A repository for templates and things related to automotive threat modeling
If you have done threat modeling and used the Microsoft Threat Modeling Tool (MSTMT), you would know how much a good template can help you and your team to conduct threat enumeration. A large part of automotive threat modeling could be automated if templates are created and shared among the security engineers. Until now, the automotive template from NCC Group is often used. It seems to be skewed toward the ADAS system, and there are many false positives in threat generation.
This template is created to encode the threat catalog from the UN Task Force on Cyber Security and OTA issues (CS/OTA). The CS/OTA cybersecurity threat table has a good description of the threats related to automotive OTA update. To my opinion, it is more intuitive and self-explanatory for high-level automotive threat modeling. This template encodes the threats from the CS/OTA table as-is. I have made several necessary extensions when converting it to a MSTMT template.
- Stencils. Most stencils in the template are directly taken from the CS/OTA table. Some stencil names are slightly modified to comply with the MSTMT rules. A few stencils are added for common automotive components. Other stencil information from the CS/OTA table is added as stencil properties.
- Threat types. Not all threats in the CS/OTA table are categorized according to STRIDE. Missing STRIDE categories are added.
- Threat properties. Each threat in the CS/OTA table has some additional information. This information is added as threat properties. The explanation can be found in the CS/OTA table.
- Threat generation expressions. Threat generation expressions are added based on my analysis and interpretation of each of the threats in the CS/OTA table. The goal is to minimize false-positive and false-negative when MSTMT automatically generates applicable threats.
Download the tb7 file. Run Microsoft Threat Modeling Tool 2016. If you just want to use the template, choose it under "Template For New Models". If you want to modify or add your own stencils and threat types, choose it under "Open Template".
You can also merge this template with other templates to increase your threat repository.
A few things to know before you start:
- Use existing stencils if possible. If not, use the "generic" ones instead. You can always change the "Name" of a stencil to suit your needs. It does not affect threat generation.
- Place trust boundaries.
- Create different threat models for different use cases/scenarios.
- Note that automatically generated threats are just a starting point. The resulting list is not exhaustive, but it gives you a good start for further enumeration.
- You probably need to review and delete irrelevant threats. Note that the same threats can be seen in different processes and data flows.
This automotive threat modeling template contains publicly available threat information and is offered "as-is", without warranty. It was created in my personal capacity and reflects my own opinion.
If you like the template or want to improve it, send me an email dr.zhendong.ma [at] gmail [dot] com
- Updating threat library for SDVs, V2X, and IVIs, the goal is to make a holistic library.