Threat Modelling of Cyber Physical Systems: A Real Case Study Based on Window Cleaning Business

Threat modelling Cyber-Physical System built on cloud infrastructure to monitor and manage the window cleaning operation using Window Cleaning Warehouse as a case study. Focusing on IoT data collection and cloud infrastructure security and the connections with the Cyber-Physical System. External dependencies and trust levels are defined before using trust boundaries and data flow diagrams to highlight attack surfaces. Expected scenarios from the data flow diagrams are discussed to identify violated intended use of the system using STRIDE threat classification. A risk assessment of assets that may be of interest to an adversary aid the discovery of more security risks that are then prioritised using the DREAD methodology. The results of the research present a comprehensive breakdown of vulnerabilities associated with IoT data security for route optimisation ranging from GPS spoofing, to Firestore vulnerabilities in the real-time database to Bluetooth Low Energy vulnerabilities in the IoT hardware, all of which could be common risks in cyber-physical systems designed by SME businesses. The research concludes various security risks applicable to SME businesses adopting industry 4.0 to alleviate the risk of new security breaches to the business through this adoption, increasing the likelihood of successful adoption of industry 4.0.


Introduction
Industrial revolutions have governed the success of businesses for centuries with the prospect of business' success being heavily dependent on adopting progressive business models. Pioneering technology has been a catalyst for industrial revolutions with the most recent being the fourth in the form of cyber-physical systems. With technology becoming ever more intertwined with the core success of a business the systems must be threat modelled to alleviate security catastrophes and breaches. Using Window Cleaning Warehouse (WCW) as a case study the design of the cyber-physical system (CPS) is threat modelled to identify and mitigate inherent risks.
WCW is a window cleaning equipment supplier looking to adopt industry 4.0 (I4.0) technologies to monitor and optimise the window cleaning operation (WCO). High tech van systems with on-board water purification systems have revolutionised the WCO compared to a bucket and ladder approach. WCW is striving to take this technology further and develop a CPS to monitor and optimise the WCO. This is achieved through the medium of real-time data exchange between internet of things (IoT) hardware in specialised van systems and machine learning (ML) models deployed in a cloud architecture to optimise route and resources.
The research will use WCW's theoretical framework as a case study of an innovative digital supply chain for the commercialisation of real-time data. The research will focus on the digital supply chains encompassment of security and privacy along with the electronic and physical security of the hardware for real-time data. WCW propose a novel cyberphysical system that can infer dynamic resource and routing based on real-time window cleaning operation data, such as water usage. WCW will be developing the IoT hardware in house and use the digital supply chain to market business intelligence of the pure water usage hotspots. The novel aspect of the research is the threat modelling of the digital supply chain's real-time data in the IoT based route and resource optimisation context and the security policy as a course of action to circumvent security risks.
The threat modelling process follows the Microsoft security development lifecycle to identify potential security threats in the design and strategize risk management to reduce inherent risk severity. This process involves defining the external dependencies of the CPS for the Google Cloud Platform (GCP) cloud functions since they have a direct impact on the security of the system. External entities and their privileges to access the system is then discussed to determine their trust levels for the system, thus setting a precedence of acceptable access privileges among expected entities. To represent the system schematically and represent how data flow is expected, data flow diagrams are used with trust boundaries bordering a change of privilege in the system, to highlight attack surfaces. From the dataflow diagrams the expected data exchange scenarios are documented to clearly define intended use of the system thus making it simpler to distinguish violated intended use of the system using STRIDE threat classification. Because attackers usually act with intent an assessment of assets that may be of interest to an adversary give context to the impacts these risks can cause which is summarised using the DREAD methodology before risks are prioritised and managed.

Aims and Objectives
This section outlines aims and objectives defining the success criteria of the research project. This will be achieved by focusing on the following aims; 1. Defining the entry and exit points of the system for realtime data 2. Defining the external entities and their trust level in the digital supply chain 3. Defining the intended use of the system and its real-time routing data 4. Defining the external dependencies that are interoperable with the real-time data 5. STRIDE threat classification to identify risks relating to digital supply chain innovation 6. DREAD risk assessment of the novel real-time route and resource optimising IoT data risks 7. Specify the security measures for the identified criticalities and policy to be implemented to curb the problem To fulfil the objective of novel research in threat modelling real-time IoT data for route optimisation based on the physical and electronic security and the digital supply chains encompassment of security and privacy of real-time data.

