
Threat modeling an IoT system

A valuable reference for threat modeling can be found in Adam Shostack's book, Threat Modeling: Designing for Security.

Microsoft also defines a well-thought-out threat modeling approach, using multiple steps to determine the severity of threats introduced by a new system.

Note that threat modeling is the larger exercise of identifying threats and threat sources; attack modeling, described earlier, is attacker-focused and designed to show the nuances of how vulnerabilities may be exploited. The threat modeling process that we will follow in this example is illustrated in the following diagram:

To illustrate the threat modeling process, we will evaluate threats to a smart parking system. A smart parking system is a useful IoT reference system because it involves deploying IoT elements into a high-threat environment (some individuals would cheat a parking payment system if they could and laugh all the way home). The system contains multiple endpoints that capture and feed data to a backend infrastructure for processing. The system performs data analytics to provide trend analysis for decision makers, correlates sensor data to identify parking violators in real time, and exposes an API to smartphone applications that support customer features such as real-time parking spot status and payments. Many IoT systems are architected with similar components and interfaces.

In this example, our smart parking system differs from a real-life smart parking solution. Our example system provides a richer set of functions for illustrative purposes:

  • Consumer-facing service: This allows customers to determine vacancy status and pricing for nearby parking spots
  • Payment flexibility: The ability to accept multiple forms of payment, including credit cards, cash/coins, and mobile payment services (for example, Apple Pay and Google Wallet)
  • Entitlement enforcement: The ability to track the allocated time purchased for a spot, determine when the entitlement has expired, sense when a vehicle has overstayed the purchased period, and communicate the violation to parking enforcement
  • Trend analysis: The ability to collect and analyze historical parking data and provide trend reports to parking managers
  • Demand-response pricing: The ability to change pricing depending on the demand for each space

For more information, see https://www.cisco.com/web/strategy/docs/parking_aag_final.pdf.

Given that the system is designed to collect payment from consumers, alert enforcement officials when non-payment has occurred, and provide appropriate pricing based on the current demand for parking, the appropriate security goals for the system could be stated as follows:

  • Maintain integrity of all data collected within the system
  • Maintain confidentiality of sensitive data within the system
  • Maintain the availability of the system as a whole and each of its individual components

Within the smart parking system, sensitive data can be defined as payment data as well as data that can leak privacy-related information. Examples include video recordings that capture license plate information.
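The three security goals and the definition of sensitive data can be turned into a per-function worksheet that later threat identification works from. The following Python sketch is an added example, not code from the book; the inventory entries, their assignment to functions, and all names in the code are assumptions constructed from the feature list above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataItem:
    name: str
    function: str            # system function, taken from the feature list above
    payment: bool = False    # payment data
    privacy: bool = False    # data that can leak privacy information

    @property
    def sensitive(self) -> bool:
        # Definition used on this page: payment data, or data that can leak
        # privacy information (for example, video showing license plates).
        return self.payment or self.privacy

# Constructed inventory (assumption): one or two data items per function.
INVENTORY = [
    DataItem("spot vacancy status", "Consumer-facing service"),
    DataItem("credit card / mobile payment details", "Payment flexibility", payment=True),
    DataItem("purchased time per spot", "Entitlement enforcement"),
    DataItem("video recording with license plate", "Entitlement enforcement", privacy=True),
    DataItem("historical parking data (aggregated)", "Trend analysis"),
    DataItem("current price per space", "Demand-response pricing"),
]

def item_goals(item):
    # Integrity covers all collected data; confidentiality only sensitive data.
    return ("integrity", "confidentiality") if item.sensitive else ("integrity",)

def function_goals(inventory):
    """Goal set per function; availability applies to every component."""
    out = {}
    for item in inventory:
        goals = out.setdefault(item.function, {"integrity", "availability"})
        goals.update(item_goals(item))
    return out

def sensitive_items(inventory):
    return [i.name for i in inventory if i.sensitive]

if __name__ == "__main__":
    for fn, goals in sorted(function_goals(INVENTORY).items()):
        print(f"{fn:26} {', '.join(sorted(goals))}")
    print("sensitive:", sensitive_items(INVENTORY))
```

Functions that pick up the confidentiality goal (here, payment and entitlement enforcement) are the ones whose data stores and interfaces need confidentiality controls considered in the later steps.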
