<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Artem Sulyma</title>
    <description>The latest articles on DEV Community by Artem Sulyma (@artem_sulyma).</description>
    <link>https://dev.to/artem_sulyma</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4030313%2F0e5b5fbc-6f8f-4c57-a7ca-10d19f4edff0.png</url>
      <title>DEV Community: Artem Sulyma</title>
      <link>https://dev.to/artem_sulyma</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/artem_sulyma"/>
    <language>en</language>
    <item>
      <title>IoT Threat Modeling: A Step-by-Step Guide for Hardware Manufacturers</title>
      <dc:creator>Artem Sulyma</dc:creator>
      <pubDate>Wed, 15 Jul 2026 12:08:15 +0000</pubDate>
      <link>https://dev.to/artem_sulyma/iot-threat-modeling-a-step-by-step-guide-for-hardware-manufacturers-2e7a</link>
      <guid>https://dev.to/artem_sulyma/iot-threat-modeling-a-step-by-step-guide-for-hardware-manufacturers-2e7a</guid>
      <description>&lt;p&gt;Written by CTO at Platanor Technologies.&lt;/p&gt;

&lt;p&gt;Threat modeling is the process of identifying what can go wrong with your device before an attacker does it for you. For IoT and embedded hardware manufacturers, it is the single most cost-effective security activity you can run — because catching a design flaw at the blueprint stage costs a fraction of what it costs to patch devices already shipped to 50,000 customers.&lt;/p&gt;

&lt;p&gt;According to SonicWall's 2025 Annual Cyber Threat Report, attacks on IoT devices rose 124% year-over-year in 2024. The IBM Cost of a Data Breach Report 2024 puts the average cost of a breach in the industrial sector at $5.56 million, 13% above the global average and an 18% jump from 2023.&lt;/p&gt;

&lt;p&gt;These numbers describe companies that did not do threat modeling early enough. This guide explains how to do it right.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What Is a Threat Model and Why It Matters for Device Manufacturers&lt;/strong&gt;&lt;br&gt;
A threat model is a structured document that answers four questions: What are you building? What can go wrong? What are you going to do about it? Did you do a good enough job?&lt;br&gt;
The concept comes from software security, but it applies directly to hardware and firmware. Your device has a microcontroller, a communication interface, a firmware update mechanism, and probably a cloud backend. Each of those components has attack surfaces. Threat modeling forces your engineering team to think like an attacker before the product ships.&lt;br&gt;
For manufacturers, the practical outcome of a threat model is a prioritized list of security requirements. Instead of asking "what security features should we add," you start from "what can break and what does it cost if it does."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The CRA Factor: Threat Modeling Is Now a Legal Requirement&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you manufacture connected devices and sell them in the European Union, the EU Cyber Resilience Act makes threat modeling a compliance obligation, not a best practice. CRA Annex I requires manufacturers to conduct and document a cybersecurity risk assessment covering the full product lifecycle. Annex VII specifies that this documentation must be available for market surveillance authorities.&lt;br&gt;
The deadline for full CRA compliance is December 11, 2027. The vulnerability reporting obligation kicks in earlier, on September 11, 2026.&lt;br&gt;
Threat modeling is the foundation of that documentation. Without it, you cannot produce a credible SBOM, you cannot define your vulnerability management process, and you cannot demonstrate that your design decisions were intentional rather than accidental.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: Define the Scope and Identify Your Assets&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Start by drawing a boundary around what you are modeling. The scope of your threat model should match the scope of your CRA risk assessment — the product itself, including its firmware, interfaces, cloud connectivity, and mobile companion app if there is one.&lt;br&gt;
Within that boundary, list your assets. An asset is anything worth protecting. For a connected industrial sensor, the assets typically include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Device firmware and its integrity. If an attacker can replace your firmware with their own, they own the device.&lt;/li&gt;
&lt;li&gt;Cryptographic keys stored on the device. If they are extracted, the entire device fleet is compromised.&lt;/li&gt;
&lt;li&gt;Telemetry data the device collects and transmits.&lt;/li&gt;
&lt;li&gt;The firmware update channel. A compromised update mechanism can push malicious firmware to every device in your fleet simultaneously.&lt;/li&gt;
&lt;li&gt;Provisioning credentials used during manufacturing. If reused across devices, one compromised unit exposes all units.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Step 2: Map Data Flows and Attack Surfaces&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Draw a data flow diagram showing how data moves through your system. What matters is that the diagram shows every interface where external input enters the system.&lt;br&gt;
For most IoT devices, the critical attack surfaces are:&lt;br&gt;
Physical interfaces. UART, JTAG, and USB ports left enabled in production firmware are a known and frequently exploited attack path.&lt;br&gt;
Wireless interfaces. Bluetooth, Wi-Fi, Zigbee, and cellular all present network-facing attack surfaces.&lt;br&gt;
Firmware update mechanism. If your OTA update process does not verify the cryptographic signature of incoming firmware, an attacker on the same network can push arbitrary code to your device.&lt;br&gt;
Cloud API. If device authentication relies on a shared secret embedded in firmware, extracting that secret from one device gives access to your entire backend.&lt;br&gt;
Supply chain. A growing share of IoT incidents trace back to third-party suppliers. The manufacturing step — when cryptographic keys are generated and injected into devices — is a significant risk point.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3: Apply STRIDE to Identify Threats&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;STRIDE maps six threat types to your system components: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.&lt;br&gt;
Spoofing — Can an attacker impersonate your device to your backend, or vice versa?&lt;br&gt;
Tampering — Can an attacker modify firmware, configuration, or data in transit?&lt;br&gt;
Repudiation — Can an attacker perform an action and deny it happened?&lt;br&gt;
Information Disclosure — Can an attacker read sensitive data? Hardcoded credentials in firmware, unencrypted telemetry, or private keys in plaintext flash all appear in real device audits regularly.&lt;br&gt;
Denial of Service — Can an attacker make the device unavailable? This is a safety issue in industrial and medical applications.&lt;br&gt;
Elevation of Privilege — Can an attacker gain capabilities beyond what they should have?&lt;br&gt;
For each threat, write one specific sentence describing the scenario. Vague threats are not actionable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4: Rate Each Threat by Risk Level&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A useful scoring approach is DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability). The point is to end up with a ranked list.&lt;br&gt;
High-priority threats are easy to exploit, affect many devices, and cause significant damage. Low-priority threats require significant attacker resources and have low real-world impact.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 5: Define Mitigations for Each High-Priority Threat&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Firmware tampering: implement cryptographic signature verification in the bootloader before any application code executes.&lt;br&gt;
Device identity spoofing: provision each device with a unique certificate or key at manufacture time, stored in a hardware security element if possible.&lt;br&gt;
Exposed physical debug interfaces: disable UART and JTAG in production firmware builds.&lt;br&gt;
Insecure OTA updates: enforce signature verification, use TLS, implement rollback protection.&lt;/p&gt;

