STRIDE Threat Model
Systematic threat analysis for the Capped AI on-premises operator copilot — covering spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege across all system components.
This model covers the Capped AI on-premises appliance deployment topology: the 1U inference server, its read-only OPC-UA connection to the DCS historian, the operator web interface on the plant intranet, and the one-way aggregate telemetry channel to Capped AI Ops Cloud. It does not cover cloud-hosted deployments or customer DCS internals.
System scope
The Capped AI appliance sits inside the plant perimeter network, air-gapped from the public internet. It has exactly two external trust boundaries:
- DCS historian (inbound read): OPC-UA port 4840, read-only service account, no write access granted.
- Capped AI Ops Cloud (outbound telemetry): HTTPS on port 443, sends aggregate health metrics only — no plant data, no handover content, no alarm payloads.
Operators connect to the appliance web UI over the plant LAN. Authentication is handled by the on-prem identity provider (Active Directory / LDAP). All shift handover data stays on-appliance and is never transmitted outside the plant perimeter.
Trust boundaries
| Boundary | Direction | Protocol | Data in scope |
|---|---|---|---|
| Plant LAN → Appliance | Inbound | HTTPS/TLS 1.3 (port 443) | Operator sessions, handover drafts, audit actions |
| Appliance → DCS Historian | Outbound (read-only) | OPC-UA (port 4840) | Alarm logs, trend snapshots, tag metadata |
| Appliance → Capped AI Ops Cloud | Outbound | HTTPS/TLS 1.3 (port 443) | Aggregate health metrics, model version, uptime |
| Physical — Appliance chassis | Physical access | n/a | Hardware, NVMe drives with model weights + handover DB |
Asset inventory
| Asset | Classification | Owner | Impact if compromised |
|---|---|---|---|
| Shift handover records | Confidential — Operational | Plant operations | Safety incident, regulatory breach, litigation |
| OPC-UA service account credentials | Secret | Plant IT | Unauthorized historian read; potential pivot to DCS |
| Operator identity & session tokens | Confidential | Plant IT / Capped AI | Impersonation, fraudulent handover signing |
| AI model weights | Proprietary — Capped AI IP | Capped AI | Competitive harm; no direct safety impact |
| Appliance OS & inference stack | Internal | Capped AI | Availability loss; potential pivot to historian network |
| Capped AI Ops Cloud telemetry pipeline | Internal | Capped AI | Visibility loss, false health signals |
Threat actor taxonomy
| Actor | Access level | Motivation | Likelihood |
|---|---|---|---|
| Malicious insider (operator) | Authenticated plant LAN + appliance UI | Cover up operational error; fraudulent handover | Medium |
| Malicious insider (IT / admin) | OS shell, network infrastructure | Data exfiltration; sabotage | Low |
| Physical attacker | Physical access to server room | Hardware theft; drive extraction | Low |
| Nation-state / industrial espionage | Lateral movement via plant LAN | IP theft; process disruption | Low (air-gapped reduces exposure) |
| Supply chain attacker | Software or firmware update channel | Persistent backdoor | Low |
STRIDE analysis
Each category below lists specific threats, the asset at risk, an inherent risk rating (before mitigations), and the primary control that reduces it. Risk ratings assume a production deployment with all standard mitigations applied.
