Vulnerability-oriented risk identification framework for IoT risk assessment
Mohammad Beyrouti, Ahmed Lounis, Benjamin Lussier, Abdelmadjid Bouabdallah, Abed Ellatif Samhat
Journal: Internet of Things, volume 27, Article 101333 (Journal Article)
DOI: 10.1016/j.iot.2024.101333
Publication date: 2024-08-13
URL: https://www.sciencedirect.com/science/article/pii/S2542660524002749
Journal impact factor: 6.0; JCR Q1 (Computer Science, Information Systems); region category: Computer Science
Citation count: 0
Abstract
The proliferation of Internet of Things (IoT) systems across diverse applications has led to a notable increase in connected smart devices. Nevertheless, this surge in connectivity has induced a broad spectrum of vulnerabilities and threats, jeopardizing the security and safety of IoT applications. Security risk assessment methods are commonly employed to analyze risks. However, traditional IT and existing IoT-tailored security assessment methods often fail to fully address key IoT aspects: complex asset intercommunication, dynamic system changes, assets' potential as attack platforms, safety impacts of security breaches, and asset resource constraints. Such oversights lead to significant risks being overlooked in the IoT ecosystem. In this paper, we propose a novel vulnerability-oriented risk identification framework comprising a four-step process as a core element of IoT security risk assessment, applicable to any IoT system. Our process enhances both traditional and IoT-specific security risk assessment methods by providing tailored approaches that address their crucial oversights for comprehensive IoT risk assessment. We validate our process with a case study of an IoT smart healthcare system using a proposed expert-driven approach. The results confirm that our process effectively identifies critical attack scenarios originating from the lack of proper security measures, mobility, and intercommunication processes of IoT devices in the healthcare system. Furthermore, our analysis reveals potential attacks that exploit the IoT devices as platforms to target the backend and user domains. We demonstrate the feasibility of our process for identifying realistic risks by conducting simulations of two derived attack scenarios using the Contiki Cooja network simulator.
Journal description:
Internet of Things: Engineering Cyber Physical Human Systems is a comprehensive journal encouraging cross-collaboration between researchers, engineers and practitioners in the field of IoT and Cyber Physical Human Systems. The journal offers a unique platform to exchange scientific information on the entire breadth of technology, science, and societal applications of the IoT.
The journal will place a high priority on timely publication, and provide a home for high quality.
Furthermore, IoT is interested in publishing topical Special Issues on any aspect of IoT.