TARA, sometimes referred to in the automotive field as ACRA (Automotive Cybersecurity Risk Assessment), is an analysis intended to identify, evaluate and prioritize the possible cybersecurity risks of a SW or HW function/component, with the purpose of defining the actions to be taken to avoid those risks or to handle them.
In a product life cycle, TARA must be performed after the definition of the Functional Requirements, so that any necessary measures can be integrated early in the subsequent development phase. The longer this analysis is postponed, the more the implementation of any measures that prove necessary could introduce significant changes to the solution, and could have serious repercussions in terms of extra budget and/or missed deadlines. TARA considers both information security and the protection of sensitive data.
exida proposes the following consolidated 4-step process:
1. For each function/component considered, determination of its actual relevance for Cybersecurity purposes.
2. Analysis of the protection level that the relevant function/component needs (depending on the security requirements).
3. Analysis of all the possible threats (potential risk identification and risk category definition), with prioritization.
4. Definition of the necessary actions and issue of the final report, as a summary reference for planning and implementing these actions.
The main inputs usually referenced are:
- SW, HW, SYS Architecture.
- FuSa Analyses (FMEA/FMEDA).