Spoofing
Pretending to be something or someone else
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| S-01 | Attacker uses stolen operator credentials to access the handover UI and sign a fraudulent handover | Operator identity / handover records | High | MFA enforced at IdP; session tokens bound to IP + user-agent; 8-hour expiry |
| S-02 | Rogue device on the plant LAN presents itself as the Capped AI appliance to intercept operator requests | Operator sessions | Medium | TLS certificate pinned to appliance hostname; operators warned on cert mismatch |
| S-03 | Attacker spoofs the OPC-UA historian endpoint to feed fabricated alarm data to the AI | OPC-UA connection / handover accuracy | Medium | OPC-UA server certificate pinned at appliance; historian IP allowlisted in firewall |
| S-04 | Fake Capped AI Ops Cloud endpoint intercepts outbound telemetry to exfiltrate metadata | Telemetry pipeline | Low | Outbound HTTPS with Capped AI CA-pinned cert; no plant data in telemetry payload |
Tampering
Modifying data or code without authorization
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| T-01 | Operator edits AI-generated handover draft after a colleague has reviewed it, without the change being visible | Shift handover records | Critical | Immutable audit log with cryptographic hashes; every edit timestamped and attributed |
| T-02 | Attacker injects false alarm records into the OPC-UA historian, causing the AI to generate misleading handover content | DCS historian data / handover accuracy | High | Read-only OPC-UA service account; historian-side write audit; operators review AI draft before signing |
| T-03 | Physical attacker swaps NVMe drive to replace model weights with a backdoored version | AI model weights / appliance OS | High | Full-disk encryption (LUKS); TPM-sealed keys; drive removal triggers alarm; signed model manifests verified at boot |
| T-04 | Software supply-chain attack modifies a Capped AI update package before it reaches the appliance | Appliance OS / inference stack | Medium | Update packages signed with Capped AI ED25519 key; signature verified before install; update channel is plant-IT-controlled |
| T-05 | Admin modifies handover records directly in the on-appliance database | Shift handover records | High | DB access requires break-glass procedure with dual approval; all direct DB queries logged and alerted to plant manager |
Repudiation
Denying an action was taken when it was
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| R-01 | Operator denies signing a handover they approved, claiming the system auto-signed it | Handover records / operator accountability | High | Digital signature tied to operator session + timestamp; confirmation dialog with explicit acknowledgement required |
| R-02 | No record of which AI model version generated a given handover draft, preventing incident investigation | Audit trail | Medium | Model version, inference hash, and prompt fingerprint stored per handover record; retained for 7 years |
| R-03 | Audit logs deleted or truncated by an admin to hide unauthorized activity | Audit trail | High | Audit logs are append-only; deletion requires break-glass + plant manager approval; log integrity verified daily via Merkle hash |
Information Disclosure
Exposing information to unauthorized parties
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| I-01 | Shift handover records exfiltrated via the outbound telemetry channel to Capped AI Ops Cloud | Shift handover records | Critical | Telemetry payload schema enforced at build time; payload contains only counters and uptime — no text, no tags, no alarm IDs |
| I-02 | OPC-UA service account credentials extracted from appliance config files | OPC-UA credentials | High | Credentials stored in hardware-backed secret store (TPM); never written to filesystem in plaintext |
| I-03 | AI model weights extracted by booting from an external drive | Model weights (Capped AI IP) | Medium | Full-disk encryption; Secure Boot enforced; BIOS password set; chassis intrusion sensor |
| I-04 | Operator accesses another shift's handover records outside their authorised window | Shift handover records | Medium | Role-based access: operators see only their own unit's records; supervisors see full unit; managers see aggregate only |
| I-05 | LAN traffic between operator browser and appliance captured by a network sniffer | Operator sessions / handover content | Low | TLS 1.3 enforced end-to-end; HTTP redirects to HTTPS at appliance level |
Denial of Service
Preventing legitimate users from accessing a service
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| D-01 | Appliance GPU inference queue flooded with requests, delaying handover generation during shift change | Handover availability | High | Per-user request rate limiting; inference queue has priority lane for active shift-change sessions; 15-minute SLA alert |
| D-02 | OPC-UA historian connection severed (network fault or historian maintenance), preventing AI from pulling alarm data | Handover data completeness | Medium | Appliance caches last 72 hours of historian data locally; operators warned when cache is serving stale data |
| D-03 | Plant LAN disruption prevents operators from reaching the appliance web UI | Handover availability | Medium | Operators fall back to printed emergency handover template; appliance broadcasts last-known handover to local plant display |
| D-04 | Appliance disk filled by runaway logging or large handover attachments | Appliance availability | Low | Log rotation capped at 50 GB; attachment size limit enforced; disk usage alerting at 80% threshold |
Elevation of Privilege
Gaining capabilities beyond what is authorized
| ID | Threat | Asset | Risk | Primary Mitigation |
|---|---|---|---|---|
| E-01 | Exploiting a web UI vulnerability to gain OS-level access on the appliance | Appliance OS | Critical | Web process runs as non-root in isolated container; AppArmor policy restricts syscalls; quarterly penetration test |
| E-02 | Operator escalates their role to supervisor within the app to access all unit handover records | Handover records / RBAC | High | Role assignments managed exclusively in IdP (AD); Capped AI app trusts IdP claims only — no in-app role promotion |
| E-03 | Attacker pivots from the compromised appliance to gain write access to the DCS historian | DCS historian / plant process | Critical | Firewall rule enforces appliance → historian port 4840 only (no reverse); historian account is read-only at OPC-UA level; separate VLAN |
| E-04 | Compromised Capped AI update mechanism grants root access to the appliance during an automated update | Appliance OS | High | Updates require plant-IT approval and manual trigger; no automatic update execution; pre-install signature check |
Mitigation controls summary
The following controls are required in all production deployments. Their presence is verified during the Week-2 security checklist in the Deployment Runbook.