&lt;p&gt;Document the mitigation decision alongside the threat. If you accept a risk rather than mitigate it, document that reasoning — this is what regulators expect to see.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 6: Document and Keep It Updated&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A threat model is not a one-time document. Update it when your product design changes, when a new CVE affects a component you use, and at least once per year.&lt;br&gt;
This document becomes part of your CRA technical documentation under Annex VII and is the starting point for penetration testing.&lt;br&gt;
Common Mistakes Manufacturers Make&lt;/p&gt;

&lt;p&gt;Doing it after the design is finalized. The point is to influence design decisions, not document them after the fact.&lt;br&gt;
Modeling the happy path only. Threat modeling requires thinking about malformed inputs and active attackers.&lt;br&gt;
Treating it as a security team responsibility. It works best when firmware engineers and security professionals work through it together.&lt;br&gt;
Using generic threat lists without adapting to your product.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Frequently Asked Questions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When should we start threat modeling?&lt;br&gt;
At the architecture design phase, before firmware development begins.&lt;br&gt;
Does STRIDE work for hardware as well as software?&lt;br&gt;
Yes. Physical tampering is a STRIDE Tampering threat. Side-channel attacks fall under Information Disclosure.&lt;br&gt;
How long does a threat model take to produce?&lt;br&gt;
For a mid-complexity connected device, an initial workshop takes two to three days. Documentation and review adds another day or two.&lt;br&gt;
Is threat modeling required by the EU Cyber Resilience Act?&lt;br&gt;
CRA Annex I requires a documented cybersecurity risk assessment covering threat scenarios. A formal threat model is the most defensible way to satisfy this requirement.&lt;br&gt;
What tools can we use?&lt;br&gt;
Microsoft Threat Modeling Tool (free, STRIDE-based), OWASP Threat Dragon (open-source), IriusRisk (IoT-specific). A structured spreadsheet works fine at early stages.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>iot</category>
      <category>tutorial</category>
      <category>embeddedsystems</category>
    </item>
  </channel>
</rss>
