1403  Worked Examples: Threat Modeling and Incident Response

1403.1 Worked Examples

This chapter provides detailed, step-by-step worked examples for threat modeling and incident response in IoT security.

1403.2 Worked Example: Threat Modeling for Connected Medical Device

Scenario: MedTech Innovations is developing “GlucoSmart Pro,” a connected insulin pump for Type 1 diabetes patients. The device communicates via Bluetooth LE to a smartphone app, which syncs with cloud services for remote monitoring by healthcare providers.

Goal: Systematically identify threats using STRIDE, build attack trees for critical threats, prioritize risks, and document mitigations with residual risk acceptance for FDA cybersecurity documentation.

Step 1: System Decomposition

What we do: Map all components, data flows, and trust boundaries in the insulin pump ecosystem.

System Components:

Component	Description	Trust Level
Insulin Pump	MCU (ARM M4), BLE radio, insulin reservoir	Device
Mobile App	iOS/Android app for display, dose adjustment	User
Cloud API	AWS API Gateway, patient database	Cloud
Provider Portal	Healthcare provider web interface	External

Data Flow Inventory:

Flow ID	Source	Destination	Data Type	Sensitivity
DF-1	Pump	Mobile App	Glucose readings, dosing	PHI - HIGH
DF-2	Mobile App	Pump	Dose commands	Safety-Critical
DF-3	Mobile App	Cloud	Sync data	PHI - HIGH
DF-4	Cloud	Provider Portal	Patient history	PHI - HIGH
DF-5	Pump	Pump	Firmware updates	Integrity-Critical

Step 2: STRIDE Analysis

STRIDE Threat Matrix:

Component	S	T	R	I	D	E
Insulin Pump	S1, S2	T1, T2	R1	I1	D1, D2	E1
BLE Connection	S3	T3, T4	R2	I2, I3	D3	-
Mobile App	S4	T5	R3	I4	D4	E2
Cloud API	S5	T6	R4	I5	D5, D6	E3

Key Threats Identified:

• S1: Attacker spoofs legitimate mobile app to pump
• T1: Firmware modification via debug interface
• T3: BLE packet modification in transit (MITM)
• T4: Replay attack of previous dose commands
• I2: BLE sniffing exposes health data
• D1: Battery exhaustion attack
• E1: Debug mode enables unauthorized commands

Step 3: Risk Prioritization (DREAD)

Threat ID	Threat Description	D	R	E	A	D	Score	Priority
T-001	BLE MITM dose injection	10	7	5	1	7	30	CRITICAL
T-002	Firmware tampering via JTAG	10	8	3	1	5	27	CRITICAL
T-003	BLE replay attack	10	6	7	1	8	32	CRITICAL
T-005	Cloud API credential theft	5	7	6	10	8	36	CRITICAL
T-006	SQL injection patient data	5	8	7	10	6	36	CRITICAL

Step 4: Mitigation Design

Critical Threat Mitigations:

T-001: BLE MITM Dose Injection

• M1.1: Implement BLE Secure Connections (LESC) with numeric comparison (90% effective)
• M1.2: End-to-end encryption with device-specific keys (95% effective)
• M1.3: Command authentication with HMAC-SHA256 (85% effective)
• M1.4: Dose command timeout - 10 second validity (70% effective)

T-002: Firmware Tampering via JTAG

• M2.1: Disable JTAG in production fuses (95% effective)
• M2.2: Secure boot with RSA-2048 signed firmware (90% effective)
• M2.3: Hardware tamper detection - mesh sensor (80% effective)
• M2.4: Firmware integrity monitoring (75% effective)

T-003: BLE Replay Attack

• M3.1: Sequence numbers on all commands (95% effective)
• M3.2: Timestamp validation - 10 second window (85% effective)
• M3.3: Session tokens with 15-minute refresh (90% effective)

Step 5: Residual Risk Acceptance

Residual Risk Summary:

