Collaborative Risk-Sharing in Automotive Cybersecurity
Presented at ESCAR USA 2025 by Atefeh Asayesh
As modern vehicles become more connected and software-driven, cybersecurity threats no longer stop at organizational boundaries. Vulnerabilities in Tier 2 supplier components can propagate to Tier 1 supplier systems and all the way to the OEM — yet today’s TARA practices treat these risks in silos.
At ESCAR USA 2025, we introduced a Collaborative Risk-Sharing Framework that addresses this challenge by quantifying shared cybersecurity responsibility across the automotive supply chain.
What’s the Problem?
- ISO/SAE 21434 names risk sharing as a treatment option, but it provides no technical or practical method for doing it.
- Suppliers’ risks often remain hidden or misassigned.
- There’s no consistent way to allocate mitigation responsibility or measure impact reduction efforts across stakeholders (cf. Figure 1). This can lead to a breach as described in Table 1.


Our Proposed Solution
We developed a multi-step framework that enhances standard TARA by:
- Modeling weighted, multi-dimensional impacts across safety, privacy, finance, and operations.
- Applying stakeholder-specific mitigation factors to both impact and feasibility.
- Calculating final residual risk using an extended formula aligned with ALARP (As Low As Reasonably Practicable) principles.
- Clarifying ownership of shared risks and enabling defensible decision-making.
Note: We also recommend introducing a simple Cyber Risk Contract between stakeholders to clearly define roles, responsibilities, and expectations for cybersecurity ownership throughout the supply chain. Our proposed solution is summarized in Figure 2.
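To make the steps above concrete, here is an added, illustrative model of the calculation (written for this post; it is not the formula from the ESCAR USA 2025 paper, and its weights, rating scales, mitigation factors, ALARP thresholds and the telematics scenario are all assumptions). It models weighted impact across the four dimensions, applies each stakeholder's mitigation factors to impact and feasibility, classifies the residual score into ALARP bands, and credits each stakeholder with the risk that would reappear if its controls were removed, which is one way to make ownership of a shared risk defensible.

```python
"""Illustrative shared-risk calculation across a Tier 2 -> Tier 1 -> OEM chain.

Added example for this post. The weights, scales, factors, thresholds and the
scenario are assumptions, not the formula from the ESCAR USA 2025 paper.
"""
from dataclasses import dataclass

# Impact dimensions named in the post. Weights are an assumption (they sum to 1).
DIMENSIONS = ("safety", "privacy", "finance", "operations")
WEIGHTS = {"safety": 0.4, "privacy": 0.2, "finance": 0.2, "operations": 0.2}

# Assumed ordinal scales in the spirit of ISO/SAE 21434 ratings:
# impact per dimension 1 (negligible) .. 4 (severe),
# attack feasibility 1 (very low) .. 4 (high).

# Assumed ALARP bands on the risk score (weighted impact x feasibility).
ACCEPTABLE_BELOW = 1.0
UNACCEPTABLE_FROM = 8.0


@dataclass(frozen=True)
class Mitigation:
    """A control owned by one stakeholder that scales impact and/or feasibility.

    A factor of 1.0 means no effect; 0.5 halves the quantity. Which quantity a
    control touches is the per-stakeholder modelling decision the post describes.
    """
    owner: str
    control: str
    impact_factor: float = 1.0
    feasibility_factor: float = 1.0


def weighted_impact(impacts: dict) -> float:
    missing = set(DIMENSIONS) - set(impacts)
    if missing:
        raise ValueError(f"missing impact ratings: {sorted(missing)}")
    return sum(WEIGHTS[d] * impacts[d] for d in DIMENSIONS)


def risk_score(impacts: dict, feasibility: float, mitigations=()) -> float:
    """Residual risk after applying every stakeholder's factors (order-independent)."""
    impact = weighted_impact(impacts)
    feas = float(feasibility)
    for m in mitigations:
        impact *= m.impact_factor
        feas *= m.feasibility_factor
    return impact * feas


def alarp_band(score: float) -> str:
    if score >= UNACCEPTABLE_FROM:
        return "unacceptable"
    if score < ACCEPTABLE_BELOW:
        return "acceptable"
    return "tolerable"  # ALARP region: keep only with documented justification


def attribute_reduction(impacts: dict, feasibility: float, mitigations) -> dict:
    """Leave-one-out attribution of the achieved risk reduction.

    share_i = R(all controls except i's) - R(all controls), normalised over
    stakeholders. A stakeholder whose controls are load-bearing gets a large share.
    """
    full = risk_score(impacts, feasibility, mitigations)
    owners = sorted({m.owner for m in mitigations})
    raw = {}
    for owner in owners:
        others = [m for m in mitigations if m.owner != owner]
        raw[owner] = risk_score(impacts, feasibility, others) - full
    total = sum(raw.values())
    if total <= 0:
        return {o: 0.0 for o in owners}
    return {o: raw[o] / total for o in owners}


def example() -> dict:
    # Constructed scenario (not a real finding): a Tier 2 telematics module with a
    # remotely reachable message-parser flaw; each tier contributes one control.
    impacts = {"safety": 4, "privacy": 2, "finance": 3, "operations": 3}
    feasibility = 3
    controls = [
        Mitigation("Tier2", "signed firmware and parser hardening", feasibility_factor=0.5),
        Mitigation("Tier1", "gateway message filtering", impact_factor=0.75, feasibility_factor=0.8),
        Mitigation("OEM", "in-vehicle IDS plus OTA patch path", impact_factor=0.5),
    ]
    baseline = risk_score(impacts, feasibility)
    residual = risk_score(impacts, feasibility, controls)
    return {
        "baseline": baseline, "baseline_band": alarp_band(baseline),
        "residual": residual, "residual_band": alarp_band(residual),
        "shares": attribute_reduction(impacts, feasibility, controls),
    }


if __name__ == "__main__":
    r = example()
    print(f"baseline {r['baseline']:.2f} ({r['baseline_band']})")
    print(f"residual {r['residual']:.2f} ({r['residual_band']})")
    for owner, share in r["shares"].items():
        print(f"  {owner}: {share:.0%} of achieved reduction")
```

In the constructed scenario the baseline lands in the unacceptable band and the residual in the tolerable (ALARP) band, so the chain still owes a documented justification; the attribution shows Tier 2 and the OEM each carrying more of the reduction than Tier 1, which is exactly the kind of quantified split a Cyber Risk Contract would record.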

Who Benefits?
- OEMs gain better insight into inherited supplier risks and can act accordingly.
- Tier 1 and Tier 2 suppliers can demonstrate proactive risk reduction.
- Auditors and insurers can assess how well risks are being managed collaboratively — before a breach happens.
Download the full paper