Threat Modeling for Cyber-Physical Systems: A Two-dimensional Taxonomy Approach for Structuring Attack Actions

Monika Maidl, Gerhard Münz, Stefan Seltzsam, Marvin Wagner, Roman Wirtz, Maritta Heisel


Cyber-physical systems (CPSs) include devices that interact with the physical world. Hence, attacks against CPSs can lead to substantial damage and endanger life and limb. It is important to consider possible attacks already in the early stages of system development, i.e. during the design phase, by performing threat modeling. Threat modeling aims at identifying, analyzing and documenting potential attacks and threats against a given CPS in a structured way. However, the systematic identification of all relevant threats is not trivial. One challenge is that knowledge about threats or potential attack actions is not documented in a way that makes it easily accessible. To address this challenge, we propose a taxonomy approach for structuring attack actions. The distinguishing feature of the taxonomy approach is the use of two dimensions: attack action types and the attack surface. The attack surface consists of those points of a system at which interaction is possible. Attackers can perform attack actions instead of the intended interaction at these points. As a CPS consists of a range of heterogeneous, connected components that can be accessed in various ways, the attack surface of a CPS is typically large. The attack surface of a specific CPS is defined by its system architecture model. We developed the taxonomy approach to support threat modeling for CPSs. Starting from existing approaches in the context of threat modeling, we extended and modified those in several iterations to meet the challenges of threat modeling for CPSs in industrial projects. While the focus in this paper is on CPSs, the two-dimensional taxonomy approach can be easily applied to other domains.

