Industrial Internet Security Framework v 1.0 | Page 31
Security Framework
5: Managing Risk
5.2.1 OWASP IOT ATTACK VECTORS
A non-exhaustive collection of potential attack vectors for IoT systems has been compiled from
various sources by the OWASP¹ IoT project, which also compiles attack vectors for web
applications. Each organization, depending on risk tolerance, needs to evaluate the list below to
understand which vectors are applicable. Countermeasures and mitigations to address these
attacks need to be confirmed by formal evaluations that may include static analysis, dynamic
testing, fuzz testing and penetration testing.
The OWASP IoT Top Ten List² includes:
1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software/firmware
10. Poor physical security
This list is a good starting point for questions, analysis and understanding the relevant attack
types, but it is not complete, and the consequences of attacks differ between IoT and IIoT.
5.2.2 STRIDE THREAT MODEL
STRIDE³, developed by Microsoft, models risks and evaluates threats for the IT environment. The
STRIDE model has also been extended to incorporate IoT threats⁴ that are applicable to IIoT
systems. The STRIDE model comprises several elements:
An adversary (STRIDE’s term for an attacker) is a malicious entity whose goal is to prevent an
asset from working as designed, thereby compromising the integrity, availability or confidentiality
of a system or its data. Adversaries exploit vulnerabilities in assets; this combination of
adversary, vulnerability and asset constitutes a threat. The threat model describes the set of
possible attacks on an asset. These threats are then classified by severity so that the potential
countermeasures can be evaluated.
Spoofing identity: This is a type of threat where a person or device is using another person’s
credentials such as login and password. A device can use a spoofed device ID.
Tampering with data: Altering the data related to a device or traversing the network.
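As an added illustration (not part of the IISF document) of the process just described, the following script enumerates the STRIDE threats that apply to each element of a small, constructed IIoT data-flow model, skips those already countered, and ranks the rest by a constructed severity score so countermeasures can be prioritized. The per-element applicability table follows Microsoft's STRIDE-per-element guidance; the asset names, impact/exposure values and weighting are assumptions for the example.

```python
# Added example: STRIDE threat enumeration over a constructed IIoT model.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE categories applicable to each data-flow-diagram element type
# (Microsoft STRIDE-per-element chart).
APPLICABLE = {"external": "SR", "process": "STRIDE", "flow": "TID", "store": "TRID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # external | process | flow | store
    impact: int                # 1..5, consequence if the asset is compromised
    exposure: int              # 1..5, reachability by an adversary
    mitigations: frozenset = frozenset()   # STRIDE letters already countered

def enumerate_threats(elements):
    """Return (severity, element name, STRIDE category) for every applicable,
    unmitigated threat, highest severity first."""
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {e.kind}")
        for letter in APPLICABLE[e.kind]:
            if letter in e.mitigations:
                continue
            # Constructed score: impact x exposure. Denial of service on a
            # control process is weighted up because IIoT consequences are physical.
            severity = e.impact * e.exposure
            if letter == "D" and e.kind == "process":
                severity += e.impact
            threats.append((severity, e.name, STRIDE[letter]))
    return sorted(threats, reverse=True)

# Constructed model: operator -> PLC, plant telemetry -> gateway, historian store.
MODEL = [
    Element("operator HMI login", "external", impact=4, exposure=3),
    Element("PLC control loop", "process", impact=5, exposure=2, mitigations=frozenset("S")),
    Element("sensor telemetry (plant -> gateway)", "flow", impact=3, exposure=4),
    Element("historian DB", "store", impact=4, exposure=2, mitigations=frozenset("I")),
]

if __name__ == "__main__":
    for sev, name, cat in enumerate_threats(MODEL):
        print(f"{sev:2d}  {cat:<23} {name}")
```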
¹ See [OWASP]
² See [OWASP-IOT]
³ See [MS-STRIDE]
⁴ See [MS-STRIDE-IOT]
IIC:PUB:G4:V1.0:PB:20160926