=Paper=
{{Paper
|id=Vol-2739/paper_1
|storemode=property
|title=Risk Assessment in IoT Case Study: Collaborative Robots System
|pdfUrl=https://ceur-ws.org/Vol-2739/paper_1.pdf
|volume=Vol-2739
|authors=Salim Chehida,Abdelhakim Baouya,Miquel Cantero,Paul-Emmanuel Brun,Guillemette Massot
|dblpUrl=https://dblp.org/rec/conf/sam-iot/ChehidaBCBM20
}}
==Risk Assessment in IoT Case Study: Collaborative Robots System==
https://ceur-ws.org/Vol-2739/paper_1.pdf
Risk Assessment in IoT
Case Study: Collaborative Robots System
Salim Chehida, Abdelhakim Baouya Paul-Emmanuel Brun, Guillemette Massot
University of Grenoble Alpes, CNRS, VERIMAG F-38000 Airbus CyberSecurity SAS
Grenoble, France Elancourt, France
{name.surname}@univ-grenoble-alpes.fr {name.surname}@airbus.com
Miquel Cantero
Robotnik Automation S.L.L
Valencia, Spain
mcantero@robotnik.es
Abstract—Security is one of the crucial challenges in the design ever, these methods are generic, and they do not consider the
and development of IoT applications. This paper presents an complexity and the dynamic of IoT systems.
approach that focuses on existing security standards to evaluate In this work, we present a new approach that considers
and analyse the potential risks faced by IoT systems. It begins by
identifying system assets and their associated vulnerabilities and existing methodologies and standards for risk assessment in
threats. A list of security objectives and technical requirements IoT systems. It starts by identifying the assets that should be
are then defined to mitigate the risks and build a secure and protected and evaluating the threats they face. Then, a list of
safe system. We use our approach to assess risks in the robotic security objectives and requirements are defined to defend the
system for supporting the movement of loads in a warehouse. system against potential threats. We apply our approach to the
Index Terms—Security Risk Assessment, IoT, Threats, Security
Requirements.
collaborative robots system. Our approach is different from
all the generic approaches mentioned above and presented in
Section II. It is dedicated to IoT systems and takes into account
I. I NTRODUCTION the relevant domain model and standards, as well as the need
for evolution of these systems.
Internet of Things (IoT) is a promising technology that This paper is organized as follows: Section II presents the
offers significant improvements to various domains such as main approaches and standards for security assessment. We
health, commerce, construction, buildings management, en- give an overview of our risk assessment approach in section
ergy, and transport. It reduces management costs, automates III, then we describe its different stages and apply them to
the monitoring of infrastructures and equipment, saves energy, our case study in sections IV to VI. Finally, we give our
and more. An IoT system consists of a network of smart conclusions in Section VII.
devices that collaborate with users to accomplish intelligent
services. It generally groups a large number of devices that II. S TATE OF THE ART
interact using multiple communication technologies and pro-
We first present the main security standards, then the
tocols.
existing methods for risk assessment.
In the last decade, IoT systems are increasingly susceptible
to various security issues, such as malicious access to services A. Security Standards
and network attacks. These problems have caused considerable
damage and affected the secrecy, integrity, and availability Security standards guide an organization in best security
of information. There are several surveys, such as [1]–[4], practices in order to enforce a common level of security by en-
that discuss vulnerabilities that can be exploited by attackers suring availability, integrity, and confidentiality requirements.
to damage IoT systems. Taking into account these risks and Many countries and organizations have established standards
their possible consequences constitute one of the principal for risk assessment and analysis. In this section, we briefly
challenges for the designer and developer of these systems. present the relevant common and IoT security standards.
Security Risk Assessment (SRA) is the process that aims (a) Common Standards
to identify the most critical threats and provide the required • ISO/IEC 27002 [10]: International standard that gives
measures to avoid these threats. It aims to mitigate the risks general guidance on the commonly accepted goals of
and build a secure system while covering its vulnerabilities. information security management. It describes general
Several SRA methodologies [5]–[9] have been proposed to principles structured around 36 security objectives and
evaluate risks and enforce a common level of security. How- 133 controls.
Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
3
� • AS/NZS 4360 [11]: The joint Australian/New Zealand – Y.2075 specifies the security capabilities of EHM
risk management standard that provides a generic (e-health monitoring) with IoT.
framework for identifying, analysing, evaluating, treat- – Y.4112/Y.2077 specifies the concept, purpose, and
ing, monitoring, and communicating risk. components of plug and play (PnP) capability of
• ISO/IEC 27005 [12]: International standard that pro- the IoT, including security-related requirements.
vides guidelines for managing information security – Y.4553 specifies the requirements of the smart-
risks in an organization. The standard describes the risk phone as a sink node for IoT applications, including
management process, which includes context establish- authentication and data protection capabilities.
ment, risk assessment, risk treatment, risk acceptance, – Y.4702 provides common requirements and ca-
risk communication, and risk monitoring and review. pabilities of device management (DM) in IoT,
• BS7799 (ISO17799) [13]: British Standard (Code including security management capabilities such
of Practice for Information Security Management), as security event detection and reporting, device
evolved into ISO17799 (The Information Security security assurance, and device security control.
Standard). It gives a basis guide for risk assessment • ISO/IEC standards: ISO/IEC 30128 [18] covers IoT
and information security management. security related to sensor network application interface.
• NIST SP 800-30 [14]: Special Publications Risk Man-
agement Guide for Information Technology Systems Among regional standards, ETSI (standards organization
standard that provides practitioners with practical guid- in the telecommunication industry in Europe) recently
ance for carrying out each of the three steps in the risk provided “ETSI TS103645” [19] (Cyber Security for
assessment process (i.e., prepare for the assessment, Consumer Internet of Thing) standard that gives security
conduct the assessment, and maintain the assessment). practices for consumer devices connected to the Internet.
It also discusses how organizational risk management
processes complement and inform each other. According to [17], most of the IoT security standards
• NIST SP 800-82 [15]: This standard guides on im- presented above are just specification-level standards and
proving security in Industrial Control Systems (ICS), a few of them are involved in availability and non-
including Supervisory Control and Data Acquisi- repudiation.
tion (SCADA) systems, Distributed Control Systems
(DCS), and other control system configurations such B. Risk Assessment Methods
as Programmable Logic Controllers (PLC).
• IEEE 1686 [16]: Standard for Intelligent Electronic EBIOS [9] is used for the assessment and treatment of
Devices Cyber Security Capabilities’ that defines func- risks associated with an Information System (IS). Its steps are:
tions and features to be provided in Intelligent Elec- definition of the context, identification and estimation of the
tronic Devices (IEDs). The document addresses access, security needs and eventual sources of threats, identification
operation, configuration, firmware revision, and data and analysis of threat scenarios, and finally specification
retrieval of an IED. of security objectives and measures to be implemented for
(b) IoT Security Standards risk treatment. The goal of the EBIOS method is to create
The authors in [17] analyse the existing regional and a common ground for security discussion between various
international standards for IoT security and indicate their stakeholders in order to support management-level decision-
limitations. Among international standards: making. One of the main strengths of the EBIOS approach is
1 its modularity; its knowledge bases can be tuned to comply
• ITU-T standards :
with local standards and best practices, and to include external
– Y.2060 provides reference models of IoT and shows repositories of attack methods, entities or vulnerabilities [20].
generic security capabilities on every layer. CRAMM [7] (CCTA Risk Analysis and Management
– Y.2063 covers the authorization of heterogeneous Method) is a qualitative risk assessment methodology that
devices of WoT. consists of the following steps: collection of data and definition
– Y.2066 defines common requirements of IoT and of objectives, identification and evaluation of system assets,
also security and privacy protection requirements threat and vulnerability assessment, and finally determining
related to all the IoT actors. countermeasures.
– Y.2067 covers gateway security mechanisms in-
AURUM [5] (Automated Risk and Utility Management)
cluding authentication, data encryption, privacy
supports the NIST SP 800-30 standard [14]. It consists of
protection, etc.
the following steps: identification of risks and their impacts,
– Y.2068 defines concepts of functional framework
implementation of adequate countermeasures, and evaluation
and capabilities of IoT, including service provision
of the impact of countermeasures.
security, security integration, security audit, etc.
