(Linking Vulnerability Analysis to Risk Management)
In the ever-evolving world of cybersecurity, TARA (Threat Analysis and Risk Assessment) is an approach for identifying and mitigating risks in the automotive industry that can be applied to both components and systems. While Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS) can be factors in this process, relying solely on them can leave critical gaps in the security posture. By expanding TARA to incorporate both non-CVE vulnerabilities and frameworks like SSVC (Stakeholder-Specific Vulnerability Categorization), organizations can adopt a tailored approach to risk prioritization, improving response times and resource allocation.
Understanding TARA
TARA is a structured approach to identifying potential threats, assessing their impact, and evaluating the risks they pose to an organization’s assets. By systematically analyzing threats and potential damage scenarios, TARA helps prioritize security measures and develop effective mitigation strategies, ensuring a robust cybersecurity posture. Unlike other risk assessments, such as HARA (Hazard Analysis and Risk Assessment) used for functional safety, TARA specifically targets cybersecurity risks, making it an important part of a comprehensive automotive risk management approach.
The Limitation of CVEs
CVE provides a standardized way to identify and describe known vulnerabilities. The CVSS assigns a severity score to these vulnerabilities, helping organizations assess their potential impact. However, CVEs and CVSS only capture reported vulnerabilities, often missing newly discovered, proprietary, or industry-specific threats that can affect automotive systems. This limitation highlights the need for a broader assessment that includes less visible but equally dangerous risks.
- Expanding Beyond CVEs – Uncovering Hidden Threats:
  - Non-CVE Vulnerabilities: In the automotive industry, there are vulnerabilities that aren’t listed in CVE databases, such as new attack methods targeting specific technologies or communication systems. Suppliers might also face risks from their own custom software and firmware, which may not have CVE identifiers but can still pose serious security issues. Additionally, vulnerabilities in third-party components and libraries used in automotive systems might not be widely reported. By paying attention to these non-CVE vulnerabilities, suppliers can better protect their components and ensure overall vehicle security.
  - Source Exploration: Platforms like GitHub Security Advisory (GHSA), the Global Security Database (GSD), and Open-Source Vulnerabilities (OSV) feeds provide information on non-CVE vulnerabilities. By actively monitoring these sources and using SSVC to assess urgency and priority, cybersecurity teams gain a deeper, more contextualized understanding of emerging risks.
- Incorporating Static Application Security Testing (SAST):
  - Analyzing Custom Code: SAST tools analyze proprietary code to identify vulnerabilities that might not be covered by CVE databases. This helps in uncovering issues unique to the organization’s custom software.
  - Comprehensive Coverage: By integrating SAST into the TARA process, we can address vulnerabilities that arise from the complexity of modern software development, including those in code and lesser-known components. This aligns with industry standards like ISO/SAE 21434, which emphasizes the importance of considering a wide range of vulnerabilities throughout the product life cycle.
- Broaden the Risk Assessment Framework:
  - Expand the risk assessment framework to include both CVE and non-CVE related vulnerabilities. This ensures a more comprehensive evaluation of potential threats and their impacts.
  - Prioritization and Mitigation: Use TARA to prioritize vulnerabilities based on their risk level, including those not covered by CVEs. Develop and implement mitigation strategies that address both well-documented and emerging threats.
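To make the "Source Exploration" and prioritization points concrete, the following added example (not code from Block Harbor or the VSEC platform) parses a constructed feed in the OSV JSON schema, flags which entries have no CVE alias, and assigns each an SSVC-style outcome. The decision function is a deliberately simplified sketch of an SSVC tree, not the official SSVC decision tables, and the advisory IDs, package names and analyst inputs are constructed placeholders.

```python
"""Triage OSV-format advisories, CVE-backed or not, with an SSVC-style decision.

Added example, not Block Harbor's or the VSEC platform's code. The feed below is a
constructed sample in the OSV JSON schema, and the decision function is a
simplified sketch of an SSVC tree, not the official SSVC decision tables.
"""
import json

# Constructed OSV-format advisories: one GHSA entry with no CVE alias (a
# "non-CVE" vulnerability) and one that is also tracked as a CVE. IDs are placeholders.
SAMPLE_OSV_FEED = json.dumps([
    {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": [],
     "summary": "Unauthenticated diagnostic session reset in CAN tooling (constructed)",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-can-tool"}}]},
    {"id": "GHSA-xxxx-xxxx-xxx2", "aliases": ["CVE-0000-00001"],
     "summary": "Heap overflow in firmware image parser (constructed)",
     "affected": [{"package": {"ecosystem": "crates.io", "name": "example-fw-parser"}}]},
])

# Analyst-supplied SSVC-style inputs per advisory (constructed for the sample).
SAMPLE_CONTEXT = {
    "GHSA-xxxx-xxxx-xxx1": dict(exploitation="poc", automatable=False,
                                technical_impact="partial", safety_impact="medium"),
    "GHSA-xxxx-xxxx-xxx2": dict(exploitation="active", automatable=True,
                                technical_impact="total", safety_impact="high"),
}

def ssvc_like_decision(exploitation, automatable, technical_impact, safety_impact):
    """Simplified SSVC-style outcome: defer / scheduled / out-of-cycle / immediate.
    exploitation: none|poc|active; technical_impact: partial|total;
    safety_impact: low|medium|high (stands in for SSVC's mission/well-being axis)."""
    if exploitation == "active" and safety_impact == "high":
        return "immediate"
    if exploitation == "active" or (automatable and technical_impact == "total"):
        return "out-of-cycle"
    if exploitation == "poc" or safety_impact != "low":
        return "scheduled"
    return "defer"

def triage(feed_json, context):
    """Parse an OSV-format list, note whether each entry has a CVE alias, and decide."""
    results = []
    for adv in json.loads(feed_json):
        cves = [a for a in adv.get("aliases", []) if a.startswith("CVE-")]
        pkgs = sorted(f"{a['package']['ecosystem']}:{a['package']['name']}"
                      for a in adv.get("affected", []) if "package" in a)
        results.append({"id": adv["id"], "has_cve": bool(cves), "cves": cves,
                        "packages": pkgs, "decision": ssvc_like_decision(**context[adv["id"]])})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_OSV_FEED, SAMPLE_CONTEXT):
        print(r)
```

The `has_cve` flag is what separates the advisories a CVE/CVSS-only process would never see from those it already covers, while the decision column is what feeds the TARA prioritization step.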
Practical Tips for Implementing an Expanded TARA Approach
- Leverage Multiple Sources: Regularly consult platforms like GHSA, GSD, and OSV feeds to stay informed about non-CVE vulnerabilities. Our own Block Harbor Threat Library provides valuable insights into a wide range of threats, ensuring comprehensive risk management.
- Integrate SAST Tools: Incorporate Static Application Security Testing into the development lifecycle to identify vulnerabilities in proprietary code.
- Update TARA Regularly: Continuously update the TARA process to reflect new insights and emerging threats, keeping the risk assessments current and effective. This continuous alignment with evolving cybersecurity threats and standards ensures the systems are prepared for both current and future challenges.
Conclusion
Expanding the scope of TARA to include non-CVE vulnerabilities is essential for a comprehensive and proactive approach to automotive cybersecurity. At Block Harbor, our VSEC platform exemplifies this vision by integrating diverse data sources and addressing a broader spectrum of risks through its Risk Manager module. This approach not only enhances alignment with industry standards like ISO/SAE 21434 and HARA but also strengthens vehicle safety and reliability. By adopting tools like VSEC and focusing on non-CVE vulnerabilities, the industry can build a more secure and resilient foundation for the future of modern automotive development.
Need Support?
Block Harbor is here to help with any automotive cybersecurity related activities. Block Harbor now offers a TARA package that includes guidance and template documentation. Contact us here for more information.