Skip to content

Mind the (Interpretation) gap: Another reason why threat modeling is important

The interpretation and implementation of security standards and guidelines often pose challenges and leave questions unanswered. This gap between standards and requirements can lead to vulnerabilities and security issues, even in certified products and environments. Being compliant with standards does not necessarily mean being secure. The interpretation of guidelines and requirements in standards is not an easy task, as they can be generic and open to interpretation. Specific requirements may also lead to conflicting interpretations among stakeholders, affecting the implementation process.

Threat modeling is a solution to avoid shortcomings in the implementation of standards and security policies. It helps enforce the proper implementation of requirements by considering relevant threats to the system and identifying mitigations to reduce or avoid associated risks. Each requirement is mapped to a set of threats and mitigations based on specific conditions and context. This approach is crucial because concerns about the interpretation of technical requirements still persist even after companies have been audited against them.

An analysis of disclosed vulnerabilities in Industrial Control Systems (ICS) and their alignment with the technical requirements of the IEC 62443 standard demonstrates the challenges faced by implementers and assessors. The analysis of CISA ICS advisories data reveals the top weaknesses and their mapping to IEC 62443 requirements. It also highlights the sectors most affected by vulnerabilities and the severity distribution of these vulnerabilities.

The analysis shows that vulnerabilities often map to requirements at different levels of abstraction. This leads to increased complexity in interpreting and implementing requirements. While a high level of granularity allows for the definition of security mechanisms, a low level of granularity is necessary for better understanding of threats and failures specific to a system. The case of the “Input validation” requirement exemplifies this complexity, as it encompasses various properties of data and input use cases that need validation.

Another interesting use case is the “Improper access control” weakness, which is high-level and maps to foundational requirements in the IEC 62443 standard. This highlights the misuse of high-level abstraction weaknesses in vulnerability reports, making trend analysis difficult.

Threat modeling can help address these challenges. It allows software developers, system architects, and security professionals to understand requirements and address predictable security issues. Threat modeling tools can generate relevant threats and mitigations automatically, based on specific assumptions and threat intelligence data. The set of mitigations can be tailored to meet different needs, such as the strength of potential adversaries, as defined in the IEC 62443 standard.

In conclusion, the gap between security standards and requirements interpretation and implementation poses challenges and leads to vulnerabilities. Threat modeling is a valuable tool to ensure the proper implementation of requirements and mitigate risks. It allows for a better understanding of threats and failures specific to a system, and helps address predictable security issues.

Leave a Reply

Your email address will not be published. Required fields are marked *