Scope and Constraints
The research will focus on the novel aspects which are to threat model the innovative digital supply chain of real-time IoT data for route and resource optimisation. The delimitations of the research are aspects not associated with the cloud infrastructure, IoT hardware, data exchange between these systems and the cyber-physical system. These delimitations include but are not limited to, risks associated with the underlying Flutter framework and the multiple operating systems it supports.

Related Work
The contextual background that the research will be conducted against includes; 1. The novelty of real-time IoT data for resource and route optimisation 2. The novelty of small and medium-sized enterprises (SME) digital supply chain's encompassment of security and privacy of real-time data for IoT route optimisation 3. The novelty of electronic and physical security of IoT devices to monitor resources affects the efficiency of a route Literature review of related work to IoT data being used for resource and route optimisation is summarised as route optimisation of freight logistics based on vehicle capacity, customer time-window, the maximum travelling distance, the road capacity and traffic data [11]. Other IoT based route optimisation is based on how planned routes are performed using IoT devices to monitor vehicles and drivers to learn preferences [12]. Research has also been conducted on IoT use in waste management routing problems [13,14].
Research objectives aligning with the literature review for real-time IoT data for route and resource optimisation is that the literature does not consider the security of the IoT data for routing problems. This is a significant knowledge gap since attacks could occur to IoT routing such as physical denial of service attacks on roads by routing all vehicles towards congested areas if the integrity of the data SN Computer Science is breached or a breach of confidentiality of the routes could lead to digital supply chain loses of marketable real-time data for WCW in the context of this study.
According to a review on cyber risk analytics and artificial intelligence in the industrial IoT and I4.0 supply chains [1] there are knowledge gaps for Small and midsize enterprises (SMEs) since; "the SME's digital supply chains need to encompass the security and privacy, along with electronic and physical security of real-time data", "the SMEs need security measures to protect themselves from a range of attacks in their supply chains, while cyber attackers only need to identify the weakest links" and "the weakness of existing cyber risk impact assessment models is that the economic impact is calculated on organisations stand-alone risk, ignoring the impacts of sharing supply chain infrastructure".
The research expressed [1] stresses the lack of knowledge for research objectives 1-3 and how this case study will add to the body of knowledge since it is very important for SMEs looking to adopt I4.0 to have real-time data infrastructures for a more efficient production process and economies of scale [6]. The synthesis of the literature review for objective 2 is that convolutional neural networks (CNN) have been used to detect cross-site scripting attacks (XSS) in SME IoT network payloads after applying data preparation methods [4]. Critical analysis is that the CNN is used on fog compute nodes which require the integration of CNN inference and data pre-processing into self-hosted compute units. This method is expensive to develop and there are also cloud solutions readily available such as Google Cloud Armor which would be cheaper ($0.75 per million requests), easier and quicker to deploy and develop by security experts.
Bluetooth Low Energy (BLE) will be used to connect a mobile device to the IoT hardware to monitor variables affecting the route optimisation. In line with research objective 3 an exploration of prior work has revealed case studies, where unauthenticated BLE devices have been exposed allowing anyone to connect to the BLE device using a BLE sniffer. There have also been researched studies on bypassing the passkey authentication in BLE [2] and the exploration of BLE security [3]. This case study will add to the body of literature by exploring the WCW case study and look at these security risks in the context of real-time data exchange in the WCO.
After comparing and contrasting the literature to identify knowledge gaps it is clear there is a gap in knowledge about the use of real-time IoT data for resource and route optimisation that this paper will address. This paper's contributions will also be in the form of building knowledge for SME's digital supply chain's security and privacy of real-time IoT data for route optimisation. The final contribution to knowledge gaps in the electronic and physical security of IoT devices is to monitor resources affecting the efficiency of a route which is presented in this paper.

