...
The following sections give a short description of how to create a new TARA document and how to add content.
Working with documents, tables and views
Create a new TARA document
To create a new TARA, right-click your TARA folder, which performance will prompt you to Create new TARA. Acknowledge this prompt by left-clicking it.
...
Outcome: your new TARA file will be listed as expected. Open the same by double-clicking. As indicated on-screen, the content constitutes an initially empty table structure designed to take input for TARA according to the applicable industry standard ISO 21434.
...
Organize TARA table and views
TARA main table
Your TARA documents are located in folder TARA associated with your project located in the Project Navigator.
...
Basically the TARA document provides a main table accompanied with context specific views. Initially the tara table is empty, as you would expect.
TARA element views
In addition to the TARA main table all TARA elements like assets and threat scenarios that exist in the project are listed in an element specific view. You can source these project views from the RM folder.
...
As an example the figure shows TARA document “TARA Head Lamp” located on top and several element specific views arranged below it.
...
The TARA Workflow
Asset Identification
Starting with a system model assets can be defined by assigning the stereotype “Asset” to a model element as described in section https://enco-software.atlassian.net/wiki/spaces/WIPHCSUD/pages/34378056533440591758/new+Item+Definition+System+Design+in+Security+Analysis#Asset-Identification. Assets defined based on system model are available in the TARA document and can be selected from a drop down list by double clicking in a cell in column “Model Element” in project view Asset. Add a new row and fill in name and description or select content from drop-down menu.
...
To further analyze an asset add a cybersecurity property by selection from drop-down menu in corresponding column Cybersecurity Property.
...
Description of damage scenarios and impact rating
To finalize asset identification you need to identify damage scenarios that might be realized in case an asset’s cybersecurity property is compromised. For a detailed description please go to page https://enco-software.atlassian.net/wiki/spaces/WIPHCSUD/pages/34377969413440579453/new+Identifying+Assets+And+Damage+Scenarios#Step-2%3A-Cybersecurity-assets-and-damage-scenarios of SOX TARA user guide.
...
The next figure suggests a possible outcome:
...
Threat scenario identification
Each combination of cybersecurity asset and damage scenario can be related to n threat scenarios. For a detailed description please go to page new Identifying Threat Scenarios of SOX TARA user guide.
...
The next figure suggests a possible outcome:
...
Identifying Attack Paths
Each threat scenario can be related to n attack paths. For a detailed description please go to page new Attack Path Analysis of SOX TARA user guide.
Add a nested table for attack paths to a threat scenario via right-click on a threat scenario and select “Add Attack Path” from the context menu.
Fill all columns as needed. AF Rating Approach providesa drop-down menu with three different rating methods.
...
The Attack Feasibility is derived from processing the relevant input. Note that the highest value, in this case, “High”, propagates to the Threat Scenario.
Identifying Attack Steps
Each attack path can consist of several attack steps. For a detailed description please go to page https://enco-software.atlassian.net/wiki/spaces/WIPHCSUD/pages/34377970573440579569/new+Attack+Path+Analysis#Identifying-Attack-Steps of SOX TARA user guide.
Add a nested table for attack steps to an attack path via right-click on an attack path and select “Add Attack Step” from the context menu.
Fill all columns as needed.
...
Next figure shows an example outcome:
...
Risk values and risk treatment
Risk Treatment is done for each combination of damage and threat scenario. For a detailed description please go to page Risk Treatment of SOX TARA user guide.
...