Cybersecurity · March 10, 2026 · 8 min read

What is TARA in Automotive Cybersecurity? A Practical Guide

By Agnile Engineering Team

Key Takeaways

TL;DR — TARA (Threat Analysis and Risk Assessment) is the systematic five-step cybersecurity risk process defined in ISO/SAE 21434 Clause 15. It identifies assets, enumerates threats, rates impact and Attack Feasibility, and produces Risk Treatment decisions and Cybersecurity Goals that drive downstream engineering. TARA results are also the primary cybersecurity evidence OEMs submit for UNECE R155 Type Approval.

  1. TARA is mandatory under ISO/SAE 21434 Clause 15 for every item within the cybersecurity scope; its outputs drive Cybersecurity Goals, requirements, verification criteria, and validation test cases.
  2. The five-step process runs from asset identification to threat identification, impact assessment across safety, financial, operational, and privacy dimensions, Attack Feasibility assessment, and Risk Determination and treatment.
  3. A TARA produces seven core Work Products — including the asset catalog, threat list, impact and feasibility assessments, risk matrix results, Risk Treatment decisions, and Cybersecurity Goals — which serve as compliance evidence for ISO/SAE 21434 and UNECE R155.
  4. Common failure modes include incomplete asset identification, inconsistent threat lists across analysts, subjective impact and feasibility ratings, weak traceability in spreadsheet workflows, and sheer scale — a single ECU TARA can involve 20–50 assets and 100–300 threats.
  5. Manual TARA for a single system typically takes 4–8 weeks; automated, catalog-driven TARA tools with AI threat matching compress that cycle while improving consistency and traceability.

At a Glance

One-Sentence Answer
TARA is the ISO/SAE 21434 method used to identify cybersecurity assets, damage scenarios, threats, attack paths, risk levels, and treatment decisions for vehicle systems.
Who This Is For
Automotive cybersecurity teams, system architects, TARA leads, product security engineers, and suppliers preparing ISO/SAE 21434 work products.
Last Reviewed
May 2026
Primary References
ISO/SAE 21434, UNECE R155, automotive cybersecurity engineering practice.
Practical Use
Use this guide to understand how TARA connects vehicle architecture, assets, threats, risk treatment, and cybersecurity evidence.

TARA (Threat Analysis and Risk Assessment) is the systematic Cybersecurity Engineering analysis methodology defined in ISO/SAE 21434 Clause 15. It is the process by which automotive engineering teams identify cybersecurity threats to vehicle systems, assess the feasibility and impact of each threat, determine risk levels, and define appropriate risk treatments. TARA is widely considered the backbone of automotive cybersecurity engineering — without it, there is no structured basis for making cybersecurity decisions.

Every vehicle system that falls within the scope of ISO/SAE 21434 requires a TARA. This includes ECUs, communication interfaces, external connectivity modules, sensor systems, and any component that processes, stores, or transmits data relevant to vehicle cybersecurity. For a modern connected vehicle with 50-100+ ECUs, this means dozens of TARAs must be performed across the vehicle program.

Why TARA Is Mandatory

TARA is not optional under ISO/SAE 21434. Clause 15 explicitly requires that a Threat Analysis and Risk Assessment be performed for each item or component within the cybersecurity scope. The results of the TARA drive all downstream cybersecurity activities: Cybersecurity Goals, cybersecurity requirements, verification criteria, and validation test cases.

Beyond ISO/SAE 21434, TARA results are essential for UNECE R155 compliance. When an OEM submits evidence for Vehicle Type Approval, the type approval authority expects to see structured threat analysis results that demonstrate systematic identification and treatment of cybersecurity risks. TARA Work Products serve as that evidence.

For Tier-1 suppliers, OEMs increasingly require TARA deliverables as part of the component or system delivery package. The Cybersecurity Interface Agreement (CIA) between OEM and supplier — defined in ISO/SAE 21434 Clause 7 — typically specifies TARA responsibilities and expected Work Products.

The 5 Steps of TARA in Detail

ISO/SAE 21434 Clause 15 defines the TARA process in five distinct steps. Each step builds on the outputs of the previous one, creating a traceable chain from asset identification to risk treatment.

  • 01 Asset: item assets with cybersecurity properties (WP-15-02)
  • 02 Damage Scenario: outcomes the item must avoid (WP-15-01)
  • 03 Threat Scenario: how asset properties could be violated (WP-15-03)
  • 04 Attack Path: concrete attacker action sequence (WP-15-05)
  • 05 Risk Treatment: avoid, reduce, share, or retain (WP-15-08)
The TARA chain per ISO/SAE 21434 Clause 15 — each stage produces a Work Product that flows into the next, ending with documented Risk Treatment decisions and Cybersecurity Goals.

Step 1: Asset Identification. The first step is to identify the cybersecurity-relevant assets within the system under analysis. An asset is anything that has value and requires protection — this includes data (firmware, calibration data, cryptographic keys, personal data), functions (diagnostic services, OTA update mechanisms, safety-critical control functions), and interfaces (CAN bus connections, Ethernet ports, Bluetooth, Wi-Fi, OBD-II). Each asset is characterized by its cybersecurity properties: confidentiality, integrity, availability, and authenticity.

Step 2: Threat Identification. For each identified asset, the team identifies potential threats — actions or events that could compromise the asset's cybersecurity properties. Threat identification can be performed using structured methodologies such as STRIDE, attack trees, or catalog-based approaches. A comprehensive threat library is critical here — experienced teams maintain catalogs of hundreds of known automotive threats mapped to specific asset types and architectures.

Step 3: Impact Assessment. Each identified threat is assessed for its potential impact if successfully exploited. ISO/SAE 21434 defines four impact categories: safety (potential for physical harm), financial (economic loss to stakeholders), operational (disruption of vehicle functions), and privacy (exposure of personal data). Each category is rated on a scale — typically negligible, moderate, major, or severe. The overall impact rating is the highest rating across all four categories.

Step 4: Attack Feasibility Assessment. This step evaluates how feasible it is for an attacker to actually carry out each identified threat. ISO/SAE 21434 provides several approaches for assessing attack feasibility, with the attack potential-based approach being the most commonly used. This evaluates factors such as elapsed time (how long the attack takes), specialist expertise required, knowledge of the target, window of opportunity, and equipment needed. The result is a feasibility rating: low, medium, high, or very high.

Step 5: Risk Determination and Treatment. The final step combines the impact rating and Attack Feasibility rating to determine the overall risk level for each threat. ISO/SAE 21434 defines risk levels from 1 (lowest) to 5 (highest), determined by a risk matrix. For each risk, the team then selects a Risk Treatment decision: avoid (eliminate the threat source), reduce (implement cybersecurity controls), share (transfer risk to another party), or accept (acknowledge and document the residual risk). Risk reduction decisions generate Cybersecurity Goals, which flow into cybersecurity requirements for the development phase.
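Steps 3 to 5 carried through in code for one threat scenario, with the traceable per-threat record that the Work Products and traceability discussion below call for. This is an added example written for this article, not code from the original post or from KAVACH; the attack potential point values, the rating thresholds, the four-level feasibility scale (very low to high) and the risk matrix are assumptions for the example, in the style of the standard's informative annexes, and the treatment policy is an assumed project rule.

```python
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Attack potential factors (ASSUMED point values): higher total = harder attack.
ATTACK_POTENTIAL = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
                     "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6,
                  "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7,
                  "strictly confidential": 11},
    "window_of_opportunity": {"unlimited": 0, "easy": 1, "moderate": 4,
                              "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7,
                  "multiple bespoke": 9},
}

# ASSUMED risk matrix: row = impact, column = FEASIBILITY_LEVELS order, risk 1..5.
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [2, 3, 4, 5],
}

def impact_rating(safety, financial, operational, privacy):
    """Step 3: the overall impact is the highest of the four category ratings."""
    return max((safety, financial, operational, privacy), key=IMPACT_LEVELS.index)

def feasibility_rating(**factors):
    """Step 4 (attack potential approach): sum factor points, map to a rating."""
    if set(factors) != set(ATTACK_POTENTIAL):
        raise ValueError("all five attack potential factors must be rated")
    total = sum(ATTACK_POTENTIAL[f][choice] for f, choice in factors.items())
    return ("high" if total <= 13 else "medium" if total <= 19
            else "low" if total <= 24 else "very low")

def risk_value(impact, feasibility):
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]

def treatment(risk):
    """Step 5, ASSUMED project policy: accept 1, reduce 2-4, avoid at 5."""
    return "accept" if risk == 1 else "reduce" if risk <= 4 else "avoid"

def tara_entry(asset, threat, impacts, factors):
    """One traceable row: asset -> threat -> ratings -> risk -> treatment."""
    imp, feas = impact_rating(**impacts), feasibility_rating(**factors)
    risk = risk_value(imp, feas)  # Step 5: risk matrix lookup
    return dict(asset=asset, threat=threat, impact=imp, feasibility=feas,
                risk=risk, treatment=treatment(risk))
```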

TARA Inputs and Outputs

A high-quality TARA requires well-defined inputs. The most critical input is the item definition — a comprehensive description of the system under analysis, including its boundaries, interfaces, functions, data flows, and operational context. Other inputs include the system architecture description, relevant cybersecurity information from vulnerability databases and threat intelligence sources, and any prior TARA results from related systems.

The outputs of a TARA are structured Work Products that serve as both engineering artifacts and compliance evidence:

  • Asset identification report: A catalog of all cybersecurity-relevant assets with their properties and protection requirements.
  • Threat list: A comprehensive enumeration of identified threats mapped to specific assets, with descriptions of attack vectors and affected cybersecurity properties.
  • Impact assessment report: Documented impact ratings across safety, financial, operational, and privacy dimensions for each threat.
  • Attack feasibility assessment: Documented feasibility ratings with supporting rationale for each threat.
  • Risk determination results: The risk matrix application results showing the risk level for each threat-impact-feasibility combination.
  • Risk treatment decisions: Documented treatment decisions (avoid, reduce, share, accept) for each identified risk, with justification.
  • Cybersecurity Goals: High-level cybersecurity objectives derived from risk reduction decisions, which drive cybersecurity requirements in the development phase.

Common Challenges in Performing TARA

Despite its systematic structure, TARA is one of the most challenging activities in Automotive Cybersecurity Engineering. Teams frequently encounter the following difficulties:

  • Incomplete asset identification: Teams often miss assets because the system boundary is poorly defined, or because they focus only on obvious data assets while overlooking functional and interface assets.
  • Inconsistent threat identification: Without a structured methodology and comprehensive threat catalog, the threats identified depend heavily on the individual engineer's experience and knowledge. Two engineers analyzing the same system may produce very different threat lists.
  • Subjective ratings: Impact and feasibility assessments involve engineering judgment, and different assessors often arrive at different ratings for the same threat. This inconsistency undermines the credibility of the TARA results.
  • Traceability gaps: Maintaining full traceability from assets through threats, impacts, feasibility, risks, and treatment decisions to Cybersecurity Goals is complex, especially in spreadsheet-based workflows.
  • Scale: A single ECU TARA can involve 20-50 assets, 100-300 threats, and corresponding impact and feasibility assessments. Across a vehicle program with dozens of systems, the total volume of TARA work products is enormous.

Manual TARA vs Automated TARA

Historically, TARA has been performed manually using spreadsheets, documents, and workshops. A typical manual TARA for a single system takes 4-8 weeks of engineering effort, involving multiple workshops, iterations, and review cycles.

The limitations of manual TARA are well-documented: inconsistency between analysts, difficulty maintaining traceability, high effort per system, and challenges in updating TARAs when system designs change. These limitations have driven the development of automated TARA tools that use structured databases, AI-powered threat identification, and automated report generation. For a deeper comparison, see our article on manual TARA vs automated TARA.

How KAVACH Automates the TARA Process

KAVACH is Agnile Technologies' AI-native TARA automation platform, purpose-built for ISO/SAE 21434 compliance. KAVACH transforms the TARA process from a manual, workshop-driven exercise into a structured, AI-augmented workflow that produces consistent, auditable results.

KAVACH's approach addresses each TARA step:

  • Asset identification: KAVACH uses system architecture inputs to automatically identify cybersecurity-relevant assets based on component types, interfaces, and data flows.
  • Threat identification: KAVACH's AI engine, powered by a curated catalog of thousands of automotive threat scenarios and a RAG (Retrieval-Augmented Generation) architecture, maps relevant threats to identified assets based on the system context.
  • Impact and feasibility assessment: KAVACH provides structured assessment frameworks with guided scoring criteria, reducing subjectivity and improving consistency across analysts.
  • Risk determination: Automated risk matrix application ensures consistent risk level calculation.
  • Work Product generation: KAVACH automatically generates ISO/SAE 21434-compliant TARA Work Products, maintaining full traceability from assets through to Cybersecurity Goals.

By automating the repetitive and judgment-intensive aspects of TARA, KAVACH reduces the cycle time from weeks to hours while improving consistency and traceability. This enables engineering teams to focus their expertise on reviewing, refining, and validating the AI-generated analysis rather than building it from scratch.

For more information on the ISO/SAE 21434 standard and its requirements, explore our comprehensive ISO/SAE 21434 guide or request a KAVACH demo to see automated TARA in action.

Agnile Technologies specializes in Automotive Cybersecurity Engineering and TARA automation. Learn more about our Cybersecurity services.
