Introduction

Industrial revolutions have governed the success of businesses for centuries, with that success heavily dependent on adopting progressive business models. Pioneering technology has been a catalyst for industrial revolutions, the most recent being the fourth, in the form of cyber-physical systems. With technology becoming ever more intertwined with the core success of a business, the systems must be threat modelled to alleviate security catastrophes and breaches. Using Window Cleaning Warehouse (WCW) as a case study, the design of the cyber-physical system (CPS) is threat modelled to identify and mitigate inherent risks.

WCW is a window cleaning equipment supplier looking to adopt Industry 4.0 (I4.0) technologies to monitor and optimise the window cleaning operation (WCO). High-tech van systems with on-board water purification systems have revolutionised the WCO compared to a bucket and ladder approach. WCW is striving to take this technology further and develop a CPS to monitor and optimise the WCO. This is achieved through real-time data exchange between internet of things (IoT) hardware in specialised van systems and machine learning (ML) models deployed in a cloud architecture to optimise route and resources.

The research will use WCW’s theoretical framework as a case study of an innovative digital supply chain for the commercialisation of real-time data. The research will focus on the digital supply chain’s encompassment of security and privacy, along with the electronic and physical security of the hardware for real-time data. WCW proposes a novel cyber-physical system that can infer dynamic resource and routing based on real-time window cleaning operation data, such as water usage. WCW will develop the IoT hardware in house and use the digital supply chain to market business intelligence of the pure water usage hotspots. The novel aspect of the research is the threat modelling of the digital supply chain’s real-time data in the IoT-based route and resource optimisation context, and the security policy as a course of action to circumvent security risks.

The threat modelling process follows the Microsoft security development lifecycle to identify potential security threats in the design and strategize risk management to reduce inherent risk severity. This process involves defining the external dependencies of the CPS for the Google Cloud Platform (GCP) cloud functions, since they have a direct impact on the security of the system. External entities and their privileges to access the system are then discussed to determine their trust levels for the system, thus setting a precedent of acceptable access privileges among expected entities. To represent the system schematically and show how data is expected to flow, data flow diagrams are used, with trust boundaries bordering each change of privilege in the system to highlight attack surfaces. From the data flow diagrams, the expected data exchange scenarios are documented to clearly define the intended use of the system, making it simpler to distinguish violations of that intended use using STRIDE threat classification. Because attackers usually act with intent, an assessment of assets that may be of interest to an adversary gives context to the impacts these risks can cause, which is summarised using the DREAD methodology before risks are prioritised and managed.

Aims and Objectives

This section outlines the aims and objectives defining the success criteria of the research project. This will be achieved by focusing on the following aims:

  1. Defining the entry and exit points of the system for real-time data

  2. Defining the external entities and their trust level in the digital supply chain

  3. Defining the intended use of the system and its real-time routing data

  4. Defining the external dependencies that are interoperable with the real-time data

  5. STRIDE threat classification to identify risks relating to digital supply chain innovation

  6. DREAD risk assessment of the novel real-time route and resource optimising IoT data risks

  7. Specify the security measures for the identified criticalities and policy to be implemented to curb the problem

These aims fulfil the objective of novel research in threat modelling real-time IoT data for route optimisation, based on the physical and electronic security and the digital supply chain’s encompassment of security and privacy of real-time data.

Scope and Constraints

The research will focus on the novel aspects, which are to threat model the innovative digital supply chain of real-time IoT data for route and resource optimisation. The delimitations of the research are aspects not associated with the cloud infrastructure, IoT hardware, data exchange between these systems and the cyber-physical system. These delimitations include, but are not limited to, risks associated with the underlying Flutter framework and the multiple operating systems it supports.

Related Work

The contextual background that the research will be conducted against includes:

  1. The novelty of real-time IoT data for resource and route optimisation

  2. The novelty of small and medium-sized enterprises (SME) digital supply chain’s encompassment of security and privacy of real-time data for IoT route optimisation

  3. The novelty of electronic and physical security of IoT devices to monitor resources affecting the efficiency of a route

The literature on IoT data being used for resource and route optimisation can be summarised as route optimisation of freight logistics based on vehicle capacity, customer time-window, the maximum travelling distance, the road capacity and traffic data [11]. Other IoT-based route optimisation is based on how planned routes are performed, using IoT devices to monitor vehicles and drivers to learn preferences [12]. Research has also been conducted on IoT use in waste management routing problems [13, 14].

Aligning the research objectives with the literature review for real-time IoT data for route and resource optimisation shows that the literature does not consider the security of the IoT data for routing problems. This is a significant knowledge gap, since attacks could occur on IoT routing, such as physical denial of service attacks on roads by routing all vehicles towards congested areas if the integrity of the data is breached, or a breach of confidentiality of the routes could lead to digital supply chain losses of marketable real-time data for WCW in the context of this study.

According to a review on cyber risk analytics and artificial intelligence in the industrial IoT and I4.0 supply chains [1], there are knowledge gaps for small and mid-size enterprises (SMEs) since:

“the SME’s digital supply chains need to encompass the security and privacy, along with electronic and physical security of real-time data”, “the SMEs need security measures to protect themselves from a range of attacks in their supply chains, while cyber attackers only need to identify the weakest links” and “the weakness of existing cyber risk impact assessment models is that the economic impact is calculated on organisations stand-alone risk, ignoring the impacts of sharing supply chain infrastructure”.

The research expressed in [1] stresses the lack of knowledge for research objectives 1–3 and how this case study will add to the body of knowledge, since it is very important for SMEs looking to adopt I4.0 to have real-time data infrastructures for a more efficient production process and economies of scale [6]. The synthesis of the literature review for objective 2 is that convolutional neural networks (CNN) have been used to detect cross-site scripting (XSS) attacks in SME IoT network payloads after applying data preparation methods [4]. A critical analysis is that the CNN is used on fog compute nodes, which requires the integration of CNN inference and data pre-processing into self-hosted compute units. This method is expensive to develop, and there are also cloud solutions readily available, such as Google Cloud Armor, which would be cheaper ($0.75 per million requests), easier and quicker to deploy and developed by security experts.

Bluetooth Low Energy (BLE) will be used to connect a mobile device to the IoT hardware to monitor variables affecting the route optimisation. In line with research objective 3, an exploration of prior work has revealed case studies where unauthenticated BLE devices have been exposed, allowing anyone to connect to the BLE device using a BLE sniffer. There have also been research studies on bypassing the passkey authentication in BLE [2] and the exploration of BLE security [3]. This case study will add to the body of literature by exploring the WCW case study and looking at these security risks in the context of real-time data exchange in the WCO.

After comparing and contrasting the literature to identify knowledge gaps, it is clear there is a gap in knowledge about the use of real-time IoT data for resource and route optimisation that this paper will address. This paper’s contributions will also be in the form of building knowledge for SME digital supply chains’ security and privacy of real-time IoT data for route optimisation. The final contribution, presented in this paper, addresses the knowledge gap in the electronic and physical security of IoT devices that monitor resources affecting the efficiency of a route.

Research Methodology

To fulfil the research objective, the data is collected through a non-probabilistic convenience sample using WCW as a case study of a theoretical CPS design. The data analysis method is grounded theory [5], which is a systematic method of constructing hypotheses and theories of possible security risks based on the threat modelling of the design of the CPS. Since ideas and concepts of security risks become apparent from the qualitative threat model data, they can then be succinctly summarised with codes and grouped into threat classifications before being analysed further to discuss risk severity, impacts and mitigations.

Entry and Exit Points

The confidentiality, integrity and availability of the real-time data are important since it is a fundamental part of the CPS and the digital supply chain. Figure 1 shows an abstract view of the architecture consisting of the components used to monitor the WCO.

Fig. 1 CPS architecture overview

Round-Control’s data is to be stored on GCP’s Firestore, which is a real-time NoSQL database. Only authorised WCW staff can create, read, update, delete (CRUD) and make backups of the data through the GCP console. It is encrypted automatically by GCP but is decrypted to be read in the Firebase console through an authenticated admin account. The IoT hardware is composed of Arduino components consisting of an HM-10 Bluetooth Low Energy (BLE) transceiver enabled microcontroller, inflow and outflow Hall Effect sensors, a temperature sensor, a fill level sensor, total dissolved solids (TDS) inflow and outflow sensors and a Global Positioning System (GPS) sensor. The Flutter application on the mobile device can connect to the hardware via BLE and forward the real-time data to the platform-specific Firebase app endpoint. The communication with the Firebase app endpoints is authenticated via Firebase Authentication, which requires validation of email ownership. The Flutter application is authenticated to use the Firebase app using the Firebase app credentials for each platform. Changes made to the Firestore are broadcast to all signed-in authenticated users that have access to that user’s data in the Firestore, so the real-time data of the IoT hardware is updated in real time across Android, iOS, Linux, Windows, macOS and web derived apps.

It is important to define the external entities and their trust levels to access the system. The expected entities are presented in Table 1.

Table 1 Trust level of external entities

Figure 1 illustrates the data flow and trust boundaries but does not intuitively describe the expected scenarios and the intended use of the system to identify deviations. The intended use of the system is presented in Table 2.

Table 2 Intended use of the system

Scenarios that deviate from the intended scenarios in Table 2 help identify violations of the intended deployment and use of the application, which impact the security of the system.

External Dependencies

The external dependencies are directly interoperable with the system. The external entities relating to the real-time data are presented in Table 3.

Table 3 External dependencies

STRIDE Threat Classification

The qualitative data collected about WCW’s adoption of I4.0 is analysed in this section for risks by analysing the intended use, external dependencies, and the descriptions of the data flow diagrams. The qualitative data can be succinctly summarised through a thematic grouping of threats into STRIDE classifications. STRIDE is an acronym for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. The data derived from the data flow diagram in Fig. 1 is grouped into STRIDE threat classifications as presented in Table 4.

Table 4 STRIDE threat classification

Risk Assessment

The severity of the identified risks is quantified using the DREAD risk assessment model. DREAD is an acronym for damage, reproducibility, exploitability, affected users and discoverability. Each category is given a rating from 1 to 10, where 10 is the worst. The sum of the ratings helps to prioritise risks. The DREAD methodology for risk assessment is typically inconsistent among assessors, and ratings tend to be subject to debate, so the rationale for the ratings is provided (Table 5).

Table 5 Risk assessment of threats
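The scoring described above can be sketched as follows. This is an added example, not code or data from the paper: the two threats, all ratings and the `dispute_gap` threshold are constructed for illustration. It sums the five DREAD ratings per assessor, ranks threats by mean total, and lists the categories where assessors disagree enough that a written rationale is needed.

```python
from statistics import mean

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

def dread_total(rating):
    """Sum one assessor's ratings after checking all five are integers in 1..10."""
    if set(rating) != set(CATEGORIES):
        raise ValueError(f"expected exactly {CATEGORIES}, got {sorted(rating)}")
    for cat, score in rating.items():
        if not isinstance(score, int) or not 1 <= score <= 10:
            raise ValueError(f"{cat}={score!r} is outside 1..10")
    return sum(rating.values())

def prioritise(assessments, dispute_gap=3):
    """Rank threats by mean total; list categories where assessors differ by >= dispute_gap."""
    ranked = []
    for threat, by_assessor in assessments.items():
        ratings = list(by_assessor.values())
        totals = [dread_total(r) for r in ratings]
        disputed = [c for c in CATEGORIES
                    if max(r[c] for r in ratings) - min(r[c] for r in ratings) >= dispute_gap]
        ranked.append({"threat": threat, "score": mean(totals), "disputed": disputed})
    return sorted(ranked, key=lambda row: row["score"], reverse=True)

def rate(*scores):
    """Build one assessor's rating from five scores given in CATEGORIES order."""
    return dict(zip(CATEGORIES, scores))

# Constructed threats and ratings for illustration; not the values in Table 5.
SAMPLE = {
    "Route data altered in transit": {
        "assessor_a": rate(8, 5, 5, 9, 4),
        "assessor_b": rate(8, 6, 5, 9, 4),
    },
    "BLE pairing accepted without a PIN": {
        "assessor_a": rate(7, 9, 8, 5, 8),
        "assessor_b": rate(6, 9, 4, 5, 8),
    },
}

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(f'{row["score"]:5.1f}  {row["threat"]}  debate: {row["disputed"] or "none"}')
```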

Discussion of Risks and Mitigation

The highly prioritised risks and their mitigations are discussed in this section, along with their novel contribution to real-time IoT data security for route and resource optimisation. The novel aspect of the research is the threat modelling of real-time IoT data for route optimisation for the physical and electronic security of the system, as well as the digital supply chain’s encompassment of security and privacy of real-time data. Through literature review, the common variables used for routing are presented in Table 6.

Table 6 Security measures and policy to mitigate and monitor threats

To address risks 18, 19 and 20, the Bluetooth module should enforce PIN pairing, where the PIN for the van system hardware is generated differently for each van installation and provided to the customer. The HM-10 BLE module should be genuine, which means having a crystal fitted alongside the bottom four solder connections; otherwise PIN authentication cannot be added.
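One way to generate a different PIN for each van installation, as an added example that is not code from the paper: PINs are drawn from the operating system's CSPRNG, and guessable or already-issued values are rejected. The van identifiers and the weak-PIN rule are constructed, and the `AT+PASS`, `AT+TYPE2` and `AT+RESET` strings follow the HM-10 command set as an assumption to be checked against the module's firmware datasheet.

```python
import secrets

ASCENDING = "0123456789012345"
DESCENDING = ASCENDING[::-1]

def is_weak(pin):
    """Reject PINs guessed first: one or two distinct digits, or a straight run."""
    return len(set(pin)) <= 2 or pin in ASCENDING or pin in DESCENDING

def new_pin(issued):
    """Draw a 6-digit PIN from the OS CSPRNG, skipping weak or already-issued values."""
    while True:
        pin = f"{secrets.randbelow(10**6):06d}"
        if not is_weak(pin) and pin not in issued:
            issued.add(pin)
            return pin

def provisioning_commands(pin):
    """Serial commands to write to the module once, at installation time."""
    if len(pin) != 6 or not pin.isdigit() or is_weak(pin):
        raise ValueError("PIN must be six digits and not trivially guessable")
    return [
        f"AT+PASS{pin}",  # set the pairing PIN (assumed HM-10 syntax)
        "AT+TYPE2",       # require authentication with PIN (assumed HM-10 syntax)
        "AT+RESET",       # restart so the settings take effect
    ]

def provision_fleet(van_ids):
    """Return {van_id: commands}, with a distinct PIN for every van."""
    issued = set()
    return {van: provisioning_commands(new_pin(issued)) for van in van_ids}

if __name__ == "__main__":
    # Constructed van identifiers for illustration.
    for van, commands in provision_fleet(["van-01", "van-02", "van-03"]).items():
        print(van, commands)
```

The PIN printed for each van is the value handed to that customer, so the output should be treated as a secret and not written to shared logs.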

Conclusion

The researcher set out to bridge the identified knowledge gap through threat modelling real-time IoT data for route optimisation based on the physical and electronic security of the system, as well as the digital supply chain’s encompassment of security and privacy of real-time data, using WCW as an SME case study. In summary, numerous cyber security vulnerabilities have been found, with particular focus on real-time data exchange, that other SMEs can consider when designing CPSs. The results are significant, since IoT data transmission enabled by 2G is likely to be considered for real-time data exchange by other SMEs because it is low cost, but the vulnerabilities discussed are significant. The significance of the risks found with BLE is also likely to apply to many other SME CPS projects. The technical achievement of the paper is its identification of security vulnerabilities for novel IoT route optimisation variables and the proposed security measures and policies to circumvent, manage and monitor the risks.