CORAS [6] allows risk assessment, documentation of in-
termediate results, and presentation of conclusions. The main
1 https://www.itu.int/en/ITU-T/Pages/default.aspx steps of the methodology are: definition of security goals,
4
�description of threats, risk estimation by giving likelihood
values for identified unwanted incidents, and risk treatment.
MEHARI [8] (MEthod for Harmonized Analysis of RIsk)
aims to provide a risk management model compliant to ISO-
27005 [12]. The steps of MEHARI are: establishment of the
organization context, identification and classification of assets,
identification and analysis of risks, and finally quantification
and management of risks. MEHARI allows the analysis of the
security stakes and the preliminary classification of the IS en-
tities according to three basic security criteria (confidentiality,
integrity, and availability).
OCTAVE [21] (Operationally Critical Threat, Asset, and
Vulnerability Evaluation) method allows to define a risk-
based strategic assessment and planning technique for system
security. It is based on process broken into three phases
: development of initial security strategies, identification of
infrastructure vulnerabilities, and development of final security
strategy and plans.
IT-Grundschutz [22] provides methods, processes, proce-
dures, and measures to establish a system for information
security management. It describes a two-tier risk assessment:
one is designed for reaching a standard level of security, while
a second supplementary risk analysis can be undertaken by
companies that desire an approach customized to their specific
needs or sector or that have special security requirements. Fig. 1. IoT Risk Assessment Methodology.
IT-Grundschutz also provides lists of relevant threats and
required countermeasures that can be adapted to the needs
of an organization. Our approach is iterative, and security requirements can be
revised after the system assets have been refined. The results
III. A N OUTLINE OF OUR M ETHODOLOGY of each step should be checked with the customer.
In this work, we apply our method to the service robotics
Starting from standards and methods presented in the pre- system. As shown in Figure 2, our system consists of a fleet
vious section, we define the risk assessment methodology of robots installed in a warehouse to support the movement of
depicted in Figure 1. different loads.
Our method consists of four steps:
1) The first step identifies the assets based on the IoT domain
model.
2) The second step specifies threats on the assets based on
common threats database proposed by the risk assess-
ment methods presented in Section II. In this work, we
consider EBIOS database [9], which is compatible with
all relevant ISO standards and provides a complete list
of possible threats (42 threats) relative to information
systems. EBIOS threats database is widely used in risk
Fig. 2. Service Robotics System.
assessment. Some works like [23] have used it for risk
analysis of IoT systems.
3) In the third step, security objectives are derived from the The flow of these loads does not require any operator to
threats. In this step, we extract relevant objectives (13 command the fleet. Robots are expected to empty continuously
objectives) for IoT systems from ISO-27002 [10] that an “unload area” where different loads are put together. At
provides a set of generic security objectives supported by some point, the system needs to identify the different items
a set of controls that are an important part of information and then asks a specific robot to pick it and place it in a
security management. specific storage area following some predefined rules. It is also
4) In the last step, security requirements are built in order foreseen that in order to perform such activity, the system will
to implement the security objectives and provide coun- need to actuate IoT devices, for example, an automated door
termeasures of the identified threats. in the middle of the robot’s path to “storage areas”.
5
� IV. I DENTIFICATION OF ASSETS
ISO-27001 [24] defines an asset as “any tangible or intangi-
ble thing or characteristic that has value to an organization”.
In our approach, we refer to IoT domain model proposed by
[25] to facilitate the identification of the system assets. In this
model, the main concepts are: thing, device, user and resource.
As shown in Figure 3, Thing is the combination of PE
(Physical Entity) together with its digital representation VE
(Virtual Entity).
Fig. 4. IoT Devices.
Asset ID Asset Description
A1 Mobile Robot: Embedded Computer
Fig. 3. IoT Things.
A2 Mobile Robot: Motion Control (motor driver)
VE can be of both types: A3 Mobile Robot: Sensor 1, RGBD Camera
• Passive Digital Artefact (PDA): a digital representation
A4 Mobile Robot: Sensor 2, Lidar
of PE stored in a database or similar form.
