Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
Advances in Core Computer Science-Based Technologies Read chapter Read first chapter

2021 | OriginalPaper | Chapter

8. Risk Assessment for IoT-Enabled Cyber-Physical Systems

Authors : Ioannis Stellios, Panayiotis Kotzanikolaou, Mihalis Psarakis, Cristina Alcaraz

Published in: Advances in Core Computer Science-Based Technologies

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

Internet of Things (IoT) technologies have enabled Cyber-Physical Systems (CPS) to become fully interconnected. This connectivity however has radically changed their threat landscape. Existing risk assessment methodologies often fail to identify various attack paths that stem from the new connectivity/functionality features of IoT-enabled CPS. Even worse, due to their inherent characteristics, IoT systems are usually the weakest link in the security chain and thus many attacks utilize IoT technologies as their key enabler. In this paper we review risk assessment methodologies for IoT-enabled CPS. In addition, based on our previous work (Stellios et al. in IEEE Commun Surv Tutor 20:3453–3495, 2018, [47]) on modeling IoT-enabled cyberattacks, we present a high-level risk assessment approach, specifically suited for IoT-enabled CPS. The mail goal is to enable an assessor to identify and assess non-obvious (indirect or subliminal) attack paths introduced by IoT technologies, that usually target mission critical components of an CPS.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
previous chapter Challenges and Issues in Risk Assessment in Modern Maritime Systems
next chapter Sustaining Social Cohesion in Information and Knowledge Society: The Priceless Value of Privacy
Literature
1.
H. Abie, I. Balasingham, Risk-based adaptive security for smart IoT in eHealth, in Proceedings of the 7th International Conference on Body Area Networks (ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2012), pp. 269–275
2.
I. Agadakos, C.Y. Chen, M. Campanelli, P. Anantharaman, M. Hasan, B. Copos, T. Lepoint, M. Locasto, G.F. Ciocarlie, U. Lindqvist, Jumping the air gap: modeling cyber-physical attack paths in the internet-of-things, in Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and Privacy (ACM, 2017), pp. 37–48
3.
S. Amin, G.A. Schwartz, A. Hussain, In quest of benchmarking security risks to cyber-physical systems. IEEE Netw. 27(1), 19–24 (2013)CrossRef
4.
A.W. Atamli, A. Martin, Threat-based security analysis for the internet of things, in 2014 International Workshop on Secure Internet of Things (SIoT) (IEEE, 2014), pp. 35–43
5.
H.F. Atlam, A. Alenezi, R.J. Walters, G.B. Wills, J. Daniel, Developing an adaptive risk-based access control model for the internet of things, in 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) (2017), pp. 655–661
6.
C. Bormann, A.P. Castellani, Z. Shelby, CoAP: an application protocol for billions of tiny internet nodes. IEEE Internet Comput. 16(2), 62 (2012)CrossRef
7.
A.A. Cárdenas, S. Amin, Z.S. Lin, Y.L. Huang, C.Y. Huang, S. Sastry, Attacks against process control systems: risk assessment, detection, and response, in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ACM, 2011), pp. 355–366
8.
9.
10.
S. Darwish, I. Nouretdinov, S.D. Wolthusen, Towards composable threat assessment for medical IoT (MIoT). Procedia Comput. Sci. 113, 627–632 (2017)CrossRef
11.
J. Depoy, J. Phelan, P. Sholander, B. Smith, G. Varnado, G. Wyss, Risk assessment for physical and cyber attacks on critical infrastructures, in Military Communications Conference, 2005. MILCOM 2005 (IEEE, 2005), pp. 1961–1969
12.
B. Dorsemaine, J.P. Gaulier, J.P. Wary, N. Kheir, P. Urien, A new threat assessment method for integrating an IoT infrastructure in an information system, in 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW) (IEEE, 2017), pp. 105–112
13.
P.M. Erdősi, The common vulnerability scoring system (CVSS) generations–usefulness and deficiencies
14.
D. Evans, P. Bond, A. Bement, FIPS PUB 199 standards for security categorization of federal information and information systems. The National Institute of Standards and Technology (NIST) (2004)
15.
N. Falliere, L.O. Murchu, E. Chien, W32. Stuxnet Dossier. White paper, Symantec Corporation. Secur. Response 5(6) (2011)
16.
M. Ge, J.B. Hong, W. Guttmann, D.S. Kim, A framework for automating security analysis of the internet of things. J. Netw. Comput. Appl. 83, 12–27 (2017)CrossRef
17.
18.
G. Hernandez, O. Arias, D. Buentello, Y. Jin, Smart nest thermostat: a smart spy in your home, in Black Hat USA (2014)
19.
J. Hong, D.S. Kim, HARMs: hierarchical attack representation models for network security analysis (2012)
20.
ISO: ISO/IEC 27005:2011 Information technology—security techniques—information security risk management. Technical report. International Standardization Organization (2011)
