Defining the appropriate TARA scope
ISO/SAE 21434 mandates that the TARA is performed during the concept phase while considering all product life cycles (production, operation, maintenance, and decommissioning). A common pitfall is to focus purely on the operational phase because that is the phase where vehicle safety is directly exposed to cybersecurity threats. The result is an inadequate cybersecurity concept that misses security goals covering how the vehicle is produced, maintained, and taken out of service. That is why it is important to involve all engineering teams across all the product life cycles and assign clear responsibilities when planning out the TARA(s). When there is resistance to expanding the scope of the TARA to cover these life cycle stages, development teams must capture all the assumptions on risks of the other life cycles to ensure that at least the system integrator is aware of those risks. For example, if the manufacturing phase is not adequately analyzed...
