Research article (Open Access)

A Survey of Cybersecurity Certification for the Internet of Things

Published: 06 December 2020

Abstract

In recent years, cybersecurity certification has been gaining momentum as the baseline for a structured approach to mitigating cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, whose goal is to make the IoT more secure for end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the challenges in making them applicable to the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the processes on which a cybersecurity certification framework is built. Our work provides a multidisciplinary perspective on a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, which are analyzed against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification in order to facilitate the definition of a framework that fits emerging scenarios, such as the IoT paradigm.


  114. Florian Lugou, Ludovic Apvrille, and Aurélien Francillon. 2016. Toward a methodology for unified verification of hardware/software co-designs. J. Cryptog. Eng. (Nov. 2016), 1--12. DOI:https://doi.org/10.1007/s13389-016-0145-2Google ScholarGoogle Scholar
  115. Imran Makhdoom, Mehran Abolhasan, Justin Lipman, Ren Ping Liu, and Wei Ni. 2018. Anatomy of threats to the Internet of Things. IEEE Commun. Surv. Tutor. (2018), 1--1. DOI:https://doi.org/10.1109/COMST.2018.2874978Google ScholarGoogle Scholar
  116. Mark Miller. 2018. D3.2 European cybersecurity and privacy Research and Innovation Ecosystem. Retrieved from https://www.cyberwatching.eu/sites/default/files/D3.2_European_cybersecurity_and_privacy_Research_%26Innovation_Ecosystem.pdf.Google ScholarGoogle Scholar
  117. S. N. Matheu, J. L. Hernandez-Ramos, and A. F. Skarmeta. 2019. Toward a cybersecurity certification framework for the Internet of Things. IEEE Secur. Priv. 17, 3 (May 2019), 66--76. DOI:https://doi.org/10/gf256zGoogle ScholarGoogle ScholarCross RefCross Ref
  118. Sara N. Matheu-Garcia, Jose L. Hernandez-Ramos, and Antonio F. Skarmeta. 2018. Test-based risk assessment and security certification proposal for the Internet of Things. In Proceedings of the IEEE 4th World Forum on Internet of Things (WF-IoT’18). IEEE, 641--646. DOI:https://doi.org/10.1109/WF-IoT.2018.8355193Google ScholarGoogle Scholar
  119. Sara N. Matheu-Garcia, Jose L. Hernandez-Ramos, Antonio F. Skarmeta, and Gianmarco Baldini. 2019. Risk-based automated assessment and testing for the cybersecurity certification and labelling of IoT devices. Comput. Stand. Interf. 62 (Feb. 2019), 64--83. DOI:https://doi.org/10.1016/j.csi.2018.08.003Google ScholarGoogle Scholar
  120. David Maynor. 2011. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Elsevier. Google-Books-ID: JWgNVFtbWJ4C. Retrieved from https://www.elsevier.com/books/metasploit-toolkit-for-penetration-testing-exploit-development-and-vulnerability-research/maynor/978-1-59749-074-0.Google ScholarGoogle Scholar
  121. G. Mcgraw. 2004. Software security. IEEE Secur. Priv. Mag. 2, 2 (Mar. 2004), 80--83. DOI:https://doi.org/10.1109/MSECP.2004.1281254Google ScholarGoogle Scholar
  122. Kais Mekki, Eddy Bajic, Frederic Chaxel, and Fernand Meyer. 2019. A comparative study of LPWAN technologies for large-scale IoT deployment. ICT Express 5, 1 (Mar. 2019), 1--7. DOI:https://doi.org/10/gfsc2nGoogle ScholarGoogle ScholarCross RefCross Ref
  123. Bruno Melo, Paulo Licio Geus, and Andre A. Gregio. 2017. Robustness testing of CoAP server-side implementations through black-box fuzzing techniques. In Proceedings of the Brazilian Symposium on Information Security and Computer Systems. 533--540. Retrieved from https://pdfs.semanticscholar.org/487b/7a45bc5962fd2cdf65da2caa05fcaef64591.pdf.Google ScholarGoogle Scholar
  124. Microsoft. 2018. The STRIDE Threat Model. Retrieved from https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx.Google ScholarGoogle Scholar
  125. Microsoft. 2010. DREAD scheme. Retrieved from https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)#dread.Google ScholarGoogle Scholar
  126. Charlie Miller and Zachary Peterson. 2007. Analysis of mutation and generation-based fuzzing. Retrieved from http://mirror.picosecond.org/defcon/defcon15-cd/Speakers/Miller/Whitepaper/dc-15-miller-WP.pdf.Google ScholarGoogle Scholar