A5 Mobile Robot: Sensor 3, Odometry
• Active Digital Artefact (ADA): any type of active code or
software program usually be some sort of software agent A6 Mobile Robot: Lift Mechanism
or embedded application. A7 Mobile Robot: Battery (LiFePo)
Device is a hardware with computing and network capabil- A8 Mobile Robot: Network (Card)
ities that allows to monitor or interact with PE. As shown in A9 System: User Computer
Figure 4, device can be:
A10 System: Network (Router and infrastructure)
• Sensor : allows to monitor PE.
• Actuator : allows to act on PE. A11 System: Mission Command (Outwards)
• Tag : allows to identify PE and can be read by sensors. A12 System: Robot State (Inwards)
User represents who interacts with PE physically or through A13 Door PLC
software interfaces. Users can either be humans or ADA. A14 PLC WiFi Gateway
Resource is software components that can provide infor-
A15 PLC: Opening order (Inwards)
mation about PE, allow the execution of actuation tasks, or
analyse data provided by multiple sensors. Resources may be A16 Operator HMI
hosted on a Device, or they could be hosted anywhere in the TABLE I
ROBOTS S YSTEM A SSETS .
network.
Table I presents examples of 16 assets identified in our case
study. The system includes different types of devices, such as
sensors (e.g., A3, A4, A5) and actuators (e.g., A13, A14, A15). the EBIOS knowledge bases, threats are classified into eight
V. I DENTIFICATION OF THREATS AND VULNERABILITIES main categories:
ISO-27001 [24] defines a threat as “a potential cause of an • Physical damage: T-1010 to T-1050.
unwanted incident, which may result in harm to a system or • Natural events : T-2010 to T-2050.
organization” and considers vulnerability as “weakness that • Loss of essential services : T-3010 to T-3030.
is related to the organizations’ assets, which sometimes could • Disturbance due to radiation : T-4010 to T-4030.
cause an unexpected incident”. • Compromise of information : T-5010 to T-5110.
As mentioned in Section III, our method considers a list of • Technical failures : T-6010 to T-6050.
generic threats from EBIOS database. In Table II taken from • Unauthorized actions : T-7010 to T-7050.
6
� ID Threats Description A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A14 A15 A16
T-1010 Fire X X X X X X X X X X X X
T-1020 Water damage X X X X X X X X X X X X
T-1030 Pollution X X X X X X X X X X X X
T-1040 Major Accident X X X X X X X X X X X X
T-1050 Destruction of equip- X X X X X X X X X X X X
ment or media
T-2010 Climatic X X X X X X X X X X X X
Phenomenon
T-2020 Seismic X X X X X X X X X X X X
Phenomenon
T-2030 Volcanic X X X X X X X X X X X X
Phenomenon
T-2040 Meteorological Phe- X X X X X X X X X X X X
nomenon
T-2050 Flood X X X X X X X X X X X X
T-3010 Failure of air- X X X X
conditioning
T-3020 Loss of power sup- X X X X X X X X X X X X
ply
T-3030 Failure of X X X X X X X X
telecommunication
equipment
T-4010 Electromagnetic ra- X X X X X X X
diation
T-4020 thermal radiation X X X X X X X X X X X X
T-4030 Electromagnetic X X X X X X X X X X X X
pulses
T-5010 Interception of X X X X X X
compromising
interference signals
T-5020 remote spying X X
T-5030 eavesdropping X X X X X X X
T-5040 Theft of media or X X
documents
T-5050 Theft of Equipment X X X X X X X X X X X X
T-5060 Retrieval or recycled X
or discarded media
T-5070 disclosure X
T-5080 data from untrust- X X X
worthy sources
T-5090 Tampering with X X X X X X X X X X X X
hardware
T-5100 Tampering with soft- X X X X X X X X
ware
T-5110 Position detection X X
T-6010 Equipment failure X X X X X X X X X X X X
T-6020 Equipment malfunc- X X X X X X X X X X X X
tion
T-6030 Saturation of the in- X X X
formation system
T-6040 Software X X X
malfunction
T-6050 Breach of informa- X X X X
tion system main-
tainability
T-7010 Unauthorised use or X X X
equipment
T-7020 Fraudulent copying X X X X
of software
T-7030 use of counterfeit or X X X X
copied software
T-7040 corruption of data X X X X X X X
T-7050 Illegal processing of X X X X X X X X
data
T-8010 Error in use X X X X X X X
T-8020 Abuse of rights X X X X X X X
T-8030 Forging of rights X X X X X X X
T-8040 Denial of actions X X X X
T-8050 Breach of personnel X X X X
availability
TABLE II
T HREAT-A SSET M ATRIX .
