TARA

The TARA table gathers all elements that have been modeled in the previous steps and gives a global overview of the threat scenario that has to be mitigated, retained, shared, or avoided. The risk value is automatically calculated according to the ISO/SAE 21434:2021 standard.

Cybersecurity Risk

An effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and impact.

Cybersecurity Control

A measure that is modifying risk.

Cybersecurity Claim

A statement about a risk.

Cybersecurity Goal

A concept-level cybersecurity requirement associated with one or more threat scenarios.

Creating a TARA Table

To create a TARA Table

1. In the Containment tree, right-click Risk Treatment and Cybersecurity Control and select Create Diagram.
   
   
   
   
2. Do one of the following:
   • In the dialog, expand ISO 21434 and select TARA Table.
     
     
     
     
   • In the search tab, type the keyword TARA and then select TARA Table.
     
     
     
     The TARA Table is displayed in the diagram pane of the modeling tool.
     
     

Adding Threat Scenarios

To add Threat Scenarios to the TARA Table

1. In the TARA Table, click Add Existing.
   
   
   
   
2. From the Select Threat Scenario dialog, select the required Threat Scenario.
   
   
   
   

   A row is added to the TARA Table, which shows the existing Threat Scenario.
   
   

   • Threat Type, Impacted Asset, and Damage Scenarios are automatically added to the TARA Table based on the Damage Scenario Table and Threat Scenarios Table.
   • The risk values are automatically computed according to ISO/SAE 21434:2021 standard. Risk values are read-only values.

Assigning Risk Treatment Decision

To assign Risk Treatment Decision

•   Double-click the cell in the Risk Treatment Decision column and the required Threat Scenario's row. From the drop-down list, assign Risk Treatment Decision.
  
  
  The Risk Treatment Decision is assigned in the TARA Table.
  
  
  

  If the risk treatment decision is Retain, adding a claim is mandatory. In such cases, the cybersecurity goals and controls are not required.

Adding Cybersecurity Goal

To add a Cybersecurity Goal to the TARA Table

1. Double-click the designated cell in the Cybersecurity Goals column and the required Threat Scenario's row and click .
   
   
   
   
2. From the Select Element dialog, select Cybersecurity Goal.
   
   
   
   The Cybersecurity Goal is added to the TARA Table.
   
   

Adding Claim

To add a Claim to the TARA Table

• Double-click the cell in Claims column and the required Threat Scenario's row and type in the necessary Claim. 
  
  

  If the risk treatment decision is Retain, adding a claim is mandatory. In such cases, the cybersecurity goals and controls are not required and cannot be specified.

  Due to some performance reason, the claim does not appear in the containment tree directly after specifying it in the claim's cell. You have to save the project to see the claims in the containment tree under the smart package 2.3 Cybersecurity Claims.

Adding Controls

To add Controls to the TARA Table

1. Double-click the designated cell in the Controls column and the required Threat Scenario's row and click .
   
   
   
   

2. From the Select Elements dialog, select Controls.
   
   
   
   The Controls are added to the TARA Table.
   
   
   

   Controls are a list of Cybersecurity Requirements. There are 4 types of Cybersecurity Requirements: Functional, Technical, Hardware, and Software.

To ease the process of adding controls, the plugin provides you a feature to add the controls with the help of the Recommend Control command. The controls are recommended on the basis of assigned cybersecurity goals and CWE elements used as attack path steps.

To add controls using the Recommend Control command to the TARA Table

1. Right-click the threat scenario in the TARA table and select Recommended Control as follows:
   
   
   
   

2. From the Select Elements dialog, select or remove the recommended controls.
   
   
   

   For requirements to be reflected as recommended controls in the Select Elements dialog either one of the conditions should be satisfied:

   • A Threat scenario should have assigned cybersecurity goals with derived requirements.
   • A Threat scenario should have an attack path where the CWE elements are used in attack path steps.

   
   

   The recommended controls are added to the TARA Table.
   
   
   

TARA Table Example