Abstract
Internet of Things (IoT) technologies have enabled Cyber-Physical Systems (CPS) to become fully interconnected. This connectivity however has radically changed their threat landscape. Existing risk assessment methodologies often fail to identify various attack paths that stem from the new connectivity/functionality features of IoT-enabled CPS. Even worse, due to their inherent characteristics, IoT systems are usually the weakest link in the security chain and thus many attacks utilize IoT technologies as their key enabler. In this paper we review risk assessment methodologies for IoT-enabled CPS. In addition, based on our previous work (Stellios et al. in IEEE Commun Surv Tutor 20:3453–3495, 2018, [47]) on modeling IoT-enabled cyberattacks, we present a high-level risk assessment approach, specifically suited for IoT-enabled CPS. The mail goal is to enable an assessor to identify and assess non-obvious (indirect or subliminal) attack paths introduced by IoT technologies, that usually target mission critical components of an CPS.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
H. Abie, I. Balasingham, Risk-based adaptive security for smart IoT in eHealth, in Proceedings of the 7th International Conference on Body Area Networks (ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2012), pp. 269–275
I. Agadakos, C.Y. Chen, M. Campanelli, P. Anantharaman, M. Hasan, B. Copos, T. Lepoint, M. Locasto, G.F. Ciocarlie, U. Lindqvist, Jumping the air gap: modeling cyber-physical attack paths in the internet-of-things, in Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and Privacy (ACM, 2017), pp. 37–48
S. Amin, G.A. Schwartz, A. Hussain, In quest of benchmarking security risks to cyber-physical systems. IEEE Netw. 27(1), 19–24 (2013)
A.W. Atamli, A. Martin, Threat-based security analysis for the internet of things, in 2014 International Workshop on Secure Internet of Things (SIoT) (IEEE, 2014), pp. 35–43
H.F. Atlam, A. Alenezi, R.J. Walters, G.B. Wills, J. Daniel, Developing an adaptive risk-based access control model for the internet of things, in 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) (2017), pp. 655–661
C. Bormann, A.P. Castellani, Z. Shelby, CoAP: an application protocol for billions of tiny internet nodes. IEEE Internet Comput. 16(2), 62 (2012)
A.A. Cárdenas, S. Amin, Z.S. Lin, Y.L. Huang, C.Y. Huang, S. Sastry, Attacks against process control systems: risk assessment, detection, and response, in Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ACM, 2011), pp. 355–366
C. Cesar, A. Lucas, Hacking robots before Skynet (IOActive) (2017), https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet.pdf
S. Cobb, 10 things to know about the October 21 IoT DDoS attacks (2016), http://www.welivesecurity.com/2016/10/24/10-things-know-october-21-iot-ddos-attacks/
S. Darwish, I. Nouretdinov, S.D. Wolthusen, Towards composable threat assessment for medical IoT (MIoT). Procedia Comput. Sci. 113, 627–632 (2017)
J. Depoy, J. Phelan, P. Sholander, B. Smith, G. Varnado, G. Wyss, Risk assessment for physical and cyber attacks on critical infrastructures, in Military Communications Conference, 2005. MILCOM 2005 (IEEE, 2005), pp. 1961–1969
B. Dorsemaine, J.P. Gaulier, J.P. Wary, N. Kheir, P. Urien, A new threat assessment method for integrating an IoT infrastructure in an information system, in 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW) (IEEE, 2017), pp. 105–112
P.M. Erdősi, The common vulnerability scoring system (CVSS) generations–usefulness and deficiencies
D. Evans, P. Bond, A. Bement, FIPS PUB 199 standards for security categorization of federal information and information systems. The National Institute of Standards and Technology (NIST) (2004)
N. Falliere, L.O. Murchu, E. Chien, W32. Stuxnet Dossier. White paper, Symantec Corporation. Secur. Response 5(6) (2011)
M. Ge, J.B. Hong, W. Guttmann, D.S. Kim, A framework for automating security analysis of the internet of things. J. Netw. Comput. Appl. 83, 12–27 (2017)
D. Goodin, Hackers trigger yet another power outage in Ukraine (2017), https://arstechnica.com/security/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/
G. Hernandez, O. Arias, D. Buentello, Y. Jin, Smart nest thermostat: a smart spy in your home, in Black Hat USA (2014)
J. Hong, D.S. Kim, HARMs: hierarchical attack representation models for network security analysis (2012)
ISO: ISO/IEC 27005:2011 Information technology—security techniques—information security risk management. Technical report. International Standardization Organization (2011)
W. Knowles, D. Prince, D. Hutchison, J.F.P. Disso, K. Jones, A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)
A. Kott, J. Ludwig, M. Lange, Assessing mission impact of cyberattacks: toward a model-driven paradigm. IEEE Secur. Priv. 5, 65–74 (2017)
A. Kott, C. Wang, R.F. Erbacher, Cyber Defense and Situational Awareness, vol. 62 (Springer, 2015)
KrebsonSecurity, FBI: smart meter hacks likely to spread (2012), https://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/
