Vulnerability-oriented risk identification framework for IoT risk assessment

IF 6 3区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Mohammad Beyrouti , Ahmed Lounis , Benjamin Lussier , Abdelmadjid Bouabdallah , Abed Ellatif Samhat
{"title":"Vulnerability-oriented risk identification framework for IoT risk assessment","authors":"Mohammad Beyrouti ,&nbsp;Ahmed Lounis ,&nbsp;Benjamin Lussier ,&nbsp;Abdelmadjid Bouabdallah ,&nbsp;Abed Ellatif Samhat","doi":"10.1016/j.iot.2024.101333","DOIUrl":null,"url":null,"abstract":"<div><p>The proliferation of Internet of Things (IoT) systems across diverse applications has led to a notable increase in connected smart devices. Nevertheless, this surge in connectivity has induced a broad spectrum of vulnerabilities and threats, jeopardizing the security and safety of IoT applications. Security risk assessment methods are commonly employed to analyze risks. However, traditional IT and existing IoT-tailored security assessment methods often fail to fully address key IoT aspects: complex assets intercommunication, dynamic system changes, assets’ potential as attack platforms, safety impacts of security breaches, and assets resource constraints. Such oversights lead to significant risks being overlooked in the IoT ecosystem. In this paper, we propose a novel vulnerability-oriented risk identification framework comprising a four-step process as a core element of IoT security risk assessment, applicable to any IoT system. Our process enhances both traditional and IoT-specific security risk assessment methods by providing tailored approaches that address their crucial oversights for comprehensive IoT risk assessment. We validate our process with a case study of an IoT smart healthcare system using a proposed expert-driven approach. The results confirm that our process effectively identifies critical attack scenarios originating from the lack of proper security measures, mobility, and intercommunication processes of IoT devices in the healthcare system. Furthermore, our analysis reveals potential attacks that exploit the IoT devices as platforms to target the backend and user domains. We demonstrate the feasibility of our process for identifying realistic risks by conducting simulations of two derived attack scenarios using the Contiki Cooja network simulator.</p></div>","PeriodicalId":29968,"journal":{"name":"Internet of Things","volume":"27 ","pages":"Article 101333"},"PeriodicalIF":6.0000,"publicationDate":"2024-08-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Internet of Things","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2542660524002749","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

The proliferation of Internet of Things (IoT) systems across diverse applications has led to a notable increase in connected smart devices. Nevertheless, this surge in connectivity has induced a broad spectrum of vulnerabilities and threats, jeopardizing the security and safety of IoT applications. Security risk assessment methods are commonly employed to analyze risks. However, traditional IT and existing IoT-tailored security assessment methods often fail to fully address key IoT aspects: complex assets intercommunication, dynamic system changes, assets’ potential as attack platforms, safety impacts of security breaches, and assets resource constraints. Such oversights lead to significant risks being overlooked in the IoT ecosystem. In this paper, we propose a novel vulnerability-oriented risk identification framework comprising a four-step process as a core element of IoT security risk assessment, applicable to any IoT system. Our process enhances both traditional and IoT-specific security risk assessment methods by providing tailored approaches that address their crucial oversights for comprehensive IoT risk assessment. We validate our process with a case study of an IoT smart healthcare system using a proposed expert-driven approach. The results confirm that our process effectively identifies critical attack scenarios originating from the lack of proper security measures, mobility, and intercommunication processes of IoT devices in the healthcare system. Furthermore, our analysis reveals potential attacks that exploit the IoT devices as platforms to target the backend and user domains. We demonstrate the feasibility of our process for identifying realistic risks by conducting simulations of two derived attack scenarios using the Contiki Cooja network simulator.

面向脆弱性的物联网风险评估风险识别框架
随着物联网(IoT)系统在各种应用中的普及,联网智能设备显著增加。然而,连接性的激增诱发了大量的漏洞和威胁,危及物联网应用的安全保障。安全风险评估方法通常用于分析风险。然而,传统的信息技术和现有的物联网定制安全评估方法往往不能充分解决物联网的关键问题:复杂的资产互通、动态系统变化、资产作为攻击平台的潜力、安全漏洞对安全的影响以及资产资源限制。这些疏忽导致物联网生态系统中的重大风险被忽视。在本文中,我们提出了一个新颖的以脆弱性为导向的风险识别框架,包括一个四步流程,作为物联网安全风险评估的核心要素,适用于任何物联网系统。我们的流程增强了传统安全风险评估方法和针对物联网的安全风险评估方法,提供了量身定制的方法,解决了全面物联网风险评估中的关键疏漏。我们通过对一个物联网智能医疗系统的案例研究,采用建议的专家驱动方法验证了我们的流程。结果证实,我们的流程能有效识别因医疗系统中物联网设备缺乏适当的安全措施、移动性和互联互通流程而产生的关键攻击场景。此外,我们的分析还揭示了利用物联网设备作为平台来攻击后端和用户域的潜在攻击。我们使用 Contiki Cooja 网络模拟器对两个衍生攻击场景进行了模拟,从而证明了我们识别现实风险过程的可行性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Internet of Things
Internet of Things Multiple-
CiteScore
3.60
自引率
5.10%
发文量
115
审稿时长
37 days
期刊介绍: Internet of Things; Engineering Cyber Physical Human Systems is a comprehensive journal encouraging cross collaboration between researchers, engineers and practitioners in the field of IoT & Cyber Physical Human Systems. The journal offers a unique platform to exchange scientific information on the entire breadth of technology, science, and societal applications of the IoT. The journal will place a high priority on timely publication, and provide a home for high quality. Furthermore, IOT is interested in publishing topical Special Issues on any aspect of IOT.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信