Threat	Initial Score	Post-Mitigation	Reduction	Status
T-001 BLE MITM	30	8	73%	ACCEPT
T-002 Firmware Tamper	27	5	81%	ACCEPT
T-003 Replay Attack	32	6	81%	ACCEPT
T-005 Credential Theft	36	10	72%	ACCEPT
T-006 SQL Injection	36	4	89%	ACCEPT

Compensating Controls:

• All dose commands logged with millisecond timestamps
• Anomaly detection flags unusual patterns
• 24/7 clinical support hotline
• Hardware override button on pump
• Automatic glucose monitoring with alerts

Final Result

Outcome: Comprehensive threat model documenting 10 significant threats, STRIDE analysis, attack trees, and mitigations reducing critical threat scores by 72-89%.

Key Decisions:

1. Chose BLE over Wi-Fi for proximity-based security
2. Allocated budget for secure elements despite 40% BOM increase
3. Required minimum 3 mitigations per critical threat
4. Accepted narrow residual risks with compensating controls

FDA Submission Artifacts:

• Threat model documentation
• STRIDE threat matrix with CVSS scores
• Attack trees for life-threatening scenarios
• Mitigation effectiveness analysis
• Residual risk acceptance with clinical justification

1403.3 Worked Example: Incident Response for IoT Breach

Scenario: SmartTower Properties manages a 45-story commercial building with 2,400 IoT devices. At 2:47 AM, the SOC detects that 23 HVAC controllers are communicating with an unknown external IP address in Eastern Europe.

Goal: Execute structured incident response following NIST SP 800-61 guidelines while maintaining building operations and tenant safety.

Step 1: Detection and Analysis

Detection Timeline:

Time	Event
02:47:00	SIEM alert: Unusual outbound traffic from HVAC subnet
02:47:15	SOC analyst reviews, sees 23 devices affected
02:48:00	Analyst confirms traffic to known C2 server
02:52:00	Incident declared, IR team lead notified
02:55:00	IR team assembles, initial briefing
03:00:00	Severity classified as HIGH

Initial Indicators of Compromise:

• Outbound HTTPS to 185.xx.xx.xx:443
• Modified firmware hash on affected controllers
• New user account “svc_maintenance” with admin rights
• Scheduled task executing at 02:45 daily

Business Impact Assessment:

• No immediate safety risk (HVAC has fail-safe)
• Tenant comfort may be affected if HVAC disabled
• Data exfiltration includes occupancy patterns (GDPR concern)

Step 2: Containment

Short-Term Containment Actions (03:00 - 03:45):

1. Network Isolation (03:05)
   • Block outbound traffic to C2 IP at perimeter firewall
   • Enable ACL on BACnet switch: deny non-essential traffic
   • Affected controllers can still reach BMS internally
2. Evidence Preservation (03:15)
   • Capture network traffic from affected VLAN
   • Snapshot memory of 3 affected controllers
   • Export SIEM logs for 72-hour window
3. Prevent Lateral Movement (03:25)
   • Disable BACnet routing between floor segments
   • Reset BBMD (BACnet Broadcast Management Device)
   • Enable enhanced logging on unaffected floors
4. Maintain Operations (03:35)
   • Switch affected floors to manual HVAC schedules
   • Notify building operations team
   • Document degraded mode procedures

Containment Decision: Segment rather than full isolate - maintains safe operations for ~2,000 workers while containing threat.

Step 3: Eradication

Root Cause Analysis:

Root Cause: Default credentials on HVAC controllers

Attack Vector: "All affected units had factory password 'trane123'"
Timeline: Likely compromised 3+ months ago

Persistence Mechanisms Found:
- Modified firmware with backdoor
- Scheduled task "svc_daily_sync" (runs 02:45 daily)
- Backdoor account "svc_maintenance"

Eradication Steps (04:00 - 08:00):

Phase	Time	Actions
Firmware Recovery	04:00-06:00	Obtain clean firmware, test on single device
Mass Remediation	06:00-07:30	Reflash all 23 controllers with clean firmware
Credential Rotation	07:30-08:00	Change passwords on ALL 180 HVAC units
Verification	08:00-09:00	Verify no C2 traffic, check firmware hashes

