What is a Threat Model?
A secure development framework emphasizes that security requirements be integrated into the development process from the beginning. From the initial concept, through product development and maintenance, and on to end-of-life, every stage of a product’s life cycle must incorporate device security.
Selecting secure hardware and software components at the beginning of development is crucial as mis-steps at this stage can lead to significant challenges and costs later. Development teams may be tempted to base decisions during these early phases on fixed requirement lists, which may lead to deviations from an optimal security level, either by overlooking necessary features or implementing unnecessary ones.
To establish security requirements effectively, it is essential to understand what threats the product, in its use environment, may encounter. Without a clear understanding of what we are protecting against, it is not possible to identify and implement countermeasures.
This is where Threat Modeling plays a crucial role. By identifying, evaluating, and prioritizing potential threats early in the development process, the Threat Model methodology helps to establish a strong basis for secure device development, as it identifies security vulnerabilities early on.
How to Create a Threat Model?
There are many Threat Modelling methods available. A common approach is the one described by OWASP (the Open Web Application Security Project). From OWASP: “The Threat Model works to identify, communicate, and understand threats and mitigations…A threat model is a structured representation of all the information that affects the security of an application…[that] can be applied to…software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes…A threat model typically includes:
Description of the subject to be modeled
Assumptions that can be checked or challenged in the future as the threat landscape changes
Potential threats to the system
Actions that can be taken to mitigate each threat
A way of validating the model and threats, and verifying the success of actions taken
[The]...typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation of an application.”
The process of Threat Modeling begins with a description of the medical device system. Start with a Data Flow Diagram (DFD) to map out how data moves through the system, then identify entry points to understand where an attacker may interact with the system, identify system assets, develop trust levels, and write abuser stories or misuse cases.
To identify threats, a variety of tools and methodologies are available, such as Microsoft STRIDE and MITRE ATT&CK. The well-known STRIDE rubric stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of Privilege. STRIDE helps threat modelers think through the different types of threats in a structured manner. For instance, given the Spoofing category, and knowing the medical device system and its assumptions, what are the likely ways a Spoofing threat could manifest itself? Security control measures are a natural outcome of this effort. The message here is: do not just jump in and work haphazardly. Threat Models help identify threats from the attacker as well as targets of value. The value of the Threat Model is in its detail. Take time to identify the entry and exit points of the device system, and use a known method, such as OWASP, to guide your effort.
Again, you do not have to use nor like the OWASP or STRIDE tools, the point is to use some known method. A known rubric will help you identify threats in a structured manner.
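As an added illustration (not code from this article or from Security Pattern), the following Python sketch applies the STRIDE rubric described above to a small data-flow diagram of a pump on a hospital network, treating every flow that crosses a trust boundary as an entry point. The element names, trust levels, control names and mitigations are constructed assumptions for the example.

```python
from dataclasses import dataclass

# STRIDE categories (from the article) paired with the control whose absence
# lets the threat manifest and a countermeasure; these pairings are assumptions
# of this example, not the page's.
STRIDE_CHECKS = {
    "Spoofing": ("authenticated", "mutually authenticate endpoints"),
    "Tampering": ("integrity_protected", "sign or MAC messages and verify on receipt"),
    "Repudiation": ("logged", "keep tamper-evident audit logs of the exchange"),
    "Information disclosure": ("encrypted", "encrypt the channel or the payload"),
    "Denial of service": ("rate_limited", "bound resource use; fail safe if the link drops"),
    "Elevation of privilege": ("least_privilege", "validate input; run the handler with minimal rights"),
}

@dataclass(frozen=True)
class Element:
    name: str
    trust_level: int  # assumed scale: 0 = untrusted, higher = more trusted

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    controls: frozenset  # names from STRIDE_CHECKS already in place on this flow

def stride_threats(flow):
    """Apply the STRIDE rubric to one data flow. A flow between elements of
    different trust levels crosses a trust boundary and is therefore an entry
    point; for it, each STRIDE category whose control is missing is a threat."""
    if flow.src.trust_level == flow.dst.trust_level:
        return []
    return [{"flow": f"{flow.src.name} -> {flow.dst.name} ({flow.data})",
             "threat": category, "mitigation": mitigation}
            for category, (control, mitigation) in STRIDE_CHECKS.items()
            if control not in flow.controls]

def threat_model(flows):
    return [t for flow in flows for t in stride_threats(flow)]

# Constructed example: an infusion pump whose hospital network must, per the
# article's environment assumption, be treated as adversary-controlled.
NET = Element("hospital network", 0)
PUMP = Element("pump controller", 2)
SCREEN = Element("pump touchscreen", 2)
EXAMPLE_FLOWS = [
    Flow(NET, PUMP, "dose order", frozenset({"encrypted", "logged"})),
    Flow(PUMP, NET, "telemetry", frozenset(c for c, _ in STRIDE_CHECKS.values())),
    Flow(SCREEN, PUMP, "local setting", frozenset()),  # same trust level: no boundary
]
```

Running `threat_model(EXAMPLE_FLOWS)` lists four open threats on the inbound dose-order flow and none on the fully controlled telemetry flow or the on-device flow, which is the kind of prioritized improvement list the OWASP description mentions.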
What does FDA require?
From FDA guidance (2023): “Threat modeling includes a process for identifying security objectives, risks, and vulnerabilities across the medical device system, and then defining countermeasures to prevent, mitigate, monitor, or respond to the effects of threats to the medical device system throughout its lifecycle.”
Threat Models allow development teams to be thorough in understanding device system threats, but the Threat Model is also a crucial input to the Cybersecurity Risk Analysis (CRA). Manufacturers are given the flexibility to choose from a variety of threat modeling methodologies, but a rationale for the selection must be provided.
Threat modeling considerations include:
Systems approach: Develop the Threat Model from a systems point of view, including the use environment, to inform the risk identified within the Cybersecurity Risk Analysis.
Environment assumptions: Pay attention to the medical device system’s operating environment. For instance, if the device operates in the context of a hospital network, it should be assumed that the network may be insecure, as an adversary could control and manipulate data transmissions. Based on this assumption, the device system should incorporate protection against such threats.
Supply chain: The threat model should account for cybersecurity risks introduced through various stages such as supply chain, manufacturing, deployment, maintenance, and even decommissioning of the device.
Once the Threat Models have been completed, and reviewed with the appropriate experts, the information generated is supplied to the Cybersecurity Risk Analysis (CRA). The CRA is an additional process of leveraging the threats identified within the Threat Model, estimating Severity and Exploitability levels, as well as developing and implementing cybersecurity Risk Control Measures (RCM). In our next blog post, we get into the details of a robust CRA.
How Security Pattern can help
We offer various consultancy services and training modules to support your organization with cybersecurity challenges. For the topic covered in this article, we highly recommend:
The Threat modeling training
The Threat Modeling and Risk Assessment consultancy service
About the Author
Dr. John Salvato, President, Design Quality Services LLC
Design Quality Services (DQS) was established to support large and small innovators' product development endeavours, resolve quality system challenges, and provide technical training. The pathway to commercialization is complex, regulatory expectations can be ambiguous, and quality management systems (QMS) may become unstable. DQS brings a pragmatic approach to enable these pathways, fostering business growth and market success. We are here to help you solve your toughest challenges. John has an impressive 30-year career spanning quality assurance, manufacturing, and product development in the medical device and automotive industries. As the president of DQS, he brings exceptional engineering abilities and unparalleled global management experience. His leadership has led to successful development projects globally. John leverages his many years of professional experience with his academic work.