Threat Modeling of Cyber-Physical Systems in Practice

TL;DR

This paper investigates how security experts perform threat modeling on cyber-physical systems, highlighting challenges and calling for improved methods for continuous and quality-assured threat analysis.

Contribution

It provides empirical insights into current threat modeling practices for CPSs and identifies key challenges faced by practitioners, emphasizing the need for new research in this area.

Findings

Practitioners use a combination of threat modeling methods and standards.

Challenges include knowledge transfer, model updates, and quality assurance.

Reliance on peer evaluation and checklists for model quality.

Abstract

Traditional Cyber-physical Systems(CPSs) were not built with cybersecurity in mind. They operated on separate Operational Technology (OT) networks. As these systems now become more integrated with Information Technology (IT) networks based on IP, they expose vulnerabilities that can be exploited by the attackers through these IT networks. The attackers can control such systems and cause behavior that jeopardizes the performance and safety measures that were originally designed into the system. In this paper, we explore the approaches to identify threats to CPSs and ensure the quality of the created threat models. The study involves interviews with eleven security experts working in security consultation companies, software engineering companies, an Original Equipment Manufacturer (OEM),and ground and areal vehicles integrators. We found through these interviews that the practitioners use a combination of various threat modeling methods, approaches, and standards together when they perform threat modeling of given CPSs. key challenges practitioners face are: they cannot transfer the threat modeling knowledge that they acquire in a cyber-physical domain to other domains, threat models of modified systems are often not updated, and the reliance on mostly peer-evaluation and quality checklists to ensure the quality of threat models. The study warns about the difficulty to develop secure CPSs and calls for research on developing practical threat modeling methods for CPSs, techniques for continuous threat modeling, and techniques to ensure the quality of threat models.