STRIDE Threat Model

Systematic threat analysis for the Capped AI on-premises operator copilot — covering spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege across all system components.

This model covers the Capped AI on-premises appliance deployment topology: the 1U inference server, its read-only OPC-UA connection to the DCS historian, the operator web interface on the plant intranet, and the one-way aggregate telemetry channel to Capped AI Ops Cloud. It does not cover cloud-hosted deployments or customer DCS internals.

System scope

The Capped AI appliance sits inside the plant perimeter network, air-gapped from the public internet. It has exactly two external trust boundaries:

  • DCS historian (inbound read): OPC-UA port 4840, read-only service account, no write access granted.
  • Capped AI Ops Cloud (outbound telemetry): HTTPS on port 443, sends aggregate health metrics only — no plant data, no handover content, no alarm payloads.

Operators connect to the appliance web UI over the plant LAN. Authentication is handled by the on-prem identity provider (Active Directory / LDAP). All shift handover data stays on-appliance and is never transmitted outside the plant perimeter.

Trust boundaries

BoundaryDirectionProtocolData in scope
Plant LAN → ApplianceInboundHTTPS/TLS 1.3 (port 443)Operator sessions, handover drafts, audit actions
Appliance → DCS HistorianOutbound (read-only)OPC-UA (port 4840)Alarm logs, trend snapshots, tag metadata
Appliance → Capped AI Ops CloudOutboundHTTPS/TLS 1.3 (port 443)Aggregate health metrics, model version, uptime
Physical — Appliance chassisPhysical accessn/aHardware, NVMe drives with model weights + handover DB

Asset inventory

AssetClassificationOwnerImpact if compromised
Shift handover recordsConfidential — OperationalPlant operationsSafety incident, regulatory breach, litigation
OPC-UA service account credentialsSecretPlant ITUnauthorized historian read; potential pivot to DCS
Operator identity & session tokensConfidentialPlant IT / Capped AIImpersonation, fraudulent handover signing
AI model weightsProprietary — Capped AI IPCapped AICompetitive harm; no direct safety impact
Appliance OS & inference stackInternalCapped AIAvailability loss; potential pivot to historian network
Capped AI Ops Cloud telemetry pipelineInternalCapped AIVisibility loss, false health signals

Threat actor taxonomy

ActorAccess levelMotivationLikelihood
Malicious insider (operator)Authenticated plant LAN + appliance UICover up operational error; fraudulent handoverMedium
Malicious insider (IT / admin)OS shell, network infrastructureData exfiltration; sabotageLow
Physical attackerPhysical access to server roomHardware theft; drive extractionLow
Nation-state / industrial espionageLateral movement via plant LANIP theft; process disruptionLow (air-gapped reduces exposure)
Supply chain attackerSoftware or firmware update channelPersistent backdoorLow

STRIDE analysis

Each category below lists specific threats, the asset at risk, an inherent risk rating (before mitigations), and the primary control that reduces it. Risk ratings assume a production deployment with all standard mitigations applied.

S

Spoofing

Pretending to be something or someone else

IDThreatAssetRiskPrimary Mitigation
S-01Attacker uses stolen operator credentials to access the handover UI and sign a fraudulent handoverOperator identity / handover recordsHighMFA enforced at IdP; session tokens bound to IP + user-agent; 8-hour expiry
S-02Rogue device on the plant LAN presents itself as the Capped AI appliance to intercept operator requestsOperator sessionsMediumTLS certificate pinned to appliance hostname; operators warned on cert mismatch
S-03Attacker spoofs the OPC-UA historian endpoint to feed fabricated alarm data to the AIOPC-UA connection / handover accuracyMediumOPC-UA server certificate pinned at appliance; historian IP allowlisted in firewall
S-04Fake Capped AI Ops Cloud endpoint intercepts outbound telemetry to exfiltrate metadataTelemetry pipelineLowOutbound HTTPS with Capped AI CA-pinned cert; no plant data in telemetry payload
T

Tampering

Modifying data or code without authorization

IDThreatAssetRiskPrimary Mitigation
T-01Operator edits AI-generated handover draft after a colleague has reviewed it, without the change being visibleShift handover recordsCriticalImmutable audit log with cryptographic hashes; every edit timestamped and attributed
T-02Attacker injects false alarm records into the OPC-UA historian, causing the AI to generate misleading handover contentDCS historian data / handover accuracyHighRead-only OPC-UA service account; historian-side write audit; operators review AI draft before signing
T-03Physical attacker swaps NVMe drive to replace model weights with a backdoored versionAI model weights / appliance OSHighFull-disk encryption (LUKS); TPM-sealed keys; drive removal triggers alarm; signed model manifests verified at boot
T-04Software supply-chain attack modifies a Capped AI update package before it reaches the applianceAppliance OS / inference stackMediumUpdate packages signed with Capped AI ED25519 key; signature verified before install; update channel is plant-IT-controlled
T-05Admin modifies handover records directly in the on-appliance databaseShift handover recordsHighDB access requires break-glass procedure with dual approval; all direct DB queries logged and alerted to plant manager
R

Repudiation

Denying an action was taken when it was

IDThreatAssetRiskPrimary Mitigation
R-01Operator denies signing a handover they approved, claiming the system auto-signed itHandover records / operator accountabilityHighDigital signature tied to operator session + timestamp; confirmation dialog with explicit acknowledgement required
R-02No record of which AI model version generated a given handover draft, preventing incident investigationAudit trailMediumModel version, inference hash, and prompt fingerprint stored per handover record; retained for 7 years
R-03Audit logs deleted or truncated by an admin to hide unauthorized activityAudit trailHighAudit logs are append-only; deletion requires break-glass + plant manager approval; log integrity verified daily via Merkle hash
I

