Threats

It is important to distinguish between a threat and threat source (or threat actor). Each threat has a threat actor. For example, in the case of a burglar invading your home, it is tempting to consider the burglar as the actual threat, but it is more accurate and useful to consider them the threat source (or actor). They are the actor, who may attack your house for a variety of malicious purposes, most notably their self-serving desire to separate you from your valued assets. In this context, the threat is actually the potential for the burglary to be performed, or more generally represents the exploit potential.

Threats may therefore come in a variety of types, both natural and man-made. Tornados, floods, and hurricanes can be considered natural threats; in these cases, the Earth's weather serves as the threat actor (or acts of God, in the lingo of many insurance policies).

IoT threats include all of the information assurance threats to management, application, sensor and control data sent to and from IoT devices. In addition, IoT devices are subject to the same physical security, hardware, software quality, environmental, supply chain, and many other threats, common to both security and safety domains. IoT devices in CPS (for example, actuation, and physical sensing) are subject to physical reliability and resilience threats beyond just the compromise or degradation of the computing platform. Additional engineering disciplines are at play in many industrial IoT CPS, such as classical control theory, state estimation and control, and others that use sensors, sensor feedback, controllers, filters, and actuators to manipulate physical system states. Threats can also target control system transfer functions, state estimation filters (such as Kalman filters), and other inner control loop artifacts that have direct consequences for the physical world.