Threat Actor

A threat actor is any entity that intentionally or unintentionally causes harm to a system, organisation, or individual through cyber means. In security risk assessments, identifying relevant threat actors is a foundational step — the controls needed to defend against a nation-state attacker are very different from those needed against a curious teenager. Threat actors are typically characterised by: motivation (financial, political, ideological, competitive espionage, disruption); capability (skill level, access to zero-day exploits, resources); opportunity (access to the target, knowledge of its vulnerabilities); and typical tactics (phishing, supply chain attacks, physical access, insider threats). For manufacturers performing CRA risk assessments, the threat actor profile shapes which threats are credible and therefore which mitigations are proportionate.

For CRA-covered products, the most relevant threat actor categories are:

• Cybercriminal groups: Financially motivated actors using ransomware, credential theft, and botnet recruitment. IoT devices are prime targets for botnet recruitment (Mirai-style attacks). Industrial equipment may be targeted for ransomware extortion.
• Nation-state attackers: State-sponsored groups with high capabilities and specific geopolitical objectives. Relevant for Important Class products in critical infrastructure sectors. Use advanced persistent threat (APT) techniques.
• Industrial spies: Corporate espionage actors targeting intellectual property. Relevant for products in competitive industries where design data is valuable.
• Script kiddies / opportunistic attackers: Low-capability actors using publicly available exploit tools against known vulnerabilities. These actors are the most common threat to consumer devices — they scan for unpatched, internet-exposed products at scale.
• Insider threats: Malicious or negligent insiders with legitimate access to systems. Relevant to manufacturing security and supply chain integrity.

CRA Annex I requires manufacturers to conduct a cybersecurity risk assessment. Threat actor profiles are an input to this assessment. The process:

1. Identify credible threat actors: Based on the product category, sector, and geographic market, determine which threat actor types are likely to target the product. A consumer smart home device will primarily face opportunistic attackers; an industrial SCADA component may face nation-state actors.

1. Map actor capabilities to attack vectors: For each relevant threat actor, identify the attack vectors they are likely to use given their capability level — automated vulnerability scanning, exploitation of published CVEs, supply chain compromise, or zero-day research.

1. Assess impact scenarios: For each actor × attack vector combination, assess the potential impact on the product and its users.

1. Design proportionate controls: Controls should be proportionate to the credibility and severity of the threats identified — over-engineering against implausible threats wastes resources.

MITRE ATT&CK is a globally accessible, publicly available knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It provides structured threat actor profiles and technique libraries that manufacturers can use to ground their CRA threat models in observed attacker behaviour. For IoT and ICS products, MITRE ATT&CK for ICS and ATT&CK for Mobile provide sector-specific technique matrices. Using ATT&CK in threat modelling:

• Map the product's attack surface to relevant ATT&CK techniques (Initial Access, Persistence, Privilege Escalation, etc.).
• Identify which techniques are plausible given the product's connectivity and deployment context.
• Design detection and prevention controls targeting the highest-risk techniques.
• Document the ATT&CK technique coverage in the Annex VII threat model to demonstrate a structured, evidence-based approach to risk assessment.