Vehicle, System, and Component Level Threat Analysis & Risk Assessment (TARA).

The automotive industry is undergoing cybersecurity standardization and regulation that enforces consistent analysis to provide work products to auditors.

Vehicles and their components that are cyber relevant must have a threat analysis and risk assessment (TARA) performed as a part of the cybersecurity design process.

Identify, Analyze, and Minimize.

What is TARA?

A TARA is an automotive-specific risk assessment process that fits within the ISO/SAE 21434 vehicle cybersecurity standard. Like any risk assessment, it starts with item definition to understand the assets being protected and where the boundaries exist. Then, damage scenarios for the item definition are identified based on safety, financial, operational, and privacy considerations.
Then, threat scenarios are defined that may realize those damage scenarios and a likelihood is documented. Finally, a set of risks are documented based on the security analysis that is the outcome of the TARA. Those
risks should guide the cybersecurity design.

Why perform a TARA?

Instead of checking cybersecurity after the product has been developed, security by design is magnitudes more efficient and effective at ensuring the end product is secure. Plus, due to ISO/SAE 21434, your customers will ask for a TARA for your product. You need to be able to effectively secure the vehicle and adjust the TARA based on a changing threat and vulnerability landscape.

Challenges with TARA


Many companies are forced to create their own TARA template using tools like Excel because existing risk assessment tools do not fit automotive.

At Block Harbor, we used industry-leading tools that specifically focus on ISO/SAE 21434 that let us focus on doing our job well.


Many items and components have very similar Threats.

If you’re managing multiple projects, being able to reuse different parts of TARA’s will speed up the process significantly.


A cybersecurity design is only as good as the experts that are performing the TARA. Because TARA is done so early in the design process, it’s critical that it’s done right the first time.


Each TARA may be different based on the knowledge and expertise of the security analyst performing the TARA. Being able to consistently perform, edit, and manage TARA’s with a team of subject matter experts and Security analysts is critical to consistent cybersecurity.

Our Method

Cyber Security objectives and and detailed designs are discussed with the feature owner to ensure accuracy before performing the security analysis.

Security by Design

Threat modeler will review documentation to details item functions and technical design details from the vehicle to the component level to document cyber-physical assets relevant to unintentional or malicious threats.

Our Security analysts propose damage scenarios and threats based on their understanding of the target item.

Damage scenarios used consider Safety, Financial, Operational, and Privacy dimensions to compute an impact level.

Common threats and otherwise research proven exploits are allocated as possible threat scenarios to realize damage scenarios contributing impact.

A set of risks to the Target item examined is generated in a report.

The Threat Analysis and Risk assessment (TARA) report is provided with consideration that expert reviewers may be reviewed for compliance with ISO21434 and UNECE WP.29 for vehicle type-approval.

Ensure practical, cost-effective

Understand the Risk

Determine the likelihood and damage of a threat

A threat needs to be well understood to determine the likelihood and impact of its realization.

Risk Rating

Ranking the most critical to the least

Derive the most-to-least critical order of the risks. This will provide the basis for allocating resources to mitigate and prevent.