MITRE Unveils Full Release of EMB3D Threat Model that Introduces Mitigations

Expanded model helps identify threats and implement tailored security for embedded devices

McLean, Va., & Bedford, Mass., October 1, 2024 — The full public release of the EMB3D™ Threat Model is now available at https://emb3d.mitre.org/. Initially launched in spring 2024, the model now includes essential mitigations and security mechanisms to effectively address cyber threats to embedded devices. Embedded device security is vital for safeguarding critical infrastructure, as these devices often control essential services such as energy, water, and transportation systems. A breach in security can lead to catastrophic disruptions, safety hazards, and significant economic repercussions, making robust protection measures essential to ensure resilience and reliability in our interconnected world.

"In today’s rapidly evolving landscape, understanding and mitigating risks to embedded devices is crucial," said Yosry Barsoum, MITRE, vice president and director, Center for Securing the Homeland. "With the release of EMB3D's mitigations, we are not only addressing an industry challenge but also empowering stakeholders to adopt a proactive approach to security."

The EMB3D Threat Model enables vendors, asset owners/operators, and security researchers to identify relevant threats to embedded devices and incorporate the necessary mitigations for robust protection—essentially adopting a "secure by design" philosophy. It serves as a uniform method and common language for organizations to track and communicate threats alongside their corresponding security mechanisms.

New Features in the Full Release Include:

Tiered Mitigation Guidance: Each threat entry now includes detailed mitigations, focusing on security mechanisms that can be implemented directly within devices to minimize threat impact. These mitigations are categorized into three tiers—Foundational, Intermediate, and Leading—to help device vendors and original equipment managers assess the challenges of deploying mitigations and prioritize their security strategies effectively.

Alignment with ISA/IEC 62443-4-2: Mitigations are mapped to the security controls specified in the ISA/IEC 62443-4-2 standard for Industrial Automation and Control Systems, aiding organizations in identifying which EMB3D mitigations are necessary to meet the standard's requirements.

The EMB3D Threat Model is the result of a collaborative effort by MITRE, Niyo Little Thunder Pearson, Red Balloon Security, and Narf Industries

For more information, visit https://emb3d.mitre.org.

About MITRE

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at mitre.org.

Media Contact: Sarah Lytle, media@mitre.org