Threat modeling
Threats cannot be eliminated. They exist regardless of the security measures employed to mitigate the risk of an attack, so in real-world deployments security measures are about managing risk while acknowledging that the threats remain. However, a threat that has not been identified for a specific use case cannot be mitigated (OWA-TRM).
Threat modeling is a systematic technique for managing and communicating risk. Starting from a solid understanding of the architecture and implementation of a system, we identify the threats to it and rate each one by its likelihood and the damage it could cause. This lets us mitigate risks in priority order, which is both cost-effective and efficient (MST-TRM).
Microsoft developed a threat modeling approach for applications that can also be applied to IIoT systems. This section therefore treats IIoT threat modeling according to Microsoft's approach, which involves the steps shown in Figure 2.4:
The steps are explained as follows:
- Identify assets: Identify a list of assets that must be protected.
- Create an architecture overview: Document the overall IIoT system architecture, which includes subsystems, platforms, applications, trust boundaries, control and data flows, and so on.
- Decompose the architecture: Decompose the architecture into system components (applications, IoT endpoints) and infrastructure components (communication protocols, data centers, network protocols). Use this decomposition to create a security profile for the specific IIoT use case, with the goal of uncovering vulnerabilities in the design, implementation, or deployment configuration.
- Identify the threats: Based on the attack surfaces and attack vectors, and by using attack trees and FTA (discussed earlier in the chapter), identify the threats. Two commonly used techniques, both developed by Microsoft, are STRIDE and DREAD (discussed in upcoming sections): STRIDE is used at this stage to enumerate threats by category, while DREAD is a scoring scheme used in the rating step below.
- Document the threats: Document each threat, using a common threat template that defines a core set of attributes to capture for each threat.
- Rate the threats: Rate each threat and prioritize the threats by risk. The rating weighs the probability of the threat occurring against the damage that could result from a successful attack. This allows us to direct investments and resources where they reduce the most risk.
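As an added example that is not from the book, the following Python script walks through the steps above on a constructed IIoT scenario: a PLC and HMI in an OT zone, an edge gateway in a DMZ, and a cloud MQTT broker. The element names, trust zones, protocols and DREAD scores are all illustrative assumptions. Threats are enumerated per data flow with the STRIDE-per-element convention (tampering, information disclosure and denial of service apply to flows; a full model would also enumerate processes, stores and external entities), documented in a common template, then rated with DREAD and ranked.

```python
"""Added example: STRIDE identification plus DREAD rating on a constructed
IIoT data-flow model. All names, zones, protocols and scores are assumptions."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE-per-element: categories applicable to each element type.
APPLICABLE = {"process": "STRIDE", "external": "SR",
              "datastore": "TRID", "dataflow": "TID"}
DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Element:               # steps 1-3: assets, architecture, decomposition
    name: str
    kind: str                # process | external | datastore
    zone: str                # trust zone; a flow between zones crosses a boundary
    assets: list             # assets held by this element


@dataclass
class Flow:
    src: Element
    dst: Element
    protocol: str
    assets: list             # assets carried over this flow


@dataclass
class Threat:                # step 5: common threat template
    tid: str
    category: str
    target: str
    assets: list
    crosses_boundary: bool
    dread: dict = field(default_factory=dict)

    def score(self):
        """DREAD score: mean of the five components, each rated 1..10."""
        return sum(self.dread.values()) / len(DREAD_KEYS)


def build_example():
    """Constructed architecture overview (assumption, not real deployment data)."""
    plc = Element("plc", "process", "OT", ["setpoints"])
    hmi = Element("hmi", "process", "OT", ["operator session"])
    gw = Element("gateway", "process", "DMZ", ["device credentials"])
    broker = Element("broker", "process", "cloud", ["telemetry history"])
    return [
        Flow(hmi, plc, "Modbus/TCP", ["setpoints"]),
        Flow(plc, gw, "Modbus/TCP", ["setpoints", "telemetry"]),
        Flow(gw, broker, "MQTT over TLS", ["telemetry", "device credentials"]),
    ]


def identify_threats(flows):
    """Step 4: one threat per applicable STRIDE category per data flow."""
    threats = []
    for f in flows:
        target = f"{f.src.name}->{f.dst.name} ({f.protocol})"
        for c in APPLICABLE["dataflow"]:
            threats.append(Threat(f"T{len(threats) + 1:02d}", STRIDE[c], target,
                                  f.assets, f.src.zone != f.dst.zone))
    return threats


# Constructed DREAD ratings (damage, reproducibility, exploitability,
# affected users, discoverability). Modbus/TCP carries no authentication or
# encryption, so tampering on it rates high; the TLS leg rates lower on
# reproducibility and exploitability.
RATINGS = {
    ("Tampering", "hmi->plc (Modbus/TCP)"): (9, 7, 6, 5, 5),
    ("Information disclosure", "hmi->plc (Modbus/TCP)"): (4, 7, 6, 3, 5),
    ("Denial of service", "hmi->plc (Modbus/TCP)"): (7, 6, 6, 5, 4),
    ("Tampering", "plc->gateway (Modbus/TCP)"): (9, 9, 8, 8, 7),
    ("Information disclosure", "plc->gateway (Modbus/TCP)"): (5, 9, 8, 6, 7),
    ("Denial of service", "plc->gateway (Modbus/TCP)"): (8, 8, 8, 8, 6),
    ("Tampering", "gateway->broker (MQTT over TLS)"): (7, 3, 3, 8, 4),
    ("Information disclosure", "gateway->broker (MQTT over TLS)"): (6, 3, 3, 8, 4),
    ("Denial of service", "gateway->broker (MQTT over TLS)"): (6, 5, 5, 9, 6),
}


def rate_and_rank(threats, ratings):
    """Step 6: attach DREAD scores and sort highest risk first.
    Every documented threat must be rated; an unrated one is an error,
    because silently skipping it would hide risk from the ranking."""
    for t in threats:
        key = (t.category, t.target)
        if key not in ratings:
            raise KeyError(f"{t.tid} {key} has no DREAD rating")
        t.dread = dict(zip(DREAD_KEYS, ratings[key]))
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def run():
    return rate_and_rank(identify_threats(build_example()), RATINGS)


if __name__ == "__main__":
    for t in run():
        where = "boundary" if t.crosses_boundary else "internal"
        print(f"{t.tid} {t.score():.1f} {t.category:<22} {t.target:<34} "
              f"{where:<8} assets={t.assets}")
```

Running the script prints the nine threats ranked by DREAD score, with tampering on the unauthenticated Modbus/TCP link between the PLC and the gateway at the top. The boundary flag is carried into the template so that threats on flows crossing a trust zone can be reviewed first even before scores are assigned; the `KeyError` on an unrated threat is the check that the documentation and rating steps stayed in sync.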
Rating and ranking of threats can be done using several factors. Figure 2.5 shows a risk-centric approach that can be applied at a high level for IIoT deployment use cases: