Cybersecurity

Threat Modeling with STRIDE: A Practical Guide for Industrial Systems

Threat modeling is essential for identifying security risks early. Learn how to apply the STRIDE methodology to industrial control systems and energy management systems.

10 min read
Threat Modeling with STRIDE: A Practical Guide for Industrial Systems

Threat Modeling with STRIDE: A Practical Guide for Industrial Systems

Security requirements shouldn’t be guessed—they should be derived from a structured analysis of the threats your system faces. Threat modeling provides exactly that: a systematic way to identify, analyze, and prioritize security risks.

What is Threat Modeling?

Threat modeling is a structured process for identifying and documenting security threats early in the development lifecycle. It answers the fundamental question: “What are we protecting against, and why?”

Why Threat Modeling Matters

BenefitDescription
Early risk identificationFind security issues before code is written
Focused security effortsSpend resources on real threats, not hypothetical ones
Better security requirementsRequirements derived from actual threat scenarios
Compliance alignmentRequired by IEC 62443-4-1 SR-2
Stakeholder communicationMakes security risks tangible to non-security experts

When to Threat Model

Development Lifecycle:
Requirements ──► Design ──► Code ──► Test ──► Release
       ▲                                    │
       └──────── Threat Modeling ───────────┘
       (Ideally at Requirements & Design phases)

Best practice: Threat model early, then update as the design evolves.

The STRIDE Methodology

STRIDE is a threat classification model developed by Microsoft that provides a systematic way to think about attacker goals.

STRIDE Acronym Explained

LetterThreatDescriptionIndustrial Example
SSpoofingImpersonating something or someoneFake HMI login to gain system access
TTamperingModifying data or codeAltering control commands to damage equipment
RRepudiationDenying having performed an actionAttacker denies sending dangerous command
IInformation DisclosureExposing information to unauthorized partiesLeaking sensitive process configuration
DDenial of ServiceDisrupting service availabilityFlooding network to disrupt control
EElevation of PrivilegeGaining unauthorized capabilitiesLow-privilege user gaining admin rights

Threat Modeling for Industrial Systems

System Decomposition

Before identifying threats, you must understand your system. For an Energy Management System (EMS):

┌─────────────────────────────────────────────────────────────────┐
│                      EMS System Context                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  External Actors                                                │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐           │
│  │Cloud    │  │Grid     │  │Maintenance│ │Attacker  │           │
│  │Platform │  │Operator │  │Technician│  │         │           │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘           │
│       │            │            │            │                  │
│       └────────────┴────────────┴────────────┘                  │
│                         │                                       │
│  EMS Boundary                                                  │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │  ┌───────────┐  ┌────────────┐  ┌──────────────────────┐  ││
│  │  │ Web API   │  │ Core Logic │  │ Data Store           │  ││
│  │  └─────┬─────┘  └─────┬──────┘  └──────────┬───────────┘  ││
│  │        │              │                    │              ││
│  │        └──────────────┴────────────────────┘              ││
│  │                       │                                   ││
│  │  Interfaces                                             ││
│  │  ┌──────┐  ┌──────┐  ┌──────┐  ┌──────┐  ┌──────┐   ││
│  │  │Modbus│  │IEC104│  │MQTT  │  │HMI   │  │USB   │   ││
│  │  └──────┘  └──────┘  └──────┘  └──────┘  └──────┘   ││
│  └─────────────────────────────────────────────────────────────┘│
│                         │                                       │
│  External Systems                                               │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐                        │
│  │  BMS    │  │  PCS    │  │  Meter  │                        │
│  └─────────┘  └─────────┘  └─────────┘                        │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Data Flow Diagrams

For each interface, document:

  1. Data flows (what is being sent?)
  2. Protocols (how is it sent?)
  3. Trust boundaries (where does trust end?)
InterfaceDataProtocolTrust Boundary
EMS ↔ CloudStatus, commandsMQTT over TLSExternal
EMS ↔ BMSBattery data, limitsModbus RTUInternal
EMS ↔ PCSPower commandsModbus TCPInternal
HMI ↔ EMSUI interactionsHTTP/WebSocketLocal

Applying STRIDE to EMS: A Detailed Example

S - Spoofing Threats

ThreatScenarioRisk LevelCountermeasure
Fake HMI loginAttacker guesses passwordMediumStrong password policy, lockout
Spoofed BMSRogue device sends false battery dataHighDevice authentication, certificate validation
Cloud impersonationMan-in-the-middle cloud connectionMediumMutual TLS, certificate pinning

Security Requirement: “The EMS shall authenticate all external connections using mutually authenticated TLS with certificate validation.”

T - Tampering Threats

ThreatScenarioRisk LevelCountermeasure
Modified control commandsAttacker alters power setpointsCriticalCommand signing, input validation
Firmware replacementMalicious firmware installedCriticalSecure boot, firmware signature verification
Configuration changesUnauthorized setting changesHighChange logging, approval workflow

Security Requirement: “The EMS shall verify the integrity of all received control commands using cryptographic signatures.”

R - Repudiation Threats

ThreatScenarioRisk LevelCountermeasure
Denied command executionOperator denies sending dangerous commandMediumComprehensive audit logging
Deleted logsAttacker covers tracksHighImmutable log storage, log forwarding

Security Requirement: “The EMS shall maintain tamper-evident audit logs of all security-relevant events.”

I - Information Disclosure Threats

ThreatScenarioRisk LevelCountermeasure
Exposed credentialsPasswords sent in clearHighEncrypted storage, no plaintext transmission
Leaked process dataSensitive configuration exposedMediumRole-based access, data encryption at rest
Debug informationError messages reveal system detailsLowGeneric error messages

Security Requirement: “The EMS shall encrypt all sensitive data at rest and in transit.”

