Research unit: INNOSUISSE
Project number: 8290.1;5 ESPP-ES
Project title: Validatable IT security threat models for development of critical infrastructure control products
Short description (English)
Validatable IT security threat models for development of critical infrastructure control products
Abstract (English)
Threat modeling is an essential part of the design of any secure application or system. A number of threat modeling methodologies exist, e.g. OCTAVE or Microsoft's threat modeling approach. These approaches are mainly targeted at larger IT systems that are already implemented and deployed in one specific environment with a clear business scenario and, in consequence, with the ability to evaluate the (financial) risk of incidents more or less precisely. They are less applicable to threat modeling at design time of product-like systems that will be used in a variety of different application scenarios. Examples of such systems are the embedded controllers and control software products produced by ABB and others, which may be used in systems such as industrial bakeries, refineries, chemical plants, electric power grid protection, regional or national power grid supervision, or the control of nuclear power plants.

Another serious shortcoming of current methodologies is that the resulting documentation describes the threats found during threat modeling, but is typically not usable by somebody who was not involved in the threat modeling process to quickly gain confidence that all possible or relevant threats have actually been investigated. ABB and other prospective partners are therefore looking for a threat modeling (or threat model documentation) methodology that is applicable to product-type systems and that allows a second party to assess and validate the assumptions, decisions, and choices made by the original threat modelers without having to independently redo the threat assessment and compare results.