Ontology-driven Threat Modeling for IoT Systems

The Internet of Things (IoT) is rapidly expanding, connecting billions of devices and offering new possibilities in many different contexts. However, it is also exposed to significant cybersecurity risks due to the unique characteristics of such interconnected and complex systems. Existing threat modeling approaches are often designed for traditional ICT environments and they struggle to address the complexity of IoT systems. This thesis proposes an ontology-driven framework to automate threat modeling for IoT systems, enabling more effective and efficient security assessments. This framework is built upon an ontology, developed using OWL 2 (Web Ontology Language) and Protégé. The ontology provides a formal representation of IoT systems, modelling their components, interactions, and potential threats. The ontology consists of three linked sub-ontologies. The IoT System sub-ontology is based on the ISO/IEC 30141 standard. This sub-ontology defines the physical and virtual components of an IoT infrastructure. It includes IoT devices, networks, data stores, services, and users. It aims to provide the foundation for understanding the system’s architecture and security-related elements. The Data Flow sub-ontology models how information is exchanged within the IoT system. It describes communication paths, data exchanges, and trust boundaries, which are points where security risks might arise due to changes in privilege levels. The Threats sub-ontology, using the CAPEC and STRIDE frameworks, categorizes potential security threats specific to IoT. By mapping CAPEC attack patterns to STRIDE categories, the ontology connects detailed descriptions of specific attack techniques (from CAPEC) to broader categories of threats (from STRIDE). This mapping provides a more in-depth analysis of how different threats could impact the IoT system under analysis. To automate the process of identifying threats, the framework employs a set of inference rules expressed in SWRL (Semantic Web Rule Language). These rules examine the relationships and properties defined within the ontology to deduce potential threats based on the characteristics and interactions of system components. The use of inference rules enables automated reasoning, meaning that the framework can analyse the IoT system's ontology and identify potential threats without manual intervention. To evaluate the framework's effectiveness, it is applied to the HArMoNICS infrastructure, a digital replica of a smart polygeneration microgrid. The case study demonstrates how the framework can automatically generate a detailed threat model, identifying relevant CAPEC entries and associated STRIDE categories linked to specific components and data flows in HArMoNICS. This evaluation underscores the framework’s crucial role in real-world applications, demonstrating its capacity to significantly enhance the risk assessment process and drive the development of more effective mitigation strategies, ultimately strengthening IoT system security.