Abstract
People and businesses depend on the security of the Internet of Things (IoT). Vendor-independent security assessment and certification aim to provide an objective view of the security of an IoT product. Unfortunately, the assessment is often done for a single version and configuration of the product and usually does not yield the data needed to reproduce it. We present the Transparent Security Method, in which product security is described by a machine-readable security statement. A security statement can be verified using tools for automated assessment, and the verification can be repeated for different product versions and configurations to cover the product life-cycle. As a case study, we create an entry-level security statement for a real IoT product and perform the verification using common security tools. In the study, 12 out of 15 security claims are verified fully or partially by automation. A security statement can be used in certification or labeling to speed up security assessment, especially re-certification. Tool-based verification discourages inflated security claims, because they can be scrutinized. Eventually, this should drive product security improvements, as products without security statements become less attractive.
This work is supported by the Finnish Scientific Advisory Board for Defence (MATINE/2500M-0152).
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Kaksonen, R., Halunen, K., Laakso, M., Röning, J. (2023). Transparent Security Method for Automating IoT Security Assessments. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_9
DOI: https://doi.org/10.1007/978-981-99-7032-2_9
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7031-5
Online ISBN: 978-981-99-7032-2
eBook Packages: Computer Science, Computer Science (R0)