Automated Risk Analysis for IoT Systems

  • Conference paper
Advances on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC 2018)

Abstract

Designing and assessing the security of IoT systems is very challenging, mainly because new threats and vulnerabilities affecting IoT devices are continually discovered and published. Moreover, new (typically low-cost) devices are continuously plugged into IoT systems, introducing unpredictable security issues. This paper proposes a methodology for automating the threat modeling and risk analysis processes for an IoT system. The methodology identifies existing threats and related countermeasures and relies on an open catalogue, built in the context of EU projects, to gather information about threats and vulnerabilities of the IoT system under analysis. To validate the proposed methodology, we applied it to a real case study based on a commercial smart home application.

Notes

  1. www.bitbucket.org/cerict/sla-model.

The authors would like to thank Lorenzo Russo and Maria Teresa Diana for their valuable contribution in the validation of the methodology.

Author information

Corresponding author

Correspondence to Massimiliano Rak.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Rak, M., Casola, V., De Benedictis, A., Villano, U. (2019). Automated Risk Analysis for IoT Systems. In: Xhafa, F., Leu, FY., Ficco, M., Yang, CT. (eds) Advances on P2P, Parallel, Grid, Cloud and Internet Computing. 3PGCIC 2018. Lecture Notes on Data Engineering and Communications Technologies, vol 24. Springer, Cham. https://doi.org/10.1007/978-3-030-02607-3_24

  • DOI: https://doi.org/10.1007/978-3-030-02607-3_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02606-6

  • Online ISBN: 978-3-030-02607-3

  • eBook Packages: Engineering (R0)
