methods while highlighting steps that can improve the results of the TARA and reduce the overall TARA preparation effort. We showed numerous pitfalls that engineering teams can fall into when performing the TARA process and provided tips and best practices to avoid them. The practical approach was broken into several phases, with the first phase starting with knowing the system by defining assumptions, understanding the use case under analysis, and modeling the system context and data flow. In the second phase, assets, damage scenarios, threats, and attack paths are identified and traced to one another. This paves the way for the third phase of attack feasibility and impact rating, which are necessary steps to calculate the risk levels and enable the risk treatment decision-making process. Once the risks have been prioritized...
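To make the traceability chain and the risk calculation concrete for the DVR case study, here is an added Python example (not code from the book): an asset is traced to a damage scenario, a threat scenario and its attack paths, attack feasibility is derived from attack-potential factor scores, and an impact rating plus a risk matrix yields a risk value and a treatment decision. The rating scales, factor scores, matrix values and decision thresholds are assumptions constructed for illustration; they follow the shape of the ISO/SAE 21434 tables but are not quoted from the standard.

```python
from dataclasses import dataclass

# Rating scales are constructed for this example; they follow the shape of the
# ISO/SAE 21434 attack-potential and risk-matrix tables, not their exact values.
FEASIBILITY = ["high", "medium", "low", "very low"]   # easiest first
FEASIBILITY_LIMITS = (13, 19, 24)   # attack-potential sum: <=13 high, <=19 medium, <=24 low
RISK_MATRIX = {                     # impact -> feasibility -> risk value 1..5
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
}

@dataclass
class AttackPath:
    name: str
    # Factor scores: elapsed time, expertise, knowledge of the item, window of
    # opportunity, equipment. Higher scores mean more effort for the attacker.
    factors: tuple

    def feasibility(self) -> str:
        total = sum(self.factors)
        for limit, rating in zip(FEASIBILITY_LIMITS, FEASIBILITY):
            if total <= limit:
                return rating
        return "very low"

@dataclass
class ThreatScenario:
    asset: str
    damage_scenario: str
    impact: str            # negligible / moderate / major / severe
    attack_paths: list

    def feasibility(self) -> str:
        # A scenario is as feasible as its easiest traced attack path.
        return min((p.feasibility() for p in self.attack_paths), key=FEASIBILITY.index)
    def risk(self) -> int:
        return RISK_MATRIX[self.impact][self.feasibility()]
    def treatment(self) -> str:
        # Assumed decision rule: reduce high risks, share or reduce mid risks, retain low ones.
        r = self.risk()
        return "reduce" if r >= 4 else "reduce or share" if r >= 2 else "retain"

# Constructed DVR scenario: the AEB event recording is altered before it is downloaded.
DVR_TAMPERING = ThreatScenario(
    asset="AEB event video recording",
    damage_scenario="Altered recording misattributes crash responsibility",
    impact="major",
    attack_paths=[AttackPath("Edit recording over USB", (1, 3, 3, 4, 4)),          # sum 15 -> medium
                  AttackPath("Edit recording over telematics", (4, 6, 7, 1, 4))])  # sum 22 -> low
```

Calling `DVR_TAMPERING.risk()` returns 3 (major impact, medium feasibility) and `DVR_TAMPERING.treatment()` returns "reduce or share" under the assumed rule; swapping in the real project's rating tables is a matter of replacing the constants.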

References

To learn more about the topics that were covered in this chapter, take a look at the following resources:
