
Collaborative Risk-Sharing in Automotive Cybersecurity

Atefeh Asayesh
Published on Jul 09, 2025

Presented at ESCAR USA 2025 by Atefeh Asayesh

As modern vehicles become more connected and software-driven, cybersecurity threats no longer stop at organizational boundaries. Vulnerabilities in Tier 2 supplier components can propagate to Tier 1 supplier systems and all the way to the OEM — yet today’s TARA practices treat these risks in silos.

At ESCAR USA 2025, we introduced a Collaborative Risk-Sharing Framework that addresses this challenge by quantifying shared cybersecurity responsibility across the automotive supply chain.

What’s the Problem?

  • ISO/SAE 21434 mentions risk sharing — but gives no technical or practical method for doing it.
  • Suppliers’ risks often remain hidden or misassigned.
  • There’s no consistent way to allocate mitigation responsibility or measure impact reduction efforts across stakeholders (cf. Figure 1). This can lead to a breach as described in Table 1.

Figure 1. Challenge Area - Complex Risk Ownership Scenario

Table 1. Attack Path and Responsibilities

Our Proposed Solution

We developed a multi-step framework that enhances standard TARA by:

  • Modeling weighted, multi-dimensional impacts across safety, privacy, finance, and operations.
  • Applying stakeholder-specific mitigation factors to both impact and feasibility.
  • Calculating final residual risk using an extended formula aligned with ALARP (As Low As Reasonably Practicable) principles.
  • Clarifying ownership of shared risks and enabling defensible decision-making.

Note: We also recommend introducing a simple Cyber Risk Contract between stakeholders to clearly define roles, responsibilities, and expectations for cybersecurity ownership throughout the supply chain. Our proposed solution is summarized in Figure 2.

Figure 2. Proposed Risk Sharing Model
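As an added illustration (not the paper's own formula), the following Python model shows the shape of the calculation the bullets above describe: weighted impact over the four dimensions, stakeholder-specific mitigation factors applied to impact and feasibility along the Tier 2 -> Tier 1 -> OEM chain, a per-stakeholder share of the risk reduction to support ownership discussions, and an ALARP check on the residual risk. The multiplicative risk model, the chain-order attribution of reduction, and every rating, weight and threshold are assumptions constructed for this example.

```python
from dataclasses import dataclass

DIMENSIONS = ("safety", "privacy", "finance", "operations")


@dataclass
class Stakeholder:
    name: str
    impact_mitigation: dict        # per dimension: fraction of impact removed (0..1)
    feasibility_mitigation: float  # fraction of attack feasibility removed (0..1)


def weighted_impact(impacts: dict, weights: dict) -> float:
    """Combine per-dimension impact ratings (0..1) using weights that sum to 1."""
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "weights must sum to 1"
    return sum(impacts[d] * weights[d] for d in DIMENSIONS)


def residual_risk(impacts: dict, weights: dict, feasibility: float, chain: list):
    """Apply each stakeholder's controls in chain order (assumed model).

    Risk = weighted impact x feasibility; each party's controls scale both down.
    Returns (initial risk, residual risk, risk reduction attributed per party).
    """
    imp, feas = dict(impacts), feasibility
    initial = prev = weighted_impact(imp, weights) * feas
    shares = {}
    for s in chain:
        for d in DIMENSIONS:
            imp[d] *= 1.0 - s.impact_mitigation.get(d, 0.0)
        feas *= 1.0 - s.feasibility_mitigation
        now = weighted_impact(imp, weights) * feas
        shares[s.name] = prev - now  # reduction this party is credited with
        prev = now
    return initial, prev, shares


def alarp_met(residual: float, tolerable: float) -> bool:
    """ALARP check: residual risk must sit at or below the agreed tolerable level."""
    return residual <= tolerable


def example_assessment():
    # Constructed sample attack path: a flaw in a Tier 2 component reaching the OEM.
    impacts = {"safety": 0.9, "privacy": 0.3, "finance": 0.5, "operations": 0.6}
    weights = {"safety": 0.4, "privacy": 0.2, "finance": 0.2, "operations": 0.2}
    chain = [
        Stakeholder("Tier 2", {"safety": 0.5}, 0.25),
        Stakeholder("Tier 1", {"privacy": 0.5, "operations": 0.5}, 0.20),
        Stakeholder("OEM", {"finance": 0.6}, 0.0),
    ]
    initial, residual, shares = residual_risk(impacts, weights, 0.8, chain)
    return initial, residual, shares, alarp_met(residual, tolerable=0.2)
```

Because attribution is sequential, reordering the chain changes each party's credited share while leaving the residual risk unchanged; a real Cyber Risk Contract would need to fix that ordering explicitly.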

Who Benefits?

  • OEMs gain better insight into inherited supplier risks and can act accordingly.
  • Tier 1 and Tier 2 suppliers can demonstrate proactive risk reduction.
  • Auditors and insurers can assess how well risks are being managed collaboratively — before a breach happens.

Download the full paper
