Structured system threat modeling and mitigation analysis for industrial automation systems

Abstract

Industrial control systems are an important part of critical infrastructures and their uninterrupted operation is important for many aspects of society. In recent years these systems have come under more scrutiny, as reports about attacks on them have become more frequent. There is therefore a need to better secure them, and the first step to achieve this is to identify the threat landscape for such systems. This is typically done by creating a threat model of a system, enumerating the potential threats, and then devising mitigation options based on the discovered threats. However, many of the available threat modeling methods and tools target very specific systems (e.g., software components), and do not lend themselves well to evaluating diverse systems or abstract reference architectures of systems. In this paper we present a methodology for system threat modeling that addresses this gap, by enabling the modeling of a diverse range of systems and reference architectures of systems. Furthermore, the methodology provides additional functionality, such as guiding the user in the completion of a threat model and automatically detecting unmitigated threats in a system. In addition, our methodology also takes mitigation into account by modeling the security components in a system. We have implemented the methodology in a web-based tool, and also evaluated the tool on a reference architecture of a complex automation system, validating both the approach and the tool.