Accession Number:



Threat Modeling for Cyber-Physical System-of-Systems: Methods Evaluation

Descriptive Note:

Technical Report

Corporate Author:

Carnegie Mellon University Software Engineering Institute Pittsburgh United States

Report Date:


Pagination or Media Count:



Addressing cybersecurity for complex system, especially for cyber-physical system-of-systems CPSoS, requires the strategic view of and planning for the whole lifecycle of the system. For the purpose of this paper, cyber-physical system-of-systems is defined as a system, components of which operate and are managed independently 46. Thus, components of a system-of-systems i.e., systems by themselves should be able to function fully and independently even when the system-of-systems is disassembled. These components are typically acquired separately and integrated later. Components of a system-of-systems may have a physical, cyber, or mixed nature. For the sake of simplicity, we will use the term cyber-physical system instead of cyber-physical system-of-systems. The nature of a cyber-physical system CPS implies a diversity of potential threats that can compromise the integrity of the system, targeting different aspects ranging from purely cyber-related vulnerabilities to the safety of the system as a whole. The traditional approach used to tackle this matter is to employ one or more threat modeling methods TMMs early in the development cycle. Choosing a TMM can be a challenging process by itself. The TMM you choose should be applicable to your system and to the needs of your organization. Therefore, when preparing for the task, it makes sense to answer two questions. First, what kind of TMMs exist and what are they And second, what criteria should a good TMM satisfy We explored answers to the first question in Threat Modeling A Summary of Available Methods 47. This paper addresses the second question and will evaluate TMMs against the chosen criteria.

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement: