<!--
Copyright (c) 2025 Milin Patel
Hochschule Kempten - University of Applied Sciences
-->

*Copyright (c) 2025 Milin Patel. All Rights Reserved.*

# Threat Analysis and Risk Assessment (TARA)

**Module 05: Cybersecurity - ISO/SAE 21434**

[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/milinpatel07/Autonomous-Driving_AI-Safety-and-Security/blob/main/05_Cybersecurity/notebooks/02_tara_methodology.ipynb)

**Author:** Milin Patel  
**Institution:** Hochschule Kempten - University of Applied Sciences

---

## Learning Objectives

By the end of this notebook, you will:
- Understand the TARA methodology from ISO/SAE 21434
- Learn to identify assets and threat scenarios
- Assess attack feasibility and impact
- Determine Cybersecurity Assurance Levels (CAL)
- Define cybersecurity goals and requirements
- Apply TARA to autonomous driving perception systems

In [None]:
# Setup
import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
from matplotlib.patches import Rectangle, FancyBboxPatch
import seaborn as sns
import warnings
warnings.filterwarnings('ignore')

plt.style.use('seaborn-v0_8-whitegrid')
print("Setup complete.")

## 1. Introduction to TARA

**TARA (Threat Analysis and Risk Assessment)** is the cybersecurity counterpart to HARA (Hazard Analysis and Risk Assessment) from ISO 26262.

### Purpose
- Systematically identify cybersecurity threats
- Assess risks from malicious attacks
- Determine required cybersecurity measures
- Support integration with functional safety

### TARA in ISO/SAE 21434

TARA is defined in Clause 15 of ISO/SAE 21434 and consists of:
1. Asset identification
2. Threat scenario identification
3. Attack path analysis
4. Attack feasibility rating
5. Impact rating
6. Risk determination
7. Risk treatment decision

In [None]:
def visualize_tara_process():
    """Visualize the TARA process flow."""
    fig, ax = plt.subplots(figsize=(16, 6))
    
    steps = [
        ('Asset\nIdentification', '#3498db'),
        ('Threat\nScenarios', '#e74c3c'),
        ('Attack\nPaths', '#9b59b6'),
        ('Feasibility\nRating', '#f39c12'),
        ('Impact\nRating', '#e67e22'),
        ('Risk\nDetermination', '#c0392b'),
        ('Risk\nTreatment', '#27ae60')
    ]
    
    x_positions = np.linspace(0.5, 6.5, len(steps))
    
    for i, (label, color) in enumerate(steps):
        box = FancyBboxPatch((x_positions[i]-0.35, 0.3), 0.7, 0.4,
                            boxstyle="round,pad=0.05",
                            facecolor=color, edgecolor='black', alpha=0.8)
        ax.add_patch(box)
        ax.text(x_positions[i], 0.5, label, ha='center', va='center',
               fontsize=9, fontweight='bold', color='white')
        
        if i < len(steps) - 1:
            ax.annotate('', xy=(x_positions[i+1]-0.4, 0.5),
                       xytext=(x_positions[i]+0.4, 0.5),
                       arrowprops=dict(arrowstyle='->', lw=2))
    
    ax.set_xlim(0, 7)
    ax.set_ylim(0, 1)
    ax.axis('off')
    ax.set_title('TARA Process Flow (ISO/SAE 21434)', fontsize=14, fontweight='bold')
    plt.tight_layout()
    plt.show()

visualize_tara_process()

## 2. Asset Identification

**Assets** are anything of value that could be targeted by an attacker.

### Asset Categories

| Category | Description | Examples |
|----------|-------------|----------|
| **Data** | Information processed or stored | Sensor data, maps, user data |
| **Functions** | System capabilities | Object detection, path planning |
| **Hardware** | Physical components | ECUs, sensors, actuators |
| **Software** | Code and algorithms | ML models, firmware |
| **Communication** | Data exchange channels | CAN bus, V2X, cloud links |

