Page History
Table of Contents | ||
---|---|---|
|
The TARA table gathers all elements that have been modeled in the previous steps and gives a global overview of the threat scenario that has to be mitigated, retained, shared, or avoided. The risk value is automatically calculated according to the ISO/SAE 21434:2021 standard.
Cybersecurity Risk
An effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and impact.
Cybersecurity Control
A measure that is modifying risk.
Cybersecurity Claim
A statement about a risk.
Cybersecurity Goal
A concept-level cybersecurity requirement associated with one or more threat scenarios.
Creating a TARA Table
Info |
---|
If you create a new project using the ISO 21434 Project template, then a TARA table already exists in the 1.4 Risk Treatment and Cybersecurity Control package. |
To create a TARA Table
- In the Containment tree, right-click Risk Treatment and Cybersecurity Control and select Create Diagram.
- Do one of the following:
- In the dialog, expand ISO 21434 and select TARA Table.
- In the search tab, type the keyword TARA and then select TARA Table.
The TARA Table is displayed in the diagram pane of the modeling tool.
- In the dialog, expand ISO 21434 and select TARA Table.
Adding Threat Scenarios
To add Threat Scenarios to the TARA Table
- In the TARA Table, click Add Existing.
- From the Select Threat Scenariodialog, select the required Threat Scenario.
A row is added to the TARA Table, which shows the existing Threat Scenario.
Note - Threat Type, Impacted Asset, and Damage Scenarios are automatically added to the TARA Table based on the Damage Scenario Table and Threat Scenarios Table. The association between Threat Scenarios and Damage Scenarios tables is done through failure. The Damage Scenarios which have the same Failure Modes as a given Threat Scenario are taken into account for Risk Values computation.
- The risk values are automatically computed according to ISO/SAE 21434:2021 standard. Risk values are read-only values.
Assigning Risk Treatment Decision
To assign Risk Treatment Decision
Double-click the cell in the Risk Treatment Decision column and the required Threat Scenario's row. From the drop-down list, assign Risk Treatment Decision.
The Risk Treatment Decision is assigned in the TARA Table.Note If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the cybersecurity goals and controls are not required.
Adding Cybersecurity Goal
To add a Cybersecurity Goal to the TARA Table
- Double-click the designated cell in the Cybersecurity Goals column and the required Threat Scenario's row and click
- From the Select Elementdialog, select Cybersecurity Goal.
The Cybersecurity Goal is added to the TARA Table.
Note |
---|
|
To Generate/Synchronize the Cybersecurity Goals to the TARA Table
- Right-click the threat scenario in the TARA table and select Generate/Synchronize Cybersecurity Goals.
Note |
---|
|
Adding Controls
To add Controls to the TARA Table
- Double-click the designated cell in the Controls column and the required Threat Scenario's row and click
From the Select Elementsdialog, select Controls.
The Controls are added to the TARA Table.Note Controls are a list of Cybersecurity Requirements. There are 4 types of Cybersecurity Requirements: Functional, Technical, Hardware, and Software.
To ease the process of adding controls, the plugin provides a feature to add the controls with the aid of the Recommend Control command. The controls are recommended on the basis of assigned cybersecurity goals and CWE elements used as attack path steps.
To add controls using the Recommend Control command to the TARA Table
- Right-click the threat scenario in the TARA table and select Recommended Control, as follows:
From the Select Elements dialog, select or remove the recommended controls.
Info For requirements to be reflected as recommended controls in the Select Elements dialog, either of these conditions should be satisfied:
- A Threat scenario should have assigned cybersecurity goals with all the derived requirements.
- A Threat Scenario should have an Attack Path, which itself has a step, which is either a CWE or a Technique. In such case, if the CWE or Technique has a Recommendation from a Cybersecurity Requirement, then that requirement will be automatically proposed by Recommend control command.
- A Threat scenario should have assigned cybersecurity goals with all the derived requirements.
Adding Claim
To add a Claim to the TARA Table
Double-click the cell in the Claims column and the required Threat Scenario's row and type in the necessary Claim.
Note If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the cybersecurity goals and controls are not required and cannot be specified.
Info Due to some performance reason, the claim does not appear in the containment tree directly after specifying it in the claim's cell. You must save the project to see the claims in the containment tree under the smart package 2.3 Cybersecurity Claims.
Assigning Residual Risk Value
To assign the Residual Risk value in the TARA Table
- Double-click Residual Safety Risk value cell in the Threat Scenario row. From the drop-down list, select the Residual Safety Risk Value. Follow the same procedure to assign Financial, Operational and Privacy Residual Risk Values.
Note |
---|
|
TARA Table Example
Info |
---|
|