MITRE, in collaboration with researchers from three other organizations, this week released a draft of a new threat-modeling framework for makers of embedded devices used in critical infrastructure environments.
The goal with the new EMB3D Threat Model is to give device makers a common understanding of vulnerabilities in their technologies that attacks are targeting — and the security mechanisms for addressing those weaknesses.
The EMB3D Threat Model
“EMB3D is intended to help [embedded device] vendors/OEMs build security in,” says Marie Stanley Collins, department manager at MITRE. “The mitigations are focused on what should be done during the device’s design, rather than bolted on by an asset owner.” However, asset owners and security researchers can use it as well to assess and evaluate the security of a device by reviewing what threats likely exist and what mitigations are included, she says.
Embedded devices in ICS and OT environments present an attractive target for attackers because of their relative lack of proper security and inadequate testing for vulnerabilities. Research that Nozomi Networks released earlier this year showed threat actors have ramped up attacks targeting these devices over the past year, especially in sectors such as food and agriculture, chemical, water treatment, and manufacturing. Over the past year, there has also been a steady increase in advisories and guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) pertaining to threats to ICS and OT environments.
“The security of many embedded devices used to support critical infrastructure is not keeping pace with the threats being observed,” Collins says. “Many asset owners … often have an insufficient understanding about their devices to adequately mitigate these risks.”
Embedded System Equivalent of ATT&CK and CWE?
EMB3D is the embedded system equivalent of other widely used MITRE threat models and frameworks, such as ATT&CK and the Common Weakness Enumeration (CWE) catalog. Just as ATT&CK gives defenders a common vocabulary for threat-actor tactics, techniques, and procedures, and CWE provides a standard way to categorize and describe hardware and software vulnerabilities, EMB3D provides a central knowledge base of threats to embedded devices.
“EMB3D provides a single repository of known threats, properties of a device that are vulnerable to that threat, and key mitigations necessary to address that risk,” Collins says. Such information is critical because, at a high level, embedded devices have more hardware- and firmware-focused threats than typical IT threats. They also have unique technologies, such as those for executing custom logic, like programmable logic controllers, Collins notes.
While embedded device vendors often perform threat modeling as a method to identify security mechanisms in a device, threats to devices are continually evolving as more attacks and vulnerability research surface, she says. “It’s difficult for a product security team to track all of these threats and identify what mitigations are necessary to protect against them,” Collins adds. EMB3D provides a uniform mechanism for tracking and communicating threats and associated security mechanisms in an embedded device.
MITRE and the researchers from ONE Gas, Red Balloon Security, and Narf Industries who developed EMB3D identified threats to embedded systems by reviewing numerous sources, including ATT&CK techniques, research, proof-of-concept demonstration, and vulnerabilities discovered in embedded devices. As with ATT&CK and CWE, the maintainers of EMB3D will keep adding new threats and mitigations to the knowledge base as they emerge. And as with the previous threat models, EMB3D too will be a public community resource to which security stakeholders can contribute additions and revisions, according to MITRE.
“With this announcement comes a call to action to interested vendors, asset owners, researchers, and academics to review this framework before its official public release in early 2024,” MITRE said.
Big Deal for Embedded Security
Chris Grove, director of cybersecurity strategy at Nozomi Networks, says EMB3D could be another MITRE ATT&CK-like game-changer for embedded device security. “What’s exciting about EMB3D is how it’s supposed to take the best parts of existing frameworks and apply them to the world of embedded systems,” Grove says. “This is a big deal for cybersecurity today, where embedded systems have their own unique challenges — quite different than IT, yet more critical.”
Grove perceives EMB3D as being a useful resource for small asset owners who might not always have the resources to tackle threats on their own. EMB3D is like a roadmap that makes navigating cybersecurity a lot simpler. Smaller companies, which might not have the luxury of custom-built security tooling, will find this particularly helpful, he predicts.
At the same time, larger companies could benefit as well because it could save them the hassle and expense of developing their own security metrics and measures. Grove says, “EMB3D offers a standardized, efficient way to handle cybersecurity risks. It’s not just about finding problems; it’s about building security into devices from the start.”
