Threat Modeling: A General Introduction

2 years ago

In this article, we will provide a general overview of Threat Modelling (why medical device manufacturers should use it, how it works and what the regulatory requirements are). Nowadays, Threat Modeling is a topic for all medical devices with embedded software or standalone software. This is because threat modeling is a structured process to analyse the cybersecurity risks that auditors consider to be “state of the art”.

Why should you use threat modeling?

There are several reasons why you should use threat modeling to analyze the IT security of your medical device.

Develop Secure Device

Threat modeling is a structured process that helps you to evaluate and mitigate cybersecurity risks and guarantee the IT security of your device.

Fulfilling legal requirements

IT security is not only an ethical question but also from the legal point of the view, the manufacturers are obligated to guarantee the security of their medical devices.

Speed up development and reduce costs

Usually, IT security costs money, and it becomes more expensive when vulnerabilities are found in a late stage of development or even when the device is already on the market. The sooner the manufacturer discovers vulnerabilities, the sooner it is more economic to fix them. This means manufacturers should integrate threat modeling as mandatory activity into their development process.  

How does threat modeling work?

Scope and target

The first step is to define the scope and the subject of the threat modeling. This step is very important to analyze at a great level of detail, the possible vulnerabilities of the medical device developing a secure architecture.

Creating the model

The manufacturers need to put together all the elements of the medical device’s ecosystem, such as:

  • System process
  • Data flows
  • External entities
  • Data store
  • Trust Boundaries

The picture below shows a possible example of threat modeling:

Picture: Threat Modeling

The table below explain all the type of entities that can be used to create a model:

Notation Element



External Entity

People (ex: users)

Systems (ex: other devices)

Cloud Services

Control Unit




Web Services

Virtual Machine

Generic Data Store

Data Storage







Http Request

CAN Bus 

UDP Communication 


Trust Boundaries

Device boundary 

Process boundary

The manufacturers should consider all the possible entities involved and usage scenarios of their devices, in this way the model can be considered effective.

Identify Threats


Once the model has been created, the identification of all the possible threats can start. Usually, this exercise is made using one of the most popular tool on the market Microsoft’s Threat Modeling Tool.

 Those threats can be assigned to the following categories following the STRIDE model:


Desired Property




Tricking a system into believing a falsified entity is a true entity



International modification of a system in an unauthorized way




Disputing the authenticity of an action taken

Information disclosure


An attacker accesses data from the device while not begin authorized to see it

Denial of Service


An attacker absorbs or destroys resources of the devices needed to provide the intended service

Elevation of Privilege


An attacker accesses functions of the device while not begin authorized to do it

This step generates a list of threats that should be evaluated.

Vulnerabilities & Countermeasures

Not every potential threat has to result in measures begin taken. However, the manufacturer should provide a statement to justify the missing counter measure for that threat.

In case the risk is not acceptable, the manufacturer should define and implement a counter measure. There are standards actions for each threat according to the STRIDE classification:

Mitigation Technique


Mitigation Control



External devices have to authenticate themselves using X.509 certificates

Digital Signature


Secure Boot



Device role is part of the certificates





I, T, D


Message authentication code


Append an HMCA to each Log Record

Physical tamper resistant


Protect the chassis of the device

Protect secrets and secret data

I, T

AES-256 Encryption

Input sanitization

I, T, D

Sanitize data received from external device

Least privileges


Role concept

Audit trail


Security Event Log

It is in the responsibility of the manufacturer to define the correct measure for each possible threat.

Reviewing full implementation

Before releasing the medical devices, the manufacturer should ensure that all the defined counter measures have been implemented and their effectiveness demonstrated. This means that the counter measure should be easily tracked into the technical file and the effectiveness can be demonstrated having the relative penetration tests executed.

Continuous process

Threat modelling is not a straightforward one-time task, it should be an iterative process and after each iteration a retrospective should take place to check the completeness and effectiveness. The manufacturers should take in account that new threats and new attack techniques emerge over time.


What are the regulatory requirements for threat modeling?

Neither the MDR nor the FDA require explicitly manufactures to perform threat modeling, however they do require manufacturers to minimize IT security risks. A list of guidelines and playbook currently available:

All these documents mention threat modeling. This means manufacturers will have a hard time justifying not using threat modeling.

The fundamentals of threat modeling can be learned quickly, in part because there are good tools and the modeling language only involves few notational elements.

The system provides manufacturers, as well as notified bodies and regulatory authorities, with the necessary confidence in the IT security of the medical device.

Therefore, threat modeling should be an indispensable part of the secure development life cycle for all medical devices that are or contain software.


Author: Alessandro Vitiello
Head of Software & Hardware at Software


Share this post