Threat Modeling & Embedded Systems

In modern society, everywhere we look, we see examples of embedded systems at work: IoT devices in our homes, critical controllers in industrial facilities, medical devices, and all kinds of vehicles. Despite their ubiquity and importance, these systems often lack robust security frameworks comparable to those in traditional IT systems. This is where threat modeling becomes critical, providing a way to think about secure design and focusing on understanding and mitigating embedded system threats.

Embedded Systems Need Special Attention

Embedded systems present unique security challenges:

  • Resource Constraints: Typically, embedded devices have limited processing power, memory, and storage. This makes it challenging to implement robust security controls such as encryption or complex authentication mechanisms.
  • Long Lifecycles: Unlike other systems that may be replaced every few years (such as your laptop), embedded systems in industrial control systems or medical devices can remain in service for decades, often without regular security updates.
  • Physical Accessibility: Embedded devices are frequently deployed in locations that are easy to access physically, enabling attackers to gain direct access to hardware.
  • Real-Time Requirements: Many embedded systems must meet strict timing requirements when responding to inputs, which leaves little room for security overhead that might introduce latency.
  • Diverse Attack Surfaces: Embedded systems can be attacked through software vulnerabilities, hardware manipulation, side-channel attacks, supply chain compromises, and more.

Introducing MITRE EMB3D

The MITRE Embedded Device Security (EMB3D) Threat Model is a comprehensive framework specifically designed to address the unique security challenges of embedded systems. Released as an open-source knowledge base in September 2024, EMB3D (most recently updated to v2.0.1 in April 2025) provides a structured approach to identifying and mitigating threats throughout the embedded device lifecycle.

Key Threats in EMB3D

EMB3D organizes threats into a hierarchical taxonomy, which makes it easier to analyze embedded systems systematically:

  • Device Properties: High-level groupings of related threats (Hardware, Application Software, System Software, and Network – see Figure 1 below)
    • Threats: Specific security concerns within each device property (cataloged through Threat Identifications – TIDs)
      • Mitigations: Countermeasures to reduce or eliminate threat impacts (cataloged through Mitigation Identifications – MIDs)

Figure 1: MITRE EMB3D device properties and threat heat map

This structure allows security teams (and threat modelers) to methodically review potential threats and vulnerabilities rather than relying on ad-hoc analysis.

The EMB3D Framework Structure

Threat types and examples:

Hardware Threats

Hardware is one of the most challenging attack surfaces for embedded systems, as physical access can bypass many software protections.

  • Debug interface exploitation (JTAG, UART)
  • Side-channel attacks that extract secrets by analyzing power consumption or electromagnetic emissions
  • Fault injection attacks that use voltage manipulation to bypass security checks
  • Physical tampering with components or traces

Application and System Software Threats

Embedded systems run software that can contain vulnerabilities.

  • Buffer overflows and memory corruption in firmware
  • Insecure boot processes that allow malicious code to load
  • Inadequate code signing and verification
  • Privilege escalation vulnerabilities
  • Insecure update mechanisms that could allow malicious firmware installation

Network and Communication Threats

As embedded devices increasingly connect to networks, they inherit all the network security challenges of traditional systems, often without defenses.

  • Unencrypted communications exposing sensitive data
  • Weak or default credentials
  • Vulnerable protocols and services
  • Interception attacks
  • Denial of service vulnerabilities

Using EMB3D in Your Threat Modeling Process

Here is a practical approach to using EMB3D for embedded system threat modeling:

1. Define Your System Scope

Document what you are analyzing. Create a system architecture diagram showing all components, interfaces, data flows, and trust boundaries. Identify what assets you are protecting (user data, cryptographic keys, control functionality, safety features) and document any assumptions about the operational environment.

2. Map to EMB3D Device Properties

Work through each EMB3D device property systematically. For each component in your architecture, ask which threats from the framework apply. Consider the entire lifecycle from development through decommissioning.

3. Assess Threat Severity

Not all threats pose equal risk. Evaluate each identified threat based on the likelihood of exploitation (considering attacker capability requirements, accessibility, and existing controls) and the potential impact on confidentiality, integrity, availability, and safety.

4. Identify Gaps and Mitigations

Compare your current security controls against EMB3D’s recommended mitigations. This gap analysis reveals where the embedded system is exposed to security threats and helps prioritize security investments. Document why you accept specific threats if you choose not to mitigate them.

5. Validate and Test

Threat models are only valuable if they reflect reality. Conduct penetration testing and security assessments focused on the threats you have identified. Review and update your threat model as the system evolves or new threats emerge.
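
Steps 2 through 4 above, sketched as an added example (not from the original article or from MITRE): a small Python gap analysis over a constructed device. The TID-X*/MID-X* identifiers, property strings, ratings, and the gateway itself are placeholders made up for illustration; real identifiers come from the EMB3D knowledge base.

```python
from dataclasses import dataclass, field

# Constructed catalog excerpt. Threat names follow the lists above; the
# TID-X*/MID-X* ids and property strings are placeholders, not EMB3D's own.
CATALOG = [  # (id, category, device property, threat, mitigation ids)
    ("TID-X1", "Hardware", "debug port",
     "Debug interface exploitation (JTAG, UART)", {"MID-X1"}),
    ("TID-X2", "Hardware", "external power rail",
     "Fault injection bypassing security checks", {"MID-X2"}),
    ("TID-X3", "System Software", "remote firmware update",
     "Insecure update mechanism", {"MID-X3", "MID-X4"}),
    ("TID-X4", "Network", "network login service",
     "Weak or default credentials", {"MID-X5"}),
]

@dataclass
class Component:                      # step 1: one box in the architecture diagram
    name: str
    props: set                        # device properties the component has
    controls: set = field(default_factory=set)    # mitigations already in place
    accepted: dict = field(default_factory=dict)  # tid -> documented rationale

def gap_analysis(components, ratings):
    """Steps 2-4: map properties to threats, score them, list missing mitigations."""
    findings = []
    for comp in components:
        for tid, category, prop, threat, mitigations in CATALOG:
            if prop not in comp.props:            # step 2: threat does not apply
                continue
            likelihood, impact = ratings[tid]     # step 3: team-assigned, 1..3
            missing = sorted(mitigations - comp.controls)   # step 4: the gap
            status = ("mitigated" if not missing
                      else "accepted" if tid in comp.accepted else "open")
            findings.append({"component": comp.name, "tid": tid, "threat": threat,
                             "category": category, "risk": likelihood * impact,
                             "missing": missing, "status": status})
    # Open items first, highest risk first: the backlog to test in step 5.
    findings.sort(key=lambda f: (f["status"] != "open", -f["risk"], f["tid"]))
    return findings

# Constructed example device: a networked sensor gateway.
GATEWAY = [
    Component("MCU board", {"debug port", "external power rail"},
              accepted={"TID-X2": "device sits in a locked cabinet"}),
    Component("Updater", {"remote firmware update"}, controls={"MID-X3"}),
    Component("Admin service", {"network login service"}, controls={"MID-X5"}),
]
RATINGS = {"TID-X1": (2, 3), "TID-X2": (1, 3), "TID-X3": (2, 3), "TID-X4": (3, 2)}
```

Calling gap_analysis(GATEWAY, RATINGS) returns the open debug-port and update-mechanism findings first, followed by the mitigated and accepted ones, so an accepted threat stays visible together with its recorded rationale.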

Getting Started

Get started with MITRE EMB3D today! Here are five practical next steps:

1. Access the Framework:

Visit the MITRE EMB3D website to explore the complete threat taxonomy and documentation.

2. Train Your Team:

Ensure your security team, developers, and architects understand both general threat modeling principles and the specifics of embedded system security.

3. Start Small:

Begin with a pilot project on a single embedded system to learn the framework before rolling it out more broadly.

4. Integrate with Development:

Make threat modeling a standard part of your secure development lifecycle, not a one-time exercise.

5. Stay Current:

MITRE EMB3D continues to be revised with new and updated threats and mitigations.

MITRE EMB3D Terms of Use

One item to be aware of in using MITRE EMB3D is its Terms of Use. The EMB3D framework is free to use for internal business purposes, academic purposes by public or non-profit educational organizations, and for research. It is not to be used for commercial purposes (i.e., turned into or used as a “for-profit” tool). Please consider these requirements when using the framework.

Conclusion

Embedded systems are becoming increasingly critical to our infrastructure. Rigorous threat modeling is no longer optional. One solution is to check out MITRE EMB3D and its comprehensive, structured approach, specifically tailored to the unique challenges of embedded device security. By systematically working through hardware, software, and network threats, security teams and threat modelers can identify threats and vulnerabilities before attackers do and implement effective mitigations.

About the Author

Robert Hurlbut, a Principal Product Security Architect and Threat Modeling Trainer at Toreon, has over 30 years of experience in secure coding and software architecture. Before joining Toreon, he initiated and led threat modeling programs at Bank of America and Aquia. Robert is passionate about empowering teams to identify, communicate, and understand threats and mitigations, ultimately enhancing the security of workloads through effective threat modeling. He is an ISC2 Certified Secure Software Lifecycle Professional (CSSLP), holds a Master of Science in Cyber Security from Southern New Hampshire University, and is pursuing a Ph.D. in Space Cybersecurity at Capitol Technology University. Additionally, Robert is a co-author of the Threat Modeling Manifesto and the Threat Modeling Capabilities Model, and he co-hosts the Application Security Podcast. Globally recognized as an expert in threat modeling, he regularly contributes thought leadership and delivers workshops and training at industry events.