| Control | Threat IDs | Implemented by |
|---|---|---|
| MFA on operator IdP | S-01 | Customer IT |
| TLS 1.3 on all LAN traffic | S-02, I-05 | Capped AI (appliance config) |
| OPC-UA server certificate pinning | S-03, T-02 | Capped AI (appliance config) |
| Immutable append-only audit log | T-01, R-01, R-03 | Capped AI (software) |
| Full-disk encryption (LUKS + TPM) | T-03, I-02, I-03 | Capped AI (hardware + OS) |
| Signed update packages (ED25519) | T-04, E-04 | Capped AI (update pipeline) |
| Break-glass DB access with dual approval | T-05, R-03 | Capped AI (ops procedure) |
| Telemetry payload schema enforcement | I-01 | Capped AI (software) |
| Role-based access control via IdP claims | I-04, E-02 | Capped AI (software) + Customer IT |
| Per-user inference rate limiting | D-01 | Capped AI (software) |
| 72-hour local historian cache | D-02 | Capped AI (software) |
| Appliance → historian read-only VLAN rule | E-03 | Customer IT (firewall) |
| Web process non-root container isolation | E-01 | Capped AI (OS / container) |
| Secure Boot + BIOS password | I-03, T-03 | Capped AI (hardware) |
Residual risk and assumptions
Assumptions
- The plant firewall correctly enforces the allowlist rules documented in the Deployment Runbook. Capped AI has no visibility into or control over the customer firewall.
- The customer IdP (Active Directory) is correctly administered: accounts are disabled promptly on termination, MFA is enforced globally, and privileged accounts use hardware tokens.
- Physical access to the server room is restricted to authorized plant IT personnel per the customer's own physical security policy.
- The DCS historian vendor has not introduced writable OPC-UA surfaces under the read-only service account. Capped AI relies on the historian vendor's access control enforcement.
Accepted residual risks
- Insider historian injection (T-02): A historian admin with write access could fabricate alarm records that influence AI output. The operator review-before-sign step is the primary human control; this risk is accepted because eliminating it would require Capped AI to operate its own historian, which is out of scope.
- Physical drive extraction (T-03, I-03): Full-disk encryption mitigates this substantially. Residual risk (weak passphrase, TPM bypass) is accepted; customers with Top Secret data should apply additional physical controls per their own classification policy.
- LAN availability (D-03): Capped AI cannot guarantee operator access during a plant-wide network outage. The printed emergency template is the accepted fallback.
Review cadence
This threat model is reviewed and updated on the following schedule:
- Annually — full STRIDE re-assessment by Capped AI security team
- On significant architecture change — any new trust boundary, data store, or external integration triggers an incremental review
- After a security incident — post-incident review updates affected threat entries within 30 days
- Before each major release — threat IDs referenced in the release changelog if mitigations changed
The current model version is v1.0 — April 2026. Questions or disclosures: security@capped.ai.