Franz-Josef Schuermann, Chairman of the Board itemis Inc., shares his vision for TARA Automation
September 7th marked the start of the sixth annual Auto-ISAC Cybersecurity summit in Dearborn Michigan. Leading figures within the automotive cybersecurity field were in attendance to discuss the current state; and future of the industry. As the automotive industry continues to demonstrate its commitment to the cybersecurity of their products through the implementation of ISO/SAE 21434 regulations; new solutions must be created to handle the documentation and rapid changes of threats. Hackers are constantly looking for methods to improve the chances of their attacks being successful and having a greater return on their investment. Updating the vehicle's software can help or eliminate risks within pre-existing products, but the frequency for the updates is always increasing. Tesla, for example, has had fifty-two over-the-air updates to their fleet last year. Detecting new risks, formulating a defense plan, and then implementing a solution is a time-consuming process and the frequency increase in necessary updates will make the task impossible. A solution is needed; Franz-Josef Schuermann, Chairman of the Board of itemis, presented how usage of a model based approach to Threat Analysis and Risk Assessment (TARA) utilizing Security Analyst would allow this traditionally manual process to be automated.
The TARA process will have to be completed by both OEMs and suppliers, and the information that is generated must be easily shareable and integrate well within testing suites for R155 validation and verification. To achieve this, a machine-readable open exchange format was created. This format: OpenXSAM, is capable of retaining all information requirements listed within ISO/SAE 21434, while allowing for the direct implementation into other platforms. Where as a spreadsheet baked approach would require the manual mapping of TARA information into other applications. The benefits of OpenXSAM in this use case ensures that the entire supply chain from tier 3 suppliers to OEMs can freely share their relevant work with one another and ensure that no information is lost when transitioning from group to group.
The constant development of threats provides a unique challenge for the TARA process. It is a deliverable that must be maintained for fifteen years of the product's life and with daily changes of cybersecurity threats; automation is going to be mandatory to sustain a project that amount of time. Security Analyst supports the automation of threat catalogs through the cloud based repositories and self-updating configurations within Security Analyst. With this method, any change can be made to a single threat catalog, and those changes will then be propagated to all TARA projects that utilize the same catalog. This completely eliminates the need for manual search, modification, and recalculation of pre-existing TARA’s as Security Analyst fully automates that process. This allows for daily updates, and this increased frequency will help ensure the most up-to-date security considerations for all projects.
The ability to automate aspects of the TARA process will play a vital role in the future of automotive cybersecurity, and Franz-Josef emphasized that a spreadsheet based approach could never be automated. He described attempting to use an outmoded method as being equivalent to digging yourself into a hole, and he ended the presentation stating that he wanted to help everyone get out of the hole.
If you need more information, please check our