
Engineering scenario · Automotive Cybersecurity

Architecture-aware TARA for a connected body domain controller

How Agnile structures an ISO/SAE 21434 TARA for a body domain controller with cellular connectivity, CAN-FD networks, OTA capability, and UDS diagnostics.

An illustrative engineering scenario — the type of cybersecurity engineering workflow Agnile supports.

Problem context

A body domain controller integrating connected services (telematics, OTA), CAN-FD subnetworks, and a privileged diagnostic surface concentrates the cybersecurity-relevant assets of a modern body architecture. Spreadsheet TARA approaches lose track of which signals cross trust boundaries and which threat scenarios already have controls in place. The team needs an architecture-grounded TARA whose coverage and gaps are visible at any time.

Engineering approach

  1. Capture the system context — ECUs, in-vehicle networks, external interfaces (cellular, USB, OBD-II), trust boundaries, and key data flows — as a structured architecture model.
  2. Derive cybersecurity assets and properties (CIA/AN) per element and reference them in damage scenarios with SFOP impact ratings per ISO/SAE 21434 Annex F.
  3. Build threat scenarios using STRIDE-style categories anchored to the architecture (spoofing on the diagnostic interface, tampering on OTA payloads, replay on body CAN messages, etc.).
  4. Develop attack paths as attack trees that reference real entry points (cellular, OBD-II, USB, debug headers) and intermediate compromises (ECU code execution, key extraction).
  5. Score attack feasibility per Annex G factors, derive risk values per Annex H, and prepare risk-treatment recommendations with mapped controls.
  6. Draft cybersecurity goals, claims, and concept-level requirements that close the residual risk; capture them in a cybersecurity case stub ready for formal authoring.
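The six steps above chain architecture elements to damage scenarios, threat scenarios, attack paths, feasibility and risk. The following Python model is an added example written for this page, not Agnile or KAVACH code, that carries one small body-domain case through that chain: trust-zone names, the attack-potential parameter values (recalled from the Annex G.2 tables; verify against your copy of the standard), the feasibility bands, the 4x4 risk matrix and the three sample scenarios are all constructed assumptions. It also answers the coverage question from the problem context: which threat scenarios above a risk threshold still have no mapped control.

```python
# Constructed illustration of an architecture-anchored TARA (editor's example, not Agnile/KAVACH code).
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Impact(Enum):
    """Impact levels used for each SFOP category (ISO/SAE 21434 Annex F)."""
    NEGLIGIBLE = 0
    MODERATE = 1
    MAJOR = 2
    SEVERE = 3


@dataclass(frozen=True)
class Element:
    name: str
    trust_zone: str  # assumed zone names: "external", "telematics", "body-can"


@dataclass(frozen=True)
class DataFlow:
    src: Element
    dst: Element
    signal: str

    def crosses_trust_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


@dataclass
class DamageScenario:
    description: str
    asset: str
    sfop: Dict[str, Impact]  # keys "S", "F", "O", "P"

    def impact(self) -> Impact:
        # Overall impact taken as the highest SFOP category rating (assumed aggregation rule).
        return max(self.sfop.values(), key=lambda i: i.value)


# Attack-potential parameters in the style of Annex G.2 (ISO/IEC 18045 lineage).
# Values as recalled by the editor; check them against the standard before use.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}


@dataclass
class AttackPath:
    steps: List[str]  # entry point and intermediate compromises, named per the architecture model
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window] + EQUIPMENT[self.equipment])

    def feasibility(self) -> str:
        # Attack potential -> feasibility rating; band thresholds are assumed (Annex G style).
        ap = self.attack_potential()
        return "high" if ap <= 13 else "medium" if ap <= 19 else "low" if ap <= 24 else "very low"


# Example risk matrix (impact x feasibility -> risk value 1..5), shaped like the informative
# matrix in Annex H; an organisation defines and justifies its own.
RISK_MATRIX = {
    Impact.NEGLIGIBLE: {"very low": 1, "low": 1, "medium": 1, "high": 1},
    Impact.MODERATE:   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    Impact.MAJOR:      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    Impact.SEVERE:     {"very low": 2, "low": 3, "medium": 4, "high": 5},
}


@dataclass
class ThreatScenario:
    stride: str            # STRIDE category
    target: str            # element or data-flow signal the scenario is anchored to
    damage: DamageScenario
    paths: List[AttackPath]
    controls: List[str] = field(default_factory=list)

    def risk_value(self) -> int:
        # The most feasible attack path determines the scenario's risk value.
        return max(RISK_MATRIX[self.damage.impact()][p.feasibility()] for p in self.paths)


def untreated(scenarios: List[ThreatScenario], threshold: int = 3) -> List[str]:
    """Scenarios at or above the threshold with no mapped control: the TARA's open gaps."""
    return [f"{s.target}/{s.stride}" for s in scenarios if s.risk_value() >= threshold and not s.controls]


def build_model():
    """Constructed body-domain example: elements, data flows and three threat scenarios."""
    cell, tcu = Element("cellular modem", "external"), Element("telematics unit", "telematics")
    bdc, door = Element("body domain controller", "body-can"), Element("door ECU", "body-can")
    obd = Element("OBD-II connector", "external")
    flows = [DataFlow(cell, tcu, "OTA package"), DataFlow(tcu, bdc, "OTA image"),
             DataFlow(bdc, door, "DoorUnlockRequest"), DataFlow(obd, bdc, "UDS request")]
    I = Impact
    scenarios = [
        ThreatScenario("tampering", "OTA image",
            DamageScenario("Malicious firmware on the BDC", "BDC firmware",
                           {"S": I.MAJOR, "F": I.MAJOR, "O": I.SEVERE, "P": I.NEGLIGIBLE}),
            [AttackPath(["cellular", "telematics code execution", "unsigned image accepted by BDC"],
                        "<=1 week", "expert", "restricted", "unlimited", "standard")],
            controls=["secure flashing (signed images)", "secure boot"]),
        ThreatScenario("replay", "DoorUnlockRequest",
            DamageScenario("Unauthorised door unlock", "body CAN door-control messages",
                           {"S": I.NEGLIGIBLE, "F": I.MAJOR, "O": I.MODERATE, "P": I.NEGLIGIBLE}),
            [AttackPath(["OBD-II", "body CAN access"], "<=1 day", "proficient", "public", "easy", "standard")]),
        ThreatScenario("spoofing", "UDS request",
            DamageScenario("Unauthorised diagnostic write to BDC configuration", "BDC calibration data",
                           {"S": I.MAJOR, "F": I.MODERATE, "O": I.MAJOR, "P": I.MODERATE}),
            [AttackPath(["OBD-II", "weak diagnostic authentication"],
                        "<=1 week", "proficient", "restricted", "easy", "bespoke")],
            controls=["secure diagnostics"]),
    ]
    return flows, scenarios


if __name__ == "__main__":
    flows, scenarios = build_model()
    for f in flows:
        print(f"{f.signal}: {f.src.name} -> {f.dst.name}", "[crosses trust boundary]" if f.crosses_trust_boundary() else "")
    for s in scenarios:
        print(f"{s.stride} on {s.target}: impact={s.damage.impact().name} risk={s.risk_value()} controls={s.controls}")
    print("untreated:", untreated(scenarios))
```

Run as a script it lists which flows cross a trust boundary, the impact and risk value of each threat scenario, and the scenarios still lacking a control; in this constructed model the replay scenario on the door CAN message (risk 4, no control) is the one the risk-treatment register would have to address, which is exactly the gap a spreadsheet TARA tends to lose sight of.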

Outputs / evidence

  • Item Definition with operational environment, assumptions, and external interfaces
  • Asset register linked to cybersecurity properties and SFOP impact ratings
  • Damage and threat scenario set anchored to architecture elements
  • Attack-tree set with feasibility scoring and risk values
  • Risk-treatment register with mapped controls (secure boot, secure flashing, SecOC, secure diagnostics)
  • Cybersecurity goal / claim / concept skeleton aligned with ISO/SAE 21434 Clauses 9–10

Standards touched

  • ISO/SAE 21434 (Clauses 9, 15)
  • UNECE R155 Annex 5 threats and mitigations
  • AUTOSAR SecOC for in-vehicle communication authentication

Where KAVACH helps

KAVACH structures the architecture model, asset register, damage / threat scenario chain, and attack trees, retrieves automotive threat patterns from a curated corpus, and exports the artefacts as ISO/SAE 21434 work-product evidence with traceability to source.

Next step

Discuss this scenario for your programme

If a similar workflow fits your architecture, scope, or standards, we can scope an engagement against your specifics.