We present a threat modelling approach to represent changes to the attack paths through an Internet of Things (IoT) environment when the environment changes dynamically, i.e., when devices are added to or removed from the system, or when whole sub-systems join or leave. The proposed approach investigates the propagation of threats using attack graphs. Traditional attack graph approaches, however, have been applied to static environments that do not change continuously, such as enterprise networks, leading to static and usually very large attack graphs. In contrast, IoT environments are often characterised by dynamic change and interconnection: different topologies belonging to different systems may interconnect with each other dynamically and outside the operator's control. Such new interconnections change the reachability amongst devices, and the corresponding attack graphs change with it. Threat and risk analysis therefore requires dynamic topology and attack graphs. In this paper, we develop a threat modelling approach that copes with the dynamic system changes that may occur in IoT environments and enables attack paths to be identified whilst allowing for system dynamics. We develop dynamic topology and attack graphs that cope rapidly with changes in the IoT environment by maintaining their associated graphs as devices and sub-systems join and leave. To motivate the work and illustrate our approach we introduce an example scenario based on healthcare systems. Our approach is implemented using a Graph Database Management Tool (GDBM), Neo4j, a popular tool for mapping, visualising and querying graphs of highly connected data; it is efficient in providing a rapid threat modelling mechanism, which makes it suitable for capturing security changes in a dynamic IoT environment.
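The following is an added example, not code from the paper and not its Neo4j implementation: it uses a plain in-memory adjacency structure as a stand-in for the graph database to show the mechanism the abstract describes. A topology graph (devices and reachability links) is maintained as devices join and leave, attack paths are derived from it by only stepping onto devices that carry an exploitable weakness, and the attack-path sets before and after each change are diffed. The healthcare device names and the weakness labels ("default-credentials", "unauthenticated-api", and so on) are constructed for the illustration and do not refer to real products or vulnerability identifiers.

```python
"""Toy dynamic topology/attack graph for an IoT environment (added example).

Stand-in for a graph-database-backed model: devices are nodes, reachability
links are edges, and an attack path is a simple path from an attacker's entry
point on which every hop lands on a device with at least one exploitable
weakness. Device names and weakness labels below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Path = Tuple[str, ...]


class DynamicAttackGraph:
    def __init__(self) -> None:
        self.links: Dict[str, Set[str]] = defaultdict(set)  # device -> directly reachable devices
        self.vulns: Dict[str, Set[str]] = {}               # device -> exploitable weaknesses

    def add_device(self, name: str, vulns: Iterable[str] = ()) -> None:
        self.vulns[name] = set(vulns)
        self.links.setdefault(name, set())

    def remove_device(self, name: str) -> None:
        # Dropping a node must also drop every edge that referenced it; stale
        # reachability would otherwise keep producing phantom attack paths.
        self.vulns.pop(name, None)
        self.links.pop(name, None)
        for peers in self.links.values():
            peers.discard(name)

    def add_link(self, a: str, b: str) -> None:
        if a not in self.vulns or b not in self.vulns:
            raise KeyError(f"unknown device in link {a!r}-{b!r}")
        self.links[a].add(b)
        self.links[b].add(a)

    def remove_link(self, a: str, b: str) -> None:
        self.links[a].discard(b)
        self.links[b].discard(a)

    def attack_paths(self, entry: str, target: str, max_hops: int = 6) -> List[Path]:
        """Enumerate simple attack paths from entry to target, in deterministic order."""
        paths: List[Path] = []

        def dfs(node: str, path: List[str]) -> None:
            if node == target:
                paths.append(tuple(path))
                return
            if len(path) > max_hops:
                return
            for nxt in sorted(self.links[node]):
                if nxt in path:
                    continue
                if not self.vulns[nxt]:
                    # Reachable but hardened: no foothold, so not an attack step.
                    continue
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

        dfs(entry, [entry])
        return paths


def diff_paths(before: Iterable[Path], after: Iterable[Path]) -> Tuple[Set[Path], Set[Path]]:
    """Return (new paths, removed paths) between two attack-path snapshots."""
    b, a = set(before), set(after)
    return a - b, b - a


def healthcare_scenario() -> Tuple[List[Path], List[Path], List[Path]]:
    """Constructed ward network: baseline, after a cart joins, after a monitor leaves."""
    g = DynamicAttackGraph()
    g.add_device("attacker")  # entry point; its own weaknesses are irrelevant
    g.add_device("gateway", {"default-credentials"})
    g.add_device("patient_monitor", {"unauthenticated-api"})
    g.add_device("infusion_pump", {"plaintext-protocol"})
    g.add_device("ehr_server")  # hardened: reachable, but no known weakness
    g.add_link("attacker", "gateway")
    g.add_link("gateway", "patient_monitor")
    g.add_link("patient_monitor", "infusion_pump")
    g.add_link("gateway", "ehr_server")
    g.add_link("ehr_server", "infusion_pump")
    baseline = g.attack_paths("attacker", "infusion_pump")

    # A mobile cart joins the ward and bridges the gateway to the pump.
    g.add_device("mobile_cart", {"outdated-firmware"})
    g.add_link("gateway", "mobile_cart")
    g.add_link("mobile_cart", "infusion_pump")
    after_join = g.attack_paths("attacker", "infusion_pump")

    # The patient monitor is taken out of service.
    g.remove_device("patient_monitor")
    after_leave = g.attack_paths("attacker", "infusion_pump")
    return baseline, after_join, after_leave


if __name__ == "__main__":
    base, joined, left = healthcare_scenario()
    for label, before, after in (("cart joins", base, joined), ("monitor leaves", joined, left)):
        new, gone = diff_paths(before, after)
        print(label, "new:", sorted(new), "removed:", sorted(gone))
```

The hardened `ehr_server` shows why reachability alone is not an attack graph: it sits on a link to the pump, yet no path runs through it. The two diffs are what a dynamic model should surface to an operator: the joining cart opens a second route to the infusion pump, and retiring the monitor closes the original one.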