  127. MITRE. 2011. Common Weakness Risk Analysis Framework (CWRAF). Retrieved from https://cwe.mitre.org/cwraf/.Google ScholarGoogle Scholar
  128. MITRE. 2014. CWE—Common Weakness Scoring System (CWSS). Retrieved from https://cwe.mitre.org/cwss/cwss_v1.0.1.html.Google ScholarGoogle Scholar
  129. Robert Montante. 2018. Using Scapy in teaching network header formats: Programming network headers for non-programmers (abstract only). In Proceedings of the 49th ACM Technical Symposium on Computer Science Education (SIGCSE’18). ACM, New York, NY, 1106--1106. DOI:https://doi.org/10.1145/3159450.3162228Google ScholarGoogle ScholarDigital LibraryDigital Library
  130. K. Moore, R. Barnes, and H. Tschofenig. 2016. Best Current Practices for Securing Internet of Things (IoT) Devices. Retrieved from https://tools.ietf.org/html/draft-moore-iot-security-bcp-00.Google ScholarGoogle Scholar
  131. Geoff Mulligan. 2007. The 6LoWPAN architecture. In Proceedings of the 4th Workshop on Embedded Networked Sensors (EmNets’07). ACM, New York, NY, 78--82. DOI:https://doi.org/10.1145/1278972.1278992Google ScholarGoogle ScholarDigital LibraryDigital Library
  132. Tewodros Legesse Munea, I. Luk Kim, and Taeshik Shon. 2017. Design and implementation of fuzzing framework based on IoT applications. Wirel. Person. Commun. 93, 2 (Mar. 2017), 365--382. DOI:https://doi.org/10.1007/s11277-016-3322-9Google ScholarGoogle Scholar
  133. Steven Murdoch, Mike Bond, and Ross J. Anderson. 2012. How certification systems fail: Lessons from the ware report. IEEE Secur. Priv. Mag. 10, 6 (2012), 1--1. DOI:https://doi.org/10.1109/MSP.2012.89Google ScholarGoogle Scholar
  134. National Cybersecurity Center of United Kingdom. 2017. Foundation Grade explained. Retrieved from https://www.ncsc.gov.uk/articles/foundation-grade-explained.Google ScholarGoogle Scholar
  135. National Cybersecurity Center (UK). 2016. CPA SC Overwriting Tools for Magnetic Media v2-1. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/CPA%20SC%20Overwriting%20Tools%20for%20Magnetic%20Media%20v2-1.pdf.Google ScholarGoogle Scholar
  136. National Cybersecurity Centre (UK). 2016. Process for performing commercial product assurance foundation grade evaluations. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/Process%20for%20Performing%20CPA%20Foundation%20Grade%20Evaluations%202-4.pdf.Google ScholarGoogle Scholar
  137. NCC Group. 2016. Commercial Product Assurance and Common Criteria. Retrieved from https://www.nccgroup.trust/uk/our-services/cyber-security/compliance-and-accreditations/cpa-and-cc/.Google ScholarGoogle Scholar
  138. NCC Group. 2007. CERT C Programming Language Secure Coding Standard. Retrieved from http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1255.pdf.Google ScholarGoogle Scholar
  139. NCC Group. 2016. Threat prioritisation: DREAD is dead, baby?Retrieved from https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/march/threat-prioritisation-dread-is-dead-baby/.Google ScholarGoogle Scholar
  140. Ricardo Neisse, Gianmarco Baldini, Gary Steri, Abbas Ahmad, Elizabeta Fourneret, and Bruno Legeard. 2017. Improving Internet of Things device certification with policy-based management. In Proceedings of the Global Internet of Things Summit (GIoTS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/GIOTS.2017.8016273Google ScholarGoogle ScholarCross RefCross Ref
  141. Ricardo Neisse, Gary Steri, Igor Nai Fovino, and Gianmarco Baldini. 2015. SecKit—A model-based security toolkit for the Internet of Things. Comput. Secur. 54 (Oct. 2015), 60--76. DOI:https://doi.org/10.1016/j.cose.2015.06.002Google ScholarGoogle Scholar
  142. NIST. 2019. Glossary of Key Information Security Terms. Retrieved from https://www.nist.gov/publications/glossary-key-information-security-terms-2.Google ScholarGoogle Scholar
  143. NIST. 2006. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. Retrieved from https://csrc.nist.gov/publications/detail/fips/200/final.Google ScholarGoogle Scholar
  144. NIST. 2014. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.Google ScholarGoogle Scholar
  145. NIST. 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Technical Report. National Institute of Standards and Technology. https://doi.org/10.6028%2Fnist.cswp.04162018Google ScholarGoogle Scholar
