Threat modeling for software systems: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=524448
White paper on evaluating threat-modeling methods for CPS: https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_526372.pdf
CPSoS are connected through one or more cyber networks and run by one or more human operators. The components of those systems are often distributed and are sometimes partially autonomous, with multi-level control and management. Since CPSoSs are safety and/or life critical, threat modeling for these kinds of systems should address the full spectrum of threats: kinetic, physical, cyber-physical, cyber-only, supply chain, and insider threats.
In this post, I describe criteria for evaluation and make recommendations about adopting a TMM. The criteria are: strengths and weaknesses, adoptability, tailorability, application to cyber-physical systems, and automation.
One of the main characteristics of CPS is complexity. Applying the TMMs recursively is critical. This approach helps account for the relationships between subsystems, address hardware-software dependencies, and address safety-security interdependencies.
Studies of railway communication networks, drone systems, and the automotive industry for connected cars indicate that combinations of two or more TMMs seem to perform better. Combining methods and adding domain-specific techniques allows for deeper analysis of the system, and thus, better threat discovery.
CPS require focused attention not only on the application or system-software-related threats, but also on hardware and physical threats. Malware installed on a hardware component or physical tampering with a component can cause cyber or cyber-physical impact and put a system into an undesirable state.
Use PASTA as Basis of Framework
Evaluation of existing TMMs showed that no one method can cover all pieces. Therefore, a framework that employs a combination of methods and techniques should be used. Our recommendation is to apply the PASTA modeling method as the basis of this framework.
PASTA provides the most detailed guidance for the process of threat modeling, including resources that can be easily adapted to different kinds of systems. It can be incorporated into the existing SDLC and allows for easy addition or removal of activities from stages as needed. PASTA also mitigates the threat-explosion weakness of STRIDE and LINDDUN by utilizing risk and impact analysis. This flexibility makes this combination a foundation for a comprehensive framework.
Some modifications to this combination of methods are needed to accommodate the scope of the problem. To start, PASTA should be applied to the whole system using the high-level architecture and treating subsystems as black boxes. This initial round does not require the user to go through every activity, but it should define all inputs and outputs of each subsystem.
PASTA should then be applied recursively to each subsystem and, in turn, to each subsystem of those subsystems. All discoveries from a higher level should be passed to the next level as an input. Expect to encounter quite a few levels of subsystems, depending on the complexity of the system.
In addition to the base PASTA stages, we provide in our white paper a list of activities that should be added to address the full spectrum of threats. In addition to PASTA, we recommend using components of STRIDE and LINDDUN. We also recommend using other tactics that address threat aspects not covered by these three models, such as
identify system-critical dependencies from the supply chain, including dependencies from trusted third-party systems
identify physical boundaries (direct and indirect access) to the system's components
apply internal threat-identification methods
generate attack ports
Recommendations for Adopting Threat-Modeling Methods
The following recommendations will help with the process of adopting a TMM:
Threat modeling works best if applied in early stages of the project, i.e., the requirements and design phase.
Threat modeling is an ongoing process. It is hard to perfect it on the first run, and you cannot refine it indefinitely. You need milestones along the way. It does not stop after your system is delivered. Some steps must be repeated when the system changes.
In threat modeling, it is dangerous to concentrate exclusively on threats. Modeling users and attackers, and controlling impact on requirements and mitigations, are just as important.
Threat modeling is not an innate skill. It is learnable and improves with practice. With each iteration, it becomes better and deeper.
We believe that combining components of PASTA, STRIDE, and LINDDUN with tactics that address additional aspects of CPSoS will provide better coverage of threats than any one model by itself. Adoption of the proposed framework will be a laborious and time-consuming process, but will allow for the creation of a flexible and comprehensive structure for modeling a wide range of threats.
Powered by ScienceNet.cn
Copyright © 2007- China Science Daily