MITRE, in collaboration with researchers from three other organizations, this week released a draft of a new threat-modeling framework for makers of embedded devices used in critical infrastructure environments.
The goal of the new EMB3D Threat Model is to give device makers a common understanding of the vulnerabilities in their technologies that attacks are targeting, and of the security mechanisms for addressing those weaknesses.
Embedded devices in ICS and OT environments present an attractive target for attackers because of their relative lack of proper security and inadequate testing for vulnerabilities.
Research that Nozomi Networks released earlier this year showed threat actors have ramped up attacks targeting these devices over the past year, especially in sectors such as food and agriculture, chemical, water treatment, and manufacturing.
Over the past year, there has also been a steady increase in advisories and guidance from the US Cybersecurity and Infrastructure Security Agency pertaining to threats to ICS and OT environments.
Just as ATT&CK gives defenders a common vocabulary for threat-actor tactics, techniques, and procedures, and CWE provides a standard way to categorize and describe hardware and software vulnerabilities, EMB3D provides a central knowledge base of threats to embedded devices.
Such information is critical because, at a high level, the threats to embedded devices are more hardware- and firmware-focused than typical IT threats.
They also have unique technologies, such as those for executing custom logic, like programmable logic controllers, Collins notes.
While embedded device vendors often perform threat modeling as a method to identify security mechanisms in a device, threats to devices are continually evolving as more attacks and vulnerability research surface, she says.
EMB3D provides a uniform mechanism for tracking and communicating threats and associated security mechanisms in an embedded device.
MITRE and the researchers from ONE Gas, Red Balloon Security, and Narf Industries who developed EMB3D identified threats to embedded systems by reviewing numerous sources, including ATT&CK techniques, research, proof-of-concept demonstrations, and vulnerabilities discovered in embedded devices.
As with ATT&CK and CWE, the maintainers of EMB3D will keep adding new threats and mitigations to the knowledge base as they emerge.
Big Deal for Embedded Security

Chris Grove, director of cybersecurity strategy at Nozomi Networks, says EMB3D could be another MITRE ATT&CK-like game-changer for embedded device security.
Grove perceives EMB3D as being a useful resource for small asset owners who might not always have the resources to tackle threats on their own.
EMB3D is like a roadmap that makes navigating cybersecurity a lot simpler.
Smaller companies, which might not have the luxury of custom-built security tooling, will find this particularly helpful, he predicts.
At the same time, larger companies could benefit as well because it could save them the hassle and expense of developing their own security metrics and measures.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Dec 2023 20:50:07 +0000