Abstract
The growing damage caused by security incidents in IoT-based systems calls for a rigorous methodology to assess risks and protect the system against them. In this work, we propose an approach that follows established security standards to identify and analyse potential risks. The approach starts by specifying the system's assets, following the IoT domain model, together with the potential threats that might compromise them. From the list of threats we derive security objectives, then the technical requirements and countermeasures that can satisfy those objectives. We apply the approach to an IoT system for monitoring and controlling the management of the urban water cycle.
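The asset-to-threat-to-objective-to-countermeasure chain described in the abstract is only useful if it can be checked for gaps. The following is an added illustration, not the paper's tool or its case-study data: it encodes a constructed inventory of water-cycle assets (the asset, threat, objective and countermeasure names are assumptions chosen for the example), maps each threat to the security objective that would neutralise it, and reports the threats that no selected countermeasure covers.

```python
"""Traceability check for an asset-driven risk assessment.

Added example with constructed data (asset/threat/objective/countermeasure
names are assumptions, not the paper's case study).  Each asset lists the
threats that can compromise it, each threat names the security objective
that neutralises it, and each countermeasure declares the objectives it
covers.  The check reports threats left without any covering countermeasure.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    objective: str  # security objective that neutralises this threat


@dataclass(frozen=True)
class Asset:
    name: str
    threats: tuple[Threat, ...]


@dataclass(frozen=True)
class Countermeasure:
    name: str
    covers: frozenset[str]  # objectives this countermeasure satisfies


def uncovered_threats(assets, countermeasures):
    """Return {asset_name: [threat names]} for threats whose objective is not
    covered by any countermeasure.  Fully covered assets are omitted."""
    covered = set().union(*(cm.covers for cm in countermeasures))
    gaps = {}
    for asset in assets:
        missing = [t.name for t in asset.threats if t.objective not in covered]
        if missing:
            gaps[asset.name] = missing
    return gaps


def objective_coverage(assets, countermeasures):
    """Map every objective required by some threat to the (sorted) names of
    the countermeasures covering it; an empty list marks an open objective."""
    required = {t.objective for a in assets for t in a.threats}
    return {
        obj: sorted(cm.name for cm in countermeasures if obj in cm.covers)
        for obj in sorted(required)
    }


# Constructed sample inventory (assumed names; not taken from the paper).
SPOOF = Threat("sensor data spoofing", "data_authenticity")
TAMPER = Threat("firmware tampering", "device_integrity")
EAVES = Threat("telemetry eavesdropping", "confidentiality")
FLOOD = Threat("command channel flooding", "availability")

SAMPLE_ASSETS = (
    Asset("water level sensor", (SPOOF, TAMPER)),
    Asset("field gateway", (EAVES, FLOOD, TAMPER)),
    Asset("pump controller", (FLOOD, TAMPER)),
)

SAMPLE_COUNTERMEASURES = (
    Countermeasure("TLS with mutual authentication",
                   frozenset({"confidentiality", "data_authenticity"})),
    Countermeasure("secure boot with signed firmware",
                   frozenset({"device_integrity"})),
)

if __name__ == "__main__":
    for asset, threats in uncovered_threats(SAMPLE_ASSETS, SAMPLE_COUNTERMEASURES).items():
        print(f"{asset}: no countermeasure for {', '.join(threats)}")
    for obj, cms in objective_coverage(SAMPLE_ASSETS, SAMPLE_COUNTERMEASURES).items():
        print(f"{obj}: {cms or 'OPEN'}")
```

In the sample inventory the availability objective has no countermeasure, so both the gateway and the pump controller are reported as exposed to command-channel flooding; the same check run on a real inventory is what turns the list of objectives into an auditable coverage statement.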
Acknowledgments
The research leading to these results has been supported by the European Union through the BRAIN-IoT project H2020-EU.2.1.1. Grant agreement ID: 780089.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Chehida, S. et al. (2021). Asset-Driven Approach for Security Risk Assessment in IoT Systems. In: Garcia-Alfaro, J., Leneutre, J., Cuppens, N., Yaich, R. (eds) Risks and Security of Internet and Systems. CRiSIS 2020. Lecture Notes in Computer Science(), vol 12528. Springer, Cham. https://doi.org/10.1007/978-3-030-68887-5_9
DOI: https://doi.org/10.1007/978-3-030-68887-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-68886-8
Online ISBN: 978-3-030-68887-5
eBook Packages: Computer Science, Computer Science (R0)