7
�• Compromise of functions :T-8010 to T-8050. presented in Table I.
The threat factors can be divided into two categories:
• Environment factors such as earthquakes or floods, cannot
VI. S PECIFICATION OF SECURITY OBJECTIVES AND
REQUIREMENTS
be avoided. The risk manager should always consider
environment threats according to their operating environ- In this step, we based on ISO-27002 [10] generic list
ment, even if it is difficult to consider them. to specify security objectives needed to protect the system
• Human factors, which are more of our concern because assets against the identified threats. We also map each security
they are vagrant regarding different people and different objective with the threat list. Table III gives an example
situations, and it is more difficult to predict human behav- of security objectives that cover the most potential threats
ior than regular natural disasters. We distinguish persons presented in the previous step.
who belong to the organization like different users of the After the specification of security objectives, we define
system and persons from outside the organization such security requirements. In Table IV, each security objective
as recipient, provider, and competitor. from Table III leads to the implementation of one or more
In Table II, we show the threats associated to each asset technical requirements.
ID Security Objective Security Objective Description Threats
O1010 Protection Against Malicious Prevent and detect the allocation of any malicious code, as well T-50xx
Code as connections of any unprivileged user to the robot network
T-10XX
O1020 Backup The data from the initial robot setup and the robot firmware
require regular backup T-20XX
T-5030
T-5090
O1030 Network Security Protect the information and communication in network from a T-7010
Management client to robot. Sending REST Command once authenticated in T-7020
the same network can modify the operations T-7040
T-5070
O1040 Exchange of information Secure the interaction between the platform and robot system
T-5080
T-5030
T-5040
O1050 Monitoring Logs and robot system state shall be secured to prevent a bad T-60xx
usage (i.e. a door opened) T-70xx
T-80xx
T-7010
T-7020
O2010 User Access Management Authentication and authorization of the robot and any user or T-7040
system accessing the robot T-8020
T-8030
T-6030
O2020 Network Access Control Prevent unauthorized use of robot network services
T-70xx
T-8020
O2030 Operating System Access Rely on the access control mechanism offered by Ubuntu T-8030
Control T-8040
O3010 Correct processing in applica- Check any command received by the robot and the processing T-60xx
tions status of the robot. No robot shall accept commands out of reach
by itself
T-8020
O3020 Cryptographic controls Protect the sensible information in the robot network and also the
authentication operations of the users or systems accessing the T-8030
robot
O3030 Security of system files Rely on the security mechanisms and limitation rules offered by T-8020
Ubuntu to protect the system files
T-6040
T-6050
O3040 Security in Development and Control of information flow and integrity in robot systems
support process T-8040
T-8050
T-6020
O3050 Technical vulnerability man- Detect and deal with the technical vulnerabilities to reduce the
agement risks such as physical interfacing of robots. T-6040
TABLE III
S ECURITY O BJECTIVES OF S ERVICE ROBOTICS S YSTEM
8
� Objective ID Requirement ID Requirements Description
R-1010-0010 REST API must detect malformed commands
R-1010-0020 Access to the REST API must be authenticated
O-1010
R-1010-0030 Robot firewall should block all the connection except SSH
R-1010-0040 SSH connection should be restricted to unprivileged users
O-1020 R-1020-0010 Robot firmware should be stored in a non-erasable memory
R-1030-0010 Network access must require authentication
O-1030
R-1030-0020 Network communication from a client with a robot must be authenticated and
encrypted
O-1040 R-1040-0010 Communication from platform to robot must be authenticated and encrypted (e.g:
using protocol like TLS1.2 minimum)
O-1050 R-1050-0010 Access to log information must be limited to authorized person only
R-2010-0010 System account management (right, password, creation, deletion, ...) should be
