RESOURCE GUIDE
ISO/SAE 21434 Guide for Automotive Cybersecurity Engineering.
A practical guide for engineering teams implementing cybersecurity activities across the vehicle lifecycle — from organizational governance and concept phase through development, validation, production, operations, and post-development activities.
Key Takeaways
TL;DR — ISO/SAE 21434 is the international standard for cybersecurity engineering in road vehicles and is commonly used as an engineering evidence framework supporting UNECE R155 cybersecurity assessment readiness. At its core is TARA (Threat Analysis and Risk Assessment), defined in Clause 15, which runs a five-step workflow — asset identification, threat scenario identification, impact rating, attack path analysis, and risk determination — and produces work-product evidence across the cybersecurity engineering lifecycle.
- 1.ISO/SAE 21434 was jointly published by ISO and SAE International and covers the full vehicle lifecycle — concept, development, production, operation, maintenance, and decommissioning — and is commonly used as an engineering evidence framework supporting UNECE R155 cybersecurity assessment readiness in the EU, UK, Japan, South Korea, and other UNECE member countries.
- 2.TARA, defined in Clause 15, is mandatory for every item or component with cybersecurity relevance — typically ECUs, communication buses (CAN, Ethernet), external interfaces (OBD, V2X, Bluetooth), and cross-component data flows.
- 3.The five TARA steps are: (1) asset identification, (2) threat scenario identification using frameworks like STRIDE plus databases such as EMB3D, AutoISAC, and NVD, (3) impact rating across safety, financial, operational, and privacy dimensions (rated negligible / moderate / major / severe per Annex H), (4) attack path analysis to derive attack feasibility, and (5) risk determination with treatment decisions (avoid, reduce, share, retain).
- 4.ISO/SAE 21434 defines a set of work products — including asset identification report, threat scenario list, impact and feasibility reports, risk determination and treatment decision reports, cybersecurity goals and claims, cybersecurity concept, verification reports, and the cybersecurity case — each traceable from asset to verification.
- 5.ISO/SAE 21434 and UNECE R155 are complementary: ISO/SAE 21434 defines how to do cybersecurity engineering; R155 is a regulation requiring a CSMS — in practice the ISO/SAE 21434 work products serve as the evidence base supporting R155 cybersecurity assessment readiness.
- 6.Manual spreadsheet-based TARA faces five structural problems — time (4–8 weeks per system), rating inconsistency between engineers, poor scalability across 100+ ECU modern vehicles, fragile traceability across lifecycle work products, and incomplete threat coverage across EMB3D / AutoISAC / NVD databases.
- 7.KAVACH supports architecture-aware ISO/SAE 21434 workflows by connecting assets, damage scenarios, threats, attack paths, controls, and cybersecurity evidence in one reviewable workspace.
CHAPTER 1
What Is ISO/SAE 21434?
ISO/SAE 21434 “Road vehicles — Cybersecurity engineering” is the international standard that defines requirements for cybersecurity risk management throughout the entire vehicle lifecycle. Published jointly by ISO and SAE International, it covers concept, development, production, operation, maintenance, and decommissioning.
The standard is commonly used to structure cybersecurity engineering evidence that supports UNECE R155 assessment readiness, making it widely adopted by OEMs and Tier-1 suppliers selling vehicles in UNECE member countries (which includes the EU, UK, Japan, South Korea, and many others).
Key areas covered by ISO/SAE 21434 include: organizational cybersecurity management, project-dependent cybersecurity management, distributed cybersecurity activities, continual cybersecurity activities, concept phase, product development, and post-development phases.
CHAPTER 2
What Is TARA?
TARA — Threat Analysis and Risk Assessment — is the core cybersecurity analysis method defined in ISO/SAE 21434 Clause 15. It is the process by which automotive teams systematically identify what can go wrong (threats), how likely it is (attack feasibility), how bad it would be (impact), and what to do about it (risk treatment).
TARA is mandatory for every “item” or “component” that has cybersecurity relevance in a vehicle. This typically includes ECUs, communication buses (CAN, Ethernet), external interfaces (OBD, V2X, Bluetooth), and data flows between components.
