TARA can be performed for a variety of purposes, such as to identify possible vulnerabilities or to assess the likelihood and impact of a cyber-attack. Although TARA is required of every player in the supply chain (OEMs and Tier suppliers alike), for the sake of simplicity, we will use OEMs as the main TARA user.

The primary goal of TARA is to provide insights into the potential risks that an OEM’s system or data may face, and to determine how those risks can be mitigated or managed. Using the TARA process, OEMs are able to identify these potential threats, evaluate their likelihood and potential impact, and determine the risk associated with each threat. This information is then used to develop strategies and plans to manage and mitigate the identified risks. TARA can be used in a variety of contexts, such as cybersecurity, safety, financial risks, and other types of risks that organizations may face.

While many OEMs rely on the Microsoft Excel application (app) to automate their TARA process, the limitations of this app become more apparent as the complexity of TARA increases. In this blog post we’ll explore why Excel is not the ideal automation tool for TARA in the automotive industry and offer proper tools and best practices. We’ll also examine crucial aspects such as collaboration, version control, scalability, data visualization and modeling, data integrity, flow and process management, and compatibility with automotive regulations and standards.

An example of a threat analysis and risk assessment (TARA) based on an Excel sheet. Source: Google

1.  A descriptive approach

Excel files are based on a descriptive approach, which means that the security team creates lists to identify potential risks and vulnerabilities. However, this approach can be limiting when dealing with complex TARA processes. It can also make it difficult to monitor lists and perform analytics on unstructured data, compromising the monitoring capabilities of the TARA process. When dealing with TARA, the cyber security team wants to analyze the data in the most granular way possible, which will allow them to identify and isolate the root causes of the potential threats and address them in the most efficient manner possible.

Furthermore, the descriptive approach used in Excel doesn’t allow for true risk management beyond the initial TARA conducted during the concept phase. This insufficiency is even more acute when OEMs implement a Cybersecurity Management System (CSMS) to be compliant. This is because the CSMS requires continuous monitoring and risk management, which cannot be achieved with Excel’s limited capabilities.

 

2.  Inability to efficiently reuse previous work/best practices

Excel lacks the features and capabilities needed to efficiently and reliably implement current best practices or reuse existing work from other Excel files.

  • Excel files can vary in format and structure, making it challenging to copy and paste data from one file to another.
  • Excel files often contain large amounts of data, making it time-consuming to search for and extract relevant information.
  • Excel files don’t provide a centralized platform for storing and managing TARA data, making it difficult to access and reuse data from previous projects.

These limitations can result in errors and inconsistencies, particularly when dealing with complex TARA processes that require precise and accurate data. Reusing data from multiple Excel files or dealing with multiple data sources can be especially challenging, leading to data silos where relevant information is scattered across different files or stored in different locations. This can make it difficult to access and reuse data from previous projects, resulting in time-consuming searches for relevant information and compromising the efficiency and reliability of the TARA process.

 

3.  No version control

Excel files don’t have built-in version control, which makes it difficult to track changes and ensure that everyone is working with the most up-to-date version of the file.

  • Difficulty in tracking changes. When multiple team members are working on the same Excel file, it’s hard to keep track of who made changes, what changes were made, and when the changes were made.
  • Distribution. Excel files are often shared through email or other file-sharing platforms, making version control even more difficult.
  • Different saved file locations. Excel files are often saved locally, making it difficult to access and share files across different locations or with team members who are working remotely. This can lead to version control issues, where team members are working on different versions of the same file.
  • Easily modified or deleted. Excel files can be easily modified or deleted by accident, leading to the loss of valuable data and additional version control issues.

 

4.  Doesn’t support scalability

Excel files can become large and unwieldy as the TARA process progresses, making them difficult to manage and maintain, and these limitations become increasingly apparent as the size and complexity of the TARA project increase.

  • Limited data capacity: Excel files have limited data capacity, making it challenging to manage large datasets. As the TARA process progresses and more data is collected, Excel files can become large and unwieldy, making it difficult to manage and maintain.
  • Inefficient processing: Excel files can be slow to process large datasets, especially when complex formulas and functions are used. This can result in delays and errors, compromising the accuracy and effectiveness of the TARA process.
  • Limited automation: Excel does not have advanced automation capabilities, making it challenging to automate complex TARA processes. This can result in time-consuming and error-prone manual processes, compromising the efficiency and scalability of the TARA process.

 

5.  Limited data visualization and modeling features

Excel files don’t offer advanced data visualization capabilities, making it difficult to present and communicate TARA results in a clear and meaningful way. This can be particularly challenging when dealing with complex TARA processes that involve models and scenarios.

  • Limited charting capabilities: Excel provides basic charting capabilities, but these are often not sufficient and can make it challenging to communicate TARA results to stakeholders effectively.
  • Inefficient modeling: Excel can be inefficient when it comes to modeling complex TARA scenarios, especially when large datasets are involved. This can result in slow processing times and errors, compromising the accuracy and effectiveness of the TARA process.
  • Limited automation: Excel doesn’t provide advanced automation capabilities for data visualization and modeling, making it time-consuming to create and update charts and models manually. This can result in delays and errors, compromising the efficiency and scalability of the TARA process.

 

6.  Difficulty in maintaining data integrity

Excel files are prone to errors and inconsistencies, which can compromise the efficiency and scalability of the TARA process, as well as the accuracy and reliability of the TARA results.

