The TARA table gathers all elements that have been modeled in the previous steps and gives a global overview of the threat scenarios that have to be mitigated, retained, shared, or avoided. The risk value is automatically calculated according to the ISO/SAE 21434:2021 standard.

Cybersecurity Risk

An effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and impact.

Cybersecurity Control

A measure that modifies risk.

Cybersecurity Claim

A statement about a risk.

Cybersecurity Goal

A concept-level cybersecurity requirement associated with one or more threat scenarios.

Creating a TARA Table

If you create a new project using the ISO 21434 Project template, then a TARA table already exists in the 1.4 Risk Treatment and Cybersecurity Control package.


To create a TARA Table


  1. In the Containment tree, right-click Risk Treatment and Cybersecurity Control and select Create Diagram.

  2. Do one of the following:
    • In the dialog, expand ISO 21434 and select TARA Table.
    • In the search tab, type the keyword TARA and then select TARA Table.

      The TARA Table is displayed in the diagram pane of the modeling tool.

Adding Threat Scenarios

To add Threat Scenarios to the TARA Table


  1. In the TARA Table, click Add Existing.



  2. From the Select Threat Scenario dialog, select the required Threat Scenario.



    A row is added to the TARA Table, which shows the existing Threat Scenario.

    • Threat Type, Impacted Asset, and Damage Scenarios are automatically added to the TARA Table based on the Damage Scenario Table and Threat Scenarios Table. Threat Scenarios and Damage Scenarios are associated through their Failure Modes: the Damage Scenarios that have the same Failure Modes as a given Threat Scenario are taken into account when computing the Risk Values.
    • The risk values are automatically computed according to the ISO/SAE 21434:2021 standard. Risk values are read-only.

Assigning Risk Treatment Decision

To assign Risk Treatment Decision


  • Double-click the cell in the Risk Treatment Decision column in the required Threat Scenario's row. From the drop-down list, assign the Risk Treatment Decision.


    The Risk Treatment Decision is assigned in the TARA Table.


    If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the cybersecurity goals and controls are not required.

Adding Cybersecurity Goal

To add a Cybersecurity Goal to the TARA Table


  1. Double-click the designated cell in the Cybersecurity Goals column in the required Threat Scenario's row, and click the button that opens the Select Element dialog.



  2. From the Select Element dialog, select Cybersecurity Goal.



    The Cybersecurity Goal is added to the TARA Table.

  • You can also add a safety goal from another project (HARA analysis) as a cybersecurity goal. Doing this will create a clone of the safety goal in your project. To add a safety goal as a cybersecurity goal, follow the same procedure as defined above.
  • If the ASIL value of the safety goal is inconsistent with the Safety Risk Value of the threat scenario, a validation rule is triggered and the particular row is displayed in red. You can view the error message in the Active Validation Results pane.
  • You can resolve the error by making the ASIL value and the Safety Risk Value consistent with each other.

To Generate/Synchronize the Cybersecurity Goals to the TARA Table


  • Right-click the threat scenario in the TARA table and select Generate/Synchronize Cybersecurity Goals.



  • The cybersecurity goal is autogenerated based on the following formula:
    •  [Asset Name] of the [Item] shall be protected against [Threat type]

  • If you add an item, asset or a threat type for a threat scenario, the command autogenerates a cybersecurity goal.
  • If you update an item, asset or a threat type for a threat scenario, the command synchronizes the autogenerated cybersecurity goal. Synchronization happens in the following two scenarios:
    • If you rename an item, asset or a threat type, then the existing autogenerated cybersecurity goal is renamed.
    • If you add/remove an item, asset or a threat type, then an autogenerated cybersecurity goal is added/removed.

Adding Controls

To add Controls to the TARA Table


  1. Double-click the designated cell in the Controls column in the required Threat Scenario's row, and click the button that opens the Select Elements dialog.



  2. From the Select Elements dialog, select Controls.


    The Controls are added to the TARA Table.

    Controls are a list of Cybersecurity Requirements. There are 4 types of Cybersecurity Requirements: Functional, Technical, Hardware, and Software.

To ease the process of adding controls, the plugin provides a feature to add the controls with the aid of the Recommend Control command. The controls are recommended on the basis of assigned cybersecurity goals and CWE elements used as attack path steps.

To add controls using the Recommend Control command to the TARA Table


  1. Right-click the threat scenario in the TARA table and select Recommended Control.



  2. From the Select Elements dialog, select or remove the recommended controls.


    For requirements to be reflected as recommended controls in the Select Elements dialog, either of these conditions should be satisfied:

    • A Threat Scenario should have assigned cybersecurity goals with all the derived requirements.
    • A Threat Scenario should have an Attack Path with a step that is either a CWE or a Technique. In that case, if the CWE or Technique has a Recommendation from a Cybersecurity Requirement, that requirement is automatically proposed by the Recommend Control command.

    The recommended controls are added to the TARA Table.


Adding Claim

To add a Claim to the TARA Table


  • Double-click the cell in the Claims column in the required Threat Scenario's row and type in the necessary Claim.

    If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the cybersecurity goals and controls are not required and cannot be specified.

    For performance reasons, the claim does not appear in the containment tree directly after you specify it in the claim's cell. You must save the project to see the claims in the containment tree under the smart package 2.3 Cybersecurity Claims.

TARA Table Example

  • The Safety, Financial, Operational, and Privacy risk values are calculated automatically by using the following formula:
    • Risk Value = 1 + Maximum(Impact) * Aggregated Attack Feasibility Rating

  • The maximum among all the risk values (Safety, Financial, Operational, and Privacy) is taken as the Global Risk Value.
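
The following Python sketch is an added example, not code from the plugin or its documentation. It applies the risk formula and Global Risk Value rule above, the autogenerated goal template, and the Retain/claim rule to one constructed row. The numeric impact and feasibility scales, all class and function names, and the sample values are assumptions; the page does not give them.

```python
from dataclasses import dataclass, field

# Assumed numeric scales for illustration; the page does not state them.
IMPACT = {"negligible": 0.0, "moderate": 1.0, "major": 1.5, "severe": 2.0}
FEASIBILITY = {"very low": 0.0, "low": 1.0, "medium": 1.5, "high": 2.0}
CATEGORIES = ("Safety", "Financial", "Operational", "Privacy")

@dataclass
class TaraRow:  # hypothetical stand-in for one TARA Table row
    item: str
    asset: str
    threat_type: str
    feasibility: str   # aggregated attack feasibility rating
    impacts: dict      # category -> impact ratings of the linked damage scenarios
    decision: str = ""
    claim: str = ""
    goals: list = field(default_factory=list)
    controls: list = field(default_factory=list)

def risk_values(row):
    """Risk Value = 1 + Maximum(Impact) * Aggregated Attack Feasibility Rating."""
    f = FEASIBILITY[row.feasibility]
    values = {}
    for cat in CATEGORIES:
        worst = max((IMPACT[r] for r in row.impacts.get(cat, [])), default=0.0)
        values[cat] = 1 + worst * f
    values["Global"] = max(values[cat] for cat in CATEGORIES)
    return values

def generated_goal(row):
    """[Asset Name] of the [Item] shall be protected against [Threat type]."""
    return f"{row.asset} of the {row.item} shall be protected against {row.threat_type}"

def check_treatment(row):
    """Retain needs a claim and must not carry goals or controls."""
    problems = []
    if row.decision == "Retain":
        if not row.claim.strip():
            problems.append("Retain requires a claim")
        if row.goals or row.controls:
            problems.append("Retain rows cannot carry goals or controls")
    return problems

# Constructed sample row (not taken from a real project).
ROW = TaraRow("Headlamp System", "CAN Frame", "Spoofing", "medium",
              {"Safety": ["severe", "moderate"], "Financial": ["moderate"],
               "Operational": ["negligible"], "Privacy": ["major"]},
              decision="Retain")
```

For the constructed row, Safety drives the Global Risk Value, and the treatment check reports the missing claim.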