Why does the topic of cybersecurity become more and more important in the field of product development? How can a tool make carrying out a TARA easier? Jana Karina von Wedel, cybersecurity expert, answers these and further questions in our interview.
Ms. von Wedel, the topic of cybersecurity, and in this context especially cybersecurity analyses, is meeting with growing interest from our customers. Why?
Products developed today are becoming more and more complex. They have a constantly growing number of interfaces to the outside world. These can be a USB port, for example, or a Bluetooth or WLAN connection. As a result, products are becoming increasingly susceptible to attacks from the environment. Personal or even internal company data can be lost. Additionally, people could be put in danger. For example, when we think of autonomously driving vehicles, if such a vehicle could be externally controlled, people would be put in mortal danger in the worst-case.
What need does this create for development projects?
Naturally, when companies develop a product, they should have the goal of producing a secure product.
This means that they have to conduct security analyses for their products. This task is usually performed by security engineers. They ask themselves questions like: What are the aspects of the technical system worth protecting, the so-called assets? What would be the results of an attack on them? And how would such attacks be possible? How well are the assets already protected and what needs to be done to make the system sufficiently „secure“? The corresponding risks must then be prioritized, and necessary countermeasures must be taken.
With ISAT 4.0, INVENSITY recently introduced a tool that is supposed to simplify this work of security engineers in development projects considerably. What exactly is ISAT 4.0 about?
ISAT stands for INVENSITY Security Assessment Tool. It supports security engineers in the analysis and concept phases of security development. Over the years, in our own consulting activity as security experts for our customers, we have found that the creation of the necessary Threat Analyses and Risk Assessments (TARAs), a systematic procedure to analyze and evaluate security risks, can be very work-intensive and time-consuming.
Depending on the number of assets to be considered, a TARA can become very complex. Meanwhile, certain process steps must be followed in order to ensure conformity with the relevant norms and standards, such as ISO 21434 or ISO 27001.
The subsequent decision on where to implement risk reduction measures, the so-called Risk Treatment Decision, as well as the concrete selection of measures to be implemented, can also prove to be extremely time-consuming without suitable tools.
ISAT 4.0 supports security engineers in this work by providing clarity and user-friendliness and enabling them to reuse partial results both within a project and across several projects, which in turn ensures consistency.
So far, it seems that it has been possible to carry out a TARA without a tool?
Of course, it is possible without a tool. However, it costs the person to perform a TARA much more time and nerves. Defining the scope of security and deriving the assets still works very well without a dedicated tool.
But as I said, a TARA can become very complex. Up to now, they were mostly carried out in Excel. You build a tree structure in which the risks for each asset are reflected – and it gets quite branched. At some point you end up working with huge Excel wallpapers, in which you hardly find your way around. And that, of course, increases the susceptibility to errors. It is then no longer possible to clearly see whether you have considered all possible scenarios and have analyzed them in the necessary detail or whether you have forgotten something.
This can be quite frustrating for a security engineer. A tool can help here.
How does ISAT 4.0 help to avoid these frustrations?
ISAT 4.0 has a web-based user interface that guides security engineers quickly and clearly step by step through a TARA. They can easily understand whether they have sufficiently considered all scenarios.
The biggest advantage of the tool is that entire projects or even individual elements, such as partial attack trees or controls, can be reused again and again. ISAT 4.0 thus not only increases the speed, but also the quality of a TARA, because it reduces error-proneness and guarantees consistency.
Also, it supports the cooperation with the own management: at first glance, a traffic light system shows which risks exist, i.e. which effects (impact) can occur how likely (likelihood /attack feasibility) and how countermeasures affect them. In addition, it is possible to visually compare the impact of different combinations of measures on the remaining risk. You no longer need to be a security expert to see what risks exist where and how countermeasures can transform red areas into green areas.
What does the 4.0 behind ISAT mean?
Very simple: it is the fourth version and thus the third revision. In 2015, several of our security experts were assigned to perform TARAs. They were confronted with exactly the challenge just mentioned: to perform a confusing and tedious work in Excel. The frustration over this resulted in the motivation to develop a tool that would simplify their work. The idea for ISAT was born.
While the first generations were Java tools with local installation, ISAT is now web-based. This makes it possible for several people to work on one TARA at the same time from different locations.
We first used ISAT internally for our security projects. More and more customers then became aware of the tool while we were using it for our TARAs. The positive feedback showed us that we were not alone in desiring a more helpful resource. That is why we wanted to make ISAT a product that every company could buy and benefit from.
A lot of practical experience and development work went into ISAT 4.0 to define the current state-of-the-art.
What do interested parties have to do to learn more about ISAT 4.0?
They should simply contact us. We will gladly answer their questions and also explain the possibility of testing the tool as a demo version. Of course, we are always happy to receive feedback to make ISAT even more efficient for us and our customers.
Thank you very much for your time, Ms. von Wedel.