Reasons for these issues include:

  • Human error. Excel files are often manually updated, making them susceptible to human error.
  • Limited validation. Excel doesn’t provide advanced validation capabilities, making it difficult to ensure that the data is accurate and consistent.
  • Limited automation. Excel files aren’t designed for automation, making it challenging to automate data validation and cleaning tasks.
  • Limited collaboration. Excel files aren’t designed for collaboration, making it challenging to ensure that everyone is working with the same data.

 

7.  Limited integration abilities

Excel files aren’t designed for integration with other systems, making it difficult to import or export data from other sources, such as threat intelligence feeds or asset management systems.

Reasons for these issues include:

  • Limited import/export capabilities: Excel doesn’t provide advanced import/export capabilities, making it challenging to import or export data from other sources.
  • Limited collaboration: It’s challenging to share and integrate data across multiple teams and systems using Excel.
  • Inefficient data mapping: Excel can be inefficient when it comes to mapping data from different sources, especially when dealing with complex data structures.
  • Limited automation: Since Excel files aren’t designed for automation, it can be extremely challenging to automate the import/export of data from other sources.

 

8.  Limited flow and process management

Excel files don’t have built-in workflow and process management tools, making it difficult to track the progress of the TARA process and ensure that tasks are being completed in a timely manner.

Reasons for these issues include:

  • Limited task management capabilities: Excel doesn’t provide the advanced task management capabilities needed to efficiently and reliably track the progress of a TARA process.
  • Inefficient collaboration: It’s difficult to assign and track tasks across multiple teams and projects in Excel.
  • Limited automation: Again, since Excel files aren’t designed for automation, automating task management and workflow processes is extremely challenging. This means relying on error-prone and time-consuming manual processes.
  • Limited visibility: Excel files lack dashboarding capabilities, so there is no high-level view for managerial purposes.

 

9.  Limited collaboration and sharing

One significant limitation of using Excel for TARA automation is its lack of collaboration and sharing capabilities with different stakeholders. Even with Excel Online, files are simply not designed for real-time collaboration, making it difficult for multiple team members to work on the TARA process simultaneously. This can result in time-consuming and error-prone processes, where team members need to share files back and forth manually.

Furthermore, Excel files are often saved locally, making it challenging to share files and work on them in real time. This can lead to version control issues, where team members are working on different versions of the same file, resulting in confusion and errors.

This limitation of collaboration and sharing capabilities in Excel can be especially problematic for large teams working on complex TARA projects, where different team members need to contribute their expertise and insights. Using Excel for collaboration can result in delays, miscommunication, and errors that can impact the accuracy and effectiveness of the TARA process, resulting in both revenue risks and high operational costs.

 

10.  Incompatibility with automotive regulations and standards

Excel files are plain data sheets and don’t provide guidelines for the regulations and standards that apply to the automotive industry. This can result in non-compliance, risking legal liabilities, fines, and penalties, while compromising the reputation and financial stability of the organization.

  • Limited guidance: Excel doesn’t provide guidance on automotive regulations and standards, making it challenging to ensure that the TARA process is compliant with industry regulations and standards.
  • Limited tracking: Excel files aren’t designed for tracking compliance with regulations and standards, making it challenging to demonstrate compliance to auditors and regulatory bodies.
  • Limited collaboration: Excel files aren’t designed for collaboration, making it challenging to ensure that everyone is working towards compliance with automotive regulations and standards.

 

11.  Security

Excel files are vulnerable to cyber attacks, such as malware infections and ransomware attacks. If an Excel file is compromised, the information it contains (and other privileges) could be exposed to unauthorized parties, which could have serious consequences for the organization. The following are some reasons why security is difficult when using Excel for TARA:

  • Limited security features: Excel doesn’t provide advanced security features, making it challenging to protect TARA data from cyber attacks.
  • Limited encryption capabilities: Excel does not provide advanced encryption capabilities, making it challenging to protect TARA data from unauthorized access, risking the possible compromise of sensitive information.
  • Limited access controls: Excel files make it challenging to limit access to TARA data to authorized personnel only. This can result in unauthorized access to sensitive information, compromising the reputation and financial stability of the organization.
  • Limited collaboration control: Excel’s lack of collaboration capabilities makes it almost impossible to ensure that everyone follows security protocols and policies.

 

12.  Difficulty working with a DevSecOps extension

Excel doesn’t allow the kind of direct and intuitive use of the gathered data required for additional automation in the CSMS and in the Cybersecurity DevOps processes. These types of processes include prioritizing security implementation tasks for developer projects, efficiently prioritizing and mitigating vulnerabilities in different software versions, and more.

The following are some reasons why a DevSecOps extension is so difficult with Excel:

  • Limited automation capabilities: Excel’s lack of automation makes it challenging to integrate with other tools and perform additional automation in the CSMS and DevSecOps processes.
  • Limited collaboration: This makes it challenging to share and integrate data across multiple teams and systems.
  • Limited data analytics capabilities: Excel doesn’t provide advanced data analytics capabilities, making it challenging to analyze the TARA data and perform additional automation in the CSMS and DevSecOps processes. This can result in incomplete and inaccurate data analysis.

In summary, the EVSec ANALYSIS module is a comprehensive TARA automation tool that offers advanced automation, collaboration, data analytics, security, integration, workflow and process management, data validation and cleaning, risk management, data visualization and modeling capabilities, as well as compliance tracking and reporting.

In addition, EVSec ANALYSIS enables OEMs to easily meet WP.29 regulation and ISO/SAE 21434 requirements with scalable TARA for risk management across the entire organization and supply chain, making it a powerful tool for organizations looking to improve their TARA process and ensure the security of their systems.