TARA stands for Threat Analysis and Risk Assessment. It is a systematic cybersecurity methodology that identifies potential cyber threats to a system early on, assesses their likelihood, and prioritizes their impact on security. Rather than relying on assumptions, TARA is the central mechanism for deriving security requirements (cybersecurity goals) in a structured way.
Why TARA?
Unlike traditional risk management, TARA focuses specifically on cyber threats. Rather than addressing hardware failures, it focuses on malicious external attacks. The goal is to balance security costs with actual risk exposure.
The TARA Workflow: Achieving Security in 7 Steps
The process (often aligned with ISO/SAE 21434) follows a logical sequence:
1. Item Definition – Define Scope
What are we protecting (architecture), what is relevant (relevance), and what is out of scope? To define the object of analysis:
- Involve relevant stakeholders,
- Define system boundaries (entry/exit points, external interfaces, dependencies, etc.),
- Document scope and boundary decisions in a transparent and traceable way.
UML diagrams can be helpful here.
2. Asset Identification – Evaluate Critical Elements
Which assets need protection? Examples include hardware, software, personnel, user data, and control commands. Assets are not protected arbitrarily; they are evaluated based on the CIA triad: Confidentiality, integrity, and availability. The goal is to strategically prioritize assets to enable targeted protection measures, not just list them.
3. Threat Analysis
What threats exist? The steps in a threat analysis are:
- Identify threat actors, or internal and external attackers.
- Develop threat scenarios to better understand potential risks.
- Continuously update results to reflect emerging threats.
ISO/SAE 21434 Annex 5 provides a comprehensive threat catalog for the automotive sector.
4. Impact Rating – Assess Consequences
In the event of a security incident, how would the identified assets be affected? How severe would the resulting damage be in terms of security, finances, operations, and privacy? Damage scenarios are analyzed. In the automotive sector, the SFOPP model is used for this purpose. This model makes the assessment objective and multidimensional. The model stands for:
- S for Safety: Risk of injury,
- F for Financial: Monetary losses,
- O for Operational: Functional limitations,
- P for Privacy: Loss of sensititve data,
- P for Perception: Loss of trust.
5. Attack Feasibility – Assess Likelihood of Attack Execution
How easy is the attack to carry out, and how realistic is it? Rather than making an estimate, an event tree is often used to calculate the AFR (attack feasibility rating). It is typically divided into the following levels:
- Threat Scenario (Top Event),
- Attack Paths (Attack Paths),
- Individual Steps (Attack Steps).
For each step in the event tree, the effort required by the attacker is assessed. Ultimately, this results in the total AFR.
6. Risk Determination – Risk Classification
The overall risk is calculated based on impact and feasibility. For this purpose, a risk matrix is often created. Risks are entered into the matrix based on the AFR and SFOPP assessments, typically on a scale from 1 (low) to 5 (high).
7. Risk Treatment – Risk Mitigation
What measures should be taken to address the identified risks? Possible strategies include avoiding, mitigating, accepting, or transferring risks and sharing responsibility. Depending on the strategy chosen, the result is either active measures (cybersecurity goals) or documented risk acceptance (cybersecurity claims).
Threats and Vulnerabilities in TARA
In practice, the terms „threat“ and „vulnerability“ are often used interchangeably. However, for a precise TARA analysis in accordance with ISO/SAE 21434, it is essential to distinguish between the two:
- Threat: A potential event that could compromise a cybersecurity property (CIA), such as „manipulation of control data.“
- Vulnerability: A specific weakness in the design or implementation that makes a threat feasible (e.g., „lack of authentication on the CAN bus“).
A well-founded TARA uses the results of the vulnerability analysis to objectively assess the probability of occurrence. Only those who understand their vulnerabilities can accurately evaluate the attack paths in the event tree and establish effective cybersecurity goals.
TARA vs. FMEA: Why Traditional Risk Management Is Not Enough
Many project teams wonder if an existing FMEA can replace a TARA. The answer is no. While the FMEA focuses on safety, the TARA addresses security. Here is a brief comparison:
| FMEA (Functional Safety) | TARA (Cybersecurity) | |
|---|---|---|
| Focus | Safety: Protect the environment from system malfunctions | Security: Protect the system from malicious external attacks |
| Cause | Random hardware failures or systematic software errors | Intentional, intelligent attackers with specific goals |
| Evaluation | Statistical failure probability | Attack likelihood (feasibility and attacker motivation) |
| Goals | Prevent injury and physical damage | Protect confidentiality, integrity, and availability (CIA) |
| Dynamics | Static: Failure rates change little over time | Highly dynamic: New attack methods require continuous updates |
What Are the Key Industries for TARA?
TARA is not a niche product; it is a requirement in regulated industries:
- Automotive: According to the ISO/SAE 21434 standard, TARA is mandatory for modern, connected vehicles (software-defined vehicles).
- Medical Technology: It protects patient data and ensures device functionality against hacker attacks.
- Industry 4.0 (OT): Securing production facilities and critical infrastructure (KRITIS).
- Aerospace: Protecting avionics against unauthorized access.
TARA in Requirements Engineering
Silos between security and development
TARA results often remain isolated in Excel spreadsheets and never make it into the requirements.
With objectiF RPM , you can integrate TARA directly into your requirements engineering process. Identified threats lead immediately to new security requirements, which are visible to all developers.
Lack of Traceability (Traceability)
Auditors ask, “Why was this safety measure implemented?“
Traceability is built right into objectiF RPM. The entire chain is fully traceable, from the asset to the threat, through the technical implementation and the test case.
Cybersecurity built in your Requirements Engineering
Discover how objectiF RPM helps you create TARAs and ensures compliance with ISO/SAE 21434.
FAQ
What is the difference between TARA and HARA?
While HARA (Hazard Analysis and Risk Assessment) focuses on functional safety, such as ISO 26262, TARA focuses on cybersecurity. Safety protects the environment from the system, while security protects the system from the environment.
Is TARA a one-time event or an ongoing process?
TARA is an iterative process. Because the threat landscape is constantly changing with new exploits and AI attacks, TARA must be updated regularly throughout a product’s entire lifecycle.
What methods are useful for identifying threats?
Commonly used frameworks include Microsoft’s STRIDE and the MITRE ATT&CK catalog, which are used to systematically check for known attack patterns.
Do You Want to Know More?
Read more informative articles online or download our white papers.
What is Project Management?
Project management provides structure, transparency, and planning certainty for complex projects. Using the right methods, clear processes, and centralized management, companies can balance time, budget, and quality, whether they use traditional, agile, or hybrid approaches.
objectiF RPM – Whitepaper
Increase your business agility. Get to know objectiF RPM in this whitepaper. From the needs of stakeholders to IT systems for successful business.
objectiF RM – Whitepaper
Requirements Engineering for Software and Systems. Read about benefits and options of objectiF RM in this whitepaper.