IoT Threat Modeling for Greater Security

The Internet of Things – or IoT – is growing at an explosive rate. A recent international study sponsored by the US Chamber of Commerce indicates that in just two years as many as 85% of organizations will utilize IoT to add value to their operations.[1] Consumer adoption of connected devices is currently growing by about a million new devices per hour. It is estimated that by the end of this year there will be 8.3 billion active consumer devices. By 2020, analysts predict the number of IoT devices globally to be between 20.4 and 60 billion.[2] The pervasiveness of IoT technology is difficult to comprehend. The connected sensors, tags, devices, communication networks, and data are everywhere, adding value to organizations and convenience for consumers. However, without proper IoT threat modeling, the rapid growth of the IoT leads to out-of-control expansion of organizational attack surfaces.

Consider Virgin Atlantic’s new fleet of Boeing 787 aircraft. Every single component of the aircraft is IoT enabled. According to David Bulman, Virgin Atlantic’s CIO, the value gained by the nearly 1/3 terabyte of data generated by each IoT aircraft during each flight is exceptionally high.[3] For example, points out Bulman, an engine with suboptimal in-flight operations is sending a constant stream of data to the ground staff. When the aircraft lands, engineers will be standing by, ready to fix whatever is wrong.

However, that level of connectivity in even a single aircraft – engines to flaps to landing gear to anything else that is connected to the 787 – represents a huge attack surface. Unless the entire IoT ecosystem is properly secured through proper IoT threat modeling, the expanded attack surface is a “playground” of opportunities for anyone wishing to compromise the safety and security of the flight.

Because the IoT is an ecosystem, not just the embedded devices proper, IoT threat modeling is necessary to secure both the data and the physically controlled systems. Consider an architectural diagram of an IoT-enabled aircraft ecosystem in which the aircraft has just four connected devices:

[Figure: architectural diagram of the IoT-enabled aircraft ecosystem]

The threat model generated from this diagram, excluding the threats caused by the aircraft, includes 57 potential threats. The aircraft without IoT devices adds only three more threats. However, the four IoT systems added to the aircraft – which could be for engines, flaps, landing gear, and the galley stove – add an incredible 218 threats to the attack surface. Without IoT threat modeling, the attack surface of a single IoT-immersed Boeing 787 undoubtedly rivals that of any Fortune 500 enterprise’s entire IT system.

Without IoT Threat Modeling, Security is Short-Sighted

A large organization may have anywhere between 50k and 500k IT endpoints that need to be secured. When adding the IoT devices connecting to the organization’s cyber system, that number can quickly jump to tens of millions. It is well known that IoT devices are generally lagging in security, either because of lax manufacturing standards or because the devices do not have the computational horsepower and storage space to be secured. Moreover, even if one device is properly secured, unsecured devices and devices that cannot be secured still exist in the organization’s ecosystem, and all these devices can communicate with each other through various communication protocols, some of which entirely bypass the scope and reach of IT security teams. Architecturally-based IoT threat modeling can reveal these IT security bypasses.

Without specific IoT threat modeling, the ubiquity and pervasiveness of the organization’s IoT ecosystem means organizations can easily lose control of their attack surface. Organizations can, for example, dictate and enforce policy that no personal smart devices are brought into the work environment. However, all that care and monitoring can be thrown out the window if one employee logs into the IT system while working from their (smart) home. Furthermore, while it is theoretically possible to prevent employees from bringing smart devices into the work environment, it would be impossible to prevent everyone with an IoT medical device such as a hearing aid or pacemaker from entering the building. Securing the IoT ecosystem simply cannot be done by policy mandates.

IoT Regulations and Standards also Fall Short

Some – including the US Chamber of Commerce[4] – are working to implement an international security standard for the IoT.[5] Standards and regulations are necessary and inevitable – however, their implementation is glacial compared to the speed at which the threat landscape evolves.

The newly formed “Trusted IoT Alliance” is proposing an interesting implementation of blockchain technology to secure the IoT.[6] Their goal is to create a “trusted IoT ecosystem with improved security and trust protocols.” However, blockchain is not a preventative security technology – it is a decentralized, distributed ledger. The Alliance’s proposal is to use blockchain, not as a means of shrinking the attack surface, but merely to create a tamper-resistant event log. While this proposal does mitigate the risk of system logs being modified by attackers,[7] it can do nothing to prevent attacks or stop attacks in progress. A tamper-resistant security log is ideal for forensic purposes, but it has the same weaknesses as all security logs: a system event needs to trigger the logging process, and security must then sort out the significant events from false-positive “noise.” Security logs are of little help to the 143 million US adults whose critical information was recently loosed from the Equifax vaults, nor will they comfort the crew and passengers of an IoT-immersed aircraft compromised by cyber-terrorists.
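The limits of a tamper-resistant log described above can be seen in a small hash-chained log, given here as an added example that is not from the original article or from the Trusted IoT Alliance. It is a single-party hash chain rather than a distributed blockchain, and the device name and events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry


def entry_hash(prev_hash, event):
    """Hash the event together with the previous entry's hash."""
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(log, event):
    """Append an event; each entry commits to everything before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})


def first_tampered(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    """Constructed sample events for a hypothetical embedded device."""
    log = []
    append(log, {"device": "iot-system-1", "action": "config_read", "user": "maint"})
    append(log, {"device": "iot-system-1", "action": "config_write", "user": "unknown"})
    append(log, {"device": "iot-system-1", "action": "reboot", "user": "maint"})
    return log


def demo():
    log = build_sample_log()
    intact = first_tampered(log)       # chain verifies before any edit
    # Someone rewrites the suspicious entry after the fact.
    log[1]["event"]["user"] = "maint"
    edited = first_tampered(log)       # verification now fails at that entry
    # The config_write itself still happened; the log only recorded it.
    # An action that never raised an event leaves no entry to verify at all.
    return intact, edited


if __name__ == "__main__":
    print(demo())
```

A single-party chain like this one can be rebuilt end to end by anyone able to recompute every later hash; replicating the chain across independent parties, which is the role the distributed ledger plays, is what closes that gap.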

Need an Architectural Threat Modeling Tool for IoT Threats

A recent McKinsey survey of enterprise security experts indicated that securing IoT is a top priority for 75% of organizations. Interestingly, though, only 16% of organizations are ready to implement IoT security.[8] The reason for the significant gap is simple – decision makers do not understand their IoT threats nor what to do about them.

Architecturally-based IoT threat modeling provides the answers these decision makers need. By examining the IoT aircraft system threat model diagram, for example, the numerically greatest source of cyber threats to the aircraft – excluding consideration of the IoT systems for the moment – is the Airfone VOIP / SatComm Internet system. In this subsystem, the threat model identified 24 of the 60 total non-IoT threats. Examination of these threats, though, indicates that they primarily target the endpoint users – those individuals using their cell phones or laptops during a flight. For the safety of the aircraft, then, such threats are a low priority.

ThreatModeler’s architecturally-based IoT threat modeling can identify specific threats throughout the IoT ecosystem and how such threats impact the larger system. Considering the IoT aircraft system threat model again, the threats causing the most significant risk to the physical aircraft come from the embedded IoT systems. These systems are used to directly monitor and control critical aspects of the physical aircraft system. The specific threats identified from architecturally-based IoT threat modeling include:

  • Action Spoofing;
  • Alteration of installed BIOS;
  • Device Hijack;
  • Denial of Service;
  • Faking the Data Source;
  • Insecure WiFi Channel;
  • Manipulating Writable Configuration Files;
  • Targeted Malware; and
  • WiFi Jamming.



Engineering-Based Threat Modeling is Insufficient to the Task

Engineering-based threat modeling driven by data flow diagrams (DFD) – as exemplified by Microsoft’s Threat Modeling Tool (TMT) – is inadequate to help decision makers understand and mitigate IoT-related threats.

[Figure: IoT threat modeling DFD created with Microsoft’s TMT]

The above IoT threat modeling DFD was created per Microsoft’s example[9] with TMT using their newest Azure and IoT template. It identified 46 potential categorical threats, most of which revolve around the compromise of sensitive data. Information of such a generalized nature is virtually useless for helping organizations secure their IoT ecosystem – unless, of course, the organization is convinced that terrorists are interested in how many operational hours have transpired since the engine’s last scheduled maintenance.

If the airline’s decision makers depended on the outputs of Microsoft’s TMT threat model, they might conclude that the embedded devices on their 787 fleet do not come with serious threats to the safety of their crew and passengers. However, even the recent demonstrations of attackers’ ability to remotely compromise an IoT-immersed automobile[10] should serve as a clear indication that attackers could compromise their aircraft.

Engineering-based IoT threat modeling, whether built upon DFDs or checklists, cannot provide the specific analytical insights that can be gained from architecturally based IoT threat modeling for one simple reason: Threat modeling a cyber-physical ecosystem is beyond their scope. DFDs and checklists are designed only to identify potential categorical threats or “obvious” threats associated with single applications operating in isolation. Such a limited scope, though, is a far cry from the reality of an IoT ecosystem.


IoT Threat Modeling with ThreatModeler Provides Understanding

However, by considering just one of the IoT systems included in the IoT aircraft threat model, the powerful outputs of ThreatModeler’s IoT threat modeling can be seen. The architectural process flow diagram for IoT System 1, shown below and included as an architectural component in the “big picture” threat model, identified 75 potential threats.

[Figure: architectural process flow diagram for IoT System 1]

Understanding that the above diagram is not a DFD, but an architecturally-based process flow diagram, where do you see specific threats directly to the aircraft that could impact the lives and safety of those aboard? Watch the video to see where specific threats to the physical aircraft system were identified.



[1] Brown, Megan L, “The IoT Revolution and our Digital Security: Principles for IoT Security.” Wiley Rein, LLP. U.S. Chamber of Commerce: Washington D.C. 2017.

[2] Baker, Sarah. “Cybersecurity and the Internet of Things.” Applied Cybersecurity Strategy for Managers. Essec Business School: Cergy, France. July 1, 2016.

[3] Simmons, Clare. “How the Internet of Things is Transforming Business.” Global Intelligence for the CIO. Fujitsu: Minato, Tokyo, Japan. January 2015.

[4] Goovaerts, Diana. “US Chamber of Commerce calls for international IoT security standards.” Mobile World Live. GSM Association: London. September 19, 2017.

[5] “Why is an IoT Security Standard Needed.” IoT.Business.News: Le Cannet, France. September 19, 2017.

[6] Osborne, Charlie. “New alliance advocates the blockchain to improve IoT security, trust.” ZDNet. CBS Interactive: San Francisco. September 19, 2017.

[7] Cohen, Roi. “CyberArk Labs: Can Incident Response and Audit Teams Always Trust Windows Security Event Logs?” Cyber Ark. CyberArk Software Ltd: Newton. May 19, 2016.

[8] Bauer, Harald, et al. “Six ways CEOs can Promote Cybersecurity in the IoT Age.” McKinsey & Company Internet of Things. McKinsey & Company: New York. August 2017.

[9] Diogenes, Yuri & Dominic Betts. “Internet of Things security architecture.” Microsoft Azure. Microsoft: Redmond. July 3, 2017.

[10] Greenberg, Andy. “The FBI Warns That Car Hacking Is a Real Risk.” Wired. Condé Nast: New York. March 17, 2016.