Based on Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022)
1. What are the key elements and interdependencies in a cyber-physical system that must be captured in a comprehensive threat model?
A comprehensive threat model for Cyber-Physical Systems (CPS) must move beyond simple asset lists to capture the dynamic relationships between physical and digital components. Jbair et al. (2022) propose a data model that links ten critical parameters, among them Threat Actors (insider/outsider), Assets (classified by the Purdue Model), Vulnerabilities, Threats (categorised using STRIDE) and Cyber-Attacks (categorised using ICS ATT&CK tactics).
Critically, these elements are interdependent: a Threat Actor exploits a Vulnerability via specific Tactics, Techniques, and Procedures (TTPs) to manipulate an Asset. The accuracy of the risk analysis depends on capturing these links because the Attack Impact varies depending on the asset’s physical function (e.g., a PLC at Level 1 has a higher safety impact than a workstation at Level 4). Failing to map these interdependencies results in a “siloed” view that misses cascading physical risks.
2. How can threat modelling help identify attack entry points and system vulnerabilities in cyber-physical energy systems?
Threat modelling identifies entry points by mapping the “attack surface” exposed by the convergence of IT and OT (Operational Technology). By utilizing frameworks like ICS ATT&CK, analysts can model specific attack trees—such as a “Man-in-the-Middle” attack on a PLC or a “Denial of Service” on an HMI. This structured approach moves beyond ad-hoc vulnerability scanning to identify complex attack paths where an adversary might pivot from a corporate network (Level 4) to control systems (Level 1).
However, a major challenge is that traditional threat modelling tools are often “static” and do not integrate with the engineering tools used to build CPS. Jbair et al. (2022) highlight that existing methodologies often lack the ability to determine risk severity or provide a roadmap for mitigation, making it difficult to justify security investments to engineering stakeholders.
3. How can scenario-specific metrics and risk assessment methodologies be used to prioritise vulnerabilities?
To effectively prioritize vulnerabilities, organizations must move from qualitative “guesswork” to quantitative metrics. The paper proposes a formulaic approach where Risk (R) is the product of the Attack Vector (AV) and Attack Likelihood (AL): R = AV × AL.
- Attack Vector (AV): Calculated using the geometric mean of threat actor skills, threat exposure, and impact severity.
- Attack Likelihood (AL): Derived from historical data of similar attacks in the sector (e.g., assessing if a specific malware strain is trending in the energy sector).
By applying these metrics to a Risk Heat Map, vulnerabilities can be classified from “Very Low” to “Very High.” This allows security teams to automate the generation of Mitigation Controls (such as firmware monitoring or password enforcement) specifically for the highest-risk assets, ensuring that limited resources are targeted where they prevent the most significant physical and digital damage.
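The scoring described above (AV as a geometric mean of three factors, AL from sector history, R = AV × AL mapped onto five heat-map bands), as an added worked example that is not the paper's own code. The 1..5 factor scale, the AL estimator (frequency of an attack type relative to the most frequent type in a constructed sector history) and the band cut points at 1, 2, 3 and 4 are assumptions, since the page does not give them.

```python
"""Added worked example of the page's R = AV x AL scoring, not the paper's own code. Assumptions:
factors scored 1..5; AL = frequency of this attack type relative to the most frequent type in a
constructed sector history; heat-map cut points on R are 1, 2, 3 and 4."""
from dataclasses import dataclass
from math import prod
SCALE_MAX = 5  # assumed upper bound of the 1..5 factor scale

@dataclass(frozen=True)
class Asset:
    name: str             # e.g. "PLC-L1" for a PLC at Purdue Level 1
    actor_skill: int      # skill the threat actor needs (1 = opportunistic, 5 = highly capable)
    exposure: int         # reachability of the asset (1 = isolated, 5 = directly reachable)
    impact_severity: int  # physical/safety consequence if the asset is manipulated

def attack_vector(a: Asset) -> float:
    """AV = geometric mean of threat actor skill, threat exposure and impact severity."""
    factors = (a.actor_skill, a.exposure, a.impact_severity)
    if any(not 1 <= f <= SCALE_MAX for f in factors):
        raise ValueError(f"{a.name}: every factor must lie in 1..{SCALE_MAX}")
    return prod(factors) ** (1 / len(factors))  # cube root of the product

def attack_likelihood(history: dict, attack_type: str) -> float:
    """AL in 0..1: how common this attack type is in sector history versus the most common one."""
    top = max(history.values(), default=0)  # guard: empty or all-zero history gives AL = 0
    return history.get(attack_type, 0) / top if top else 0.0

def heat_band(r: float) -> str:
    """Map R (0..5 when AL <= 1) onto the five heat-map bands."""
    cuts = [(1.0, "Very Low"), (2.0, "Low"), (3.0, "Medium"), (4.0, "High")]
    return next((label for cut, label in cuts if r < cut), "Very High")

def prioritise(assets, attack_types: dict, history: dict) -> list:
    """Score each asset with R = AV x AL; return (name, R, band) rows, highest risk first."""
    rows = []
    for a in assets:
        r = attack_vector(a) * attack_likelihood(history, attack_types[a.name])
        rows.append((a.name, round(r, 2), heat_band(r)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample data, not real sector statistics.
SECTOR_HISTORY = {"man-in-the-middle": 6, "denial-of-service": 12, "phishing": 2}
ASSETS = [Asset("PLC-L1", actor_skill=3, exposure=3, impact_severity=5),
          Asset("HMI-L2", actor_skill=2, exposure=4, impact_severity=4),
          Asset("Workstation-L4", actor_skill=2, exposure=5, impact_severity=2)]
ATTACK_TYPES = {"PLC-L1": "man-in-the-middle", "HMI-L2": "denial-of-service",
                "Workstation-L4": "phishing"}

if __name__ == "__main__":
    for name, r, band in prioritise(ASSETS, ATTACK_TYPES, SECTOR_HISTORY):
        print(f"{name:15} R={r:.2f} {band}")
```

With the constructed data the HMI ranks highest because denial of service dominates the sector history, even though the PLC has the higher impact severity; that is the trade-off between AV and AL the heat map makes visible.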
References
- Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022) ‘Threat modelling for industrial cyber physical systems in the era of smart manufacturing’, Computers in Industry, 137, p. 103611. Available at: https://doi.org/10.1016/j.compind.2022.103611