MB Tech Innovation

Business Challenge 02 — Threat Modelling

Author

Andy Weeger

Published

Mar 5, 2024

Modified

Mar 22, 2024

General Briefing

Mercedes-Benz Tech Innovation GmbH is a subsidiary of Mercedes-Benz Group AG, and is one of the largest tech subsidiaries within the group, with over 1,400 employees. They are a 100% tech company, and their focus is on developing digital products and software solutions exclusively for Mercedes-Benz.

The aim of Mercedes-Benz Tech Innovation (MBTI) is to be a best-in-class tech company developing the latest technologies as the basis for new products and innovations within the Mercedes-Benz Group AG and offering solutions, services and consulting in the fields of mobility, digital vehicle, sales & care, digital production and cyber security within the group.

Within the last years, cyber security has become a key area for the success of almost every company, so also within the Mercedes-Benz Group AG. Today cyber security is impacting every aspect of their operations, from ensuring the safety of their vehicles to protecting their sensitive data and maintaining a strong reputation. MBTI is one of the key players within the Mercedes-Benz Group taking care for the continuous expansion of the protection of its products and services against threats from hacker attacks and cybercrime.

“Cyber security and future-oriented thinking go hand in hand. Together, we make Mercedes-Benz even safer!” Suela, Project Manager, Offensive Security

Cyber security is a top priority because of many reasons. Below some key aspects are summarized.

Increased reliance on technology
Mercedes-Benz vehicles are becoming increasingly interconnected and reliant on software, making them more vulnerable to cyberattacks. The company also relies heavily on IT systems for its operations, making them susceptible to data breaches and disruptions.
Potential consequences of cyberattacks
A successful cyberattack could potentially compromise the safety and control of Mercedes-Benz vehicles, putting passengers and others at risk. Furhter data breaches can lead to financial losses through stolen intellectual property, ransom demands, and regulatory fines. Last not least, a major cyberattack could severely damage the reputation of Mercedes-Benz.
Regulatory requirements
The automotive industry is subject to various regulations regarding data security and privacy, requiring Mercedes-Benz to implement robust cyber security measures.
Competitive advantage
Strong cyber security can be a competitive advantage for Mercedes-Benz by demonstrating their commitment to protecting their customers’ data and ensuring the safety and reliability of their vehicles.

Challenge

Threat modelling is a systematic process used to proactively identify, analyze, and address potential threats to a system, application, or asset. It involves considering the perspective of an attacker and systematically exploring how they might exploit vulnerabilities to gain unauthorized access, disrupt operations, or steal data. It is an essential, but complex and time consuming process, for ensuring cyber security providing, amongst others, following benefits:

  • Improved security posture: By proactively identifying and mitigating threats, organizations can significantly improve their overall security posture.
  • Reduced risk of breaches: Early detection and mitigation of threats can help prevent costly and damaging security breaches.
  • More informed decision-making: Threat modeling provides valuable insights that can inform security investments and resource allocation.
  • Enhanced communication and collaboration: The process of threat modeling fosters communication and collaboration between different teams involved in security.

MTBI seeks for innovative solutions to facilitate the process and improve communication and collaboration between key stakeholders — in short, to develop approaches for “the next generation threat modelling”. MBTI strives to reduce the complexity of threat modelling including the cognitive load of the development teams and to empower them to develop safer and more resilient digital products in even shorter time.

To achieve that, the MBTI is looking for innovative solutions based on AI that pave the way to next level threat modelling, particularly solutions that enable standardization and partly automation of the thread modelling process by considering existing IT risk assessment (ITRA) and information security risk management (ISRM) processes. The key question therefore is:

How can AI facilitate the threat modelling processes within MBTI?

By combining the requirements of state-of-the art threat modelling, the capabilities of AI-related technology and levers to improve human-human collaboration as well as human-AI collaboration, significant progress towards improving threat modelling, particularly regarding the enablement of the whole organization to engage efficiently in threat modelling processes can be realized. To achieve this, MBTI has identified the following critical opportunity areas for innovation:

  • Reduction of cognitive load for development teams
  • Improved collaboration and communication between different security teams
  • Automation of routine taks within the process
  • Integration of predefined credible attack vectors1
  • Personalized threat modeling by considering specific, often dynamic contextual factors

If you have different ideas and directions that you want to pursue, either check-in with the professors and the contact persons at MTBI.

Mandatory questions

Following questions should definitely be answered as part of your concept and adressed by your MVP

  • What are key requirements of thread modelling as well as ITRA and ISRM?
  • What are unmet needs of parties involved in the process?
  • How does your solution address the key requirements and unmet needs?
  • What capabilities could what type of AI bring in?
  • What specific tasks within threat modeling can AI be used for?
  • How will human expertise and judgment be integrated?
  • What data will be used to train and inform AI models?
  • What is the potential impact (i.e., business value) of your solution with regard to both security and efficiency?
  • How does the MVP proof your concept, particularly value creation and feasibility?
  • What should the go-to-market strategy/implementation approach be for your solution?

Requirements

Measure of impact
It is essential to introduce metrics that allow to evaluate the effectiveness and performance of AI-integrated threat modeling.
Target key parties involved
The proposed solution should take into account the most important needs and concerns of the key parties involved.
Training data
It is critical to identify the data that can be used to train and inform AI models.
Roles and responsibilities
The solution should consider clearly defined roles and responsibilities for humans and AI in the threat modeling process; AI should be used to complement and enhance human decision-making, not replace it.
Data protection and security
The proposed solution needs also to consider the security of the AI models and data used.
Technology
The proposed solution should be mostly based on open source technology as MBTI is committed to the open source community.

Goals and outcome

The aim is to propose an innovative digital solution for next level threat modelling that can be implemented at MTBI within a few months and to proof the concept by means of a MVP. If the proof of concept is successful, there is the opportunity to present the concept at MBTI. This is also a great chance to show case yourself for a job after finishing the master program.

Knowledge base

Details about the MTBI an their services can be found online:

In addition, Manuel Krumm and his colleagues will introduce MTBI specifics to threat modelling, ITRA and ISRM as well as to answer specific questions. Dates will be announced asap.

Footnotes

  1. Predefined credible attack vectors are well-established and documented methods that attackers use to exploit vulnerabilities in systems, applications, or assets.↩︎