Secure Software Engineering for Industrial IoT: Integrating Threat Modeling into the Development Lifecycle
Research Article  ·  Published: 24 October 2025
ICCK Journal of Software Engineering
Volume 1, Issue 2, 2025: 63-74
Research Article Open Access

1 Department of Computer Science, COMSATS University Islamabad (CUI), Sahiwal Campus, Sahiwal 57000, Pakistan
2 Department of Computer Science, Illinois Institute of Technology, Chicago, IL 60616, United States
3 Department of Information Technology and Management, Illinois Institute of Technology, Chicago, IL 60616, United States
4 Department of Computer Science, Government Postgraduate College for Women, Sahiwal 57040, Pakistan
* Corresponding Author: Misbah Ali

Article Information

Abstract

The Industrial Internet of Things (IIoT) is central to smart manufacturing, enabling real-time automation, data exchange, and system intelligence. However, the convergence of cyber-physical systems with legacy software and heterogeneous architectures introduces significant security challenges. This paper explores how software engineering principles can be strategically employed to enhance IIoT security by integrating threat modeling into the development lifecycle. In this study, we review classic models such as STRIDE, DREAD, and STPA-Sec, and evaluate their effectiveness when applied at various phases of the Secure Software Development Life Cycle (SSDLC). STRIDE focuses on classifying security threats, DREAD helps score the severity of risks, and STPA-Sec provides a safety-oriented approach to identifying unsafe control actions in IIoT environments. Additionally, we propose a secure development process to embed continuous security assurance during IIoT software deployment. This research highlights design-driven security patterns, model-driven engineering strategies, and secure API development best practices. This paper aims to support developers and architects in designing scalable and threat-aware IIoT systems through the alignment of software engineering with IIoT-specific threat vectors.

Keywords

industrial IoT, software engineering, threat modeling, secure software development lifecycle (SSDLC)

Data Availability Statement

Data will be made available on request.

Funding

This work received no funding.

Conflicts of Interest

The authors declare no conflicts of interest.

Ethical Approval and Consent to Participate

Not applicable.

Cite This Article

APA Style
Ali, M., Arif, H., Raza, A., & Nazir, M. (2025). Secure Software Engineering for Industrial IoT: Integrating Threat Modeling into the Development Lifecycle. ICCK Journal of Software Engineering, 1(2), 63–74. https://doi.org/10.62762/JSE.2025.729568
Publisher's Note

ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and Permissions

Copyright © 2025 by the Author(s). Published by Institute of Central Computation and Knowledge. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.
ISSN: 3069-1834 (Online)