21.
W. Knowles, D. Prince, D. Hutchison, J.F.P. Disso, K. Jones, A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)CrossRef
22.
A. Kott, J. Ludwig, M. Lange, Assessing mission impact of cyberattacks: toward a model-driven paradigm. IEEE Secur. Priv. 5, 65–74 (2017)CrossRef
23.
A. Kott, C. Wang, R.F. Erbacher, Cyber Defense and Situational Awareness, vol. 62 (Springer, 2015)
24.
25.
26.
R.M. Lee, M.J. Assante, T. Conway, Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016)
27.
C. Liu, Y. Zhang, J. Zeng, L. Peng, R. Chen, Research on dynamical security risk assessment for the internet of things inspired by immunology, in 2012 Eighth International Conference on Natural Computation (ICNC) (IEEE, 2012), pp. 874–878
28.
F. Maggi, D. Quarta, M. Pogliani, M. Polino, A.M. Zanchettin, S. Zanero, Rogue robots: testing the limits of an industrial robots security. Technical report, Trend Micro, Politecnico di Milano (2017)
29.
30.
L. Maglaras, M.A. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, S. Rallis, Threats, protection and attribution of cyber attacks on critical infrastructures (2019), arXiv:​1901.​03899
31.
E. Marin, D. Singelée, F.D. Garcia, T. Chothia, R. Willems, B. Preneel, On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them, in Proceedings of the 32nd Annual Conference on Computer Security Applications (ACM, 2016), pp. 226–236
32.
D. Martins, H. Guyennet, Wireless sensor network attacks and security mechanisms: a short survey, in 2010 13th International Conference on Network-Based Information Systems (NBiS) (IEEE, 2010), pp. 313–320
33.
R. Neisse, G. Steri, I.N. Fovino, G. Baldini, SecKit: a model-based security toolkit for the internet of things. Comput. Secur. 54, 60–76 (2015)CrossRef
34.
C.P. O’Flynn, Message denial and alteration on IEEE 802.15.4 low-power radio networks, in 2011 4th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (IEEE, 2011), pp. 1–5
35.
Y. Peng, T. Lu, J. Liu, Y. Gao, X. Guo, F. Xie, Cyber-physical system risk assessment, in 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IEEE, 2013), pp. 442–447
36.
J. Petit, B. Stottelaar, M. Feiri, F. Kargl, Remote attacks on automated vehicles sensors: experiments on camera and Lidar, in Black Hat Europe, vol. 11 (2015), p. 2015
37.
D. Quarta, M. Pogliani, M. Polino, F. Maggi, A.M. Zanchettin, S. Zanero, An experimental security analysis of an industrial robot controller, in 2017 IEEE Symposium on Security and Privacy (SP) (IEEE, 2017), pp. 268–286
38.
P.A. Ralston, J.H. Graham, J.L. Hieb, Cyber security risk assessment for SCADA and DCS networks. ISA Trans. 46(4), 583–594 (2007)CrossRef
39.
E. Ronen, C. O’Flynn, A. Shamir, A.O. Weingarten, IoT goes nuclear: creating a zigbee chain reaction. IACR Cryptol. ePrint Arch. 2016, 1047 (2016)
40.
E. Ronen, A. Shamir, Extended functionality attacks on IoT devices: the case of smart lights, in 2016 IEEE European Symposium on Security and Privacy (EuroS&P) (IEEE, 2016), pp. 3–12
41.
R.S. Ross, NIST SP-800-39 Managing Information Security Risk–Organization, Mission, and Information System View. The National Institute of Standards and Technology (NIST), Gaithersburg (2011)
42.
R.S. Ross, NIST SP-800-30rev1 Guide for conducting risk assessments. The National Institute of Standards and Technology (NIST), Gaithersburg (2012)
43.
R.A. Sahner, K. Trivedi, A. Puliafito, Performance and Reliability Analysis of Computer Systems: An Example-based Approach Using the SHARPE Software Package (Springer Science & Business Media, 2012)
44.
45.
Z. Shelby, C. Bormann, 6LoWPAN: The Wireless Embedded Internet, vol. 43 (Wiley, 2011)
46.
R. Spenneberg, M. Brüggemann, H. Schwartke, PLC-blaster: a worm living solely in the PLC, in Black Hat Asia, Marina Bay Sands, Singapore (2016)
47.
I. Stellios, P. Kotzanikolaou, M. Psarakis, C. Alcaraz, J. Lopez, A survey of IoT-enabled cyberattacks: assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 20(4), 3453–3495 (2018)CrossRef
48.
TrapX Research, Labs: Anatomy of Attack: MEDJACK.2—Hospitals Under Siege. TrapX Investigative Report (2016)
49.
50.
C. Yan, X. Wenyuan, J. Liu, Can you trust autonomous vehicles: contactless attacks against sensors of self-driving vehicle, in DEF CON (2016)
51.
S.E. Yusuf, M. Ge, J.B. Hong, H.K. Kim, P. Kim, D.S. Kim, Security modelling and analysis of dynamic enterprise networks, in 2016 IEEE International Conference on Computer and Information Technology (CIT) (IEEE, 2016), pp. 249–256
Metadata
Title
Risk Assessment for IoT-Enabled Cyber-Physical Systems
Authors
Ioannis Stellios
Panayiotis Kotzanikolaou
Mihalis Psarakis
Cristina Alcaraz
Copyright Year
2021
Book
Advances in Core Computer Science-Based Technologies

Print ISBN: 978-3-030-41195-4

Electronic ISBN: 978-3-030-41196-1

Copyright Year: 2021

DOI
https://doi.org/10.1007/978-3-030-41196-1_8

Premium Partners

    Image Credits