MITRE Debuts ICS Threat Modeling for Embedded Systems

December 13, 2023 at 03:56PM

MITRE and collaborators release the EMB3D Threat Model, aiming to enhance security in embedded devices for critical infrastructure. The model offers vendors, asset owners, and researchers a common understanding of vulnerabilities and security mechanisms. EMB3D is a significant advancement in dealing with evolving threats and providing standardized security measures for embedded systems.

MITRE, in collaboration with researchers from three other organizations, has released a draft of a new threat-modeling framework called EMB3D for makers of embedded devices used in critical infrastructure environments. The goal of EMB3D is to provide device makers with a common understanding of vulnerabilities in their technologies and the security mechanisms for addressing those weaknesses.

EMB3D is intended to help vendors/OEMs build security into their devices during the design phase, rather than as an add-on by asset owners. It can also be used by asset owners and security researchers to assess and evaluate the security of a device by reviewing existing threats and included mitigations.

The framework is described as the embedded system equivalent of other widely used MITRE threat models and frameworks, such as ATT&CK and the Common Weakness Enumeration (CWE) catalog. EMB3D provides a single knowledge base of threats to embedded devices, properties of vulnerable devices, and key mitigations necessary to address the risks.

The maintainers of EMB3D will continuously add new threats and mitigations to the knowledge base, making it a public community resource to which security stakeholders can contribute additions and revisions. MITRE has also called upon interested vendors, asset owners, researchers, and academics to review this framework before its official public release in early 2024.

EMB3D is perceived as a game-changer for embedded device security, especially for small asset owners who may not have the resources to tackle threats on their own. It is expected to make cybersecurity easier to navigate and to give both smaller and larger companies a standardized, efficient way to handle cybersecurity risks.