- The paper introduces CPDFD, integrating Physical Link and Interface primitives to accurately capture IoT hardware-environment interactions.
- It demonstrates significant improvements with more relevant attack scenarios and enhanced privacy threat detection compared to standard DFDs.
- CPDFD maintains efficiency and usability while providing a comprehensive framework validated by empirical studies and industry feedback.
Cyber-Physical Data Flow Diagram: Enhancing IoT Threat Modeling
Introduction
This paper presents the Cyber-Physical Data Flow Diagram (CPDFD) as an extension of classic Data Flow Diagram (DFD) methodologies to address the unique cybersecurity challenges posed by Internet of Things (IoT) devices. Unlike traditional IT systems, IoT devices incorporate embedded hardware interacting with both digital and physical environments, leading to novel attack surfaces and increased risk profiles. The CPDFD framework incorporates two new modeling primitives—Physical Link and Interface—to enable granular representation of hardware and environmental interactions. The effectiveness and practical value of CPDFD are validated through an experimental study and industry-focused survey, demonstrating its superiority over standard DFDs in identifying and contextualizing attack scenarios, particularly those relevant to privacy and physical security.
Motivation and Technical Foundations
Conventional threat modeling approaches in IT (e.g., STRIDE, LINDDUN) are not readily transferable to IoT contexts due to fundamental architectural divergences. IoT devices typically operate in resource-constrained environments, directly interact with physical processes, and leverage diverse protocols, sensors, actuators, and interfaces—necessitating new modeling abstractions. Existing DFDs lack adequate expressivity for these interactions and fail to capture hardware-induced risks (e.g., debug ports, physical sensors). CPDFD addresses this gap by expanding the DFD notation to differentiate logical and physical elements and to model explicit hardware interfaces and environmental links, fostering comprehensive risk visibility.
CPDFD Technique and Element Definition
CPDFD extends classic DFDs by introducing:
- Physical Link: Models data-exchange pathways between the device and its physical environment, e.g., sensors and actuators, thus explicitly representing privacy and safety vulnerabilities due to environmental interaction.
- Interface: Captures device communication endpoints (wired/wireless protocols, debug ports, etc.), highlighting pathways commonly exploited in hardware attacks.
Logical and physical elements are partitioned for constructing DFD and the associated Hardware Diagram (HWD), enabling cross-referencing between software components and hardware realization. These augmentations facilitate disciplined modeling of complex IoT architectures and expedite attack scenario generation, with rule-based threat engine improvements.
Empirical Evaluation
Experimental Study
A quantitative comparison was conducted with 41 fourth-year computer science students assigned to either CPDFD or standard DFD modeling for a voice assistant–health monitor IoT device. The CPDFD cohort exhibited:
- Substantially more relevant attack scenarios: Median of 49 for CPDFD versus 30 for DFD; statistically significant (U=147.0, p=.001, large effect).
- Greater identification of privacy attack scenarios: CPDFD mean of 5 versus DFD mean <1; scenarios primarily tied to Physical Link and Interface elements.
- Enhanced modeling granularity: Higher coverage of hardware-related threats, and explicit modeling of sensors/interfaces, e.g., 93% of CPDFD participants modeled the microphone as Physical Link vs. 42% for DFD.
- Increased efficiency: CPDFD required only 2 minutes per attack scenario (vs. 4 minutes for DFD); hardware model scenarios were identified at a rate of 1 minute per scenario.
- No increase in modeling complexity: The majority of CPDFD participants reported comparable or even improved ease of use versus standard DFDs.
Figure 1: Box plot comparison of relevant attack scenarios identified by CPDFD and DFD groups.
Figure 2: Per-group averages highlighting CPDFD’s additional scenarios tied to Physical Link and Interface elements.
Survey and Industry Interviews
Fifteen professionals from device manufacturers and consultancies validated CPDFD's practical relevance:
- All respondents endorsed the value of hardware modeling in threat assessments.
- 75% agreed that the new Physical Link and Interface elements add tangible modeling value and accuracy for IoT devices.
- Feedback emphasized improved visibility of interfaces (notably debug ports) and clarified abstraction for hardware-centric threats.
- Minor concerns included element overlap between Physical Link and Interface and possible abstraction-induced vagueness, suggesting refinement for future versions.
Quantitative and Qualitative Synthesis
CPDFD's effect was most pronounced in the identification of highly specific ("custom") attack scenarios, privacy-relevant threats, and interface-driven vulnerabilities. It consistently enabled richer hardware-related risk mapping and forced consideration of neglected attack vectors (e.g., analog sensors, debug ports). The results affirm the necessity of hardware-aware threat modeling for IoT security engineering. Notably, CPDFD facilitated improved scenario generation without imposing additional modeling burden, preserving DFD’s usability for stakeholders across hardware, embedded, and software engineering disciplines.
Implications and Future Directions
The CPDFD technique provides a robust foundation for systematic threat analysis in IoT, addressing theoretical gaps in existing modeling paradigms and offering practical benefits for manufacturers, integrators, and security auditors. Its dual modeling (DFD/HWD) and explicit representation of hardware-environment and interface linkages enable nuanced risk articulation and enhance support for security-by-design approaches in IoT product development.
- Practical Implications: Enhanced early-stage identification and mitigation of IoT-specific threats can streamline security assurance and reduce lifecycle costs.
- Theoretical Implications: CPDFD advances the formalization of cyber-physical threat modeling, fostering development of rule-based and automated scenario generation engines.
- Future Developments: Integration between hardware and logical models, improved differentiation of Physical Link and Interface, and synergistic attack scenario cross-referencing between DFD/HWD domains are prospective research avenues. Broader empirical validation with industry practitioners and toolchain integration remain priority objectives.
Conclusion
CPDFD offers significant improvements over existing DFD-based threat modeling for IoT devices, quantitatively and qualitatively demonstrating superior attack scenario identification, particularly for privacy-related and hardware-centric threats. Its additions—hardware modeling, Physical Link, and Interface primitives—have proven benefits without compromising model usability. Adoption of CPDFD has implications for both theoretical progress in cyber-physical modeling and practical efficacy in IoT security engineering. Comprehensive integration of HWD and DFD constructs and refinement of element semantics will further elevate its utility in future applications.