Issue link: https://resources.mouser.com/i/1437738
included in their TOE descriptions. The good news is that engineers can find several published sources that can help with this part of the process. Developers can use public resources such as the Common Attack Pattern Enumeration and Classification (CAPEC) list to review, from the top down, the most likely types of attacks. Then, they can work, from the bottom up, to identify the likely targets of attack listed in the Common Weakness Enumeration (CWE) list, which describes inherent flaws in system design approaches, such as the use of hardcoded credentials. As designers identify specific hardware or software components utilized in their designs, they can turn to the Common Vulnerabilities and Exposures (CVE) list, which lists specific software flaws or potential exploits in available hardware or software components.

For risk assessments, resources such as the Common Vulnerability Scoring System (CVSS) provide a consistent approach for rating the risks associated with specific vulnerabilities. Although a risk relates to the nature of a specific vulnerability, it also includes other factors, such as the avenue (vector) used to perform the attack and the complexity of the attack required to exploit the vulnerability. For example, an attack that can be performed through a network brings considerably more risk than one that requires physical access. Similarly, an attack that is simple to perform carries significantly more risk than an attack that is highly complex in nature. Using a CVSS calculator, engineers can quickly account for these various contributing factors, arriving at a numeric score for the risk level associated with a particular threat or class of threats. For Arm's water meter, the CVSS calculator finds that the combination of factors involved in a firmware attack represents a critical risk score of 9.0 (Figure 4).
Figure 4: Using the CVSS calculator, development teams can assign specific risk levels that correlate with different vulnerabilities for TOE assets, such as the firmware in Arm's water-meter threat model. (Source: FIRST.org)

Because of the broad range of requirements and techniques, automated tools such as Open Web Application Security Project's (OWASP's) Threat Dragon Project, Mozilla's SeaSponge, and Microsoft's Threat Modeling Tool exist to help developers work through the modeling process. Each uses a different threat modeling methodology, ranging from system diagramming in the Threat Dragon Project and SeaSponge to Microsoft's detailed STRIDE (which stands for "Spoofing," "Tampering," "Repudiation," "Information disclosure," "Denial of service," and "Elevation of privilege") approach. Though these tools are several years old and generally built for enterprise software systems, threat modeling is a broadly applicable, evergreen process that depends more on the current lists of attack vectors, weaknesses, and vulnerabilities than on specific methodologies. Nevertheless, newer tools are now emerging that promise a tighter link between a system description and threat identification. Despite the rapid emergence of deep learning technologies in other areas, however, significant challenges remain in applying these technologies to automated threat and risk assessments. Even so, smart modeling and assessment tools are likely to become available soon.

In the meantime, developers can find various collections that list security weaknesses, vulnerabilities, and attack patterns—so much so that all the available detail can seem overwhelming, particularly to those just starting to engage in threat modeling. In fact, one of the excuses commonly used to avoid threat modeling is that it is simply too complicated. Rather than jumping into the full depth of details, engineers can start with a more modest approach that focuses just on the most common threats.
OWASP's list of top 10 IoT security threats provides a useful starting point. In fact, developers need to go no further than their preferred news sites to find a ready catalog of top vulnerabilities and exploits.