Abstract
The Internet of Things (IoT) defines a new era where ordinary physical objects are being transformed into smart connected devices. These advanced devices have the ability to sense, compute, and communicate with their surroundings via the Internet. This may result in severe network security breaches, as these devices increase the attack surface by exposing new vulnerabilities and infiltration points into restricted networks. One of the major challenges in such deployments is determining the security risks that IoT devices pose to the environment they operate in. This paper proposes an IoT device risk score model, denoted as the Weighted Risk Ranking (WRR) model. The proposed approach focuses on quantifying the static and dynamic properties of a device, in order to define a risk score. Our practical proof of concept demonstrates the use of the WRR scheme for several IoT devices in the context of an enterprise network, showing the feasibility of the suggested solution as a tool for device risk assessment in modern networks where IoT devices are widely deployed.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Siboni, S., Glezer, C., Shabtai, A., Elovici, Y. (2019). A Weighted Risk Score Model for IoT Devices. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science(), vol 11637. Springer, Cham. https://doi.org/10.1007/978-3-030-24900-7_2
DOI: https://doi.org/10.1007/978-3-030-24900-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24899-4
Online ISBN: 978-3-030-24900-7
eBook Packages: Computer Science, Computer Science (R0)