Research Methodology
To fulfil the research objective the data is collected through a non-probabilistic convenience sample using WCW as a case study of a theoretical CPS design. The data analysis method is grounded theory [5] which is a systematic method of constructing hypotheses, and theories of possible security risks based on the threat modelling of the design of the CPS. Since ideas and concepts of security risks become apparent from the qualitative threat model data they can then be succinctly summarised with codes and grouped into threat classifications before being analysed further to discuss risk severity, impacts and mitigations.

Entry and Exit Points
The confidentiality, integrity and availability of the realtime data are important since it is a fundamental part of the CPS and the digital supply chain. Figure 1 shows an abstract view of the architecture consisting of the components used to monitor the WCO. Round-Control's data is to be stored on GCP's FireStore which is a real-time NoSQL database. Only authorised WCW staff can create, read, update, delete (CRUD) and make backups of the data through the GCP console. It is encrypted automatically by GCP but is decrypted to read in the Firebase console through an authenticated admin account. The IoT hardware is composed of Arduino components consisting of an HM-10 Bluetooth Low Energy (BLE) transceiver enabled microcontroller, inflow and outflow Hall Effect sensors, temperature sensor, fill level sensor, total dissolved solids (TDS) inflow and outflow and a Global Positioning System (GPS) sensor. The Flutter application on the mobile device can connect to the hardware via BLE and forward the real-time data to the platform-specific Firebase app endpoint. The communication with the Firebase app endpoints is authenticated via Firebase Authentication which requires validation of email ownership. The Flutter application is authenticated to use the Firebase app using the Firebase app credentials for each platform. Changes made to the Firestore is broadcasted to all authenticated users signed in that have access to that user's data in the Firestore so the real-time data of the IoT hardware is updated in real-time across Android, iOS, Linux, Windows, macOS and web derived apps.
It is important to define the external entities and their trust levels to access the system. The expected entities are presented in Table 1. Figure 1 illustrates the data flow and trust boundaries but does not intuitively describe the expected scenarios and the intended use of the system to identify deviations. The intended use of the system is presented in Table 2.
Scenarios deviating from the intended scenarios of the system in Table 2 help identify violated deployment of the application and intended use of the system thus impacting the security of the system.

External Dependencies
The external dependencies are directly interoperable with the system. The external entities relating to the real-time data are presented in Table 3.

STRIDE Threat Classification
The qualitative data collected about WCW's adoption of I4.0 is analysed in this section for risks by analysing the intended use, external dependencies, and the descriptions of the data flow diagrams. The qualitative data can  IoT hardware be succinctly summarised through a thematic grouping of threats into STRIDE classifications. STRIDE is an acronym for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of Privilege. The derived data from the data flow diagram in Fig. 1 can be succinctly summarised as threat classifications of STRIDE as presented in Table 4.

Risk Assessment
The identified risks severity is quantified using the DREAD risk assessment model. DREAD is an acronym for damage, reproducibility, exploitability, affected users and discoverability. Each category is given a rating from 1 to 10, where 10 is the worst. The sum of the ratings helps to prioritise risks. The DREAD methodology for risk assessment is typically inconsistent among assessors and ratings tend to be subject to debate so the rationale for the ratings is provided ( Table 5).

Discussion of Risks and Mitigation
The high prioritised risks and their mitigation is discussed in this section and their novel contribution to real-time IoT data security for route and resource optimisation. The novel aspects of the research is the threat modelling of real-time IoT data for route optimisation for the physical and electronic security of the system as well as the digital supply chains encompassment of security and privacy of real-time data. Through literature review, the common variables used for routing are presented in Table 6.
To address risks 18, 19 and 20 the Bluetooth module should enforce pin pairing where the pin for the van system hardware is generated differently for each van installation and provided to the customer. The HM-10 BLE module should be genuine by having a crystal fitted alongside the bottom four solder connections otherwise you cannot add pin authentication.