In [None]:
# Asset identification for perception system
assets = pd.DataFrame({
    'Asset ID': ['A-01', 'A-02', 'A-03', 'A-04', 'A-05', 'A-06', 'A-07', 'A-08'],
    'Asset Name': [
        'Camera sensor data',
        'LiDAR point cloud',
        'Object detection model',
        'Sensor fusion algorithm',
        'Perception ECU',
        'CAN bus messages',
        'HD map data',
        'OTA update channel'
    ],
    'Category': ['Data', 'Data', 'Software', 'Software', 'Hardware', 
                'Communication', 'Data', 'Communication'],
    'Cybersecurity Properties': [
        'Integrity, Availability',
        'Integrity, Availability',
        'Integrity, Confidentiality',
        'Integrity, Availability',
        'Integrity, Availability',
        'Integrity, Authenticity',
        'Integrity, Availability',
        'Integrity, Authenticity'
    ],
    'Safety Relevance': ['High', 'High', 'High', 'High', 'High', 
                        'High', 'Medium', 'High']
})

print("Asset Identification for Perception System")
display(assets)

## 3. Threat Scenario Identification

Use structured methods to identify threats:

### STRIDE Model
- **S**poofing - Impersonating something/someone
- **T**ampering - Modifying data or code
- **R**epudiation - Denying actions
- **I**nformation disclosure - Exposing information
- **D**enial of service - Making unavailable
- **E**levation of privilege - Gaining unauthorized access

In [None]:
# Threat scenarios for perception system
threat_scenarios = pd.DataFrame({
    'Threat ID': ['T-01', 'T-02', 'T-03', 'T-04', 'T-05', 'T-06'],
    'STRIDE': ['Tampering', 'Spoofing', 'DoS', 'Tampering', 'Spoofing', 'Tampering'],
    'Asset': ['A-03', 'A-01', 'A-02', 'A-06', 'A-08', 'A-07'],
    'Threat Scenario': [
        'Adversarial patch causes object misclassification',
        'Camera blinding/dazzling attack',
        'LiDAR jamming causes sensor unavailability',
        'CAN message injection triggers false AEB',
        'Malicious OTA update compromises perception',
        'HD map manipulation causes wrong path'
    ],
    'Damage Scenario': [
        'Collision with undetected obstacle',
        'Loss of visual perception, collision',
        'Loss of 3D perception, collision',
        'Unnecessary braking, rear collision',
        'Persistent perception failures',
        'Vehicle driven into unsafe area'
    ]
})

print("Threat Scenarios")
display(threat_scenarios)

## 4. Attack Feasibility Rating

ISO/SAE 21434 defines attack feasibility based on:

| Parameter | Description | Scale |
|-----------|-------------|-------|
| **Elapsed Time** | Time required to identify and exploit | 0-19 |
| **Expertise** | Attacker knowledge needed | 0-6 |
| **Knowledge of Item** | Information about target system | 0-11 |
| **Window of Opportunity** | Access conditions required | 0-10 |
| **Equipment** | Tools and resources needed | 0-9 |

**Attack Potential = Sum of all parameters**

| Attack Potential | Feasibility Rating |
|------------------|--------------------|
| 0-9 | Very High |
| 10-13 | High |
| 14-19 | Medium |
| 20-24 | Low |
| 25+ | Very Low |

In [None]:
def calculate_attack_feasibility(elapsed_time, expertise, knowledge, 
                                  window, equipment):
    """Calculate attack feasibility rating."""
    attack_potential = elapsed_time + expertise + knowledge + window + equipment
    
    if attack_potential <= 9:
        return attack_potential, 'Very High'
    elif attack_potential <= 13:
        return attack_potential, 'High'
    elif attack_potential <= 19:
        return attack_potential, 'Medium'
    elif attack_potential <= 24:
        return attack_potential, 'Low'
    else:
        return attack_potential, 'Very Low'

