67,618 research outputs found

    Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge

    The Internet of Things (IoT) triggers new types of cyber risks. Therefore, the integration of new IoT devices and services requires a self-assessment of IoT cyber security posture. By security posture this article refers to the cybersecurity strength of an organisation to predict, prevent and respond to cyberthreats. At present, there is a gap in the state of the art, because there are no self-assessment methods for quantifying IoT cyber risk posture. To address this gap, an empirical analysis is performed of 12 cyber risk assessment approaches. The results and the main findings from the analysis are presented as the current and a target risk state for IoT systems, followed by conclusions and recommendations on a transformation roadmap, describing how IoT systems can achieve the target state with a new goal-oriented dependency model. By target state, we refer to the cyber security target that matches the generic security requirements of an organisation. The research paper studies and adapts four alternatives for IoT risk assessment and identifies the goal-oriented dependency modelling as a dominant approach among the risk assessment models studied. The new goal-oriented dependency model in this article enables the assessment of uncontrollable risk states in complex IoT systems and can be used for a quantitative self-assessment of IoT cyber risk posture.

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mindsets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability.

    Security Management of Smart Home Internet-Of-Things: A Framework, Finite-State Attack Modeling, And Worst Attack Vulnerability Analysis

    Title from PDF of title page, viewed July 5, 2023. Dissertation advisor: Deep Medhi. Vita. Includes bibliographical references (pages 65-70). Dissertation (Ph.D.)--Department of Computer Science and Electrical Engineering. University of Missouri--Kansas City, 2023.

    Smart Home Internet of Things (SHIoT) provides a rich compendium of innovative, ubiquitous, and interactive services to users using a variety of smart sensors, devices and applications. However, owing to the strongly internet-facing, dynamic, heterogeneous and low-capability nature of these devices, and the existence of vulnerabilities in them, in their controlling applications and their configurations, there are security threats in SHIoT that affect the safe and secure functioning of these systems. Because of the complexity of the SHIoT system, it is difficult to effectively determine the security posture. We consider attack vulnerabilities and how to identify those vulnerabilities to prevent attacks from spreading for Smart Home Internet of Things (SHIoT). We then address the problem of assessing the worst vulnerability, that is, the one that has the potential to cause maximum damage, in the SHIoT. The resource-constrained nature of many of the IoT devices present in a smart home environment does not permit the implementation of standard security solutions. Therefore, the special-purpose SHIoT devices and their services with rich human interactions are more vulnerable to cyberattacks. To understand the vulnerability of the threat and attacker motive in the SHIoT environment, we introduce a graph-based framework for attacks in IoT security. In this framework, an attack graph is first represented through finite-state automata for three different SHIoT-based cyberattacks: a confidentiality attack, an authentication attack and an access control attack. We then present vulnerability analysis for different SHIoT-based attack graphs, followed by a fortification process to enhance the overall system security.

    For the problem on the worst path vulnerability in the attack graph for SHIoT, we needed to address the probabilistic nature of arcs of the attack graph. In particular, the attack path has a non-additive property. We showed how the problem can be transformed to an equivalent problem with an additive property so that a short path based approach can be applied to determine the worst path vulnerability. We also present an approach to iteratively fortify the environment to reduce impact from vulnerability. Finally, we apply the Common Vulnerability Scoring System (CVSS) to determine attack probabilities on arcs in the attack graph and present an analysis on representative attack graphs.

    Introduction -- Background -- Related work -- Overview of FSA-based Smart Home IoT attack model -- Attack modeling using finite state automata: a formal treatment for SHIoT -- SHIoT fortification process and vulnerability analysis -- Conclusion and future wor

    Methodology for Designing Decision Support Systems for Visualising and Mitigating Supply Chain Cyber Risk from IoT Technologies

    This paper proposes a methodology for designing decision support systems for visualising and mitigating the Internet of Things cyber risks. Digital technologies present new cyber risks in the supply chain which are often not visible to companies participating in the supply chains. This study investigates how the Internet of Things cyber risks can be visualised and mitigated in the process of designing business and supply chain strategies. The emerging DSS methodology presents new findings on how digital technologies affect business and supply chain systems. Through epistemological analysis, the article derives a decision support system for visualising supply chain cyber risk from Internet of Things digital technologies. Such methods do not exist at present and this represents the first attempt to devise a decision support system that would enable practitioners to develop a step-by-step process for visualising, assessing and mitigating the emerging cyber risk from IoT technologies on shared infrastructure in legacy supply chain systems.

    Data centric trust evaluation and prediction framework for IOT

    © 2017 ITU. Application of trust principles in the internet of things (IoT) has made it possible to provide more trustworthy services among the corresponding stakeholders. The most common method of assessing trust in IoT applications is to estimate the trust level of the end entities (entity-centric) relative to the trustor. In these systems, the trust level of the data is assumed to be the same as the trust level of the data source. However, most IoT-based systems are data centric and operate in dynamic environments, which need immediate actions without waiting for a trust report from end entities. We address this challenge by extending our previous proposals on trust establishment for entities based on their reputation, experience and knowledge, to trust estimation of data items [1-3]. First, we present a hybrid trust framework for evaluating both data trust and entity trust, which will be enhanced as a standardization for future data driven society. The modules including data trust metric extraction, data trust aggregation, evaluation and prediction are elaborated inside the proposed framework. Finally, a possible design model is described to implement the proposed ideas.