D. Kushner, The real story of Stuxnet. IEEE Spectr. 50(3), 48–53 (2013)
R.M. Lee, M.J. Assante, T. Conway, Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016)
C. Liu, Y. Zhang, J. Zeng, L. Peng, R. Chen, Research on dynamical security risk assessment for the internet of things inspired by immunology, in 2012 Eighth International Conference on Natural Computation (ICNC) (IEEE, 2012), pp. 874–878
F. Maggi, D. Quarta, M. Pogliani, M. Polino, A.M. Zanchettin, S. Zanero, Rogue robots: testing the limits of an industrial robots security. Technical report, Trend Micro, Politecnico di Milano (2017)
L. Maglaras, M.A. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, S. Rallis, Threats, countermeasures and attribution of cyber attacks on critical infrastructures. Secur. Saf. 5(16), 1–9 (2018). https://doi.org/10.4108/eai.15-10-2018.155856
L. Maglaras, M.A. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, S. Rallis, Threats, protection and attribution of cyber attacks on critical infrastructures (2019), arXiv:1901.03899
E. Marin, D. Singelée, F.D. Garcia, T. Chothia, R. Willems, B. Preneel, On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them, in Proceedings of the 32nd Annual Conference on Computer Security Applications (ACM, 2016), pp. 226–236
D. Martins, H. Guyennet, Wireless sensor network attacks and security mechanisms: a short survey, in 2010 13th International Conference on Network-Based Information Systems (NBiS) (IEEE, 2010), pp. 313–320
R. Neisse, G. Steri, I.N. Fovino, G. Baldini, SecKit: a model-based security toolkit for the internet of things. Comput. Secur. 54, 60–76 (2015)
C.P. O’Flynn, Message denial and alteration on IEEE 802.15.4 low-power radio networks, in 2011 4th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (IEEE, 2011), pp. 1–5
Y. Peng, T. Lu, J. Liu, Y. Gao, X. Guo, F. Xie, Cyber-physical system risk assessment, in 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IEEE, 2013), pp. 442–447
J. Petit, B. Stottelaar, M. Feiri, F. Kargl, Remote attacks on automated vehicles sensors: experiments on camera and Lidar, in Black Hat Europe, vol. 11 (2015), p. 2015
D. Quarta, M. Pogliani, M. Polino, F. Maggi, A.M. Zanchettin, S. Zanero, An experimental security analysis of an industrial robot controller, in 2017 IEEE Symposium on Security and Privacy (SP) (IEEE, 2017), pp. 268–286
P.A. Ralston, J.H. Graham, J.L. Hieb, Cyber security risk assessment for SCADA and DCS networks. ISA Trans. 46(4), 583–594 (2007)
E. Ronen, C. O’Flynn, A. Shamir, A.O. Weingarten, IoT goes nuclear: creating a zigbee chain reaction. IACR Cryptol. ePrint Arch. 2016, 1047 (2016)
E. Ronen, A. Shamir, Extended functionality attacks on IoT devices: the case of smart lights, in 2016 IEEE European Symposium on Security and Privacy (EuroS&P) (IEEE, 2016), pp. 3–12
R.S. Ross, NIST SP-800-39 Managing Information Security Risk–Organization, Mission, and Information System View. The National Institute of Standards and Technology (NIST), Gaithersburg (2011)
R.S. Ross, NIST SP-800-30rev1 Guide for conducting risk assessments. The National Institute of Standards and Technology (NIST), Gaithersburg (2012)
R.A. Sahner, K. Trivedi, A. Puliafito, Performance and Reliability Analysis of Computer Systems: An Example-based Approach Using the SHARPE Software Package (Springer Science & Business Media, 2012)
R. Santamarta, In flight hacking system (IOActive Research Labs) (2016), http://blog.ioactive.com/2016/12/in-flight-hacking-system.html
Z. Shelby, C. Bormann, 6LoWPAN: The Wireless Embedded Internet, vol. 43 (Wiley, 2011)
R. Spenneberg, M. Brüggemann, H. Schwartke, PLC-blaster: a worm living solely in the PLC, in Black Hat Asia, Marina Bay Sands, Singapore (2016)
I. Stellios, P. Kotzanikolaou, M. Psarakis, C. Alcaraz, J. Lopez, A survey of IoT-enabled cyberattacks: assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 20(4), 3453–3495 (2018)
TrapX Research, Labs: Anatomy of Attack: MEDJACK.2—Hospitals Under Siege. TrapX Investigative Report (2016)
Wikileaks: Vault 7: CIA Hacking Tools Revealed—CIA malware targets iPhone, Android, smart TVs (2017), https://wikileaks.org/ciav7p1/
C. Yan, X. Wenyuan, J. Liu, Can you trust autonomous vehicles: contactless attacks against sensors of self-driving vehicle, in DEF CON (2016)
S.E. Yusuf, M. Ge, J.B. Hong, H.K. Kim, P. Kim, D.S. Kim, Security modelling and analysis of dynamic enterprise networks, in 2016 IEEE International Conference on Computer and Information Technology (CIT) (IEEE, 2016), pp. 249–256
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Stellios, I., Kotzanikolaou, P., Psarakis, M., Alcaraz, C. (2021). Risk Assessment for IoT-Enabled Cyber-Physical Systems. In: Tsihrintzis, G., Virvou, M. (eds) Advances in Core Computer Science-Based Technologies. Learning and Analytics in Intelligent Systems, vol 14. Springer, Cham. https://doi.org/10.1007/978-3-030-41196-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-41196-1_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41195-4
Online ISBN: 978-3-030-41196-1
eBook Packages: EngineeringEngineering (R0)