Skip to main content
SpringerLink
Log in

Risk Assessment for IoT-Enabled Cyber-Physical Systems

  • Chapter
  • First Online:
Advances in Core Computer Science-Based Technologies

Part of the book series: Learning and Analytics in Intelligent Systems ((LAIS,volume 14))

Abstract

Internet of Things (IoT) technologies have enabled Cyber-Physical Systems (CPS) to become fully interconnected. This connectivity however has radically changed their threat landscape. Existing risk assessment methodologies often fail to identify various attack paths that stem from the new connectivity/functionality features of IoT-enabled CPS. Even worse, due to their inherent characteristics, IoT systems are usually the weakest link in the security chain and thus many attacks utilize IoT technologies as their key enabler. In this paper we review risk assessment methodologies for IoT-enabled CPS. In addition, based on our previous work (Stellios et al. in IEEE Commun Surv Tutor 20:3453–3495, 2018, [47]) on modeling IoT-enabled cyberattacks, we present a high-level risk assessment approach, specifically suited for IoT-enabled CPS. The mail goal is to enable an assessor to identify and assess non-obvious (indirect or subliminal) attack paths introduced by IoT technologies, that usually target mission critical components of an CPS.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. H. Abie, I. Balasingham, Risk-based adaptive security for smart IoT in eHealth, in Proceedings of the 7th International Conference on Body Area Networks (ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2012), pp. 269–275

    Google Scholar 

  2. I. Agadakos, C.Y. Chen, M. Campanelli, P. Anantharaman, M. Hasan, B. Copos, T. Lepoint, M. Locasto, G.F. Ciocarlie, U. Lindqvist, Jumping the air gap: modeling cyber-physical attack paths in the internet-of-things, in Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and Privacy (ACM, 2017), pp. 37–48

    Google Scholar 

  3. S. Amin, G.A. Schwartz, A. Hussain, In quest of benchmarking security risks to cyber-physical systems. IEEE Netw. 27(1), 19–24 (2013)

    Article  Google Scholar 

  4. A.W. Atamli, A. Martin, Threat-based security analysis for the internet of things, in 2014 International Workshop on Secure Internet of Things (SIoT) (IEEE, 2014), pp. 35–43

    Google Scholar 

  5. H.F. Atlam, A. Alenezi, R.J. Walters, G.B. Wills, J. Daniel, Developing an adaptive risk-based access control model for the internet of things, in 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) (2017), pp. 655–661

    Google Scholar 

  6. C. Bormann, A.P. Castellani, Z. Shelby, CoAP: an application protocol for billions of tiny internet nodes. IEEE Internet Comput. 16(2), 62 (2012)

    Article  Google Scholar 

  7. A.A. Cárdenas, S. Amin, Z.S. Lin, Y.L. Huang, C.Y. Huang, S. Sastry, Attacks against process control systems: risk assessment, detection, and response, in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ACM, 2011), pp. 355–366

    Google Scholar 

  8. C. Cesar, A. Lucas, Hacking robots before Skynet (IOActive) (2017), https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet.pdf

  9. S. Cobb, 10 things to know about the October 21 IoT DDoS attacks (2016), http://www.welivesecurity.com/2016/10/24/10-things-know-october-21-iot-ddos-attacks/

  10. S. Darwish, I. Nouretdinov, S.D. Wolthusen, Towards composable threat assessment for medical IoT (MIoT). Procedia Comput. Sci. 113, 627–632 (2017)

    Article  Google Scholar 

  11. J. Depoy, J. Phelan, P. Sholander, B. Smith, G. Varnado, G. Wyss, Risk assessment for physical and cyber attacks on critical infrastructures, in Military Communications Conference, 2005. MILCOM 2005 (IEEE, 2005), pp. 1961–1969

    Google Scholar 

  12. B. Dorsemaine, J.P. Gaulier, J.P. Wary, N. Kheir, P. Urien, A new threat assessment method for integrating an IoT infrastructure in an information system, in 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW) (IEEE, 2017), pp. 105–112

    Google Scholar 

  13. P.M. Erdősi, The common vulnerability scoring system (CVSS) generations–usefulness and deficiencies

    Google Scholar 

  14. D. Evans, P. Bond, A. Bement, FIPS PUB 199 standards for security categorization of federal information and information systems. The National Institute of Standards and Technology (NIST) (2004)

    Google Scholar 

  15. N. Falliere, L.O. Murchu, E. Chien, W32. Stuxnet Dossier. White paper, Symantec Corporation. Secur. Response 5(6) (2011)