Conclusion
The researcher set out to bridge the identified knowledge gap through threat modelling real-time IoT data for route optimisation based on the physical and electronic security of the system as well as the digital supply chains encompassment of security and privacy of real-time data using WCW as an SME case study. The main points of the research summarise that numerous cyber security vulnerabilities have been found with particular focus on real-time data exchange that other SMEs can consider when designing CPSs. The results are significant, since IoT data transmission enabled by 2 g is Tampering with the data in Firestore through the User Interface (UI) by accidentally deleting data (1). Non-repudiation without the Firestore rules, because the allowed actions should be limited (2) 2 g sim Physical denial of service through being covered to not omit 2 g signal (8). 2 g was created in 1991 and encryption between tower and device can be cracked in real-time to disclose information, since HTTP POST is used and the users' Firebase Authentication details and password and email is not encrypted before sending over 2 g (9). Nonrepudiation is caused by the system not being able to have enough evidence to prove that it should deny a malicious process, since there is no authentication between the tower and 2 g enabled hardware (10). Spoofing is an issue, since a man in the middle attacks can happen as someone posing as a 2 g tower is possible due to no authentication between device and tower (11). Tampering with the data is possible with a man in the middle attacks (12) IoT sensors Due to the significant number of sensors the attack surface is quite broad for compromising sensors for example if the sensor is unauthenticated then a spoofing attack can occur where false sensor signals are injected causing malicious data input like the considered by Huang et al. [7] (14). An example of spoofing attacks on IoT sensors is using laser microphones [8] where oscillating laser signals from a fixed location can deflect off of the microphone receiver and cause vibrations mimicking audio signals. Tampering with the Hall Effect sensors could compromise the validity of the water flow which might happen if there are incentives to reduce water usage on jobs (15). Denial of service attacks can happen on the path between the sensors, since they are exposed in the van system by delaying or blocking the transmission aiding stale data attacks (16) GPS mobile GPS spoofing on the mobile device is easy using free PlayStore and App Store apps (21) Arduino controller Tampering with the Arduino controller is possible, since it is easily accessible so compromising the controller can send incorrect control signals to the actuators [9] (13). A denial of service attack to the user can happen through compromising actuators through zero dynamics attacks, since the actuators are exposed so the actuator will execute a different command than what was intended by the controller [10] (17) BLE Denial of service since only one BLE connection at a time (18). Connecting to the BLE and operating the actuators in the van while not being the owner of the van system is a spoofing attack (19). If the IoT device is operated without a mobile device and there is currently no signal then data is stored in temporary memory on Arduino which could be erased if an adversary connects and modifies the data by beginning a process (20) Shopify targeted advert Information disclosure and spoofing, since API Gateway API keys are programmed into Flutter code and not encrypted so access to API key allows an adversary to pose as an email address owner to find their purchase history (3) API Gateway Denial of service, since the number of invocations of cloud functions is not capped so spamming requests to a cloud function could yield a big bill (4). Spoofing since API keys are sent in the HTTP POST request URL and can be obtained (5) Hardware Data Update Pyrebase is required, since using API key alone to access API gateway is unsafe, since the API key is quite easy to obtain through social engineering or other vulnerabilities discussed. Authentication with Firebase Authentication is required before being able to change data in the database but Pyrebase is not an official Google package so could have vulnerabilities allowing for tampering (6). Not restricted to a number of invocations so denial of service through large compute bill (7) likely to be considered for real-time data exchange by other SMEs, since it is low cost but the vulnerabilities discussed are significant. The significance of the risks found with BLE is also likely to apply to many other SME CPS projects.
The technical achievement of the paper is its identification of security vulnerabilities for novel IoT route optimisation variables and the proposed security measures and policies to circumvent, manage and monitor the risks. It is difficult to reproduce the attack, since Firestore makes you type in to confirm the deletion 2 10 4 6 10 2 32/50 The damage would be high, since Firestore CRUD operations could be performed. The affected users would be WCW customers and their customers and WCW 3 8 7 3 10 8 36/50 Quite difficult to decompile into dart code from Android application Package (APK). High damage to WCW 4 10 10 8 10 9 47/50 Uncapped cloud function invocations could yield an extortionate GCP bill for WCW and might be too much to pay to cause bankruptcy affecting the whole supply chain 5 10 10 9 8 10 47/50 Getting a user's API key could mean that an adversary can use the systems services and the API key owner would be billed 6 8 9 9 10 9 45/50 If Pyrebase was illegitimate then they would have full access to the Firebase services for the project 7 10 10 8 10 9 47/50 Same as risk 4 8 1 10 10 1 10 32/50 The attack is easy to reproduce and does not take much technical knowledge 9 10 7 5 9 8 39/50 The attack is severe, since users Firebase credentials are exposed. The affected users would be the user, their customers and WCW 10 10 7 5 9 8 39/50 The phone can't authenticate a legitimate 2 g receiver so and the same rationale as risk 9 applies 11 10 8 5 9 8 40/50 The same rationale as risk 10 12 10 9 4 10 8 40/50 The attack is easier to reproduce, since the HTTP packet structure is consistent and once the data structure is found data can be modified automatically through a malicious parsing program 13 2 10 10 1 9 32/50 The controller is easily accessible 14