CHAPTER 3
The 5 Steps of TARA
Step 1: Asset Identification
Identify all assets (items, components, data flows) that have cybersecurity properties worth protecting. Define damage scenarios — what happens if confidentiality, integrity, availability, or authenticity is compromised for each asset.
Step 2: Threat Scenario Identification
For each damage scenario, identify specific threat scenarios — concrete attack vectors that could cause the damage. This typically uses threat modeling frameworks like STRIDE adapted for automotive, combined with known threat databases (EMB3D, AutoISAC, NVD).
Step 3: Impact Rating
Assess the impact of each threat scenario across four dimensions: safety, financial, operational, and privacy. Each dimension is rated on a severity scale (negligible, moderate, major, severe) per ISO/SAE 21434 Annex H.
Step 4: Attack Path Analysis
Evaluate the feasibility of each threat scenario being realized. This considers elapsed time, specialist expertise, knowledge of the item, window of opportunity, and equipment required. The result is an attack feasibility rating.
Step 5: Risk Determination
Combine impact ratings and attack feasibility ratings into a risk value for each threat scenario. Based on the risk value, determine the appropriate risk treatment: avoid, reduce, share, or retain. Define cybersecurity goals for each risk that requires treatment.
CHAPTER 4
ISO/SAE 21434 Work Products
ISO/SAE 21434 defines a set of work products across the cybersecurity engineering lifecycle. Key work products from TARA include:
- Asset identification report
- Threat scenario list
- Impact rating report
- Attack feasibility rating report
- Risk determination report
- Risk treatment decision report
- Cybersecurity goals
- Cybersecurity claims
- Cybersecurity concept
- Verification reports
- Cybersecurity case
Each work product must be traceable to its inputs and outputs, creating a continuous audit trail from asset identification through risk treatment and verification.
CHAPTER 5
ISO/SAE 21434 vs. UNECE R155
ISO/SAE 21434 and UNECE R155 are complementary but distinct. ISO 21434 defines how to do cybersecurity engineering — the processes, methods, and work products. UNECE R155 is a regulation that requires OEMs to demonstrate they have a Cybersecurity Management System (CSMS) for vehicle type approval.
In practice, ISO/SAE 21434 compliance is the most common way to satisfy UNECE R155 requirements. The TARA outputs and work products from ISO/SAE 21434 serve as the evidence package for R155 certification.
CHAPTER 6
Common Challenges in Manual TARA
Manual TARA using spreadsheets faces several critical challenges:
- Time: A single TARA typically takes 4–8 weeks per system, with significant engineering hours consumed by documentation.
- Consistency: Risk ratings vary between engineers and across projects, creating audit vulnerabilities.
- Scalability:Modern vehicles have 100+ ECUs. Manual TARA doesn't scale across platforms and variants.
- Traceability: Maintaining continuous asset-to-verification traceability across lifecycle work products in spreadsheets is error-prone and fragile.
- Threat coverage: Manual research cannot systematically cover the full landscape of automotive threats across EMB3D, AutoISAC, NVD, and other databases.
CHAPTER 7
Automating TARA With KAVACH
KAVACH is an AI-native platform that automates the entire TARA process. Using model-based security engineering (MBSE), a curated automotive Threat Database, and AI-powered retrieval across a curated automotive security corpus, KAVACH transforms TARA from a months-long manual process into a structured, automated workflow that takes hours.
Key automation capabilities:
- Visual architecture modeling with interactive MBSE canvas
- AI-powered threat identification from curated automotive scenarios
- Automated risk scoring aligned to ISO/SAE 21434 Clause 15
- Automated preparation of ISO/SAE 21434 work-product evidence
- Full traceability from asset to threat to control to verification
- UNECE R155 evidence package mapping
Request a demo to see KAVACH automate TARA for your specific use case.
Related Pillar Guides
- AIS 189 and AIS 190: India's Automotive Cybersecurity Framework — the domestic Indian derivation of UNECE R155 and R156, with scope, enforcement timeline, and a 12-to-18 month implementation roadmap.
FAQ
ISO/SAE 21434 TARA Frequently Asked Questions
Contact Us.
Agnile supports safety-, security-, and mission-critical engineering programmes across automotive, aerospace, embedded, IoT, enterprise software, cybersecurity, safety, V&V, digital engineering, and KAVACH.