Beyond TARA: How STPA Strengthens Automotive Cybersecurity
03/30/26

This article, written by an SRES automotive cybersecurity expert, explores how System-Theoretic Process Analysis (STPA) can complement ISO/SAE 21434. While TARA remains the standard approach for identifying threats, increasingly software-driven vehicle functions require a broader, system-level view of risk. STPA helps reveal how cyber influence can lead to unsafe behavior—even when systems operate as intended.

Looking to go deeper? SRES provides expert-led automotive cybersecurity training, including certificate-based programs, as well as hands-on consulting support to help organizations implement cybersecurity requirements across the product lifecycle.

Automotive Cybersecurity: Why Structure Matters

The automotive industry has evolved tremendously, with standards such as ISO 26262 and ISO 21448 (SOTIF) shaping safety engineering practices. However, modern vehicles are increasingly software-driven, and autonomous vehicles are no longer a fantasy. The rise of software and connectivity has introduced new risks that cannot be addressed by safety engineering alone. The industry recognized a need for automotive cybersecurity, which led to the development of ISO/SAE 21434 Road Vehicles – Cybersecurity engineering.

Automotive cybersecurity exploits can lead to unsafe system behavior without any component failure, making cybersecurity a critical part of ensuring overall vehicle safety.

ISO/SAE 21434: State of the Art

The automotive industry recognizes that cybersecurity is essential to overall vehicle safety, leading to the development of ISO/SAE 21434, which is widely considered the state-of-the-art for automotive cybersecurity engineering.

A central activity defined in ISO/SAE 21434 is Threat Analysis and Risk Assessment (TARA). TARA is a systematic approach consisting of 7 activities, including identifying assets, threat scenarios, and attack paths. TARA is widely adopted across the automotive industry and has become the primary method for evaluating cybersecurity risk and defining cybersecurity goals. However, as vehicles become more software-driven, it is worth considering whether asset-based threat analysis alone is sufficient to capture all cybersecurity threats.

STPA: A Control-Based Perspective on Cybersecurity

System-Theoretic Process Analysis (STPA) is a hazard analysis method based on systems theory and has been widely applied in safety-critical domains such as aerospace and automotive engineering. Unlike traditional failure-based methods, STPA focuses on how unsafe system behavior can emerge from interactions between system components, even when individual elements function as intended.

At its core, STPA treats safety as a control problem. Systems are modeled as interacting control loops consisting of controllers, control actions, controlled processes, and feedback. Accidents and losses occur when safety constraints on these control actions are not adequately enforced. 

This perspective is also very relevant to automotive cybersecurity. A cyberattack does not need to cause a software failure to be dangerous. By influencing sensor inputs, feedback signals, timing, or assumptions within a control loop, an attacker can enable unsafe control actions (UCA) without any component being detected as compromised.

STPA helps identify these unsafe control actions by asking whether control commands are provided when they should not be, not provided when they should be, or provided too early, too late, or for too long. Framing cyber threats in terms of unsafe control allows engineers to reason directly about how cybersecurity issues can translate into hazardous vehicle behavior.

STPA Process

The STPA process consists of four steps, as seen in the diagram below [1].

Figure: STPA process diagram showing four steps: define analysis purpose, model control structure, identify unsafe control actions, and identify loss scenarios.

The first step is to define the purpose of the analysis by identifying unacceptable losses and the hazardous system states that could lead to those losses. In a cybersecurity context, this helps frame the threat analysis around unsafe vehicle behavior such as unintended steering or disabling brakes, rather than focusing solely on component vulnerabilities.

The second step is to model the system as a control structure. STPA represents the system as interacting control loops that include controllers, control actions, controlled processes, and feedback loops. This step is valuable because it makes explicit where control decisions and feedback can be influenced without causing the system to fail.

The third step is to identify unsafe control actions, which are control commands that are missing, incorrect, provided too late, or provided too early.

The final step of the STPA analysis is to create scenarios for the unsafe control actions and identify how these UCAs can lead to a hazardous scenario.

STPA in Action: Lane Keep Assist System Example

To demonstrate how STPA can be applied in automotive cybersecurity, consider a simplified Lane Keep Assist System (LKAS). The overall vehicle function is to keep the vehicle within lane boundaries by applying steering torque based on perception and vehicle state feedback.

Step 1 – Define the purpose of the analysis: The objective of performing STPA on the LKAS is to determine how unsafe steering control actions could occur under cyber influence.

Step 2 – Model the control structure:

Figure: STPA control structure diagram showing the driver and LKAS controllers, vehicle dynamics, and the external environment with feedback and control loops.

The diagram above is an example of a control structure. It includes two controllers, the driver (highest authority) and the LKAS controller (lower authority), the controlled process (vehicle lateral dynamics), and the external environment (lane markings). Feedback flows from perception sensors to the LKAS and to the driver.

Step 3 – Identify Unsafe Control Actions: The steering torque command may not be provided when required, may be provided when not required, or may be provided too early, too late, or for too long.

Step 4 – Identify Loss Scenarios: An attacker may influence perception inputs, inject steering commands over a vehicle network, or manipulate timing information. These actions could enable unsafe steering commands that result in lane departure or loss of control, even if all components operate as designed.
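As an added example (not code from the SRES article), the LKAS loop from Step 2 and the four UCA guide words from Step 3 are put into a small Python helper that expands each UCA into Step 4 loss scenarios and tags each with the asset it touches, so the output can be handed to a TARA as threat-scenario candidates, which is the hand-off described in the next section. All component names, contexts, hazard labels and the "vehicle network" channel are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ControlAction:
    controller: str   # who issues the command, e.g. "LKAS controller"
    action: str       # the command, e.g. "steering torque"
    process: str      # controlled process, e.g. "vehicle lateral dynamics"
    feedback: tuple   # feedback signals the controller relies on
    channel: str      # bus carrying the command (assumed name: "vehicle network")

@dataclass(frozen=True)
class UCA:
    guide_word: str   # one of the four STPA guide words used in the article
    context: str      # condition under which the action becomes unsafe
    hazard: str       # Step 1 hazard the UCA leads to

# Step 4 causal-factor templates per guide word: one applied to each feedback path, one to
# the command channel. Constructed from the article's three influence categories, not its text.
CAUSAL_FACTORS = {
    "not provided": ("'{fb}' altered so no lane departure is reported", "command on {ch} suppressed"),
    "provided": ("'{fb}' altered to report a lane departure that is not there", "command injected on {ch}"),
    "too early or too late": ("'{fb}' delayed before reaching the controller", "timing data on {ch} manipulated"),
    "too long": ("'{fb}' frozen at a stale value", "command on {ch} replayed after it should have stopped"),
}

def loss_scenarios(ca: ControlAction, uca: UCA) -> list:
    """Expand one UCA into candidate loss scenarios, one per feedback signal and one
    for the command channel, none of which needs a component to fail."""
    fb_tmpl, cmd_tmpl = CAUSAL_FACTORS[uca.guide_word]   # KeyError flags an unknown guide word
    causes = [fb_tmpl.format(fb=fb) for fb in ca.feedback] + [cmd_tmpl.format(ch=ca.channel)]
    return [f"{ca.action} {uca.guide_word} {uca.context}: {c}" for c in causes]

def tara_inputs(ca: ControlAction, ucas: list) -> list:
    """Pair each loss scenario with the asset it touches: (asset, threat scenario, hazard) rows for a TARA."""
    assets = list(ca.feedback) + [ca.channel]
    return [(asset, scenario, uca.hazard)
            for uca in ucas
            for asset, scenario in zip(assets, loss_scenarios(ca, uca))]

def lkas_example() -> list:
    """The article's simplified LKAS loop (Step 2) with one UCA per guide word (Step 3)."""
    lkas = ControlAction("LKAS controller", "steering torque", "vehicle lateral dynamics",
                         ("lane-marking perception", "vehicle state feedback"), "vehicle network")
    ucas = [
        UCA("not provided", "while the vehicle drifts toward the lane boundary", "H-1 lane departure"),
        UCA("provided", "while the vehicle is centred and not drifting", "H-2 unintended lateral motion"),
        UCA("too early or too late", "relative to the measured drift", "H-1 lane departure"),
        UCA("too long", "after the lane centre has been regained", "H-2 unintended lateral motion"),
    ]
    return tara_inputs(lkas, ucas)
```

Each row names the asset (a feedback signal or the command channel) alongside the behavioural scenario, which is the form a TARA asset-and-threat-scenario table expects.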

How STPA Fills Gaps Left by TARA

STPA can be used to complement TARA by providing a system-level perspective on unsafe control. The unsafe control actions and loss scenarios identified through STPA can serve as valuable inputs to TARA, helping define more complete and behavior-driven threat scenarios.

While TARA helps engineers understand how systems can be attacked, STPA helps engineers understand how cyber influence can lead to unsafe vehicle behavior. Used together, they provide stronger coverage of cyber-induced safety risks in modern vehicles.

Reference

[1] N. G. Leveson and J. P. Thomas, STPA Handbook, 2018.


© Copyright 2026 SecuRESafe, LLC. All rights reserved.