search menu icon-carat-right cmu-wordmark

Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation

White Paper
This paper compares threat modeling methods for cyber-physical systems and recommends which methods (and combinations of methods) to use.

Software Engineering Institute


Addressing cybersecurity for а complex system, especially for а cyber-physical system-of-systems (CPSoS), requires the strategic view of and planning for the whole lifecycle of the system. For the purpose of this paper, cyber-physical system-of-systems is defined as a system, components of which operate and are managed independently. Thus, components of a system-of-systems (i.e., systems by themselves) should be able to function fully and independently even when the system-of-systems is disassembled. These components are typically acquired separately and integrated later. Components of a system-of-systems may have a physical, cyber, or mixed nature. For the sake of simplicity, we will use the term cyber-physical system instead of cyber-physical system-of-systems.

The nature of a cyber-physical system (CPS) implies a diversity of potential threats that can compromise the integrity of the system, targeting different aspects ranging from purely cyber-related vulnerabilities to the safety of the system as a whole. The traditional approach used to tackle this matter is to employ one or more threat modeling methods (TMMs) early in the development cycle. Choosing a TMM can be a challenging process by itself. The TMM you choose should be applicable to your system and to the needs of your organization. Therefore, when preparing for the task, it makes sense to answer two questions. First, what kind of TMMs exist and what are they? And second, what criteria should a good TMM satisfy? We explored answers to the first question in Threat Modeling: A Summary of Available Methods. This paper addresses the second question and will evaluate TMMs against the chosen criteria.