Charles Marrow | Head of Center of Excellence - Embedded Device Security
November 26, 2024

Elevating Embedded Device Security: The EMB3D™ Threat Modeling Framework

As embedded devices increasingly form the backbone of critical infrastructure—from industrial control systems to medical devices—their security is more crucial than ever. Yet, despite this importance, many embedded systems lack comprehensive protection against basic and sophisticated cyber threats. This is where the EMB3D™ threat modeling framework comes in, offering a structured approach to identify, evaluate, and mitigate embedded device vulnerabilities.

Why Threat Modeling for Embedded Devices is Essential

Embedded devices, while powerful, are also uniquely vulnerable due to their distinct hardware and software configurations, as well as their often limited ability to undergo frequent updates. These devices are deployed in diverse environments such as manufacturing, energy, healthcare, and transportation, each with its own specific risks. As cyber threats evolve, embedded systems must be designed with robust security measures from the outset.

According to the MITRE Corporation's research on embedded systems, organizations often struggle to understand the threats these devices face and how to mitigate them effectively. EMB3D™ addresses this gap by creating a framework that helps identify known vulnerabilities, map them to specific device properties, and implement corresponding mitigations.

What is EMB3D™?

EMB3D™ is a threat model designed specifically for embedded devices, mapping known cyber threats to device features and proposing mitigations that can protect these systems from exploitation. By focusing on the characteristics that make embedded devices unique—such as hardware interfaces, system software, and networking protocols—EMB3D™ enables a more targeted approach to security.

Key features of EMB3D™ include:

  1. Device Properties Enumeration: Identifies key hardware, firmware and software components that could expose a device to specific vulnerabilities.
  2. Threat Mapping: Maps threats to the device properties, making it easier to see where the device may be vulnerable.
  3. Mitigation Strategies: Provides a range of solutions to secure the device, categorized into foundational, intermediate, and leading tiers based on difficulty and effectiveness.

EMB3D™ x IriusRisk Threat Modeling Workflow

The EMB3D™ framework helps security teams follow a structured process for securing embedded devices. This workflow includes three main steps:

  1. Enumerating Device Properties: The first step involves identifying the key properties of a device, such as its hardware architecture, system software, and networking capabilities. These properties are then mapped to known threats. IriusRisk provides these properties as components, which are used to create an architectural representation of the embedded system/device. IriusRisk automatically generates the threat modeling output for each device property and presents it in readable form.
  2. Evaluating Threats: Once the device's vulnerabilities are mapped, the next step is to assess the potential risks associated with these threats. This step also involves prioritizing threats based on their severity and likelihood. IriusRisk displays the identified threats for review and also provides an inherent risk score based on predetermined CIA and ease of exploitation values.
  3. Implementing Mitigations: Finally, teams must apply mitigations to address the identified threats. EMB3D™ offers tiered recommendations, ranging from basic protections that are easy to implement to advanced strategies that require significant hardware or software changes. A comprehensive mapping of EMB3D™ controls to ISA/IEC 62443-4-2 (Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components) has been provided to enable organizations using 62443-4-2 to identify which EMB3D™ mitigations are necessary to fulfill the intent of the controls. IriusRisk provides a platform to manage the controls for the identified device threats.

    Table 1: Mitigation Tiers and Associated Categorization Criteria

    Demonstrated feasibility
      • Foundational: The mitigation is already in use on comparable embedded devices
      • Intermediate: Has been demonstrated on devices within other sectors (e.g., mobile), but may not be prevalent within comparable embedded devices
      • Leading: Viable proof of concept exists in any domain but may not be publicly available

    Open design
      • Foundational: Public documentation, practices, or reference architectures exist on how it can be implemented on comparable devices
      • Intermediate: Insufficient well-documented artifacts discussing implementation on embedded systems
      • Leading: Research demonstrating the concept of a design

    Technology dependencies/complexity
      • Foundational: Should not require additional hardware or dependencies on integration of proprietary/commercial technology
      • Intermediate: May require additional or more capable hardware, increased software complexity, and the integration of publicly available and/or proprietary technologies
      • Leading: No dependency restrictions
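
The three workflow steps and the mitigation tiers above, worked through as an added example (not IriusRisk or MITRE code). The property, threat and mitigation names are constructed placeholders rather than EMB3D™ identifiers, and the impact-times-ease score is an assumed stand-in for the platform's inherent risk score.

```python
TIERS = ["foundational", "intermediate", "leading"]  # tier names from Table 1

# Constructed catalogue; names are illustrative placeholders, not EMB3D identifiers.
# threat -> (device properties that expose it, impact 1-5, ease of exploitation 1-5)
THREATS = {
    "firmware-tamper": ({"remote-firmware-update"}, 5, 4),
    "debug-port-access": ({"exposed-debug-interface"}, 4, 4),
    "protocol-spoofing": ({"unauthenticated-network-protocol"}, 3, 5),
}
# mitigation -> (threats it addresses, tier)
MITIGATIONS = {
    "signed-firmware": ({"firmware-tamper"}, "foundational"),
    "disable-debug-in-production": ({"debug-port-access"}, "foundational"),
    "hardware-root-of-trust": ({"firmware-tamper"}, "intermediate"),
    "message-authentication": ({"protocol-spoofing"}, "intermediate"),
}

def applicable_threats(device_properties):
    """Steps 1 and 2: threats exposed by the device's properties, highest risk first."""
    scored = []
    for threat, (props, impact, ease) in THREATS.items():
        if props <= device_properties:              # every exposing property is present
            scored.append((impact * ease, threat))  # assumed score, not IriusRisk's
    return [t for _, t in sorted(scored, key=lambda s: (-s[0], s[1]))]

def mitigation_plan(device_properties, implemented, max_tier):
    """Step 3: per threat, report mitigated / planned / gap within the tier budget."""
    allowed = TIERS[: TIERS.index(max_tier) + 1]
    plan = {}
    for threat in applicable_threats(device_properties):
        candidates = sorted(
            (m for m, (threats, tier) in MITIGATIONS.items()
             if threat in threats and tier in allowed),
            key=lambda m: (TIERS.index(MITIGATIONS[m][1]), m),
        )
        done = [m for m in candidates if m in implemented]
        if done:
            plan[threat] = ("mitigated", done)
        elif candidates:
            plan[threat] = ("planned", candidates)
        else:
            plan[threat] = ("gap", [])  # nothing available at or below max_tier
    return plan

if __name__ == "__main__":
    device = {"remote-firmware-update", "exposed-debug-interface",
              "unauthenticated-network-protocol"}
    for threat, (status, items) in mitigation_plan(device, {"signed-firmware"}, "foundational").items():
        print(f"{threat:20} {status:10} {', '.join(items)}")
```

A "gap" entry marks a threat that cannot be addressed without moving to a higher tier, which is the point where the feasibility and dependency criteria in Table 1 become a budgeting decision.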

Here is an example threat model from https://www.geeksforgeeks.org/introduction-of-embedded-systems-set-1/ that we then replicated in IriusRisk:

[Figure: Geeks for Geeks threat model image]
[Figure: Replicated threat model inside IriusRisk]

Use Cases for EMB3D™

EMB3D™ isn’t just for one type of user. It’s designed to support a broad spectrum of stakeholders in the embedded device ecosystem, from manufacturers to security researchers and asset owners:

  • Product Vendors: For developers, EMB3D™ helps prioritize security features during the product development lifecycle. By understanding the risks associated with specific device properties, vendors can make informed decisions about which security features to implement first.
  • Asset Owners: For asset owners, such as companies deploying these devices in critical infrastructure, EMB3D™ provides a roadmap to evaluate device security and ensure that vendors are delivering products that meet required standards.
  • Security Researchers: EMB3D™ also supports security researchers by offering a common framework for evaluating device vulnerabilities and testing the effectiveness of mitigations.

The Future of Embedded Device Security

As the cyber threat landscape continues to evolve, frameworks like EMB3D™ will become essential tools for securing the next generation of embedded systems. By adopting a comprehensive threat modeling approach, organizations can proactively protect their devices, rather than relying on reactive measures after a device vulnerability has been exploited.

For those responsible for the security of embedded devices/systems, whether in development or deployment, EMB3D™ offers a way to stay ahead of attackers, ensuring that these critical devices remain secure in an increasingly connected world.

Ready to start strengthening your embedded device security? Learn more about how EMB3D™ can help protect your critical infrastructure through the IriusRisk automated threat modeling platform.

Reference

- The EMB3D™ Threat Model for Embedded Devices