Threat models and modeling methods are used to understand how to investigate and deal with threats to software, solutions and services. For smaller systems, they do not need to be overly complex but for something as complex as a Smart City they will need at least the following:
- an architectural view (people, process & technology) of the systems being studied – there will be a lot of systems in a Smart City!
- profiles or personas of threat attackers, including assumptions about their motivations and methods
- a catalogue of threat scenarios that may arise
- a view of how the attack will be detected, responded to and recovered from
There are several useful standards that can be used to interrogate or help build a threat model. Sadly, there is not yet a standard for threat modeling but there are many good methods to consider. I use a combination of several methods and types of best practice as i am generally threat modeling systems and services rather than software so i favour:
- STRIDE
- PASTA
- NIST CF
- STIX
- MITRE Att&ck
- MITRE CAPEC
The diagram below shows that each method or best practice creates a particular view of the threat model as well as helps to create it.
The table below shows the relationships between the components of threat model and supporting guidance. I will in time begin to develop a threat model for a Smart City to provide examples of what i see being required.
| Components of Threat Model | Supporting guidance |
| Objectives | Stakeholders, Strategy, PASTA |
| Scope | Architecture, assets, systems, PASTA |
| Threat Actors | STIX, MITRE ATT&CK |
| Threat Landscape | STRIDE, PASTA |
| Vectors | CAPEC, STIX, MITRE ATT&CK |
| Vulnerabilities | Threat Intelligence, CVSS |
| Threat Trees | STRIDE, PASTA |
| Risk and Impact Analysis | FAIR, OCTAVE, CIS Controls |
| Mitigation Strategy | NIST CF |
| Mitigation Tactical | NIST CF |
Smart City Cyber Security 