# Assess feasibility for each threat
feasibility_data = [
    # T-01: Adversarial patch
    {'Threat': 'T-01', 'Elapsed': 1, 'Expertise': 3, 'Knowledge': 3, 'Window': 4, 'Equipment': 0},
    # T-02: Camera blinding
    {'Threat': 'T-02', 'Elapsed': 0, 'Expertise': 0, 'Knowledge': 0, 'Window': 4, 'Equipment': 0},
    # T-03: LiDAR jamming
    {'Threat': 'T-03', 'Elapsed': 1, 'Expertise': 3, 'Knowledge': 3, 'Window': 4, 'Equipment': 4},
    # T-04: CAN injection
    {'Threat': 'T-04', 'Elapsed': 4, 'Expertise': 6, 'Knowledge': 7, 'Window': 1, 'Equipment': 4},
    # T-05: Malicious OTA
    {'Threat': 'T-05', 'Elapsed': 7, 'Expertise': 6, 'Knowledge': 11, 'Window': 0, 'Equipment': 4},
    # T-06: Map manipulation
    {'Threat': 'T-06', 'Elapsed': 7, 'Expertise': 6, 'Knowledge': 7, 'Window': 0, 'Equipment': 4}
]

for item in feasibility_data:
    potential, rating = calculate_attack_feasibility(
        item['Elapsed'], item['Expertise'], item['Knowledge'],
        item['Window'], item['Equipment']
    )
    item['Potential'] = potential
    item['Feasibility'] = rating

feasibility_df = pd.DataFrame(feasibility_data)
print("Attack Feasibility Assessment")
display(feasibility_df[['Threat', 'Potential', 'Feasibility']])

## 5. Impact Rating

Impact assessment considers multiple dimensions:

| Dimension | Description |
|-----------|-------------|
| **Safety** | Physical harm to people |
| **Financial** | Economic losses |
| **Operational** | Service disruption |
| **Privacy** | Personal data exposure |

**Impact Levels**: Negligible, Moderate, Major, Severe

In [None]:
# Impact assessment
impact_data = pd.DataFrame({
    'Threat ID': ['T-01', 'T-02', 'T-03', 'T-04', 'T-05', 'T-06'],
    'Safety Impact': ['Severe', 'Severe', 'Severe', 'Major', 'Severe', 'Major'],
    'Financial Impact': ['Major', 'Moderate', 'Major', 'Major', 'Major', 'Major'],
    'Operational Impact': ['Moderate', 'Moderate', 'Major', 'Moderate', 'Severe', 'Major'],
    'Privacy Impact': ['Negligible', 'Negligible', 'Negligible', 'Negligible', 'Moderate', 'Negligible']
})

# Determine overall impact (highest of all dimensions)
impact_order = {'Negligible': 0, 'Moderate': 1, 'Major': 2, 'Severe': 3}
reverse_order = {v: k for k, v in impact_order.items()}

def get_overall_impact(row):
    impacts = [row['Safety Impact'], row['Financial Impact'], 
               row['Operational Impact'], row['Privacy Impact']]
    max_impact = max(impact_order[i] for i in impacts)
    return reverse_order[max_impact]

impact_data['Overall Impact'] = impact_data.apply(get_overall_impact, axis=1)

print("Impact Assessment")
display(impact_data)

## 6. Risk Determination and CAL

**Risk Level** is determined by combining Feasibility and Impact:

| | Severe | Major | Moderate | Negligible |
|---|---|---|---|---|
| **Very High** | 5 | 4 | 3 | 2 |
| **High** | 4 | 3 | 2 | 1 |
| **Medium** | 3 | 2 | 2 | 1 |
| **Low** | 2 | 2 | 1 | 1 |
| **Very Low** | 1 | 1 | 1 | 1 |

**Cybersecurity Assurance Level (CAL)** is derived from risk level:
- Risk 5 → CAL 4 (Highest assurance)
- Risk 4 → CAL 3
- Risk 3 → CAL 2
- Risk 2 → CAL 1
- Risk 1 → No CAL required

