Abstract
Within complex IoT ecosystems and network structures, hard to find vulnerabilities have potential to cause significant disruption and damage. In addition, device tampering and re-purposing can threaten business models of service providers. The vulnerability surface area of the ecosystem ranges across the entire system architecture, from the cloud to the IoT device. These can be introduced at any stage of the device life-cycle, including design, programming, manufacturing, integration, operation and maintenance of the device. While threat modelling during the design phase can alleviate some potential vulnerabilities, it is more difficult or even impossible to mitigate problems for devices already in the market. A policy-based device security model is proposed as an approach, that can be enforced using hardware and software security architectures.
This paper reflects on existing literature on threat modelling and how derived security models can influence the design phase. This contribution proposes that by using the threat modelling to define specific use case security policies within the security model, OEMs will be able to tailor their solution to conform to the user’s security requirements. Platform vendors, on the other hand, will have reduced design costs as they can offer generic solutions for differing levels of criticality.
An example scenario is provided using an industrial PLC as the attack target. While threat modelling can establish countermeasures for both the design process and policy defining, the policy can be introduced quickly, whereas the design method approach requires extensive modification to the system firmware.
This paper reflects on existing literature on threat modelling and how derived security models can influence the design phase. This contribution proposes that by using the threat modelling to define specific use case security policies within the security model, OEMs will be able to tailor their solution to conform to the user’s security requirements. Platform vendors, on the other hand, will have reduced design costs as they can offer generic solutions for differing levels of criticality.
An example scenario is provided using an industrial PLC as the attack target. While threat modelling can establish countermeasures for both the design process and policy defining, the policy can be introduced quickly, whereas the design method approach requires extensive modification to the system firmware.
| Original language | English |
|---|---|
| Title of host publication | IEEE International Conference on Secure and Dependable Systems: Proceedings |
| Place of Publication | Kaohsiung, Taiwan |
| Publisher | IEEE |
| Number of pages | 8 |
| ISBN (Electronic) | 9781538657904 |
| ISBN (Print) | 9781538657904 |
| DOIs | |
| Publication status | Published - 24 Jan 2019 |
| Event | IEEE International Conference on Dependable and Secure Systems - Kaohsiung, Taiwan, Province of China Duration: 10 Dec 2018 → 13 Dec 2018 https://dsc2018.nsysu.edu.tw/ |
Conference
| Conference | IEEE International Conference on Dependable and Secure Systems |
|---|---|
| Abbreviated title | DSC |
| Country | Taiwan, Province of China |
| City | Kaohsiung |
| Period | 10/12/2018 → 13/12/2018 |
| Internet address |
Keywords
- access control
- attack trees
- SDLC
- Secure by design
- Security Modelling
- Security policy
- SELinux
- STRIDE
- Threat Modelling
- Trusted Computing
ASJC Scopus subject areas
- Electrical and Electronic Engineering
- Information Systems
- Safety, Risk, Reliability and Quality