Integrating Functional and Component-Level Threat Analyses in Automotive Systems: A Holistic Approach to Risk Assessment

2024-01-2797

04/09/2024

Event: WCX SAE World Congress Experience

Abstract
Threat Analysis and Risk Assessment (TARA) for automotive systems is standardized in ISO/SAE 21434. Traditionally these analyses have been bifurcated into either analysis focused on system functionality, identifying impacts to assets based on the mission of the product, or analysis targeting vulnerabilities associated with the hardware and software of the interfaces selected to be part of a product. Furthermore, in the age of Software Defined Vehicles, the challenge of decoupling use cases, and the software that implements them, from specific fixed hardware designs magnifies the disconnect between these risk methods. Use Case Based threat analysis, grounded in an understanding of features, stakeholders, and user stories, inherently yields security requirements tailored to specific functionalities and their contexts, while component-based threat analysis, derived from enumerations of vulnerabilities associated with interface choices, inherently yields security requirements tailored to specific defenses against those vulnerabilities. This paper outlines how a Use Case Based TARA partitions a user story into its assets and stakeholders and maintains traceability to risk throughout the development of that user story. This method's detailed approach ensures that cybersecurity requirements can be readily implemented as part of feature design, addressing the concerns of feature owners directly. The paper discusses the merits of an asset-based approach to cybersecurity over an attack-based one, recognizes the inherent strengths and limitations of both methods, and underscores the need for a unified approach. Combining these analyses fosters a holistic view, ensuring that security requirements are both actionable and comprehensive. The paper also points out the shift toward agile development and the need to provide incremental value at short intervals.
This article delves into the intricacies of these concurrent threat analysis processes, highlighting the potential gaps and overlaps that may arise when they are treated in isolation. We argue that a fragmented approach not only leads to potential vulnerabilities but also results in redundancies, making the threat mitigation process inefficient.
Details
DOI: https://doi.org/10.4271/2024-01-2797
Pages: 10
Citation
Mazzara, B., and Davidovich, I., "Integrating Functional and Component-Level Threat Analyses in Automotive Systems: A Holistic Approach to Risk Assessment," SAE Technical Paper 2024-01-2797, 2024, https://doi.org/10.4271/2024-01-2797.
Additional Details
Published: Apr 09
Product Code: 2024-01-2797
Content Type: Technical Paper
Language: English