    Google Scholar 

  16. M. Ge, J.B. Hong, W. Guttmann, D.S. Kim, A framework for automating security analysis of the internet of things. J. Netw. Comput. Appl. 83, 12–27 (2017)

    Article  Google Scholar 

  17. D. Goodin, Hackers trigger yet another power outage in Ukraine (2017), https://arstechnica.com/security/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/

  18. G. Hernandez, O. Arias, D. Buentello, Y. Jin, Smart nest thermostat: a smart spy in your home, in Black Hat USA (2014)

    Google Scholar 

  19. J. Hong, D.S. Kim, HARMs: hierarchical attack representation models for network security analysis (2012)

    Google Scholar 

  20. ISO: ISO/IEC 27005:2011 Information technology—security techniques—information security risk management. Technical report. International Standardization Organization (2011)

    Google Scholar 

  21. W. Knowles, D. Prince, D. Hutchison, J.F.P. Disso, K. Jones, A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)

    Article  Google Scholar 

  22. A. Kott, J. Ludwig, M. Lange, Assessing mission impact of cyberattacks: toward a model-driven paradigm. IEEE Secur. Priv. 5, 65–74 (2017)

    Article  Google Scholar 

  23. A. Kott, C. Wang, R.F. Erbacher, Cyber Defense and Situational Awareness, vol. 62 (Springer, 2015)

    Google Scholar 

  24. KrebsonSecurity, FBI: smart meter hacks likely to spread (2012), https://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/

  25. D. Kushner, The real story of Stuxnet. IEEE Spectr. 50(3), 48–53 (2013)

    Article  Google Scholar 

  26. R.M. Lee, M.J. Assante, T. Conway, Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016)

    Google Scholar 

  27. C. Liu, Y. Zhang, J. Zeng, L. Peng, R. Chen, Research on dynamical security risk assessment for the internet of things inspired by immunology, in 2012 Eighth International Conference on Natural Computation (ICNC) (IEEE, 2012), pp. 874–878

    Google Scholar 

  28. F. Maggi, D. Quarta, M. Pogliani, M. Polino, A.M. Zanchettin, S. Zanero, Rogue robots: testing the limits of an industrial robots security. Technical report, Trend Micro, Politecnico di Milano (2017)

    Google Scholar 

  29. L. Maglaras, M.A. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, S. Rallis, Threats, countermeasures and attribution of cyber attacks on critical infrastructures. Secur. Saf. 5(16), 1–9 (2018). https://doi.org/10.4108/eai.15-10-2018.155856

    Article  Google Scholar 

  30. L. Maglaras, M.A. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, S. Rallis, Threats, protection and attribution of cyber attacks on critical infrastructures (2019), arXiv:1901.03899

  31. E. Marin, D. Singelée, F.D. Garcia, T. Chothia, R. Willems, B. Preneel, On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them, in Proceedings of the 32nd Annual Conference on Computer Security Applications (ACM, 2016), pp. 226–236

    Google Scholar 

  32. D. Martins, H. Guyennet, Wireless sensor network attacks and security mechanisms: a short survey, in 2010 13th International Conference on Network-Based Information Systems (NBiS) (IEEE, 2010), pp. 313–320

    Google Scholar 

  33. R. Neisse, G. Steri, I.N. Fovino, G. Baldini, SecKit: a model-based security toolkit for the internet of things. Comput. Secur. 54, 60–76 (2015)

    Article  Google Scholar 

  34. C.P. O’Flynn, Message denial and alteration on IEEE 802.15.4 low-power radio networks, in 2011 4th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (IEEE, 2011), pp. 1–5

    Google Scholar 

  35. Y. Peng, T. Lu, J. Liu, Y. Gao, X. Guo, F. Xie, Cyber-physical system risk assessment, in 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IEEE, 2013), pp. 442–447

    Google Scholar 

  36. J. Petit, B. Stottelaar, M. Feiri, F. Kargl, Remote attacks on automated vehicles sensors: experiments on camera and Lidar, in Black Hat Europe, vol. 11 (2015), p. 2015

    Google Scholar 

  37. D. Quarta, M. Pogliani, M. Polino, F. Maggi, A.M. Zanchettin, S. Zanero, An experimental security analysis of an industrial robot controller, in 2017 IEEE Symposium on Security and Privacy (SP) (IEEE, 2017), pp. 268–286

