The final step in the TARA process, as outlined in Clause 15 of ISO/SAE 21434, is making a risk treatment decision. This step includes a single requirement: selecting and applying one or more risk treatment options from the provided choices. As a requirement, this step is mandatory and must be implemented. The outcome of this process is a work product known as risk treatment decisions, derived from [RQ-15-17]. In this blog post, we will explore the reasoning behind these risk treatment decisions.
| Risk Treatment Option | Explanation | Example | Justification |
|---|---|---|---|
| Avoiding | Mitigating the risk by eliminating its sources, or choosing not to initiate or continue the activity that creates the risk. | A car manufacturer identifies a significant cybersecurity risk associated with a specific wireless communication feature that allows remote access to the vehicle's control systems. This feature, while convenient, poses a potential vulnerability that could be exploited by hackers to gain unauthorized control over the vehicle, where the risk level could be considered 4 or 5. | To avoid this risk, the manufacturer decides to remove the wireless communication feature entirely from the vehicle's design. By eliminating the feature, the source of the cybersecurity risk is removed, thereby avoiding the potential threat of remote hacking attempts. |
| Reducing | Removing the cause of the risk. | A car manufacturer introduces a new infotainment system that connects to the internet, allowing drivers to access various online services. However, this system introduces potential cybersecurity risks, such as the possibility of remote hacking that could compromise the vehicle's network. | To reduce this risk, the manufacturer implements several cybersecurity measures. Encryption: the data transmitted between the infotainment system and external servers is encrypted, making it difficult for attackers to intercept and manipulate the data. Firewalls: the vehicle's network architecture is reinforced with firewalls that monitor and control incoming and outgoing traffic, preventing unauthorized access to critical vehicle systems. |
| Sharing | Distributing risk through contracts or transferring it by purchasing insurance. | A car manufacturer partners with a third-party supplier to provide software for the vehicle's autonomous driving system. The manufacturer recognizes that this software could introduce cybersecurity risks, such as vulnerabilities that might be exploited to interfere with the vehicle's autonomous functions. | To manage this risk, the manufacturer and the supplier enter into a contract that includes the following provisions. Liability sharing: the contract stipulates that the supplier is responsible for any cybersecurity breaches resulting from vulnerabilities in their software. This means that if a cyber incident occurs due to the supplier's software, the supplier is liable for the associated costs and damages. Cybersecurity insurance: both the manufacturer and the supplier purchase cybersecurity insurance policies. The manufacturer's policy covers general cybersecurity risks associated with the vehicle, while the supplier's policy specifically covers risks related to their software. This insurance helps to cover financial losses resulting from cyber incidents, thereby transferring part of the financial risk to the insurance company. |
| Retaining | Retaining the risk means accepting it. The reasons for retaining and sharing the risk are documented as cybersecurity claims and are subject to cybersecurity monitoring and vulnerability management in line with Clause 8 (continual cybersecurity activities). | A car manufacturer introduces a new feature that allows drivers to remotely unlock their vehicles using a mobile app. The manufacturer recognizes that this feature could be vulnerable to cyberattacks, such as brute-force attacks or unauthorized access if the app is compromised. Despite these risks, the manufacturer believes that the convenience and market demand for the feature outweigh the potential downsides. | The manufacturer decides to retain the risk for two reasons. Cost-benefit analysis: a thorough analysis shows that the cost of completely eliminating the risk (e.g., by removing the feature or implementing extremely costly security measures) is prohibitive and might reduce the feature's usability or appeal. The manufacturer believes that the benefits, including customer satisfaction and competitive advantage, justify retaining the risk. Risk monitoring and management: to manage the retained risk, the manufacturer implements continuous cybersecurity monitoring. This includes regular assessments of the mobile app's security, monitoring for unusual login attempts, checking logs, and promptly addressing any detected vulnerabilities through software updates. |
Further considerations
- Once the other steps in the TARA process are completed and the attack feasibility (high, medium, low, or very low) has been evaluated, it should become easier to decide which risk treatment option(s) to apply. If attack feasibility is assessed as very low, for example, then depending on the situation the appropriate option might be to avoid or reduce the risk. The organization must have a clearly defined policy stating which risk values can be accepted and which ones require reduction or sharing.
- The rationales for retaining the risk and sharing the risk are recorded as cybersecurity claims and are subject to cybersecurity monitoring and vulnerability management. A cybersecurity claim is a statement about a risk. This involves providing justification for the risk treatment option to either share or retain the risk.
- When the decision is to reduce the risk, it may sometimes be difficult to completely eliminate the threat and there might be some residual risk left which must be captured, along with the respective treatment decision (for example, the residual risk may be shared with the system integrator).
- Risks that have been reduced result in the creation of a cybersecurity goal. A cybersecurity goal is a concept-level cybersecurity requirement associated with one or more threat scenarios. The cybersecurity goals are further refined into system-level cybersecurity requirements.
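The considerations above (a defined policy for which risk values may be accepted, claims for retained or shared risks, residual risk captured alongside a reduction decision, and a cybersecurity goal for each reduced risk) can be made concrete in a small model. The following Python is an added illustration and is not code from this post, from Block Harbor, or from ISO/SAE 21434: it looks up a risk value from impact and attack feasibility ratings, checks the chosen option against a treatment policy, and produces the risk treatment decision record. The risk matrix, the policy thresholds, the scenario ratings, the identifiers such as `TS-01` and `CG-02`, and the assumption that a control lowers attack feasibility while leaving impact unchanged are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Impact(Enum):
    NEGLIGIBLE = 0
    MODERATE = 1
    MAJOR = 2
    SEVERE = 3


class Feasibility(Enum):
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    AVOID = "avoiding"
    REDUCE = "reducing"
    SHARE = "sharing"
    RETAIN = "retaining"


# Constructed risk matrix: impact rating (row) x attack feasibility rating
# (column index = Feasibility.value) -> risk value 1..5. Assumption: shaped like
# the informative example in the standard's annex; each organization defines its own.
RISK_MATRIX = {
    Impact.SEVERE:     [2, 3, 4, 5],
    Impact.MAJOR:      [1, 2, 3, 4],
    Impact.MODERATE:   [1, 2, 2, 3],
    Impact.NEGLIGIBLE: [1, 1, 1, 1],
}

# Constructed organizational policy: admissible options per risk value. Values 1-2
# may be retained, 3 must be reduced or shared, 4-5 must be avoided or reduced.
POLICY = {
    1: {Treatment.RETAIN, Treatment.SHARE, Treatment.REDUCE},
    2: {Treatment.RETAIN, Treatment.SHARE, Treatment.REDUCE},
    3: {Treatment.REDUCE, Treatment.SHARE},
    4: {Treatment.AVOID, Treatment.REDUCE},
    5: {Treatment.AVOID, Treatment.REDUCE},
}


def risk_value(impact: Impact, feasibility: Feasibility) -> int:
    return RISK_MATRIX[impact][feasibility.value]


class PolicyViolation(ValueError):
    """Chosen option is not admissible for the scenario's risk value."""


@dataclass
class ThreatScenario:
    scenario_id: str
    description: str
    impact: Impact
    feasibility: Feasibility


@dataclass
class TreatmentDecision:
    scenario_id: str
    risk_value: int
    option: Treatment
    rationale: str
    cybersecurity_claim: Optional[str] = None  # retain/share: rationale recorded as a claim
    cybersecurity_goal: Optional[str] = None   # reduce: concept-level requirement
    residual_risk: Optional[int] = None        # reduce: risk value left after the control


def decide(scenario: ThreatScenario, option: Treatment, rationale: str,
           goal: Optional[str] = None,
           residual_feasibility: Optional[Feasibility] = None) -> TreatmentDecision:
    """Apply the policy and produce the risk treatment decision work product."""
    rv = risk_value(scenario.impact, scenario.feasibility)
    if option not in POLICY[rv]:
        raise PolicyViolation(f"{scenario.scenario_id}: {option.value} not admissible at risk value {rv}")
    decision = TreatmentDecision(scenario.scenario_id, rv, option, rationale)
    if option in (Treatment.RETAIN, Treatment.SHARE):
        # The rationale becomes a cybersecurity claim that stays under monitoring.
        decision.cybersecurity_claim = f"[{option.value}] {rationale}"
    elif option is Treatment.REDUCE:
        if goal is None or residual_feasibility is None:
            raise ValueError("reducing requires a cybersecurity goal and the residual feasibility")
        decision.cybersecurity_goal = goal
        # Assumption: the control lowers attack feasibility; impact is unchanged.
        decision.residual_risk = risk_value(scenario.impact, residual_feasibility)
    return decision


def residual_needs_decision(decision: TreatmentDecision) -> bool:
    """True when the residual risk cannot simply be retained under the policy."""
    return decision.residual_risk is not None and Treatment.RETAIN not in POLICY[decision.residual_risk]


def example_decisions() -> list:
    """Constructed scenarios mirroring the avoid / reduce / retain examples above."""
    wireless = ThreatScenario("TS-01", "remote access to control systems", Impact.SEVERE, Feasibility.HIGH)
    infotainment = ThreatScenario("TS-02", "internet-connected infotainment", Impact.SEVERE, Feasibility.MEDIUM)
    unlock = ThreatScenario("TS-03", "remote unlock via mobile app", Impact.MODERATE, Feasibility.MEDIUM)
    return [
        decide(wireless, Treatment.AVOID, "feature removed from the design"),
        decide(infotainment, Treatment.REDUCE, "encryption and network firewalls",
               goal="CG-02: the infotainment system shall not provide a path to vehicle control ECUs",
               residual_feasibility=Feasibility.LOW),
        decide(unlock, Treatment.RETAIN, "cost-benefit analysis favours keeping the feature; app is monitored"),
    ]
```

In this model the infotainment reduction lowers the risk value from 4 to 3, which the constructed policy still does not allow to be retained, so `residual_needs_decision` flags it for a further decision (for instance, sharing it with the system integrator). The `PolicyViolation` path is what enforces the point that a risk score must not be accepted outside the organization's defined policy.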
Conclusion
In conclusion, the risk treatment decision is a critical step in the TARA process, as it directly influences how an organization manages potential cybersecurity threats. By selecting from options such as avoiding, reducing, sharing, or retaining risks, organizations can strategically address vulnerabilities while balancing cost, feasibility, and market demands. The process requires thorough evaluation and justification, with decisions documented as cybersecurity claims subject to ongoing monitoring. Even when risks are reduced, some residual risk may remain, necessitating careful management and the establishment of cybersecurity goals that guide the development of specific system-level requirements. This comprehensive approach ensures that cybersecurity measures are not only effective but also aligned with the organization’s overall risk management strategy.
References:
- ISO/SAE 21434
- Automotive Cybersecurity Engineering Handbook by Dr. Ahmad MK Nasser
Need support?
Block Harbor is here to help with any TARA-related activities. Block Harbor now offers a TARA package that includes a detailed cybersecurity risk treatment guide as well as other guidance and template documentation. Contact us here for more information.