
Transparent Security Method for Automating IoT Security Assessments

  • Conference paper, Information Security Practice and Experience (ISPEC 2023)

Abstract

People and businesses are dependent on the security of the Internet of Things (IoT). Vendor-independent security assessment and certification intends to provide an objective view of the security of an IoT product. Unfortunately, the assessment is often done for a single version and configuration of the product and usually does not yield data to reproduce the assessment. We present the Transparent Security Method, in which product security is described by a machine-readable security statement. A security statement can be verified using tools for automated assessment, which can be repeated for different product versions and configurations to cover the product life-cycle. As a case study, we create an entry-level security statement for a real IoT product and do the verification using common security tools. In the study, 12 out of 15 security claims are verified fully or partially by automation. A security statement can be used in certification or labeling to speed up security assessment, especially in re-certification. Tool-based verification discourages inflated security claims, as they can be scrutinized. Eventually, this should drive product security improvements, as products without security statements are less attractive.
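To make the abstract's core idea concrete, the following is an added example (not code from the paper or its authors) of what a machine-readable security statement and a tool-driven verifier could look like. The statement format, claim types, product name, version and all "tool output" are constructed assumptions for illustration; the real paper's format is not shown on this page. The point it demonstrates is the life-cycle property the abstract describes: the same statement can be re-verified against fresh evidence for every product version, and each claim ends up verified, partially verified, failed, or left for manual review.

```python
"""Added example: a toy machine-readable security statement verified against
constructed tool output. Format, claim types and evidence are assumptions."""
import re
from enum import Enum


class Verdict(Enum):
    VERIFIED = "verified"      # tool evidence fully supports the claim
    PARTIAL = "partial"        # evidence supports only part of the claim
    FAILED = "failed"          # evidence contradicts the claim
    UNVERIFIED = "unverified"  # no automated check; needs manual review


# Hypothetical security statement for a hypothetical product/version.
SECURITY_STATEMENT = {
    "product": "example-iot-gateway",   # constructed name
    "version": "1.2.3",                 # constructed version
    "claims": [
        {"id": "C1", "type": "open_ports", "allowed": [22, 443]},
        {"id": "C2", "type": "tls_min_version", "min": "TLSv1.2"},
        {"id": "C3", "type": "http_security_header",
         "header": "Strict-Transport-Security"},
        {"id": "C4", "type": "manual", "text": "Firmware updates are signed"},
    ],
}

# Constructed evidence, NOT output of a real scan of any product.
EVIDENCE = {
    "port_scan": (
        "PORT     STATE SERVICE\n"
        "22/tcp   open  ssh\n"
        "443/tcp  open  https\n"
        "8080/tcp open  http-proxy\n"
    ),
    "tls_scan": {"protocols": {"TLSv1.0": False, "TLSv1.1": False,
                               "TLSv1.2": True, "TLSv1.3": True}},
    "http_headers": {"Strict-Transport-Security": "max-age=31536000",
                     "Content-Type": "text/html"},
}

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_open_ports(scan_text):
    """Extract open TCP ports from an nmap-style table (assumed layout)."""
    ports = set()
    for line in scan_text.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\b", line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_open_ports(claim, evidence):
    found = parse_open_ports(evidence["port_scan"])
    unexpected = sorted(found - set(claim["allowed"]))
    if unexpected:
        return Verdict.FAILED, f"unexpected open ports: {unexpected}"
    return Verdict.VERIFIED, f"open ports {sorted(found)} within allowed set"


def check_tls_min_version(claim, evidence):
    protocols = evidence["tls_scan"]["protocols"]
    below = TLS_ORDER[:TLS_ORDER.index(claim["min"])]
    enabled = [v for v in below if protocols.get(v)]
    missing = [v for v in below if v not in protocols]
    if enabled:
        return Verdict.FAILED, f"legacy protocols enabled: {enabled}"
    if missing:  # scan is silent on some version: only partial evidence
        return Verdict.PARTIAL, f"scan did not report: {missing}"
    return Verdict.VERIFIED, f"all versions below {claim['min']} disabled"


def check_http_header(claim, evidence):
    headers = {k.lower(): v for k, v in evidence["http_headers"].items()}
    name = claim["header"].lower()
    if name in headers:
        return Verdict.VERIFIED, f"{name}: {headers[name]}"
    return Verdict.FAILED, f"header {name} absent"


CHECKS = {
    "open_ports": check_open_ports,
    "tls_min_version": check_tls_min_version,
    "http_security_header": check_http_header,
}


def verify_statement(statement, evidence):
    """Map each claim id to (Verdict, detail); unknown types go to manual review."""
    results = {}
    for claim in statement["claims"]:
        check = CHECKS.get(claim["type"])
        if check is None:
            results[claim["id"]] = (Verdict.UNVERIFIED, "no automated check")
        else:
            results[claim["id"]] = check(claim, evidence)
    return results


def summarize(results):
    """Count claims per verdict, the 'N out of M verified' figure."""
    counts = {v: 0 for v in Verdict}
    for verdict, _ in results.values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    res = verify_statement(SECURITY_STATEMENT, EVIDENCE)
    for cid, (verdict, detail) in res.items():
        print(f"{cid}: {verdict.value:10s} {detail}")
    print(summarize(res))
```

Re-running `verify_statement` with evidence captured from a later firmware version, or a different configuration, is the re-certification step the abstract refers to; because the claims are explicit and the checks are reproducible, an inflated claim (here C1, which the constructed port scan contradicts) is caught rather than taken on trust.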

This work is supported by the Finnish Scientific Advisory Board for Defence (MATINE/2500M-0152).





Corresponding author: Rauli Kaksonen.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Kaksonen, R., Halunen, K., Laakso, M., Röning, J. (2023). Transparent Security Method for Automating IoT Security Assessments. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_9


  • DOI: https://doi.org/10.1007/978-981-99-7032-2_9


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7031-5

  • Online ISBN: 978-981-99-7032-2