    Google Scholar 

  38. P.A. Ralston, J.H. Graham, J.L. Hieb, Cyber security risk assessment for SCADA and DCS networks. ISA Trans. 46(4), 583–594 (2007)

    Article  Google Scholar 

  39. E. Ronen, C. O’Flynn, A. Shamir, A.O. Weingarten, IoT goes nuclear: creating a zigbee chain reaction. IACR Cryptol. ePrint Arch. 2016, 1047 (2016)

    Google Scholar 

  40. E. Ronen, A. Shamir, Extended functionality attacks on IoT devices: the case of smart lights, in 2016 IEEE European Symposium on Security and Privacy (EuroS&P) (IEEE, 2016), pp. 3–12

    Google Scholar 

  41. R.S. Ross, NIST SP-800-39 Managing Information Security Risk–Organization, Mission, and Information System View. The National Institute of Standards and Technology (NIST), Gaithersburg (2011)

    Google Scholar 

  42. R.S. Ross, NIST SP-800-30rev1 Guide for conducting risk assessments. The National Institute of Standards and Technology (NIST), Gaithersburg (2012)

    Google Scholar 

  43. R.A. Sahner, K. Trivedi, A. Puliafito, Performance and Reliability Analysis of Computer Systems: An Example-based Approach Using the SHARPE Software Package (Springer Science & Business Media, 2012)

    Google Scholar 

  44. R. Santamarta, In flight hacking system (IOActive Research Labs) (2016), http://blog.ioactive.com/2016/12/in-flight-hacking-system.html

  45. Z. Shelby, C. Bormann, 6LoWPAN: The Wireless Embedded Internet, vol. 43 (Wiley, 2011)

    Google Scholar 

  46. R. Spenneberg, M. Brüggemann, H. Schwartke, PLC-blaster: a worm living solely in the PLC, in Black Hat Asia, Marina Bay Sands, Singapore (2016)

    Google Scholar 

  47. I. Stellios, P. Kotzanikolaou, M. Psarakis, C. Alcaraz, J. Lopez, A survey of IoT-enabled cyberattacks: assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 20(4), 3453–3495 (2018)

    Article  Google Scholar 

  48. TrapX Research, Labs: Anatomy of Attack: MEDJACK.2—Hospitals Under Siege. TrapX Investigative Report (2016)

    Google Scholar 

  49. Wikileaks: Vault 7: CIA Hacking Tools Revealed—CIA malware targets iPhone, Android, smart TVs (2017), https://wikileaks.org/ciav7p1/

  50. C. Yan, X. Wenyuan, J. Liu, Can you trust autonomous vehicles: contactless attacks against sensors of self-driving vehicle, in DEF CON (2016)

    Google Scholar 

  51. S.E. Yusuf, M. Ge, J.B. Hong, H.K. Kim, P. Kim, D.S. Kim, Security modelling and analysis of dynamic enterprise networks, in 2016 IEEE International Conference on Computer and Information Technology (CIT) (IEEE, 2016), pp. 249–256

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. SecLab, Department of Informatics, University of Piraeus, 85 Karaoli & Dimitriou, 18534, Pireas, Greece

    Ioannis Stellios & Panayiotis Kotzanikolaou

  2. ESLab, Department of Informatics, University of Piraeus, 85 Karaoli & Dimitriou, 18534, Pireas, Greece

    Mihalis Psarakis

  3. Computer Science Department, University of Malaga, Campus de Teatinos s/n, 29071, Málaga, Spain

    Cristina Alcaraz

Authors
  1. Ioannis Stellios
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Panayiotis Kotzanikolaou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mihalis Psarakis
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Cristina Alcaraz
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Panayiotis Kotzanikolaou .

Editor information

Editors and Affiliations

  1. Department of Informatics, University of Piraeus, Piraeus, Greece

    George A. Tsihrintzis

  2. Department of Informatics, University of Piraeus, Piraeus, Greece

    Maria Virvou

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Stellios, I., Kotzanikolaou, P., Psarakis, M., Alcaraz, C. (2021). Risk Assessment for IoT-Enabled Cyber-Physical Systems. In: Tsihrintzis, G., Virvou, M. (eds) Advances in Core Computer Science-Based Technologies. Learning and Analytics in Intelligent Systems, vol 14. Springer, Cham. https://doi.org/10.1007/978-3-030-41196-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-41196-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41195-4

  • Online ISBN: 978-3-030-41196-1

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation