FDA is Working on a Threat Modeling Playbook

The Food and Drug Administration (FDA), as part of a collaborative effort with industry, is developing and will soon release a playbook of best practices for threat modeling to bolster cybersecurity postures across industry and government.

Threat modeling is a structured process that works to identify potential security threats and vulnerabilities, quantify the seriousness of each and prioritize techniques to mitigate attack and protect IT resources. This type of modeling enables FDA to move toward verifiable security control.

Over the past year, FDA has engaged with the Medical Device Innovation Consortium (MDIC) and industry to conduct threat modeling bootcamps to drive adoption of threat modeling throughout the medical device ecosystem. The team is currently developing a playbook based on its lessons learned to increase the outreach and adoption of threat modeling best practices for medical devices.

“Threat modeling has become a recognized cybersecurity best practice,” Jessica Wilkerson, Cyber Policy Advisor at FDA, said during the agency’s Webinar for Medical Device Cybersecurity Threat Modeling. “Many organizations in both private and public sectors recommend threat modeling to help manage and respond to cyber security risks … but it’s very complex and requires an incredibly involved and an incredibly specialized set of knowledge and expertise to really effectively apply.”

The playbook is divided into four parts, focusing on different threat modeling techniques as well as the challenges organizations face in applying these techniques:

• Understand the medical device and how it operates
• Understand where an organization’s weaknesses and vulnerabilities lie
• Understand how to manage threats by eliminating, mitigating, accepting or transferring risk
• Understand that threat modeling is a continuous process.

To implement these recommendations for threat modeling, throughout both the development life cycle and organization, the playbook focuses on three elements: cybersecurity risk assessment, design controls and continuous improvement. These elements will ensure that organizations are continuously evaluating IT environments, development processes and vulnerabilities to bolster security and inform risk assessments.

“It’s the cousin to hazard analysis. The idea is that it’s very difficult to make scientific claims about medical device security if a manufacturer doesn’t provide a reasonable and reputable threat model specific to the device,” Kevin Fu, acting director for medical device cybersecurity at FDA’s Center for Devices and Radiological Health, said during FDA’s Science Forum earlier this year.

While the threat modeling playbook is catered to medical devices, the techniques used in the playbook can also be applied to software and other domains, then integrated throughout the development life cycle.

The playbook is meant to focus on threat modeling and how it fits into an organization’s larger processes, as opposed to serve as a prescriptive or best practice for overall cyber security risk-assessment processes, said FDA Cybersecurity Policy Analyst Matthew Hazelett.

“We just wanted to do some level setting and framing. The primary focus of the playbook is around threat modeling,” Hazelett said. “The playbook itself is not intended to provide or serve as a best practice on overall cybersecurity, risk assessment methodology.”

Wilkerson said that the playbook is not intended to be a “how-to” guide or checklist, but instead to be used as an educational resource. It will be very comprehensive and walk organizations through, from beginning to end, how they might effectively model. The playbook team plans to publish its work in the fourth quarter of 2021.

“This has been quite the undertaking and we are incredibly excited to be able to share this work with you,” Wilkerson said.