D - Denial of Service Threats

ThreatScenarioRisk LevelCountermeasure
Network floodingAttacker overwhelms EMS network interfaceHighRate limiting, traffic filtering
Resource exhaustionMalicious requests consume CPU/memoryMediumResource quotas, connection limits
Protocol abuseExploiting protocol weaknessesMediumProtocol validation, anomaly detection

Security Requirement: “The EMS shall implement rate limiting and resource quotas to prevent service exhaustion.”

E - Elevation of Privilege Threats

ThreatScenarioRisk LevelCountermeasure
Privilege escalationRegular user gains admin rightsHighPrivilege separation, access control
Role confusionUser performs action outside roleMediumRole-based access control, principle of least privilege
Session hijackingAttacker takes over valid sessionMediumSession timeout, secure session management

Security Requirement: “The EMS shall enforce role-based access control with the principle of least privilege.”

Threat Modeling Process

Step-by-Step Workflow

┌─────────────────────────────────────────────────────────────────┐
│                   Threat Modeling Workflow                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  1. Decompose System                                            │
│     └─ Create architecture diagram, identify trust boundaries    │
│                                                                  │
│  2. Identify Threats (STRIDE)                                   │
│     └─ Apply STRIDE to each element, data flow, and interaction  │
│                                                                  │
│  3. Analyze Threats                                             │
│     └─ Assess impact, likelihood, and risk for each threat     │
│                                                                  │
│  4. Mitigate Threats                                            │
│     └─ Define countermeasures for prioritized threats          │
│                                                                  │
│  5. Validate                                                    │
│     └─ Confirm mitigations effectively reduce risk              │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Risk Assessment

For each identified threat, assess:

FactorQuestions
ImpactWhat’s the worst case? Safety impact? Equipment damage?
LikelihoodHow easy is this to exploit? Required skill level?
Existing MitigationsWhat already protects against this?

Risk Matrix:

                High Impact

        High  │    ┌───┐
        Risk  │    │ █ │ ← Priority for mitigation
              │    └───┘
     Medium    │  ┌─────┐
        Risk   │  │ ██  │
              │  └─────┘

     Low     │  ┌───────┐
        Risk  │  │ ███  │
              │  └───────┘
              └────────────────────────────▶
                 Low Likelihood      High Likelihood

From Threats to Security Requirements

Each mitigated threat should result in one or more security requirements:

Example Traceability

Threat IDThreat DescriptionMitigationRequirement IDSecurity Requirement
EMS-T-001Tampered control commandsCommand signingSR-01Verify command signatures
EMS-I-001Exposed credentialsEncryption at restSR-02Encrypt stored passwords
EMS-D-001Network floodingRate limitingSR-03Implement rate limiting

This creates the threat-to-requirements traceability required by IEC 62443-4-1.

Industrial-Specific Considerations

Safety vs. Security

In industrial systems, always consider the safety impact:

Threat: Unauthorized firmware update
Security Mitigation: Require signature verification
Safety Consideration: What if verification fails mid-update?
Refined Mitigation: Verify before installation, allow rollback

Availability Priority

Some security measures may conflict with availability:

Security MeasureAvailability ConcernCompromise
Account lockoutLegitimate user locked outTime-based lockout, override
Strict authenticationEmergency access delayedLocal emergency accounts
Network isolationMaintenance access blockedConfigurable zones

Threat Modeling Tools

Manual Approaches

ToolDescriptionBest For
Whiteboard diagramsCollaborative threat identificationBrainstorming sessions
Excel spreadsheetsStructured threat documentationSmall teams, simple systems
STRIDE-per-elementSystematic applicationComprehensive coverage

Automated Tools

ToolDescriptionConsideration
Microsoft Threat ModelFree threat modeling toolDesigned for Azure, adaptable for OT
IriusRiskOpen-source threat modelingGood for risk management integration
OWASP PyTMPython-based frameworkDeveloper-friendly

Note: Manual threat modeling often yields better insights for OT systems where domain expertise matters.

Common Threat Modeling Mistakes

Mistake 1: Threat Modeling Too Late

Wrong: Threat modeling after implementation
Right: Threat modeling during requirements and design

Mistake 2: Only Considering External Threats

Wrong: "Attackers come from the internet"
Right: Consider insider threats, supply chain, physical access

Mistake 3: Ignoring Legacy Constraints

Wrong: "Use modern security protocol X"
Right: "What can we secure with existing protocols?"

Key Takeaways

  1. Threat modeling is essential for IEC 62443-4-1 compliance (SR-2 requirement)
  2. STRIDE provides structure for systematic threat identification
  3. Industrial context matters—always consider safety and availability
  4. Create traceability—from threats to requirements to testing
  5. Iterate continuously—update as system and threats evolve

Getting Started Checklist

□ Assemble threat modeling team (security, engineering, operations)
□ Define system scope and boundaries
□ Create system architecture diagram
□ Identify trust boundaries
□ Apply STRIDE to each element
□ Document threats in threat register
□ Assess and prioritize threats
□ Define mitigations and security requirements
□ Get stakeholder review and approval
□ Plan for periodic re-modeling

Conclusion

Threat modeling transforms security from guessing to engineering. By systematically identifying threats using STRIDE, you build security requirements that actually address the risks your industrial systems face.

In the world of industrial cybersecurity, understanding your threats isn’t optional—it’s foundational. Start threat modeling early, and make it a continuous practice throughout your product lifecycle.


Effective threat modeling is the bridge between “we need security” and “here’s what we need to secure against.”

Tags

#cybersecurity #threat-modeling #STRIDE #IEC-62443 #risk-assessment #industrial