Enhancing ICS Security: The Rise of Threat Modeling Frameworks

As research into device and industrial control system (ICS) security advances, frameworks designed to help manufacturers identify and mitigate potential threats are gaining widespread adoption.

One such initiative is MITRE's EMB3D framework, introduced in late 2023, which categorizes various threats and now includes mitigation strategies for manufacturers. According to Marie Stanley Collins, senior principal at MITRE's Critical Infrastructure Initiative, device makers are leveraging EMB3D to strengthen threat modeling, researchers are using it to standardize communication, and cybersecurity vendors have begun incorporating it into their products.

The Role of EMB3D in Security

"Manufacturers can apply EMB3D during the design phase to systematically evaluate embedded device threats and implement appropriate defenses," Collins explains. End users can also use it to make more informed purchasing decisions by requiring vendors to outline security risks and protective measures.

EMB3D is not the only available framework. Microsoft's STRIDE helps manufacturers classify threats into six major categories—spoofing, tampering, repudiation, information disclosure, denial of service, and privilege escalation. Meanwhile, ATT&CK for ICS, commonly used by firms like Dragos, focuses on cataloging real-world attack techniques targeting industrial control systems.

According to Kate Johnson, director of intelligence research at Dragos, frameworks like ATT&CK help organizations learn from past incidents, allowing defenders to anticipate and mitigate similar threats in their own environments. However, she emphasizes that frameworks only provide value if the cybersecurity community adopts them broadly.

A Structured Approach to Embedded Security

The latest EMB3D update focuses on mapping threats to specific mitigation strategies, aligning with the Secure by Design principles advocated by CISA. For instance, the mitigation Software-Only Bootloader Authentication (MID-001) helps protect against threats like Inadequate Bootloader Protection (TID-201) and Unauthenticated Firmware Installation (TID-211).

MITRE’s Adam Hahn, a principal in the OT device security group, highlights that EMB3D aims to proactively strengthen device security rather than shifting responsibility to end users. While STRIDE is useful for initial threat assessments, EMB3D is geared towards building security-hardened devices that can withstand long-term threats.

"Cybercriminal techniques evolve, moving from theoretical concepts to proof-of-concept (PoC) exploits and ultimately real-world attacks," Hahn says. "Manufacturers need to think long-term, beyond just responding to current cyber threats."

Real-World Adoption & Industry Integration

MITRE employs EMB3D in its CIDER Lab, which simulates critical infrastructure scenarios to assess interdependencies and vulnerabilities. Additionally, cybersecurity firms such as IriusRisk and Red Balloon Security have begun integrating EMB3D into their product assessments and risk communication processes, according to Wyatt Ford, an engineering manager at Red Balloon Security and a co-founder of EMB3D.

Choosing the Right Threat Model

Not all organizations have identical threat modeling requirements. While Dragos primarily relies on ATT&CK for ICS, Johnson stresses that companies should adopt a threat-driven, consequence-aware approach that aligns with their specific risks and operational environments.

"Our method involves using intelligence to identify the most credible threats, determining which systems are likely targets, evaluating security controls, and conducting focused threat-hunting activities," she explains.

The Future of Threat Modeling

MITRE envisions EMB3D as a collaborative effort that brings together cybersecurity vendors, manufacturers, and infrastructure operators to continuously expand the knowledge base of threats and mitigations.

"As adversaries refine their attack techniques, threats progress from theoretical risks to PoCs and, eventually, real-world exploitation," Hahn notes. "The challenge lies in identifying which threats are most critical, which depends on a device's function and deployment context."

With threat actors becoming increasingly sophisticated, frameworks like EMB3D, STRIDE, and ATT&CK are crucial in helping organizations stay ahead of emerging risks and designing more resilient industrial systems.