O-2010 done in a central application (to avoid account / password duplication and error in
duplicated right management system)
R-2010-0020 User (or technical account) password should be at least 12 characters, with at least
one upper case, lower case, number and special character)
O-2020 R-2020-0010 Network equipment should implement network access control (e.g: 802.1.X)
R-2030-0010 Sudo account should be blocked
O-2030
R-2030-0020 Sudoers rules should be set up according to the system privileged action to perform
R-3010-0010 Commands received by the robot should be parsed and checked using whitelist
O-3010 approach
R-3010-0020 The robot should monitor its processing status (to avoid overprocessing)
R-3020-0010 Authentication operation should be performed using cryptographic signature (at
O-3020 least SHA256 combined with RSA or ECC algorithms)
R-3020-0020 Operating system integrity should be guarantee using cryptographic proof (signa-
ture) securely stored (e.g: TPM)
R-3030-0010 File systems access must be limited to authenticated and allowed users (or technical
O-3030 account)
R-3030-0020 File systems should be encrypted
R-3040-0010 Source code and binaries should be signed to ensure their integrity
O-3040
R-3040-0020 Binaries compilation should be done using hardening arguments (memory random-
ization, . . . )
R-3050-0010 Software vulnerability should be managed
O-3050
R-3050-0020 Outdated packaged should be upgradable
TABLE IV
S ECURITY R EQUIREMENTS OF S ERVICE ROBOTICS S YSTEM
VII. C ONCLUSION security objectives extracted from a common database. All the
steps of our approach was understandable and easy to follow
In this paper, we have tackled the highly vast subject of IoT
by the case study owners and several threats related to the
systems security while concentrating on risk assessment. The
target infrastructure not previously considered were discovered
proposed approach provides several advantages, including:
in this study.
• It considers IoT domain model to identify all system
assets. In the analysis performed in this paper, we have taken
• It follows relevant security standards to define security into account all system assets and a complete list of possible
requirements. threats taken from the standards, which allows us to identify all
• It is an iterative approach and responds to the need for potential risks and the requirements needed to mitigate those
evolution of IoT systems. risks.
We have applied this methodology to a robotic system that After the specification of security requirements, appropriate
supports the movement of loads in the warehouse. We started countermeasures can be deployed to protect the system against
by identifying the critical assets and the potential threats the identified risks. There are also approaches such as [26] that
that might compromise them. Then, we defined the technical helps security experts to determinate impactful and adequate
requirements considering the identified threats and a list of countermeasures considering organization defense budget.
9
� In future work, we plan to apply our method to other [20] European Network and Information Security Agency, Inventory of
systems. We also plan to support our approach with a tool risk management/ risk assessment methods, 2013. [Online]. Avail-
able: https://www.enisa.europa.eu/topics/threat-risk-management/risk-
that automates the various analysis activities. management/current-risk/risk-management-inventory/rm-ra-methods
[21] C. J. Alberts, S. G. Behrens, R. D. Pethia, and W. R. Wilson, “Opera-
ACKNOWLEDGMENT tionally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Framework, Version 1.0,” 6 1999.
The research leading to these results has received funding [22] Federal Office for Information Security . (2005) IT Grundschutz.
[Online]. Available: http://www.bsi.de/gshb/
from the European Union through the BRAIN-IoT project [23] B. F. Zahra and B. Abdelhamid, “Risk analysis in Internet of things
H2020-EU.2.1.1. Grant agreement ID: 780089. using EBIOS,” in 2017 IEEE 7th Annual Computing and Communication
Workshop and Conference (CCWC). IEEE, 2017, pp. 1–7.
[24] ISO/IEC 27001:2013. (2013) Information technology — Security tech-
R EFERENCES niques — Information security management systems — Requirements.
