This project's research activities officially ended in March 2021. Legacy in SmartAgriHubs Portal

IoF2020 Dairy trial experience with the STRIDE analysis

It happened during one of the monthly telcos of the IoF2020 Dairy Trial. Experts from NXP were discussing an update on the use of the STRIDE analysis by the Use Cases in the Dairy Trial, and it became clear that only 3 out of 7 of the use cases were trying to use the STRIDE analysis. Enough reason for me to write this blog.

Why STRIDE analysis

IoT systems are by definition connected to the Internet. Therefore it is good to be aware of security, privacy and trust aspects. Historical examples show that it is quite common for systems to be designed and introduced to the market, where they are then confronted with attacks. The resulting losses of data, assets, reputation and trust are dealt with for each attack separately, and in the end you might have a spaghetti-like system. Software development companies were confronted with the same challenge. To overcome this ‘Security by Pain’, new methods were developed. The idea is that you will develop more robust systems if you follow a structured method already in the design phase: you try to identify all kinds of potential threats and risks, and you try to imagine how your system copes with them. This proactive approach is called ‘Security by Design’. It appears to be less expensive and more effective than late add-ons.

The STRIDE analysis originated at Microsoft and was developed for software systems. More recently it has been adapted for the development of embedded systems and IoT systems too. STRIDE is an acronym that stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Thinking in terms of these threats, the related impact is then estimated for the corresponding security properties: Authentication, Integrity, Non-Repudiation, Confidentiality, Availability and Authorization.

Security by design brings people (users, designers), technology and processes together in a structured and balanced way. It offers you grip and guidance on a subject that has the potential to derail, because of the abundant degrees of freedom you have when you want to discuss the topic of security.

STRIDE in IoF2020

In the Dairy Trial of the IoF2020 project, 7 different challenging IoT solutions are being developed. Mostly SMEs and start-ups are driving these developments. They are working concurrently on development, testing, marketing and promotion of their solutions. Within the IoF2020 project they have to test their solutions in different countries and at several locations. Quite a challenge and effort. When they are asked to perform a STRIDE analysis for their system, they show a natural reaction. Why should I do that? It seems to be a lot of additional work that I did not plan. Do I have time for it? They ask a lot of questions. What is the benefit for me?

Indeed, new methods that are not known beforehand take more energy than you would like. You have to gain experience in using the method, and you also need good examples that show it really works. Only a few of the use cases had the guts to experiment with the method. Floris Ruiterkamp from Qlip and Henning Lyngsø Foged from the Organe Institute ApS UC started using the method, and they are now working together with the NXP experts to improve their products. Their first experience is that the method really helps you to think of all kinds of threats that you never thought of before, and that the methodology structures the discussion. Although it did take some time to become acquainted with the method and its terminology, they were really positively surprised by the added value. It was an eye-opener and very rewarding.

Recommendation

In my opinion it is a unique chance when you are active in a project like IoF2020. The Use Case owners are connected to experts and have the luxury position to experiment with these new concepts and tools. My advice is to take this opportunity. Do not wait till others have tried, but start building your own experience. I have seen it more often that structured methods in the design phase of systems really help to come up with creative and practical solutions. See it as an investment. I hope that the Use Cases who did not have the time or energy to start using the STRIDE method will do that in the near future.

 


Kees Lokhorst

Ecosystem chair of the IoF2020 Dairy Trial