Information Disclosure

Exposing information to unauthorized parties

IDThreatAssetRiskPrimary Mitigation
I-01Shift handover records exfiltrated via the outbound telemetry channel to Capped AI Ops CloudShift handover recordsCriticalTelemetry payload schema enforced at build time; payload contains only counters and uptime — no text, no tags, no alarm IDs
I-02OPC-UA service account credentials extracted from appliance config filesOPC-UA credentialsHighCredentials stored in hardware-backed secret store (TPM); never written to filesystem in plaintext
I-03AI model weights extracted by booting from an external driveModel weights (Capped AI IP)MediumFull-disk encryption; Secure Boot enforced; BIOS password set; chassis intrusion sensor
I-04Operator accesses another shift's handover records outside their authorised windowShift handover recordsMediumRole-based access: operators see only their own unit's records; supervisors see full unit; managers see aggregate only
I-05LAN traffic between operator browser and appliance captured by a network snifferOperator sessions / handover contentLowTLS 1.3 enforced end-to-end; HTTP redirects to HTTPS at appliance level
D

Denial of Service

Preventing legitimate users from accessing a service

IDThreatAssetRiskPrimary Mitigation
D-01Appliance GPU inference queue flooded with requests, delaying handover generation during shift changeHandover availabilityHighPer-user request rate limiting; inference queue has priority lane for active shift-change sessions; 15-minute SLA alert
D-02OPC-UA historian connection severed (network fault or historian maintenance), preventing AI from pulling alarm dataHandover data completenessMediumAppliance caches last 72 hours of historian data locally; operators warned when cache is serving stale data
D-03Plant LAN disruption prevents operators from reaching the appliance web UIHandover availabilityMediumOperators fall back to printed emergency handover template; appliance broadcasts last-known handover to local plant display
D-04Appliance disk filled by runaway logging or large handover attachmentsAppliance availabilityLowLog rotation capped at 50 GB; attachment size limit enforced; disk usage alerting at 80% threshold
E

Elevation of Privilege

Gaining capabilities beyond what is authorized

IDThreatAssetRiskPrimary Mitigation
E-01Exploiting a web UI vulnerability to gain OS-level access on the applianceAppliance OSCriticalWeb process runs as non-root in isolated container; AppArmor policy restricts syscalls; quarterly penetration test
E-02Operator escalates their role to supervisor within the app to access all unit handover recordsHandover records / RBACHighRole assignments managed exclusively in IdP (AD); Capped AI app trusts IdP claims only — no in-app role promotion
E-03Attacker pivots from the compromised appliance to gain write access to the DCS historianDCS historian / plant processCriticalFirewall rule enforces appliance → historian port 4840 only (no reverse); historian account is read-only at OPC-UA level; separate VLAN
E-04Compromised Capped AI update mechanism grants root access to the appliance during an automated updateAppliance OSHighUpdates require plant-IT approval and manual trigger; no automatic update execution; pre-install signature check

Mitigation controls summary

The following controls are required in all production deployments. Their presence is verified during the Week-2 security checklist in the Deployment Runbook.

ControlThreat IDsImplemented by
MFA on operator IdPS-01Customer IT
TLS 1.3 on all LAN trafficS-02, I-05Capped AI (appliance config)
OPC-UA server certificate pinningS-03, T-02Capped AI (appliance config)
Immutable append-only audit logT-01, R-01, R-03Capped AI (software)
Full-disk encryption (LUKS + TPM)T-03, I-02, I-03Capped AI (hardware + OS)
Signed update packages (ED25519)T-04, E-04Capped AI (update pipeline)
Break-glass DB access with dual approvalT-05, R-03Capped AI (ops procedure)
Telemetry payload schema enforcementI-01Capped AI (software)
Role-based access control via IdP claimsI-04, E-02Capped AI (software) + Customer IT
Per-user inference rate limitingD-01Capped AI (software)
72-hour local historian cacheD-02Capped AI (software)
Appliance → historian read-only VLAN ruleE-03Customer IT (firewall)
Web process non-root container isolationE-01Capped AI (OS / container)
Secure Boot + BIOS passwordI-03, T-03Capped AI (hardware)

Residual risk and assumptions

Assumptions

  • The plant firewall correctly enforces the allowlist rules documented in the Deployment Runbook. Capped AI has no visibility into or control over the customer firewall.
  • The customer IdP (Active Directory) is correctly administered: accounts are disabled promptly on termination, MFA is enforced globally, and privileged accounts use hardware tokens.
  • Physical access to the server room is restricted to authorized plant IT personnel per the customer's own physical security policy.
  • The DCS historian vendor has not introduced writable OPC-UA surfaces under the read-only service account. Capped AI relies on the historian vendor's access control enforcement.

Accepted residual risks

  • Insider historian injection (T-02): A historian admin with write access could fabricate alarm records that influence AI output. The operator review-before-sign step is the primary human control; this risk is accepted because eliminating it would require Capped AI to operate its own historian, which is out of scope.
  • Physical drive extraction (T-03, I-03): Full-disk encryption mitigates this substantially. Residual risk (weak passphrase, TPM bypass) is accepted; customers with Top Secret data should apply additional physical controls per their own classification policy.
  • LAN availability (D-03): Capped AI cannot guarantee operator access during a plant-wide network outage. The printed emergency template is the accepted fallback.

Review cadence

This threat model is reviewed and updated on the following schedule:

  • Annually — full STRIDE re-assessment by Capped AI security team
  • On significant architecture change — any new trust boundary, data store, or external integration triggers an incremental review
  • After a security incident — post-incident review updates affected threat entries within 30 days
  • Before each major release — threat IDs referenced in the release changelog if mitigations changed

The current model version is v1.0 — April 2026. Questions or disclosures: security@capped.ai.