natural gas refinery at sunset

MITRE, Red Balloon Security, and Narf Announce EMB3D – A Threat Model for Critical Infrastructure Embedded Devices

Collaborative framework provides common understanding to mitigate cyber threats

McLean, Va. & Bedford, Mass., December 13, 2023 — Our nation’s critical infrastructure depends on embedded devices across industries such as oil and natural gas, electric, water management, automotive, medical, satellite, autonomous systems, and unmanned aircraft systems. However, these devices often lack proper security controls and are insufficiently tested for vulnerabilities. Sophisticated cyber adversaries increasingly attempt to exploit these devices, as evidenced by a growing number of CISA ICS advisories identifying significant threats to many life- and safety-critical devices. The EMB3D™ Threat Model, a collaborative effort by MITRE, Niyo Little Thunder Pearson (ONEGas, Inc.), Red Balloon Security, and Narf Industries, provides a common understanding of the threats posed to embedded devices and the security mechanisms required to mitigate them.

EMB3D aligns with and expands on several existing models, including Common Weakness Enumeration, MITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded device focus. EMB3D provides a cultivated knowledge base of cyber threats to devices, including those observed in the field environment or demonstrated through proofs-of-concept and/or theoretic research. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices. For each threat, suggested mitigations are exclusively focused on technical mechanisms that device vendors should implement to protect against the given threat, with the goal of building security into the device. EMB3D is intended to offer a comprehensive framework for the entire security ecosystem—device vendors, manufacturers, asset owners, security researchers, and testing organizations.

"The EMB3D framework stands as a perfect example of MITRE's role as both an innovator and a connector, working hand-in-hand with industry leaders to develop cutting-edge tools,” said Beth Meinert, senior vice president, general manager, MITRE Public Sector. “Together, we are committed to enhancing the cyber posture of critical infrastructure sectors that rely on Operational Technology technologies. This collaboration exemplifies the power of collective expertise and underscores MITRE's dedication to advancing the resilience and security of vital systems in today's interconnected world.”

“Utilities like mine have been forced to extreme measures to secure our infrastructures because of concerns about ICS device insecurities,” says Niyo Little Thunder Pearson, ONEGas, Inc., and sponsor of the research. “The EMB3D model will provide a means for ICS device manufacturers to understand the evolving threat landscape and potential available mitigations earlier in the design cycle, resulting in more inherently secure devices. This will eliminate or reduce the need to ‘bolt on’ security after the fact, resulting in more secure infrastructure and reduced security costs.”  

EMB3D is intended to be a living framework, where new threats and mitigations are added and updated over time as new threat actors emerge and security researchers discover new categories of vulnerabilities, threats, and security defenses. Anticipated to be released in early 2024, EMB3D will be a public community resource, where all information is openly available and the security community can submit additions and revisions.

“We encourage device vendors, asset owners, researchers, and academia to review the threat model and share feedback, ensuring our collective efforts remain at the forefront of safeguarding our interconnected world,” said Yosry Barsoum, vice president and director, Center for Securing the Homeland at MITRE. “Insights, expertise, and a collaborative spirit are invaluable as we work together to strengthen the resilience of our digital infrastructure. Together, we can build a safer and more secure future.”

The threat model is currently in a pre-release review period. Interested device vendors, asset owners, researchers, and academics who can commit to a review of this framework are encouraged to send their inquiry to


MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and as an operator of federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at

About Red Balloon Security

Founded in 2011, Red Balloon Security ( is a leading cybersecurity provider and research firm that specializes in the protection of embedded devices across all industries. The company’s technology defends embedded systems with a suite of host-based firmware security solutions that provide continuous runtime protection of firmware and secure embedded systems against exploitation. Red Balloon Security’s pioneering R&D is led by a team of world-class academic researchers and developers who have published seminal research papers in the fields of embedded security and intrusion detection, led U.S. Department of Defense-funded research activities, ethically disclosed vulnerabilities within hundreds of millions of ubiquitous embedded devices, and worked as embedded security researchers within various intelligence agencies.          

About Narf Industries

Founded in 2009, Narf Industries ( is a cadre of cybersecurity researchers and engineers tackling some of the most important cybersecurity problems facing society, industry, and government. We work with U.S. government agencies such as DARPA, DHS, DOE, and ARPA-H to battle emerging threats to critical infrastructure, healthcare, and open source supply chains. We combine cutting-edge research with real-world, large-scale deployments of that work.

Narf’s expertise in computer and network security spans most areas of cyberspace operations involving both host-based analysis and control along with network communications analysis, modeling, and manipulation. We are adept at applying formal language analysis to network protocols and file formats to discover bugs in input handlers and data processing pipelines. Bridging the theoretical and practical in this way provides for more resilient, longer-lasting capabilities. All our researchers have experience in CNO, have been trained at some of the top information assurance schools in the country, and have technical skills that bridge the gap between fundamental research and building real systems.

Media Contact: Sarah Lytle,