[Online]. Available: https://www.iso.org/standard/54534.html
[1] S. Sicari, A. Rizzardi, L. Grieco, and A. Coen-Porisini, “Security, [25] S. Haller, A. Serbanati, M. Bauer, and F. Carrez, “A Domain Model
privacy and trust in Internet of Things: The road ahead,” Computer for the Internet of Things,” in 2013 IEEE International Conference on
Networks, vol. 76, pp. 146–164, Jan. 2015. Green Computing and Communications and IEEE Internet of Things
[2] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, and W. Zhao, “A Survey and IEEE Cyber, Physical and Social Computing, 2013, pp. 411–417.
on Internet of Things: Architecture, Enabling Technologies, Security [26] S. Chehida, A. Baouya, M. Bozga, and S. Bensalem, “Exploration of
and Privacy, and Applications,” IEEE Internet of Things Journal, vol. 4, impactful countermeasures on iot attacks,” in 2020 9th Mediterranean
no. 5, pp. 1125–1142, Oct. 2017. Conference on Embedded Computing (MECO), 2020.
[3] J. Sengupta, S. Ruj, and S. Das Bit, “A Comprehensive Survey on
Attacks, Security Issues and Blockchain Solutions for IoT and IIoT,”
Journal of Network and Computer Applications, vol. 149, p. 102481,
Jan. 2020.
[4] P. I. Radoglou Grammatikis, P. G. Sarigiannidis, and I. D. Moscholios,
“Securing the Internet of Things: Challenges, threats and solutions,”
Internet of Things, vol. 5, pp. 41–70, Mar. 2019.
[5] A. Ekelhart, S. Fenz, and T. Neubauer, “Aurum: A framework for infor-
mation security risk management,” in 2009 42nd Hawaii International
Conference on System Sciences, 2009, pp. 1–10.
[6] F. den Braber, I. Hogganvik, M. S. Lund, K. Stølen, and F. Vraalsen,
“Model-based security analysis in seven steps — a guided tour to the
CORAS method,” BT Technology Journal, vol. 25, no. 1, pp. 101–117,
Jan. 2007. [Online]. Available: http://link.springer.com/10.1007/s10550-
007-0013-9
[7] Z. Yazar, “A qualitative risk analysis and management tool–CRAMM,”
SANS InfoSec Reading Room White Paper, vol. 11, pp. 12–32, 2002.
[8] “MEHARI: MEthod for Harmonized Analysis of RIsk,” 2010. [Online].
Available: https://en.wikipedia.org/wiki/MEHARI
[9] The National Cybersecurity Agency of France (ANSSI), EBIOS
2010 - Expression of Needs and Identifiation of Security objectives.,
2010. [Online]. Available: https://www.ssi.gouv.fr/guide/ebios-2010-
expression-des-besoins-et-identification-des-objectifs-de-securite/
[10] ISO/IEC 27002:2013. (2013) Information technology — Security
techniques — Code of practice for information security controls.
[Online]. Available: https://www.iso.org/standard/54533.html
[11] AS/NZS 4360-2004. (2004) Risk management. [On-
line]. Available: https://www.standards.org.au/standards-catalogue/sa-
snz/publicsafety/ob-007/as-slash-nzs–4360-2004
[12] ISO/IEC 27005:2011. (2011) Information technology — Security
techniques — Information security risk management. [Online].
Available: https://www.iso.org/standard/56742.html
[13] ISO/IEC 17799:2005. (2005) Information technology — Security
techniques — Code of practice for information security management.
[Online]. Available: https://www.iso.org/standard/39612.html
[14] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide
for information technology systems,” Nist special publication, vol. 800,
no. 30, pp. 800–30, 2002.
[15] K. Stouffer, J. Falco, and K. Scarfone, “Nist special publication 800-
82, guide to industrial control systems (ics) security,” NIST Special
Publication, pp. 800–882, 01 2011.
[16] IEEE 1686. (2013) IEEE Standard for Intelligent Electronic
Devices Cyber Security Capabilities. [Online]. Available:
https://standards.ieee.org/standard/1686-2013.html
[17] I. Hwang and Y. Kim, “Analysis of Security Standardization for the
Internet of Things,” in 2017 International Conference on Platform
Technology and Service (PlatCon), 2017, pp. 1–6.
[18] ISO/IEC 30128:2014. (2014) Information technology — Sensor
networks — Generic Sensor Network Application Interface . [Online].
Available: https://www.iso.org/standard/53248.html
[19] ETSI TS 103 645. (2019) Cyber Security for Consumer Internet of
Things .
10
