Detailed Analysis on Mitigating Threats

The following sections describe the different threats as described by ENISA and which of our services can help mitigate them.
Nefarious Activity / Abuse
Firmware Modification, e.g. of CPU, internal/external Controllers (e.g. hard drive/USB media), smart chargers, smart batteries, co-processors, NICs. Exploiting firmware vulnerabilities, abusing update functionality, or abusing binary firmware loading mechanisms.
Remote firmware attacks, e.g. in network interface cards, Memory Corruption Vulnerabilities, Logical Flaws, Backdoor Functionality or Remote management functionality. Attack Persistence via Firmware modification/Bootkit.
Information Access (Can also be Physical Attacks)
Eavesdropping / Interception / Hijacking
Traffic Sniffing on the Network level, Internal Bus level or Memory level

Surveillance of Location, Audio, Visual data or Behaviour

Data Tampering/Spoofing of Location or Behaviour
Destruction of Hardware – Overheating, Explosion, “Bricking” and Disabling of interfaces.

Waste/destruction of Resources - Excessive Heating/use of heat-producing resources, Excessive energy consumption and Excessive use of water/physical resources controlled by a computing control system.
Physical Attacks
The threat of Hardware Modification, by an External or an Internal Hardware Trojan. The risk is that someone with temporary hardware access can modify the system.

Property Losses - Access control bypass (e.g. smart lock), Disabling of monitoring/alerting (e.g. alarm systems), Unlock attack (e.g. in vehicles)
The threat here is Denial-of-Service - Flooding/volumetric attack, Software bug/exploit or Logical flaws, all of which can create outages and disruption of normal service.
Failures or Malfunctions
Malfunction can come in a variety of forms - Failure of medical devices, Overheating/explosion of batteries, Failure of control/production systems, Failure of access systems, Failure of alarm systems, Outages of monitoring systems etc.

Modification-of-Service - Wrong treatment by medical devices, False negative reporting by alarm/monitoring systems or Granted access for unauthorized parties by access control systems.
Loss of Compliance due to Voidance of certification/validation approvals, Violation of contractual requirements, Violation of internal/external compliance requirements or Violation of data protection laws.