Site Search
Semiconductor business menu
Semiconductor business
HOME
Macnica 's
Products & Services
Technical Information
Case Study
event·
seminar
Handling Manufacturer
Support

Narrow down by specifying conditions

現在2147件がヒットしています。check

New article
foundation
design
product pick up
ETAS Foundation Software

Automotive cybersecurity measures are now at a major turning point: from "measures implemented just in case" to "mandatory requirements required by law."
At the heart of this is TARA (Threat Analysis and Risk Assessment).

In this article, we will provide an easy-to-understand explanation of what TARA is and why it is considered so important now from the perspective of complying with regulations.


🟪 3-line summary
✔ Cybersecurity measures for automobiles have become a legal requirement under UN-R155
✔ The premise is TARA (Threat Analysis and Risk Assessment) to identify and assess risks.
✔ Failure to systematically implement and explain TARA may affect type approval and trade requirements

Introduction: The era of "self-response" in cybersecurity is over

In the past, automotive safety was centered around collision safety and functional safety. However, today's vehicles are constantly connected to networks through dozens, even hundreds, of ECUs, external communications, OTA updates, cloud connectivity, and more. As a result, automobiles have become both "physical products" and "systems connected to cyberspace." UN-R155 (Cybersecurity Regulation) was enacted in response to this change.

In this rule,

Identifying cyber risks

- Assessing risks

- Take appropriate measures

・Continuous management

It is clearly required that "measures be taken" and "measures be selected based on risk" are not what is required here. The core of this "risk-based decision-making" is TARA. So, what exactly does it mean to "identify and assess risks"?

Related article

WP.29 UN-R155 CSMS Compliance Guide | Differences from ISO/SAE 21434 and Implementation Points

What is TARA? - The starting point for risk-based design

Here, we will discuss what TARA (Threat Analysis and Risk Assessment) is. TARA means threat analysis and risk assessment in Japanese.

1. Identifying assets to be protected

2. Identifying potential threats

3. Evaluating the likelihood of a successful attack

4. Impact assessment (safety, finances, brand, etc.)

5. Determining the risk level

6. Defining the necessary security goals

 This is a series of processes, not simply "creating a list of threats." The purpose of TARA is to "rationally determine which risks require what level of countermeasures," which leads to security goals and technical requirements.

In other words, TARA is the very basis for security design, and is not just an analytical method, but the starting point for design that supports compliance with regulations. So, how exactly is TARA linked to regulations?

Relationship between UN-R155, ISO/SAE 21434 and TARA

For automobiles, the international standard ISO/SAE 21434 has been established for CSMS (Cyber Security Management System) throughout the entire life cycle from planning and development to disposal.

・ Concept phase

・ System design phase

In addition, UN-R155 requires OEMs to establish a CSMS and

- Identifying risks

- Conducting risk assessments

・Explanation of the validity of the measures

 It is necessary to demonstrate a system in place to carry out this.
In other words, companies that do not systematically implement TARA cannot logically explain their compliance with regulations. This is not just a technical issue, but also a business continuity issue. From this, we can see that TARA is not an "activity that is good to do," but rather an "activity that cannot be explained unless it is implemented."

So, what problems would arise if TARA were insufficient?

Related article

WP.29 Compliance and CSMS/SUMS Implementation Guide

Potential risks if TARA is insufficient

TARA does not simply need to be implemented formally; if it is not implemented properly, the following problems will arise.

Variation in risk assessment criteria The evaluation criteria differ for each project, and the level of countermeasures against similar threats is not uniform.
Lack of traceability The connection between risk → security objectives → technical requirements → implementation cannot be proven.
Difficulty in responding to audits There is a lack of objective evidence to answer the question, "Why are these measures sufficient?"
Lack of reusability

Inefficient operations that require identifying threats from scratch every time.
*In particular, UN-R155 audits confirm the reproducibility and consistency of risk management processes.

Considering the risks above, there is a possibility that TARA's personal Excel management will not be able to withstand the increase in projects in the future. These are not theoretical concerns, but issues that can arise in actual development sites. Suppliers who receive requests from OEMs are particularly susceptible to this.

The reality of TARA for suppliers

TARA affects not only OEMs but also suppliers.

・Request for submission of TARA results

・Explanation of security concepts

・ Sharing the basis for risk assessment

Increasingly, there are also cases where TARA is included in the terms of business. If TARA is not implemented or cannot be explained, it may lead to lost order opportunities, additional design requests, and development delays. Therefore, TARA is not just a matter for the technical department, but has become an element that is directly linked to competitiveness.

However, even if you understand the importance of TARA, it is not easy to keep it running steadily in practice. This is the next hurdle that many companies face.

The challenge of "putting TARA into practice"

Although TARA is easy to understand in theory, the following issues arise in practice:

- Ensuring comprehensiveness of threat patterns

・Validity of risk scores

・Reuse of past project assets

- Document management and audit trails

- Maintain consistency across projects

Managing these things manually is becoming more difficult every year. If compliance with regulations is a given, simply implementing TARA is not enough; a system for continuously running explainable TARA is required. So how do we overcome this challenge? What is needed is a reproducible TARA implementation system that is based on compliance with regulations.

Implementing TARA in compliance with regulations

To achieve this, we use specialized tools that systematically support the implementation of TARA. In particular, CyclurRISK by ETAS, which is available at Macnica,

・ Support for TARA process in accordance with ISO/SAE 21434

- Standardization of risk assessment

- Ensuring traceability

Reusable threat library

・Document management with audit preparedness in mind

To achieve this, TARA is a solution that evolves from a task dependent on an individual to an organizational risk management system that is premised on compliance with regulations. Furthermore, these efforts are not simply about improving efficiency, but can be seen as building a foundation that simultaneously supports corporate competitiveness and compliance with regulations.

Implement TARA efficiently

Collaborative work is possible

TARA Implementation Tool - CycurRISK

Summary

Cybersecurity measures for automobiles are no longer optional; UN-R155 has made risk identification, assessment, and management mandatory. TARA is the starting point and an activity that serves as the basis for security design. However, what's important is not just that TARA has been implemented, but that it is being implemented continuously in an accountable manner. In future automobile development, TARA will be the foundation for complying with regulations and a source of competitiveness.

Please consider CycurRISK, the TARA implementation tool that supports your work!

Inquiry

If you have any questions about this product, please contact us using the information below.

Contact Us