In [None]:
# Risk matrix
RISK_MATRIX = {
    'Very High': {'Severe': 5, 'Major': 4, 'Moderate': 3, 'Negligible': 2},
    'High': {'Severe': 4, 'Major': 3, 'Moderate': 2, 'Negligible': 1},
    'Medium': {'Severe': 3, 'Major': 2, 'Moderate': 2, 'Negligible': 1},
    'Low': {'Severe': 2, 'Major': 2, 'Moderate': 1, 'Negligible': 1},
    'Very Low': {'Severe': 1, 'Major': 1, 'Moderate': 1, 'Negligible': 1}
}

def determine_risk_and_cal(feasibility, impact):
    """Determine risk level and CAL."""
    risk = RISK_MATRIX[feasibility][impact]
    cal = max(0, risk - 1)  # CAL 0-4
    return risk, f"CAL {cal}" if cal > 0 else "No CAL"

# Combine feasibility and impact
tara_results = threat_scenarios.copy()
tara_results = tara_results.merge(feasibility_df[['Threat', 'Feasibility']], 
                                   left_on='Threat ID', right_on='Threat')
tara_results = tara_results.merge(impact_data[['Threat ID', 'Overall Impact']], 
                                   on='Threat ID')

# Calculate risk and CAL
tara_results['Risk'], tara_results['CAL'] = zip(*tara_results.apply(
    lambda row: determine_risk_and_cal(row['Feasibility'], row['Overall Impact']), axis=1))

print("TARA Results Summary")
display(tara_results[['Threat ID', 'Threat Scenario', 'Feasibility', 
                      'Overall Impact', 'Risk', 'CAL']])

In [None]:
def visualize_risk_matrix(tara_df):
    """Visualize threats on risk matrix."""
    fig, ax = plt.subplots(figsize=(10, 8))
    
    # Create heatmap background
    feasibility_levels = ['Very Low', 'Low', 'Medium', 'High', 'Very High']
    impact_levels = ['Negligible', 'Moderate', 'Major', 'Severe']
    
    risk_values = np.array([
        [RISK_MATRIX[f][i] for i in impact_levels]
        for f in feasibility_levels
    ])
    
    im = ax.imshow(risk_values, cmap='RdYlGn_r', aspect='auto', 
                   vmin=1, vmax=5, alpha=0.7)
    
    # Add risk values
    for i in range(len(feasibility_levels)):
        for j in range(len(impact_levels)):
            ax.text(j, i, str(risk_values[i, j]), ha='center', va='center',
                   fontsize=14, fontweight='bold', alpha=0.5)
    
    # Plot threats
    feas_map = {f: i for i, f in enumerate(feasibility_levels)}
    imp_map = {i: j for j, i in enumerate(impact_levels)}
    
    for _, row in tara_df.iterrows():
        x = imp_map[row['Overall Impact']] + np.random.uniform(-0.2, 0.2)
        y = feas_map[row['Feasibility']] + np.random.uniform(-0.2, 0.2)
        ax.scatter(x, y, s=200, c='blue', edgecolors='black', linewidths=2, zorder=5)
        ax.annotate(row['Threat ID'], (x, y), xytext=(5, 5), 
                   textcoords='offset points', fontsize=10, fontweight='bold')
    
    ax.set_xticks(range(len(impact_levels)))
    ax.set_xticklabels(impact_levels)
    ax.set_yticks(range(len(feasibility_levels)))
    ax.set_yticklabels(feasibility_levels)
    ax.set_xlabel('Impact', fontsize=12, fontweight='bold')
    ax.set_ylabel('Attack Feasibility', fontsize=12, fontweight='bold')
    ax.set_title('Cybersecurity Risk Matrix with Threat Locations', 
                fontsize=14, fontweight='bold')
    
    plt.colorbar(im, ax=ax, label='Risk Level')
    plt.tight_layout()
    plt.show()

visualize_risk_matrix(tara_results)

## 7. Risk Treatment and Cybersecurity Goals

### Risk Treatment Options
1. **Avoid** - Remove the threat source
2. **Reduce** - Implement countermeasures
3. **Share** - Transfer risk (insurance, contracts)
4. **Retain** - Accept residual risk

