What is the MITRE EMB3D Framework and Why It Matters

The MITRE ATT&CK Framework has built a reputation among threat researchers and security teams seeking to understand the tactics, techniques, and procedures (TTPs) of threat actor groups. Although hugely beneficial in terms of understanding common attack chains and threat vectors, the ATT&CK Framework has focused on networking, endpoints, servers, and other traditional IT equipment and software. 

This left a gap with regard to the Internet of Things (IoT) and embedded devices like those in industrial control systems (ICS) and operational technology (OT). The new MITRE EMB3D Framework seeks to fill that gap with a catalog of threats and mitigations focused on IoT and other embedded systems. Using this dedicated methodology for understanding attack chains in connected devices, defenders can better understand what types of attacks to protect against and how threat actors are likely to act when attempting to compromise connected devices. 

What Is the MITRE EMB3D Framework? 

First announced in December 2023, the MITRE EMB3D Framework is a threat model specifically designed to cover embedded devices within critical infrastructure industries like oil, natural gas, water/wastewater management, automotive, medical, satellite, autonomous, and unmanned aircraft systems. 

The goal of the framework is to provide a shared, cultivated knowledge base of cyber threats to embedded devices. EMB3D includes security mechanisms to mitigate these threats in addition to providing a common understanding of the threats themselves. 

The framework aligns with and expands on Common Weakness Enumeration (CWE), MITRE ATT&CK®, and Common Vulnerabilities and Exposures (CVE), specifically as they relate to embedded devices like those included in ICS, OT, and Internet of Things (IoT) equipment. The focus on embedded devices makes it distinct from the MITRE ATT&CK model, which emphasizes more traditional information technology like workstations, servers, and network infrastructure. 

The MITRE EMB3D framework includes a few different components: 

  • Device properties that describe a device's hardware and software components and its capabilities, in categories such as physical hardware, network services and protocols, software, and firmware. Each of these categories is then divided into sub-properties that are mapped to a set of threats. Because each property is mapped to threats, a user who knows which properties a device has can identify the threats that apply to it.
  • EMB3D threats define how threat actors can achieve their objective or cause an effect on a system or device. Each threat description includes (i) the targeted technical features; (ii) the actions the attacker must take and the effect when the threat succeeds; and (iii) the vulnerabilities or weaknesses in that mechanism required for the threat to succeed. Each threat also carries two supporting fields: evidence of the threat from a reputable source, and a maturity rating that indicates whether the threat has been observed in the wild or is theoretical in nature. 
  • Mitigation strategies and techniques for each threat. Device vendors can use these to prevent and reduce the risk of a threat, and end users can use them to validate that devices are sufficiently protected. The mitigations define the mechanisms or technologies that can defend against the threat while also providing flexibility in how mitigations can be implemented within any unique device constraint.

Source: MITRE Corporation

The framework is meant to be used by device vendors, in-house security teams, and security researchers within distinct contexts. Device vendors can use it to test their products and produce roadmaps for specific mitigations, in-house security teams can use the framework to inform acquisition requirements and decisions about risk, and security researchers can use it to scope assessment activities for their work. Security product vendors can also use the framework to map which threats their security solution defends against in a common language that their potential customers would understand. 
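The property-to-threat-to-mitigation structure described above is easiest to see in code. The following is an added example, not MITRE's tooling or data: every property, threat and mitigation entry is constructed for illustration with made-up IDs (it does not reproduce real EMB3D entries or their text), and the maturity values reuse the page's own wording. It shows the two checks the framework's users would run: an in-house team deriving a device's threat surface from its declared properties, and a gap check of the mitigations a vendor claims against the mitigations those threats require.

```python
"""Toy model of the EMB3D structure: properties -> threats -> mitigations.

Added example, not MITRE's code or data. All property, threat and mitigation
entries below are constructed with hypothetical IDs; they are not real EMB3D
PID/TID/MID entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    tid: str
    name: str
    maturity: str           # "observed in the wild" or "theoretical" (the page's terms)
    evidence: str           # source supporting the threat; a placeholder in this data
    mitigations: frozenset  # IDs of mitigations that defend against this threat


# Constructed catalog. Keys are properties a vendor declares when describing a
# device; values are the threats those properties expose.
PROPERTY_THREATS = {
    "prop-telnet-management": frozenset({"thr-cleartext-credentials", "thr-default-credentials"}),
    "prop-unsigned-firmware-update": frozenset({"thr-malicious-firmware-upload"}),
    "prop-jtag-exposed": frozenset({"thr-debug-port-firmware-dump"}),
    "prop-https-management": frozenset({"thr-default-credentials"}),
}

THREATS = {
    "thr-cleartext-credentials": Threat(
        "thr-cleartext-credentials", "Credentials sent in cleartext",
        "observed in the wild", "placeholder", frozenset({"mit-encrypted-management"})),
    "thr-default-credentials": Threat(
        "thr-default-credentials", "Factory default credentials accepted",
        "observed in the wild", "placeholder",
        frozenset({"mit-unique-per-device-credentials", "mit-forced-credential-change"})),
    "thr-malicious-firmware-upload": Threat(
        "thr-malicious-firmware-upload", "Attacker-supplied firmware accepted",
        "observed in the wild", "placeholder", frozenset({"mit-signed-firmware"})),
    "thr-debug-port-firmware-dump": Threat(
        "thr-debug-port-firmware-dump", "Firmware extracted via debug port",
        "theoretical", "placeholder", frozenset({"mit-debug-port-disabled"})),
}


def threats_for(device_properties):
    """Threats exposed by a device's declared properties, sorted by ID."""
    tids = set()
    for prop in device_properties:
        # A property absent from the catalog contributes no threats.
        tids |= PROPERTY_THREATS.get(prop, frozenset())
    return sorted(tids)


def unmitigated(device_properties, implemented_mitigations):
    """Threats for which none of their listed mitigations is implemented.

    Any one listed mitigation counts as covering the threat; the framework leaves
    the vendor free to choose how to satisfy it within the device's constraints.
    """
    implemented = set(implemented_mitigations)
    return [tid for tid in threats_for(device_properties)
            if not (THREATS[tid].mitigations & implemented)]


def prioritize(tids):
    """Order threats with in-the-wild evidence ahead of theoretical ones."""
    rank = {"observed in the wild": 0, "theoretical": 1}
    return sorted(tids, key=lambda t: (rank.get(THREATS[t].maturity, 2), t))


if __name__ == "__main__":
    # Constructed device: telnet-managed controller that accepts unsigned updates.
    device = ["prop-telnet-management", "prop-unsigned-firmware-update"]
    claimed = ["mit-forced-credential-change"]  # what the vendor says it implements
    print("exposed:", threats_for(device))
    print("gaps:   ", prioritize(unmitigated(device, claimed)))
```

The gap list is the practical output: it tells an acquisition team which threats remain open after the vendor's claimed mitigations are credited, and the maturity ordering puts threats with real-world evidence at the top of the conversation with the vendor.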

EMB3D is meant to be a living framework that evolves along with the threat and mitigation landscape. It is not static because the cybersecurity world is not static. As with the MITRE ATT&CK Framework, EMB3D will be updated over time with new threats, new evidence of existing threats, and new mitigations as they relate to embedded systems. 

Why Does the MITRE EMB3D Framework Matter? 

Security has been a major gap in OT and IoT technology for a number of years. Device manufacturers have often ignored or downplayed security in favor of bringing their products to market quickly, while security teams have struggled to determine how to protect their OT, ICS, and IoT systems in the face of rising threat actor focus. 

The EMB3D Framework won't necessarily solve those problems. What it will do is provide a common language and a common starting point for in-house teams, device manufacturers, and security vendors to have a conversation about which threats apply to embedded systems and what known mitigations are available for them. 

This is a transformative move in the marketplace. The value of the common language that MITRE ATT&CK has provided in the traditional IT security space cannot be overstated. Understanding the TTPs that threat actors use to compromise systems, and having a way to visualize common attack chains, means that defenders can create better security strategies and vendors can more cohesively communicate what they protect against. 

For MITRE EMB3D to provide the same type of shared vocabulary among OT/IoT defenders means that the industry is taking the security of these systems more seriously. It’s not a mandated security standard for device manufacturers, but it does provide a framework for security solution vendors to communicate what attacks they protect against and for in-house cybersecurity teams to build better defensive strategies. 

The Challenging Future of IoT/OT Security

Embedded systems in critical infrastructure are a major attack vector for threat actors, whether they are financially motivated or nation-state-supported. Security teams at commercial entities and governments of all levels need to better understand, and place in context, the many known ways that OT, IoT, and ICS technology can be compromised. With more than 15 billion IoT devices worldwide, it’s imperative that companies understand how best to defend these systems. 

MITRE EMB3D empowers security teams to become more attentive and provides a shared context for asking questions of vendors when seeking a new product. As the world becomes more connected and threat actors become more adaptable, defenders need as much intelligence as they can get to better protect themselves. With MITRE EMB3D, defenders gain the ability to add much-needed context and ensure they can better protect critical systems, critical devices, and critical data.

To find out how Asimily can help minimize the risk of connected devices at your organization, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.