Step 4: Recovery

Phased Recovery (09:00 - 12:00):

Floor 15 (Pilot):

• 09:00: Reconnect 3 HVAC units to BACnet VLAN
• 09:15: Verify BMS communication restored
• 09:30: Enable automated schedules
• 10:00: Monitor for 30 minutes
• 10:30: Confirm normal operation, proceed to next floor

Floors 16-22 (Rolling):

• 10:30-12:00: Restore remaining floors (20 min each)
• Each floor gets 15-min monitoring period
• Any anomaly triggers immediate rollback

Security Enhancements Deployed:

• Permanent VLAN separation by floor
• BACnet traffic inspection at boundaries
• Outbound internet blocked for all BACnet devices
• Unique passwords per device (stored in PAM)
• 90-day rotation schedule
• BACnet-aware IDS rules

Step 5: Lessons Learned

Root Cause (5 Whys):

Why did the breach occur?
-> Attackers gained access to HVAC controllers

Why could attackers access controllers?
-> Controllers had default passwords and internet access

Why did controllers have default passwords?
-> No password change process during 2019 installation

Why was there no password change process?
-> Building systems not included in IT security policies

Why were building systems excluded?
-> OT/IT security silos; no IoT security program

ROOT CAUSE: Lack of unified IT/OT security governance

Remediation Actions:

Finding	Owner	Due Date
Credential audit for all building systems	Facilities + IT	30 days
Network segmentation project	Network team	60 days
Firmware verification tooling	Security Ops	45 days
Update InfoSec policy for OT/IoT	CISO	14 days
Vendor access management	IT Ops	30 days
OT-specific IR procedures	Security Ops	45 days

Final Result

Metrics:

Metric	Value
Time to detection	18 minutes
Time to containment	48 minutes
Time to eradication	5.5 hours
Time to full recovery	9 hours
Tenant-impacting downtime	0 hours
Total incident cost	~$125,000

Security Posture Improvements:

Before	After (60 days)
40% default credentials	0% default credentials
Flat network (2,400 devices)	12 segments with inspection
No OT security monitoring	BACnet-aware IDS (47 rules)
Building systems excluded from policy	Unified IT/OT policy
No IR playbook for building systems	Tested playbook (tabletop completed)

1403.4 Knowledge Check

{
  const container = document.getElementById('kc-defense-12');
  if (container && typeof InlineKnowledgeCheck !== 'undefined') {
    container.innerHTML = '';
    container.appendChild(InlineKnowledgeCheck.create({
      question: "After an IoT breach, the post-incident review reveals the root cause was default credentials on HVAC controllers. The CISO proposes implementing network segmentation, device certificates, and anomaly detection. A board member asks: 'Which single control would have prevented this breach?' What is the BEST response?",
      options: [
        {text: "Network segmentation alone would have stopped the attack", correct: false, feedback: "Segmentation limits lateral movement but doesn't prevent initial compromise of devices with default credentials."},
        {text: "Device certificates would have prevented unauthorized access", correct: false, feedback: "Certificates authenticate devices but don't address the default credential issue."},
        {text: "No single control prevents all attacks - defense in depth requires multiple layers", correct: true, feedback: "Correct! Defense in depth is fundamental. Each control addresses different attack vectors. Multiple controls ensure no single failure leads to complete compromise."},
        {text: "Better antivirus on the HVAC controllers would have caught the malware", correct: false, feedback: "IoT devices typically can't run traditional antivirus. The issue was access control, not malware detection."}
      ],
      difficulty: "medium",
      topic: "iot-security"
    }));
  }
}

1403.5 What’s Next

Now that you’ve studied detailed worked examples, continue to:

• Visual Reference Gallery - Review security diagrams and attack visualizations
• Interactive Security Tools - Use risk calculators and visualizers
• Practice Exercises - Apply your knowledge with hands-on exercises