Improving the cybersecurity of embedded systems requires establishing a series of processes to ensure the systems we design are secure and resilient against various types of cyberattacks. The rapid technological development of recent years has made security not just an option but a necessity.
To secure our system, we must first analyze the weaknesses and threats that may arise in the embedded devices we design. One fundamental and highly effective technique for accomplishing this is threat modeling.
Basic concepts
Threat modeling can be defined as the process of analyzing a system to identify its weaknesses, which may turn into vulnerabilities. An attacker can exploit these weaknesses to create a threat and gain unauthorized access to data. The consequences of such actions can lead to numerous dangers.
The goal of threat modeling is to identify weaknesses before they are exploited. This involves characterizing system components that need to be modified to reduce risk and increase the security level.
In threat modeling, we view the system as a collection of components (memory, communication buses, processors, data) that work together to execute programmed logic. We then try to visualize and predict how these components and their interactions might fail and be exploited by threat actors. The most important aspect of threat modeling is viewing the system from the attacker’s perspective.
The process can be accelerated by answering four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
Why do we need threat modeling?
Initially, threat modeling may be seen as an additional cost of unclear value. This perception stems from a lack of understanding of the long-term benefits, such as:
- Accelerated design and development work.
- Simplified architecture with clearly defined security zones.
- Faster testing processes.
- Higher system security.
- Better understanding of potential threats by the team.
- Positive impact on software quality and implementation time.
A properly conducted threat modeling process changes the team’s approach to security, improving understanding and implementation of security elements.
We must remember that implementing security in our products is not a one-time task but a process of changing mindsets. The costs of threat modeling are significantly lower than the potential costs of a cyberattack, which embedded systems are increasingly vulnerable to.
The process
Threat modeling should be part of the secure software development lifecycle. If such a process hasn’t been defined yet, threat modeling should be performed during:
- Device design.
- Software development (as a recurring activity).
- Preparing official software releases (new features or bug fixes).
Ideally, threat modeling should be performed for each newly implemented feature to identify potential weaknesses.
The time required for the first threat modeling session depends on:
- System complexity.
- Current hardware and software state.
- Knowledge and experience of the team.
Steps in the threat modeling process
The process can be adapted to the project’s needs. Generally, it includes:
- Create a system model – identify key system elements that could be attack targets or used in an attack. These include data, communication buses, system components, and external elements.
- Decompose the system – break the system into individual components, uncover logic, data/control flow, and assess how each element affects the system. Use diagramming techniques to visualize data flow and critical elements.
- Identify threats – use one of the methodologies listed below to identify threats and possible attack paths. Describe all detected scenarios.
- Assess threats, calculate risk, and prioritize – evaluate the likelihood and impact of each threat using a risk assessment system. The ISA/IEC 62443 standard offers guidance, and the CVSS (Common Vulnerability Scoring System) is another popular method: it combines several metrics describing exploitability and impact into a numeric score.
- Prepare a mitigation plan – based on identified threats and risks, determine how to minimize or eliminate them. The plan should consider the current product and software state. Don’t limit countermeasures to software – many hardware solutions can effectively enhance security.
Threat modeling methodologies
Creating and decomposing a system model is relatively straightforward. The main challenge is identifying potential threats and weaknesses.
Several methodologies help with this step by providing structured guidance.
Key methods:
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) – developed by Microsoft, categorizes threats into six types. Widely used in embedded systems.
- DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) – also from Microsoft, evaluates threats based on five criteria and helps prioritize them.
- PASTA (Process for Attack Simulation and Threat Analysis) – a risk-focused methodology with seven stages, from defining business goals to threat modeling and risk assessment.
- TRIKE – focuses on risk assessment from the asset perspective. Unlike other methods that focus on threats or vulnerabilities, TRIKE emphasizes what is being protected.
- VAST (Visual, Agile, and Simple Threat) – designed to integrate with Agile development, offering a scalable approach for both developers and security professionals.
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) – developed by Carnegie Mellon University, this comprehensive risk assessment methodology focuses on organizational risk and security practices.
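The process steps above (identify threats, assess and prioritize, prepare a mitigation plan) and the STRIDE and DREAD entries in this list fit together naturally, and the following added example, which is not the article's code, carries them through end to end: STRIDE-per-element enumerates which threat categories apply to each element of a data-flow diagram, DREAD scores and ranks the threats the analyst has described, and the STRIDE category of each high-risk threat names the control family the mitigation plan should draw on. The field-controller model, element names and all DREAD scores are constructed for illustration.

```python
"""STRIDE-per-element threat enumeration, scored and ranked with DREAD.

Added example, not code from the article. The device model (a constructed
field controller) and the DREAD scores are illustrative values an analyst
would supply during the identify, assess and mitigate steps.
"""
from dataclasses import dataclass

# STRIDE categories that can apply to each data-flow-diagram element type
# (the STRIDE-per-element table used in Microsoft's threat-modeling practice).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Security property each STRIDE category violates, i.e. the control family
# a mitigation-plan entry for that threat should come from.
COUNTERMEASURE = {
    "S": "authentication (device identity, authenticated sessions)",
    "T": "integrity (signed firmware and config, MACs on messages)",
    "R": "non-repudiation (tamper-evident audit logging)",
    "I": "confidentiality (encrypted links and storage)",
    "D": "availability (rate limiting, watchdog, safe fallback)",
    "E": "authorization (least privilege, privilege separation)",
}

DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected", "discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the STRIDE_PER_ELEMENT keys


@dataclass
class Threat:
    element: str
    category: str  # one STRIDE letter
    dread: dict    # each DREAD criterion scored 1..10 by the analyst

    @property
    def risk(self) -> float:
        """Classic DREAD risk: arithmetic mean of the five criteria."""
        return sum(self.dread[k] for k in DREAD_KEYS) / len(DREAD_KEYS)


def enumerate_threats(elements):
    """Identify step: every (element, category) pair STRIDE-per-element says to consider."""
    return [(e.name, cat) for e in elements for cat in STRIDE_PER_ELEMENT[e.kind]]


def validate(threat, elements):
    """Reject scores outside 1..10 and categories that do not apply to the element type."""
    kinds = {e.name: e.kind for e in elements}
    if threat.element not in kinds:
        raise ValueError(f"unknown element {threat.element!r}")
    if threat.category not in STRIDE_PER_ELEMENT[kinds[threat.element]]:
        raise ValueError(f"{threat.category} does not apply to a {kinds[threat.element]}")
    for k in DREAD_KEYS:
        if not 1 <= threat.dread.get(k, 0) <= 10:
            raise ValueError(f"DREAD score {k!r} must be in 1..10")


def prioritize(threats, elements):
    """Assess step: validate, then order threats from highest to lowest DREAD risk."""
    for t in threats:
        validate(t, elements)
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def mitigation_plan(threats, elements, threshold=7.0):
    """Mitigate step: for every threat at or above the threshold, name the control family."""
    return [
        {"element": t.element, "category": t.category,
         "risk": round(t.risk, 1), "control": COUNTERMEASURE[t.category]}
        for t in prioritize(threats, elements) if t.risk >= threshold
    ]


# Constructed model of a field controller; names are illustrative only.
DEVICE = [
    Element("Operator workstation", "external_entity"),
    Element("Firmware update service", "process"),
    Element("Config store (SPI flash)", "data_store"),
    Element("Modbus/TCP link", "data_flow"),
]

# Constructed analyst scores for five of the enumerated threats.
SCORED = [
    Threat("Firmware update service", "T", dict(zip(DREAD_KEYS, (10, 9, 7, 10, 6)))),
    Threat("Modbus/TCP link", "I", dict(zip(DREAD_KEYS, (6, 10, 9, 6, 9)))),
    Threat("Firmware update service", "D", dict(zip(DREAD_KEYS, (5, 8, 6, 10, 7)))),
    Threat("Config store (SPI flash)", "T", dict(zip(DREAD_KEYS, (8, 7, 5, 10, 4)))),
    Threat("Operator workstation", "S", dict(zip(DREAD_KEYS, (7, 6, 5, 8, 5)))),
]

if __name__ == "__main__":
    print(f"{len(enumerate_threats(DEVICE))} candidate threats to review")
    for entry in mitigation_plan(SCORED, DEVICE):
        print(entry)
```

The validation step is deliberate: a threat recorded against the wrong element type (for example elevation of privilege on a data flow) usually means the model was decomposed incorrectly, and catching it here is cheaper than discovering it during mitigation.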
Each methodology offers unique advantages. It’s worth experimenting with different ones to achieve the best results.
Reports
In addition to methodologies, many organizations publish regular threat landscape reports. These can be valuable resources for identifying threats, understanding current trends, and identifying attacker focus areas.
A good example is ENISA (European Union Agency for Cybersecurity), which publishes detailed annual reports on threats, trends, and countermeasures.
What are we looking for?
A solid understanding of threat modeling makes it easier to decide what to focus on. As experience grows, the process becomes faster and more intuitive.
Initially, focus on areas with:
- Lack of protocol encryption.
- No authorization, login, or authentication.
- Unencrypted stored data.
- No additional authorization for accessing certain services.
- No data integrity checks during transmission or storage.
- Incorrect use of cryptography.
Standards
Beyond methodologies, international standards define structured processes that expand the scope of threat modeling. These standards aim to create repeatable, predictable processes with defined steps and rules.
Key standards include:
- ISO/SAE 21434 – popular in the automotive industry.
- ISA/IEC 62443 – used in general industry and IoT.
- TS 50701 – used in the railway sector.

Conclusion
Threat modeling is a process that requires continuous learning and improvement. With the advancement of technology and AI, new threats constantly emerge. To counter them effectively, we must enhance our skills and adapt our threat modeling processes based on new knowledge and experience.
A good analogy is the classic game of cat and mouse – attackers use technology to find new ways to breach systems, and we must use the same tools to defend against them.