An Introductory Guide to Threat Modeling from Nova Leah 

In recent years, threat modeling has become a central requirement for securing connected medical devices. Threat modeling (TM) is now viewed as an integral means of managing medical device and diagnostic cybersecurity risk.

Threat modeling extends long-standing risk management practice and is now expected as part of cybersecurity risk management when developing connected medical devices. In April 2022, FDA published a substantially revised draft guidance on cybersecurity for medical device premarket submissions. Within this draft guidance, FDA identified five key elements of security risk management, one of which is threat modeling.

But what is threat modeling and what are its objectives when it comes to medical device security?  

What is Threat Modeling?  

Threat modeling is a method for identifying the security objectives, risks, and vulnerabilities of a system, and then defining countermeasures that prevent, or mitigate the effects of, threats to that system throughout its lifecycle.

A threat model is a structured representation of all the information that impacts the security of an application. In essence, a threat model is a view of an application and its environment through the lens of security. Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes. 

As part of the risk assessment, FDA recommends that threat modeling be performed throughout the design process and be inclusive of all system elements. To achieve maximum benefit, a high-level threat model should be defined in the planning phase, and then refined throughout the product life cycle.  

As detail is added to the system design, new attack vectors appear and are exposed. The ongoing threat modeling process should therefore examine and diagnose these new threats, and processes should be put in place to mitigate them. In this way threat modeling provides a blueprint for strengthening security throughout the product life cycle, supporting the safety and effectiveness of the device.

MITRE’s Playbook for Threat Modeling Medical Devices

For years, FDA has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MITRE, the Medical Device Innovation Consortium (MDIC), and Adam Shostack to conduct a series of threat modeling bootcamps and develop a playbook based on the learnings from those bootcamps. 

The resulting playbook discusses best practice for applying modern threat modeling techniques within the medical device industry. The playbook can be viewed in full here.

A Simple 4 Question Framework for Implementing Threat Modeling

Threat modeling is intended to be a systematic and repeatable method of identifying cybersecurity threats and deciding how to mitigate them. The process can be broken down into four key questions. This Four Question Framework was developed by Adam Shostack and is used to structure the MITRE Playbook; it is described in full there.

The four questions run as follows, with extracts provided from the MITRE Playbook itself: 

1. What are we working on? 

“To help answer the first question, this section focuses on structured brainstorming and modeling techniques for diagramming medical devices that are being threat modeled. While unstructured brainstorming can certainly be productive, using a more structured approach can help identify gaps in an understanding of the system that might not be apparent with a more ad-hoc approach. More importantly, using a structured methodology can make it easier to share results with others who are also familiar with these techniques.” 

2. What can go wrong? 

In the MITRE Playbook, “the techniques and approaches highlighted are intended to help organizations avoid common pitfalls that occur during the threat modeling process. The Playbook focuses on structured threat modeling techniques and will minimize asking threat modeling teams to “think like an attacker.” Thinking like an attacker is a loaded phrase that often comes up in threat modeling discussions and revolves around the idea of defenders trying to get inside the mind of attackers and predicting what strategies those attackers are going to follow.”

3. What are we going to do about it? 

“At this point in the threat modeling process, the question of “what are we going to do about it?” is better understood as “how do we manage the risk from the threats we have identified?”. It is tempting to focus on defensive techniques. For example, if there is a threat “X”, then apply solution “Y” to mitigate it. But threats are continuously evolving, and the systems being developed all have their unique features. Therefore, this Playbook will instead focus on the broader problem that frequently pops up in threat modeling: the silent acceptance and transferral of risk. Overall, there are four main strategies for addressing threats; eliminate, mitigate, accept, transfer.” 

4. Did we do a good job?  

“The question “Did we do a good job?” serves two purposes. The most immediate impact of this question is to ask, “Is the current threat modeling task complete?” While threat modeling is a continuous process and is most effective when updated and refined over the lifetime of a product, there is a time to finalize documentation. The second, longer term goal of this question is to ask if a threat modeling process is working as desired, or whether there can be improvements made. The challenge involves identifying where and how to receive feedback on the effectiveness of threat modeling processes.”
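The four questions become much easier to answer consistently when the threat register is a data structure rather than a slide deck. The following is an added example written for this article; it is not code from the MITRE Playbook, Nova Leah, or SelectEvidence. It models a hypothetical connected infusion pump (all element and flow names are constructed), enumerates candidate threats for each flow that crosses a trust boundary using STRIDE (assumed here as the per-flow threat taxonomy; the article names none), records a disposition using the Playbook's four strategies, and then lints the register for exactly the failure the Playbook warns about: threats that were silently accepted or transferred because nobody recorded a decision, a rationale, or an owner.

```python
"""Machine-checkable threat register that walks the four questions.

Added example, not code from the article, Nova Leah or the MITRE Playbook.
The system (a hypothetical connected infusion pump), the flow names and the
dispositions are all constructed here. STRIDE is assumed as the per-flow
threat taxonomy; the article does not name one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
STRATEGIES = ("eliminate", "mitigate", "accept", "transfer")


@dataclass(frozen=True)
class Flow:
    """Q1: one data flow in the system model."""
    src: str
    dst: str
    data: str
    crosses_boundary: bool  # True when src and dst sit in different trust zones


@dataclass
class Threat:
    """Q2/Q3: a candidate threat and how the team decided to handle it."""
    flow: Flow
    category: str
    strategy: Optional[str] = None  # None = nobody has decided yet
    rationale: str = ""             # control applied, or why accept/transfer is OK
    owner: str = ""                 # who signed off on accept/transfer

    def key(self) -> Tuple[str, str, str]:
        return (self.flow.src, self.flow.dst, self.category)


# Q1: constructed model of a hypothetical pump; the Wi-Fi link to the
# hospital gateway is the trust boundary.
FLOWS: List[Flow] = [
    Flow("Pump controller", "Clinician display", "dose setpoint", False),
    Flow("Pump controller", "Hospital gateway", "infusion telemetry", True),
    Flow("Hospital gateway", "Pump controller", "drug library update", True),
]


def enumerate_threats(flows: List[Flow]) -> List[Threat]:
    """Q2: emit every STRIDE category for each flow crossing a trust boundary.

    Simplification for the example: flows inside one trust zone are skipped.
    A real model would still consider them, at lower priority.
    """
    return [Threat(f, c) for f in flows if f.crosses_boundary for c in STRIDE]


def apply_dispositions(threats: List[Threat],
                       decisions: Dict[Tuple[str, str, str],
                                       Tuple[str, str, str]]) -> List[Threat]:
    """Q3: attach (strategy, rationale, owner) to the threats the team decided on."""
    for t in threats:
        if t.key() in decisions:
            t.strategy, t.rationale, t.owner = decisions[t.key()]
    return threats


def lint_register(threats: List[Threat]) -> List[str]:
    """Q4: flag the silent acceptance and transfer the Playbook warns about.

    A threat with no strategy is a silent acceptance. accept/transfer need a
    rationale and a named owner; eliminate/mitigate need a named control.
    """
    findings = []
    for t in threats:
        where = f"{t.flow.src} -> {t.flow.dst} [{t.category}]"
        if t.strategy is None:
            findings.append(f"{where}: no disposition recorded (silent acceptance)")
        elif t.strategy not in STRATEGIES:
            findings.append(f"{where}: unknown strategy {t.strategy!r}")
        elif t.strategy in ("accept", "transfer") and not (t.rationale and t.owner):
            findings.append(f"{where}: {t.strategy} requires a rationale and an owner")
        elif t.strategy in ("eliminate", "mitigate") and not t.rationale:
            findings.append(f"{where}: {t.strategy} names no control")
    return findings


def build_example_register() -> List[Threat]:
    """Constructed decisions: three done properly, two sloppy, the rest undecided."""
    decisions = {
        ("Hospital gateway", "Pump controller", "Tampering"):
            ("mitigate", "drug library is signed; signature verified before install", "Firmware"),
        ("Hospital gateway", "Pump controller", "Spoofing"):
            ("mitigate", "mutual TLS using a per-device certificate", "Firmware"),
        ("Pump controller", "Hospital gateway", "Information disclosure"):
            ("transfer", "telemetry carries no PHI; link protection per hospital SLA", "Hospital IT"),
        ("Pump controller", "Hospital gateway", "Denial of service"):
            ("accept", "", ""),               # sloppy: no reason, no owner
        ("Pump controller", "Hospital gateway", "Repudiation"):
            ("mitigate", "", "Firmware"),     # sloppy: which control?
    }
    return apply_dispositions(enumerate_threats(FLOWS), decisions)


if __name__ == "__main__":
    for line in lint_register(build_example_register()):
        print(line)
```

Run as a script, it prints nine findings for the constructed register: seven boundary-crossing threats nobody dispositioned, one "accept" with no rationale or owner, and one "mitigate" that names no control. Wiring a check like this into the design review (or CI for the design repository) gives the fourth question a concrete answer: the task is not complete while the lint reports anything, and the rate of findings over time is a feedback signal on whether the process itself is working.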

SelectEvidence™ And Threat Modeling  

SelectEvidence™ is an expert cybersecurity risk assessment platform from Nova Leah that guides medical device manufacturers through the process of identifying applicable vulnerabilities and selecting the right security controls to mitigate those risks.

Establishing a secure design architecture is at the core of SelectEvidence’s functionality. By integrating threat modeling with risk management and evaluation, an automated and phased security-by-design lifecycle becomes achievable. As general resources for risk assessment, SelectEvidence has the following industry standards built in, all relevant to threat modeling:

• ISO 14971 (safety risk management)
• AAMI TIR57 (security risk management, derived from ISO 14971)
• NIST SP 800-30 (risk assessment)
• ISO 31111

ISO 14971 is the cornerstone standard for the safety risk management processes widely used by medical device manufacturers. Derived from it, AAMI TIR57 specifically addresses cybersecurity risk management and helps manufacturers establish procedures to identify and mitigate security threats that could lead to harm, which ISO 14971 defines as “physical injury or damage to the health of people, or damage to property or the environment”.

To learn more about SelectEvidence™ and its role in security risk management, you can arrange an obligation-free demonstration here.