AgentSkillsCN

Threat Modeling

威胁建模

SKILL.md
--- frontmatter
skill_id: SEC-THREAT-MODELING
version: 1.0.0
last_updated: 2026-01-04
applies_to: [Class A, Class B, Class C]
jurisdiction: [Global]
prerequisites: [REG-ISO14971]

Threat Modeling for Medical Devices

Purpose

Identify, prioritize, and mitigate security threats for medical devices, integrating with risk management and informing control selection.

When to Apply

  • New features, interfaces, protocols, or deployment models.
  • Architectural changes or introduction of third-party components.
  • Periodic review or after security incidents.

Requirements (testable)

  1. Scope & Assets: Define assets (PHI, credentials, control channels) and trust boundaries. Rationale: focus analysis.
  2. Methodology: Apply STRIDE (or equivalent) to data flows/components; document threats and mitigations. Rationale: structured coverage.
  3. Prioritization: Rate threats by likelihood/impact; align with risk criteria; focus on high/critical. Rationale: actionable output.
  4. Controls Mapping: Map threats to controls (auth, crypto, logging, rate limits, updates); ensure ownership and implementation path. Rationale: closure.
  5. Validation: Include verification activities (tests, pen/DAST/fuzz) for high-risk threats. Rationale: evidence of mitigation.
  6. Update & Trace: Update threat model on changes; keep versioned; link to requirements and tests. Rationale: current and auditable.

Recommended Practices

  • Use DFDs to visualize flows; include physical ports and debug interfaces.
  • Consider safety impacts of security failures (link to ISO 14971 hazards).
  • Capture abuse cases (e.g., radio flooding, spoofing, replay).
  • Keep a concise threat model summary with top risks for quick consumption.

Patterns

Threat entry (YAML):

yaml
# REQ-THM-01
threat_id: TH-07
component: BLE Control Service
stride: Spoofing
description: Attacker pairs via Just Works and sends control commands.
mitigations:
  - REQ-BLE-SEC-01 (LESC + MITM)
  - REQ-AUTH-RBAC-03 (role checks)
verification:
  - TEST-BLE-05 (pairing)
  - PEN-02 (spoof attempt)

DFD elements:

text
External: Clinician App
Process: Device Control Task
Data Store: Config Flash (encrypted)
Boundary: BLE link (encrypted/authenticated)

Anti-Patterns (risks)

  • No threat model or outdated one -> risk: missed controls, audit finding.
  • Listing threats without mapping to controls -> risk: no mitigation.
  • Ignoring verification -> risk: unproven controls.
  • Not updating after major change -> risk: stale mitigations.

Verification Checklist

  • Assets and trust boundaries defined; DFDs updated.
  • STRIDE (or equivalent) applied to components/flows.
  • High/critical threats prioritized with rationale.
  • Threats mapped to implemented controls; owners assigned.
  • Verification (tests/pen/fuzz) planned/executed for high risks.
  • Threat model versioned and updated after changes.

Traceability

  • Threat IDs (TH-###) linked to controls (REQ-###/RISK-CTRL-###) and tests (TEST-###, PEN-###, FUZZ-###).
  • Store threat model artifacts with release; reference in risk management file.

References

  • STRIDE (Microsoft), attack surface reduction concepts.
  • FDA Cybersecurity Premarket Guidance (threat modeling).
  • IEC 62443 threat concepts (zones/conduits).

Changelog

  • 1.0.0 (2026-01-04): Initial threat modeling skill with STRIDE application, control mapping, and verification linkage.

Audit History

  • 2026-01-04: Audit performed. Verified:
    • STRIDE methodology correctly attributed to Microsoft
    • DFD-based threat modeling approach accurately described
    • Integration with FDA cybersecurity guidance correctly noted