
Software architecture - Phase 3

Privacy analysis report

Dommicent Leendert - s0205006, Van Loock Jorn - s0205008

Prof.: W. Joosen, Assistant: Riccardo Scandariato

Contents

1 Understanding the architecture
2 Privacy analysis
  2.1 Data Flow Diagram
  2.2 Mapping of threats to DFD
  2.3 Threat elicitation
    2.3.1 Assumptions
    2.3.2 Threats
      T1. External person intercepts measurement data
      T2. External person intercepts portal traffic
      T3. Disclosures of bills
      T4. Disclosures of UIS messages
      T5. Disclosures of internal flows
      T6. Disclosures of internal processes
      T7. Consumer unaware of uploading data
      T8. Consumer fails to update information
      T9. Linkability of research data
      T10. Identifiability of user measurements by researcher
      T11. Linkability of general database content
      T12. Linkability of alarm configuration database content
      T13. Identifiability of data in databases
      T14. Information disclosure of the databases by insider
      T15. Information disclosure of the databases by outsider
      T16. Spoofing a user by falsifying credentials
      T17. Spoofing a user by eavesdropping communication
      T18. Spoofing a user because of weak credential storage
      T19. Missing consumer consent
      T20. Non-compliance of the management
      T21. Non-compliance of employees
      T22. Non-compliance of externals
  2.4 Prioritization of threats
    2.4.1 High Priority
    2.4.2 Medium Priority
    2.4.3 Low Priority

1 Understanding the architecture

The alarm frame is received by the Incoming Communication Component through the receiveData interface method. This component routes the alarm to the Alarm Processor through the receiveAlarmTrame method. The Alarm Processor then handles the alarm. First it stores the alarm in the General Database, so that the customers can see it in their control panel. It also needs the configuration of the module, which it finds in the Alarm Configuration Data database; it needs this configuration to determine whether it has to activate an actuator and to know whom it has to contact. If an actuator has to be closed, the Alarm Processor calls the activateValve method of the Actuator Controller. The Actuator Controller contacts the actuator through the Outgoing Communication Component with the sendCommand method. The actuator responds when the action has completed successfully. The Actuator Controller receives this message through the Incoming Communication Component and stores it in the General Database. If a customer has to be notified, the Alarm Processor does that through the notifyAlarm method of the Outgoing Communication Component. This component then gets the customer's details from the Database, stores the notification in the database and sends it to the customer.

2 Privacy analysis

2.1 Data Flow Diagram

In Figure 1 you can find the Data Flow Diagram. Some arrows are coloured; this is only for readability, and there is no relation between the colours. For simplicity we started creating the DFD from the original component diagram. To get all the data being sent between the components we looked at the interfaces and the sequence diagrams; this way all the data flows could be determined. Further, we did not merge components. This allows us to keep the fine-grained details of the flowing data; merging components would only mean splitting them up again when mapping the threats to the DFD if we want to keep these details. In the threat analysis, however, multiple flows were taken together, as stated in the assumptions.

Figure 1: The Data Flow Diagram

2.2 Mapping of threats to DFD

Legend: A = T14, T15, T16, T17, T18; B = T19, T20, T21, T22; C = T7, T8.
Columns: L = linkability, I = identifiability, ID = information disclosure, S = spoofing, U = unawareness, NC = non-compliance. A dash means no threat is mapped to that cell.

Threat target                                    L   I   ID  S   U   NC
Data Store
  General Database                               11  13  A   -   -   B
  Alarm Configuration Database                   12  13  A   -   -   B
Data Flow
  Remote Module - Incoming Component             -   -   1   -   -   B
  Consumer - Consumer Portal                     -   -   2   -   -   B
  Consumer Portal - Consumer                     -   -   2   -   -   B
  Researcher - Researcher Portal                 -   -   2   -   -   B
  Researcher Portal - Researcher                 9   10  2   -   -   B
  Operator - Operator Portal                     -   -   2   -   -   B
  Operator Portal - Operator                     -   -   2   -   -   B
  3rd Party Billing - Billing                    -   -   3   -   -   B
  Billing - 3rd Party Billing                    -   -   3   -   -   B
  UIS - UIS WebService                           -   -   4   -   -   B
  UIS WebService - UIS                           -   -   4   -   -   B
  Incoming Module - Alarm Processor              -   -   5   -   -   B
  Incoming Module - Actuator Controller          -   -   5   -   -   B
  Incoming Module - Data Processor               -   -   5   -   -   B
  Incoming Module - Configuration Controller     -   -   5   -   -   B
  Alarm Processor - Alarm Configuration Data     -   -   5   -   -   B
  Alarm Configuration Data - Alarm Processor     -   -   5   -   -   B
  Alarm Processor - Outgoing Module              -   -   5   -   -   B
  Alarm Processor - General Database             -   -   5   -   -   B
  Alarm Processor - Actuator Controller          -   -   5   -   -   B
  Actuator Controller - Outgoing Module          -   -   5   -   -   B
  Actuator Controller - General Database         -   -   5   -   -   B
  Data Processor - General Database              -   -   5   -   -   B
  Data Processor - Anomaly Detector              -   -   5   -   -   B
  Configuration Controller - Actuator Controller -   -   5   -   -   B
  Configuration Controller - Outgoing Module     -   -   5   -   -   B
  Configuration Controller - General Database    -   -   5   -   -   B
  Anomaly Detector - Outgoing Module             -   -   5   -   -   B
  Anomaly Detector - General Database            -   -   5   -   -   B
  General Database - Anomaly Detector            -   -   5   -   -   B
  Consumer Portal - Configuration Controller     -   -   5   -   -   B
  Consumer Portal - Statistics Component         -   -   5   -   -   B
  Statistics Component - Consumer Portal         -   -   5   -   -   B
  Consumer Portal - General Database             -   -   5   -   -   B
  Statistics Component - General Database        -   -   5   -   -   B
  General Database - Statistics Component        -   -   5   -   -   B
  Researcher Portal - Statistics Component       -   -   5   -   -   B
  Statistics Component - Researcher Portal       -   -   5   -   -   B
  Statistics Component - Operator Portal         -   -   5   -   -   B
  Operator Portal - Statistics Component         -   -   5   -   -   B
  Statistics Component - UIS WebService          -   -   5   -   -   B
  UIS WebService - Statistics Component          -   -   5   -   -   B
  Operator Portal - UIS WebService               -   -   5   -   -   B
  Operator Portal - General Database             -   -   5   -   -   B
  UIS WebService - General Database              -   -   5   -   -   B
  General Database - UIS WebService              -   -   5   -   -   B
  UIS WebService - Outgoing Module               -   -   5   -   -   B
  General Database - Outgoing Module             -   -   5   -   -   B
  Outgoing Module - General Database             -   -   5   -   -   B
  Schedule Checker - Outgoing Module             -   -   5   -   -   B
  Schedule Checker - General Database            -   -   5   -   -   B
  General Database - Schedule Checker            -   -   5   -   -   B
  Billing - General Database                     -   -   5   -   -   B
  General Database - Billing                     -   -   5   -   -   B
  Global Demand Predictor - General Database     -   -   5   -   -   B
  General Database - Global Demand Predictor     -   -   5   -   -   B
Process
  Incoming Module                                -   -   6   -   -   B
  Alarm Processor                                -   -   6   -   -   B
  Actuator Controller                            -   -   6   -   -   B
  Data Processor                                 -   -   6   -   -   B
  Configuration Controller                       -   -   6   -   -   B
  Consumer Portal                                -   -   6   -   -   B
  Researcher Portal                              -   -   6   -   -   B
  Operator Portal                                -   -   6   -   -   B
  Statistics Component                           -   -   6   -   -   B
  Outgoing Component                             -   -   6   -   -   B
  Anomaly Detector                               -   -   6   -   -   B
  Schedule Checker                               -   -   6   -   -   B
  Billing                                        -   -   6   -   -   B
  Global Demand Predictor                        -   -   6   -   -   B
  UIS Web Service                                -   -   6   -   -   B
Entity
  Remote Module                                  -   -   -   -   -   -
  Consumer                                       -   -   -   A   C   -
  Researcher                                     -   -   -   A   -   -
  Operator                                       -   -   -   A   -   -
  UIS                                            -   -   -   A   -   -
  3rd Party Billing                              -   -   -   A   -   -

2.3 Threat elicitation

2.3.1 Assumptions

1. We do not handle detectability threats. This type of threat is important in general, but not for this system: whether or not a user uses this system is not considered important information, only the data itself is.
2. No non-repudiation threats exist in the system, as the data flows, processes and data stores do not require plausible deniability.
3. The unawareness threat only applies to the consumer, because only data from this entity is stored in the system.
4. Non-compliance is a threat that is not specific to one process or data flow. Because of this we make no distinction between the different elements.
5. Linkability and detectability do not apply to the internal data flows, because the fact that somebody knows that two requests belong to the same user, or knows which users made a request, does not harm the privacy of this user. The privacy is only in danger when the information in the request is exposed.
6. We consider the backend of the system sufficiently protected against outside attacks. Our systems are hosted in a third-party datacenter, so the security of this datacenter is their responsibility. We only consider insider threats for the internal processes and data flows.
7. All internal data flows are similar and we consider them together.
8. All internal processes are similar and we consider them together as well.
9. Linkability and identifiability of entities are not considered a threat, because knowing whether an entity is using a service is not considered an issue. The same applies to linkability of entities.
10. Linkability and identifiability are not considered for processes, because knowing that two actions belong to the same user does not violate the user's privacy. The user's privacy is only violated when the content of the action is revealed.
11. Because of the previous assumption (10), the data flows between the entities and their corresponding portals are also not vulnerable to identifiability and linkability threats. An exception is the flow between the researcher and his portal.
12. We assume that all communication channels are safe from side-channel attacks; however, they are not all encrypted.
13. We assume that the bit layout of the message is generally known and consequently is not good enough to serve as encryption.
14. There is no access control on the databases themselves. The only authentication happens in the portals.
15. The authentication services inside the portals are assumed to be completely secure and to run over an encrypted SSL connection. The connection between entities and portals, however, is not encrypted.
16. Except for the authentication flow, no other flows are encrypted.
17. The user cannot provide too much personal information, because registration is done using predefined forms.
18. There is no anonymization system present in the data stores.
19. Information like IP addresses, computer ids and session ids is not stored in the data stores, because it is not important for the working of the system.
20. The data store is considered to be programmed in a secure way. We can assume this because this piece of software is written by a third party, so it is their responsibility.
21. Spoofing a remote module is a high threat, but it is a security threat, so it is not handled here.

2.3.2 Threats

T1. External person intercepts measurement data

Summary: An external person can intercept the flow between the remote modules and the incoming component. He can then read the bits and obtain module and measurement information.

Primary mis-actor: Skilled outsider

Basic path:
1. The outsider intercepts the message with a MITM attack.
2. The outsider reads the bits of the message.

Consequence: The outsider knows all the information in the message. This includes measurement data, the module id and a lot more.

Reference to threat tree node(s): ID_df4, ID_df6, ID_dv7

Parent threat tree(s): ID, ID_df

DFD element(s): Remote Module, Incoming Component

Remarks:
r1. This threat only works when assumption 13 holds.
r2. Even if he knows the module id, he cannot link it to a consumer.

T2. External person intercepts portal trac

Summary: Since the traffic from entities to portals and vice versa runs over an HTTP connection, it is not secure, so an attacker can intercept the packets and read the information.

Primary mis-actor: Skilled outsider

Basic path:
1. The outsider intercepts the message with a MITM attack.
2. The outsider reads the messages.

Consequence: The attacker can obtain information about the user, their valves, their modules, measurement info, ...

Reference to threat tree node(s): ID_df4, ID_df6, ID_dv7

Parent threat tree(s): ID, ID_df

DFD element(s): Consumer, Consumer Portal, Researcher, Researcher Portal, Operator, Operator Portal

Remarks:
r1. ID_df1 is possible because of assumption 16: there is no encryption on the channel.
r2. Together with T1, the attacker can couple the measurements to a consumer, which is a very high threat.
r3. This portal traffic can also contain credentials and session tokens, with which a user can be spoofed (T17).

T3. Disclosures of bills

Summary: The bills that are sent to the 3rd party billing company can be intercepted.

Primary mis-actor: Skilled outsider

Basic path:
1. The outsider intercepts the bill with a MITM attack.
2. The outsider reads the bill.

Consequence: The outsider has all the user information, such as address, telephone number and measurement data.

Reference to threat tree node(s): ID_df4, ID_df6, ID_dv7

Parent threat tree(s): ID, ID_df

DFD element(s): 3rd Party Billing, Billing

Remarks:
r1. This threat is very important because the bill contains a lot of information.
r2. ID_df1 is possible because of assumption 16: there is no encryption on the channel.
r3. This traffic can also contain credentials and session tokens, with which a user can be spoofed (T17).

T4. Disclosures of UIS messages

Summary: The communication with the UIS can be intercepted.

Primary mis-actor: Skilled outsider

Basic path:
1. The outsider intercepts the messages with a MITM attack.
2. The outsider reads the messages.

Consequence: The outsider has prediction information, but also user information, because ReMeS updates the UIS with the users that start using ReMeS.

Reference to threat tree node(s): ID_df4, ID_df6, ID_dv7

Parent threat tree(s): ID, ID_df

DFD element(s): UIS, UIS WebService

Remarks:
r1. The information sent over this channel is not that important, so this threat also has a low priority.
r2. ID_df1 is possible because of assumption 16: there is no encryption on the channel.
r3. This traffic can also contain credentials and session tokens, with which a user can be spoofed (T17).

T5. Disclosures of internal ows

Summary: All internal flows can be intercepted by an insider.

Primary mis-actor: Skilled insider

Basic path:
1. The insider intercepts the flow with a MITM attack.
2. The insider reads the messages.

Consequence: The insider has access to personal information, measurement information and configuration details.

Reference to threat tree node(s): ID_df4, ID_df6, ID_dv7

Parent threat tree(s): ID, ID_df

DFD element(s): All internal flows

Remarks:
r1. We only consider inside attacks because of assumption 6.
r2. ID_df1 is possible because of assumption 16: there is no encryption on the channel.

T6. Disclosures internal processes

Summary: An authorized insider can corrupt a process and obtain private information.

Primary mis-actor: Authorized insider

Basic path:
1. The insider makes a request with corrupt parameters.
2. Because there is insufficient input validation, the process and/or its memory gets corrupted.
3. The insider is now in control of the process and is able to obtain information from other processes and the databases.

Consequence: The insider has access to personal information, measurement information and configuration information.

Reference to threat tree node(s): ID_p3, ID_p4

Parent threat tree(s): ID, ID_p

DFD element(s): All internal processes

Remarks:
r1. We do not consider spoofing external entities because of assumption 6.
r2. We do not consider side channels because of assumption 12.
r3. Requests by a corrupt process to the database are possible because of assumption 14.
r4. Tampering threats against persistent storage are not handled because they are a security issue. Disclosure of the database is handled in T14 and T15.

T7. Consumer unaware of uploading data

Summary: The user does not know for which purposes his information is used and decides to use the system with a lack of information.

Primary mis-actor: Management

Basic path:
1. The management fails to explain to the user for which purposes his data is used.
2. This can influence the user's decision to (not) use the system.

Consequence: Outsiders like the billing company could have the user's information without the user's knowledge.

Reference to threat tree node(s):

Parent threat tree(s): U

DFD element(s): Consumer

Remarks:
r1. We assume the user cannot provide too much personal information because of assumption 17.

T8. Consumer fails to update information

Summary: Other people could receive information about users who are using the system.

Primary mis-actor: Consumer

Basic path:
1. The consumer fails to change his contact details.
2. Information could be sent to the wrong addresses.
3. Other people receive information about ReMeS consumers.

Consequence: Other people have information about ReMeS consumers.

Reference to threat tree node(s): U_3, U_4

Parent threat tree(s): U

DFD element(s): Consumer

T9. Linkability of research data

Summary: The researcher could link received data together.

Primary mis-actor: Researcher

Basic path:
1. The researcher requests data from his portal.
2. The researcher receives measurement and user data.
3. The researcher could link this measurement data.

Consequence: The researcher links different measurement data.

Reference to threat tree node(s): L_df8, L_df9, L_df11

Parent threat tree(s): L_df

DFD element(s): Researcher, Researcher Portal

Remarks:
r1. L_df1 is already considered in threat T2, so we do not consider it again.
r2. L_df4 and the other leaf nodes of the non-anonymous communication branch L_df3 are not considered, because this threat aims to protect the consumer, who is not directly part of this data flow.
r3. It is unclear from the documentation what is returned to the researcher. That is why we included L_df8, L_df9 and L_df11.

T10. Identiability of user measurements by researcher

Summary: The researcher could link received data to certain users.

Primary mis-actor: Researcher

Basic path:
1. The researcher requests data from his portal.
2. The researcher receives measurement and user data.
3. The researcher could link this measurement data to certain users.

Consequence: The researcher links different measurement data to users.

Reference to threat tree node(s): I_df8, I_df9, I_df11

Parent threat tree(s): I_df

DFD element(s): Researcher, Researcher Portal

Remarks:
r1. I_df1 is already considered in threat T2, so we do not consider it again.
r2. I_df4 and the other leaf nodes of the non-anonymous communication branch I_df3 are not considered, because this threat aims to protect the consumer, who is not directly part of this data flow.
r3. It is unclear from the documentation what is returned to the researcher. That is why we included I_df8, I_df9 and I_df11.

T11. Linkability of general database content

Summary: An internal person could link measurement, notification and alarm data together.

Primary mis-actor: Skilled insider with direct access to the data store

Basic path:
1. The insider runs queries on the data store.
2. The insider links the measurement, notification and alarm data together based on user ids, content and behavioural patterns.

Consequence: An insider has linked measurement, notification and alarm data together.

Reference to threat tree node(s): L_e6, L_e7, L_e9

Parent threat tree(s): L_df

DFD element(s): General Database

Remarks:
r1. L_ds1 and L_e1 are fulfilled because it is an inside attack and by assumption 14 there is no access control on the data store.
r2. L_ds3 is not considered because of assumption 18: if the data is not anonymized, there is no need to re-identify it.
r3. The other leaf nodes of L_e2 are not considered because of assumption 19.

T12. Linkability of alarm conguration database content

Summary: An internal person could link configurations and modules together, because the database returns not only the valve but also the user id.

Primary mis-actor: Skilled insider with direct access to the data store

Basic path:
1. The insider runs queries on the data store.
2. The insider links the modules together with the user id.

Consequence: An insider has linked measurement, notification and alarm data together.

Reference to threat tree node(s): L_e6, L_e7, L_e9

Parent threat tree(s): L_df

DFD element(s): Alarm Configuration Database

Remarks:
r1. L_ds1 and L_e1 are fulfilled because it is an inside attack and by assumption 14 there is no access control on the data store.
r2. L_ds3 is not considered because of assumption 18: if the data is not anonymized, there is no need to re-identify it.
r3. The other leaf nodes of L_e2 are not considered because of assumption 19.

T13. Identiability of data in databases

Summary: An internal person could link measurement, notification and alarm data with a consumer.

Primary mis-actor: Skilled insider with direct access to the data store

Basic path:
1. The insider runs queries on the data store.
2. The insider links the measurement, notification and alarm data together. This is possible because this information contains module ids and consumer ids, which are linked together in the database.

Consequence: An insider knows the measurement, notification and alarm data of a consumer.

Reference to threat tree node(s): I_ds2

Parent threat tree(s): I_ds

DFD element(s): General Database, Alarm Configuration Database

Remarks:
r1. I_ds1 is fulfilled because it is an internal person, so no access control is available, due to assumption 14.
r2. Identifiability of the entity is considered because none of the other nodes seemed to match, so we just consider I_ds2.
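To make concrete what assumption 18 (no anonymization in the data stores) costs in T11 to T13, here is an added example that is not part of the original report. It simulates the join an insider with direct query access performs on the shared consumer and module ids, then replaces those ids with keyed, per-table pseudonyms so that the General Database tables no longer join on them. The table layout, the records, the ids and the key are constructed sample data; the resolve step assumes a key that lives outside the data stores.

```python
import hashlib
import hmac

# Constructed sample rows, shaped after the General Database tables named in T11/T13.
MEASUREMENTS = [
    {"module_id": "M-1", "consumer_id": "C-42", "value": 3.2},
    {"module_id": "M-2", "consumer_id": "C-77", "value": 0.9},
]
NOTIFICATIONS = [
    {"consumer_id": "C-42", "text": "valve closed"},
    {"consumer_id": "C-77", "text": "leak alarm sent"},
]
ALARMS = [
    {"module_id": "M-1", "consumer_id": "C-42", "kind": "leak"},
]


def link_on(field, *tables):
    """The join T11/T13 describe: values of `field` that occur in every given table,
    i.e. the records an insider can link with nothing more than a query."""
    return set.intersection(*({row[field] for row in table if field in row} for table in tables))


def pseudonym(key: bytes, purpose: str, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over purpose || 0x00 || identifier, truncated to 64 bits.
    The purpose label is a domain separator, so the same consumer gets unrelated
    pseudonyms in the measurement, notification and alarm tables."""
    msg = purpose.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(table, key: bytes, purpose: str, fields=("consumer_id", "module_id")):
    """Copy of `table` with the direct identifiers replaced by purpose-bound pseudonyms.
    Note what this does NOT remove: content and behavioural patterns (T11, step 2)
    stay in the rows, so this is pseudonymisation, not full anonymisation."""
    out = []
    for row in table:
        row = dict(row)
        for f in fields:
            if f in row:
                row[f] = pseudonym(key, purpose, row[f])
        out.append(row)
    return out


def resolve(key: bytes, purpose: str, candidates, wanted: str):
    """Re-identification for the component that legitimately holds the key (e.g. the
    Alarm Processor, which must contact the consumer): recompute and compare."""
    for cid in candidates:
        if hmac.compare_digest(pseudonym(key, purpose, cid), wanted):
            return cid
    return None


def demo(key: bytes = b"constructed-demo-key-not-in-the-database"):
    """Returns (linkable ids before, linkable ids after, resolved owner of the alarm)."""
    before = {
        "consumer_id": link_on("consumer_id", MEASUREMENTS, NOTIFICATIONS, ALARMS),
        "module_id": link_on("module_id", MEASUREMENTS, ALARMS),
    }
    meas = pseudonymise(MEASUREMENTS, key, "measurement")
    notif = pseudonymise(NOTIFICATIONS, key, "notification")
    alarms = pseudonymise(ALARMS, key, "alarm")
    after = {
        "consumer_id": link_on("consumer_id", meas, notif, alarms),
        "module_id": link_on("module_id", meas, alarms),
    }
    owner = resolve(key, "alarm", ["C-42", "C-77"], alarms[0]["consumer_id"])
    return before, after, owner


if __name__ == "__main__":
    print(demo())
```

Whoever holds the key can still link everything, so the key must be kept out of the data stores that assumption 14 leaves without access control.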

T14. Information disclosure of the databases by insider

Summary: An insider runs queries on the data stores to obtain information about the users.

Primary mis-actor: Skilled insider with direct database access.

Basic path:
1. The mis-actor runs queries directly on the data store.
2. The mis-actor receives user, measurement and notification information.

Consequence: The mis-actor has user, measurement and notification information.

Reference to threat tree node(s): ID_ds1, ID_ds10

Parent threat tree(s): ID_ds

DFD element(s): General Database, Alarm Configuration Database

Remarks:
r1. ID_ds7 is fulfilled because it is an internal person with a direct connection; we know from assumption 14 that there is no access control in the data store.
r2. ID_ds10 is fulfilled because the mis-actor directly runs queries on the database, which returns unencrypted data.
r3. ID_ds3, ID_ds4 and ID_ds5 are not considered because we assume that the database is securely written (assumption 20).

T15. Information disclosure of the databases by outsider

Summary: An outsider spoofs a consumer and gets his details from the databases.

Primary mis-actor: Skilled outsider.

Basic path:
1. The mis-actor spoofs the victim.
2. The mis-actor makes calls to the database on behalf of the victim.
3. The mis-actor receives information about the victim.

Consequence: The mis-actor has user, measurement and notification information of the victim.

Reference to threat tree node(s): ID_ds7, ID_ds2

Parent threat tree(s): ID_ds

DFD element(s): General Database, Alarm Configuration Database

Remarks:
r1. ID_ds7 is fulfilled because of assumption 14: the database itself does not have any access control.
r2. Spoofing a user is considered in threats T16, T17 and T18.
r3. ID_ds3, ID_ds4 and ID_ds5 are not considered because we assume that the database is securely written (assumption 20).

T16. Spoong a user by falsifying credentials

Summary: An outsider spoofs a consumer and gets his details from the databases.

Primary mis-actor: Skilled outsider.

Basic path:
1. The mis-actor gets hold of the user's credentials by guessing or stealing them.
2. The mis-actor authenticates with the user's credentials.
3. The mis-actor makes calls on behalf of the user.

Consequence: The mis-actor has access to all the confidential data of the victim.

Reference to threat tree node(s): S_8, S_12, S_13

Parent threat tree(s): S

DFD element(s): Consumer, Researcher, Operator, UIS, 3rd Party Billing

Remarks:
r1. According to the documentation there is an authentication service, so we do not consider S_4.
r2. Because of assumption 15 we assume the authentication process is secure. Consequently the tampering threats S_7, S_9, S_10, S_11 and S_14 do not hold.
r3. Spoofing of the remote module is not handled because of assumption 21.
r4. If the victim is an operator, information of multiple persons can be leaked.

T17. Spoong a user by eavesdropping communication

Summary: An outsider spoofs a consumer by eavesdropping on the communication and gets his details from the databases.

Primary mis-actor: Skilled outsider.

Basic path:
1. The mis-actor eavesdrops on the communication with the portals and obtains credentials.
2. The mis-actor authenticates with these credentials.
3. The mis-actor makes calls on behalf of the user whose credentials he authenticated with.

Consequence: The mis-actor has access to all the confidential data of the victim.

Reference to threat tree node(s): S_6, S_7

Parent threat tree(s): S

DFD element(s): Consumer, Researcher, Operator, UIS, 3rd Party Billing

Remarks:
r1. According to the documentation there is an authentication service, so we do not consider S_4.
r2. Because of assumption 15 we assume the authentication process is secure. Consequently the tampering threats S_7, S_9, S_10, S_11 and S_14 do not hold.
r3. Spoofing of the remote module is not handled because of assumption 21.
r4. If the victim is an operator, information of multiple persons can be leaked.
r5. Disclosure of external flows (which contain passwords) is handled in T2, T3 and T4.

T18. Spoong a user because of weak credential storage

Summary: An outsider gets access to the general database and uses the credentials stored there to log in on behalf of other users.

Primary mis-actor: Skilled outsider.

Basic path:
1. The mis-actor uses T14 or T15 to get access to the users' credentials. Note that for this step to work the mis-actor has to be an insider for T14, or he has to spoof an operator and use T15.
2. The mis-actor authenticates with these credentials.
3. The mis-actor makes calls on behalf of the user whose credentials he authenticated with.

Consequence: The mis-actor has access to all the confidential data of the victim.

Reference to threat tree node(s): S_15

Parent threat tree(s): S

DFD element(s): Consumer, Researcher, Operator, UIS, 3rd Party Billing

Remarks:
r1. According to the documentation there is an authentication service, so we do not consider S_4.
r2. Because of assumption 15 we assume the authentication process is secure. Consequently the tampering threats S_7, S_9, S_10, S_11 and S_14 do not hold.
r3. Spoofing of the remote module is not handled because of assumption 21.
r4. If the victim is an operator, information of multiple persons can be leaked.
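As an added example that is not part of the original report, the following code contrasts the credential storage T18 assumes, where a record read directly from the General Database (T14 or T15, possible because of assumption 14) can be fed straight back to the login, with salted PBKDF2 storage, where the disclosed record is no longer a usable credential. The user name, password and work factor are constructed sample values, and the in-memory dict stands in for the General Database.

```python
import hashlib
import hmac
import os

# Constructed PBKDF2-HMAC-SHA256 work factor; a deployment tunes this to its login latency budget.
ITERATIONS = 200_000


def store_plaintext(db, username, password):
    """Credential storage as T18 assumes it: the password itself sits in the data store."""
    db[username] = {"password": password}


def store_hashed(db, username, password):
    """Salted, iterated hash: the stored value is derived from the password but is not the password.
    The random per-user salt rules out precomputed tables; the iteration count slows offline guessing
    (T16) once the record has leaked. It does nothing for T17, where the password is read off the
    unencrypted portal connection of assumption 16; that needs the channel encrypted."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[username] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(db, username, password):
    """Portal-side login check, handling both record layouts so the two schemes can be compared."""
    record = db.get(username)
    if record is None:
        return False
    if "password" in record:
        return hmac.compare_digest(record["password"], password)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def disclosed_record_is_reusable(db, username):
    """T18 steps 1 and 2 in one question: does the secret field of a record obtained through
    T14/T15 log in as-is? True for plaintext storage, False when only a salted hash is stored,
    because the hash is not accepted as a password by verify()."""
    record = db[username]
    stored_secret = record.get("password") or record.get("hash")
    return verify(db, username, stored_secret)


def demo():
    plain_db, hashed_db = {}, {}
    store_plaintext(plain_db, "consumer42", "correct-horse-battery")
    store_hashed(hashed_db, "consumer42", "correct-horse-battery")
    return {
        "plaintext_reusable": disclosed_record_is_reusable(plain_db, "consumer42"),    # True
        "hashed_reusable": disclosed_record_is_reusable(hashed_db, "consumer42"),      # False
        "login_still_works": verify(hashed_db, "consumer42", "correct-horse-battery"),  # True
        "wrong_password_rejected": verify(hashed_db, "consumer42", "guess"),            # False
    }


if __name__ == "__main__":
    print(demo())
```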

T19. Missing consumer consent

Summary: The system did not ask for the user's consent to share his information with the 3rd Party Billing company or the researchers.

Primary mis-actor: Management

Basic path:
1. There is no user consent system implemented by the management.
2. The consumer cannot give his consent to the way his data will be used in the system.

Consequence: The consumer's data will be shared with the 3rd Party Billing company and the researchers outside the control of the consumer.

Reference to threat tree node(s): PN_3

Parent threat tree(s): PN

DFD element(s): All systems except the entities

Remarks:
r1. This threat applies to the whole system (assumption 4).


T20. Non-compliance of the management

Summary: The management did not request a system whose design and implementation are in compliance with legislation.

Primary mis-actor: Management

Basic path:
1. The mis-actor fails to require a system that is legally compliant.
2. The private information of the consumer is not dealt with in a manner that complies with the current legislation.

Consequence: The consumer's data will be shared with the 3rd Party Billing company and the researchers outside the control of the consumer.

Reference to threat tree node(s): PN_2

Parent threat tree(s): PN

DFD element(s): All systems except the entities

Remarks:
r1. This threat applies to the whole system (assumption 4).

T21. Non-compliance of employees

Summary: The operators or admins do not handle the consumers' information in compliance with legislation.

Primary mis-actor: Operator, admin

Basic path:
1. The admin or operator does not handle the consumer information according to legislation (e.g. he exposes it to third parties).

Consequence: The consumer's information is shared without his knowledge.

Reference to threat tree node(s): PN_2

Parent threat tree(s): PN

DFD element(s): All systems except the entities

Remarks:
r1. This threat applies to the whole system (assumption 4).

T22. Non-compliance of externals

Summary: The 3rd party billing company or the utility service provider do not handle the consumers' information according to legislation.

Primary mis-actor: Utility Service Provider, 3rd Party Billing

Basic path:
1. The utility service provider or the 3rd party billing company do not handle the users' information according to legislation (e.g. expose it to third parties).

Consequence: The users' information is exposed, and ReMeS is responsible because it requested the information from the user and allowed it to be leaked by a company it works together with.

Reference to threat tree node(s): PN_2

Parent threat tree(s): PN

DFD element(s): All systems except the entities

Remarks:
r1. This threat applies to the whole system (assumption 4).

2.4 Prioritization of threats

This section provides a list of the threats (ID + title) of the previous section. The order is based on the threat's risk (likelihood * impact). A distinction between high, medium and low risk is made.


2.4.1 High Priority

T15 Information disclosure of the databases by outsider
T02 External person intercepts portal traffic
T01 External person intercepts measurement data
T04 Disclosures of UIS messages
T03 Disclosures of bills
T16 Spoofing a user by falsifying credentials
T18 Spoofing a user because of weak credential storage
T17 Spoofing a user by eavesdropping communication

Information disclosure of data (both measurement data and consumer data) is the most important threat, as it violates the consumer's privacy the most (the consumer uses this system under the assumption that his information is kept confidential). Identifiability of stored measurements also has high priority, as it should be assured that only the consumer himself can access his own identifiable information, and researchers should not be able to identify the consumer from his shared data. Information disclosure of transmitted data also poses a high risk, but less than information disclosure of the data store, as the transmitted data only reveals part of the information. Finally, spoofing is considered high priority, even though spoofing is a security threat.

2.4.2 Medium Priority

T10 Identifiability of user measurements by researcher
T13 Identifiability of data in databases
T09 Linkability of research data
T12 Linkability of alarm configuration database content
T11 Linkability of general database content
T08 Consumer fails to update information
T20 Non-compliance of the management

Linkability and identifiability of the user's information sent to the ReMeS system can violate the consumer's privacy. Linking data only poses a real threat when the linking actually leads to identification of the consumer; therefore, linkability on its own is only considered medium risk. Non-compliance of the system in general, and missing consent and user unawareness specifically, will result in a violation of the consumer's privacy. However, the management is considered knowledgeable and at least aware of the consequences of ignoring legislation. T08 is considered medium priority because, if the consumer does not update his home address when he moves, the new residents will receive the billing, which violates the consumer's privacy.

2.4.3 Low Priority

T06 Disclosures of internal processes
T14 Information disclosure of the databases by insider
T05 Disclosures of internal flows
T07 Consumer unaware of uploading data
T19 Missing consumer consent
T21 Non-compliance of employees
T22 Non-compliance of externals

The internal process and data flow threats are considered low priority, as there is a trust relationship with the employees of the ReMeS system. Most likely there is also a non-disclosure agreement in their contract with associated consequences. Non-compliance of employees is considered low risk for the same reason as the internal processes and data flows: given the trust relationship between the employees and the company, it is less likely that they will violate the rules.
