Software Cybersecurity Risks on Embedded Devices/IoT

MITRE has applied its ATT&CK model to enterprise networks, mobile devices and critical infrastructure. However, one area is still weak in terms of the formal classification of threats: embedded devices. For this, they have released the EMB3D threat map, which integrates the ATT&CK framework with the CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration) data sources [here]:

In this, we split the threats into the classifications of application software, system software, hardware and networking [here]:

There are then 24 software risks:

This can be illustrated with:

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