### Cybersecurity Goals
For each threat requiring treatment, define cybersecurity goals.

In [None]:
# Define cybersecurity goals
cybersecurity_goals = pd.DataFrame({
    'CG ID': ['CG-01', 'CG-02', 'CG-03', 'CG-04', 'CG-05'],
    'Threat ID': ['T-01', 'T-02', 'T-03', 'T-04', 'T-05'],
    'Cybersecurity Goal': [
        'Perception shall detect and reject adversarial inputs',
        'System shall detect sensor blinding and activate fallback',
        'System shall detect LiDAR jamming and use redundant sensors',
        'CAN messages shall be authenticated and integrity-protected',
        'OTA updates shall be cryptographically signed and verified'
    ],
    'CAL': ['CAL 3', 'CAL 4', 'CAL 3', 'CAL 2', 'CAL 3'],
    'Treatment': ['Reduce', 'Reduce', 'Reduce', 'Reduce', 'Reduce'],
    'Countermeasures': [
        'Adversarial training, input validation, ensemble methods',
        'Saturation detection, multi-camera redundancy, driver alert',
        'Jamming detection, radar/camera fusion, graceful degradation',
        'SecOC (Secure Onboard Communication), message authentication',
        'Code signing, secure boot, rollback protection'
    ]
})

print("Cybersecurity Goals and Countermeasures")
display(cybersecurity_goals)

## 8. Integration with ISO 26262 (Safety-Security)

Cybersecurity threats can cause safety hazards. Integration points:

| HARA (Safety) | TARA (Security) | Integration |
|---------------|-----------------|-------------|
| Hazard | Damage Scenario | Security threat causes safety hazard |
| ASIL | CAL | Combined assurance requirements |
| Safety Goal | Cybersecurity Goal | Aligned mitigation strategies |
| FTTI | Attack detection time | Response time requirements |

In [None]:
# Safety-Security integration example
integration_table = pd.DataFrame({
    'Threat': ['T-01', 'T-02', 'T-03'],
    'Cybersecurity Goal': [
        'CG-01: Detect adversarial inputs',
        'CG-02: Detect sensor blinding',
        'CG-03: Detect LiDAR jamming'
    ],
    'CAL': ['CAL 3', 'CAL 4', 'CAL 3'],
    'Related Safety Hazard': [
        'H-001: Pedestrian not detected',
        'H-001: Pedestrian not detected',
        'H-001: Pedestrian not detected'
    ],
    'ASIL': ['ASIL D', 'ASIL D', 'ASIL D'],
    'Combined Requirement': [
        'ASIL D + CAL 3: Highest integrity for detection',
        'ASIL D + CAL 4: Dual monitoring with failsafe',
        'ASIL D + CAL 3: Redundant perception path'
    ]
})

print("Safety-Security Integration")
display(integration_table)

## 9. Exercise: Perform Your Own TARA

**Task:** Perform a TARA for a V2X (Vehicle-to-Everything) communication system.

Consider these attack scenarios:
1. GPS spoofing causing incorrect position
2. V2V message injection (fake collision warning)
3. Traffic signal spoofing
4. Denial of service on V2X channel

In [None]:
# Exercise: Your TARA for V2X system

# TODO: Identify assets for V2X
# v2x_assets = [...]

# TODO: Define threat scenarios
# v2x_threats = [...]

# TODO: Assess feasibility and impact
# TODO: Determine risk and CAL
# TODO: Define cybersecurity goals

print("Implement your V2X TARA in the cells above.")

## Summary

In this notebook, you learned:

- **TARA Process**: Systematic cybersecurity risk assessment per ISO/SAE 21434
- **Asset Identification**: Identifying valuable system components
- **Threat Analysis**: Using STRIDE to identify attack scenarios
- **Risk Assessment**: Combining feasibility and impact for risk determination
- **CAL Determination**: Deriving cybersecurity assurance levels
- **Safety Integration**: Aligning cybersecurity with functional safety

### References

- ISO/SAE 21434:2021 - Road vehicles - Cybersecurity engineering
- ISO 26262:2018 - Road vehicles - Functional safety
- SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

---

*Notebook created by Milin Patel | Hochschule Kempten*  
*Last updated: 2025-01-22*