Availability of Data and Materials
The authors confirm that the data supporting the findings of this study are available within the article [and/or] its supplementary materials.
Code Availability Code is maintained on a private GitHub repository and is property of Window Cleaning Warehouse.

Conflict of Interest
The authors are involved in a KTP. It is in the interest of the corresponding author to ensure the success of the KTP, exhaustive of cyber-security.

Ethical Approval
No ethics approval is needed, since research does not deal with human participants or human tissue, and is not sensitive, deceptive or covert according to the University Ethics Committee at Cardiff Metropolitan University.  [11,13,14] and this study 5, 8, 9, 10, 11 and 12 Risks 5 can be addressed by storing the API key associated with the user in the Firestore database to then check that the API key used is associated with the authenticated user Risks 8, 9, 10, 11 and 12 can be completely averted using a more secure mobile network protocol such as 3 g, 4 g or 5 g, but measures against 2 g downgrade attacks should be considered to stop downgrade back to 2 g. For risk 9 the user's password should also be encrypted before transmission as an extra security measure Travel distance [11][12][13][14] and this study 4 and 7 To calculate travel distance based on roads the GCP Directions API is commonly used. The billing for this is $5(~ £3.67) per 1000 requests. Risks 4 and 7 relate to uncapped Cloud Function invocations. WCW is looking to build a digital supply chain for business intelligence that is fully scalable. The security measures to mitigate risks 4 and 7 is to cap the number of requests per minute from an Internet Protocol (IP) address and cap the number of function instances that can be invoked in parallel. Monitoring the risk would be in the form of monitoring the user base growth to ensure that the CPS is not hindering genuine requests by limiting the number of function instances Road traffic data [11][12][13][14] and this study 21 Security measures to circumvent risk 21 of spoofing GPS location of a mobile device to simulate standstill traffic on a popular road would be to implement mobile device side code to detect mock locations.
In Android 17 this can be done through Setting. Secure to detect if ALLOW_MOCK_LOCATION is enabled. On Android 18 and above the Location.isFromMockProvider() API can be used. On iOS it is possible to detect if the iPhone is jailbroken that suggests the user could be spoofing their location Historic preferences [12] and this study 1 and 2 A policy to circumvent tampering with data in the firebase UI (risk 1) is to set up a Cloud Scheduler to publish a topic every specified duration that a Cloud Function is subscribed to. It would then be possible to write a Cloud Function in Node.js to back up a copy of the Firestore database to a Google Storage Bucket for disaster recovery, with the added benefit of having an offline data set you could export to a Comma-Separated Values (CSV) file using GCP's Big Query. The monitoring of the risk would be to check the Cloud Function logs to ensure it is being invoked routinely. Security measures addressing risk 2 are to implement Cloud Firestore Security Rules to restrict read and write access to authenticated users with verified emails. Further restricting the privileges of the users to roles is recommended so not any logged-in user has read and write access to entire database. Firebase Admin Software Development Kit (SDK) and Cloud Functions can still access the database regardless of closed access. It is, therefore, recommended to restrict access to public Cloud Function endpoints using API Gateway to enforce an OpenAPI specification with security definitions for API keys and authentication. Monitoring the risk would be in the form of setting up local unit tests using JavaScript version 9 SDK Consent to Participate No humans were involved in the participation of the research, since it was a theoretical threat analysis of the design of a cyber-physical system.

Consent for Publication Window Cleaning Warehouse give consent for publication.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.