  146. NIST. 2018. Risk Management Framework for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-fpd.pdf.Google ScholarGoogle Scholar
  147. Jason R. C. Nurse, Sadie Creese, and David De Roure. 2017. Security risk assessment in Internet of Things systems. IEEE Computer Society, IT Pro (2017).Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Ruth Motunrayo Ogunnaike. 2017. Vulnerability Detection and Resolution in Internet of Things (IoT) Devices. Master Thesis. University of Washington.Google ScholarGoogle Scholar
  149. Adebayo Omotosho, Benjamin Ayemlo Haruna, and Olayemi Mikail Olaniyi. 2019. Threat modeling of Internet of Things health devices. J. Appl. Secur. Res. 14, 1 (Jan. 2019), 106--121. DOI:https://doi.org/10.1080/19361610.2019.1545278Google ScholarGoogle Scholar
  150. Online Trust Alliance. 2017. IoT Security 8 Privacy Trust Framework v2.5. Retrieved from https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf.Google ScholarGoogle Scholar
  151. Openstack. 2014. Security/OSSA-Metrics. Retrieved from https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration.Google ScholarGoogle Scholar
  152. OWASP. [n.d.]. OWASP Application Security Verification Standard (ASVS) Project. Retrieved from https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.Google ScholarGoogle Scholar
  153. Euopean Parliament. 2019. Regulation (EU) 2019/881 of the European Parliament and of the council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019R08818from=EN.Google ScholarGoogle Scholar
  154. J. M. Porup. 2016. Underwriters Labs refuses to share new IoT cybersecurity standard. Retrieved from https://arstechnica.com/information-technology/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/.Google ScholarGoogle Scholar
  155. Yanzhen Qu and Philip Chan. 2016. Assessing vulnerabilities in Bluetooth low energy (BLE) wireless network based IoT systems. In Proceedings of the IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS). IEEE, New York, NY, 42--48. DOI:https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2016.63Google ScholarGoogle Scholar
  156. Petar Radanliev, David C. De Roure, Jason R. C. Nurse, Rafael Mantilla Montalvo, and Peter Burnap. 2019. Standardisation of cyber risk impact assessment for the Internet of Things (IoT). (2019), 50. Retrieved from https://www.preprints.org/manuscript/201903.0109/v2.Google ScholarGoogle Scholar
  157. RASEN project. 2015. D3.2.3. Techniques for Compositional Test-Based Security Risk Assessment v.3. Retrieved from http://www.rasenproject.eu/downloads/985/.Google ScholarGoogle Scholar
  158. Vinay Sachidananda, Shachar Siboni, Asaf Shabtai, Jinghui Toh, Suhas Bhairav, and Yuval Elovici. 2017. Let the cat out of the bag: A holistic approach towards security analysis of the Internet of Things. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS’17). ACM Press, 3--10. DOI:https://doi.org/10.1145/3055245.3055251Google ScholarGoogle ScholarDigital LibraryDigital Library
  159. Hunor Sandor and Gheorghe Sebestyen-Pal. 2017. Optimal security design in the Internet of Things. In Proceedings of the 5th International Symposium on Digital Forensic and Security (ISDFS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/ISDFS.2017.7916496Google ScholarGoogle ScholarCross RefCross Ref
  160. Martin Schneider, Jurgen Grossmann, Ina Schieferdecker, and Andrej Pietschker. 2013. Online model-based behavioral fuzzing. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 469--475. DOI:https://doi.org/10.1109/ICSTW.2013.61Google ScholarGoogle ScholarDigital LibraryDigital Library
  161. Robert C. Seacord. 2014. CERT C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems. Addison-Wesley Professional, Upper Saddle River, NJ.Google ScholarGoogle Scholar
  162. SEI CERT. 2016. Coding Standards. Retrieved from https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards.Google ScholarGoogle Scholar
  163. SEI CERT. [n.d.]. SEI CERT Perl Coding Standard. Retrieved from https://wiki.sei.cmu.edu/confluence/display/perl.Google ScholarGoogle Scholar
  164. Alireza Shameli-Sendi, Rouzbeh Aghababaei-Barzegar, and Mohamed Cheriet. 2016. Taxonomy of information security risk assessment (ISRA). Comput. Secur. 57 (Mar. 2016), 14--30. DOI:https://doi.org/10.1016/j.cose.2015.11.001Google ScholarGoogle Scholar
  165. Z. Shelby, K. Hartke, and C. Bormann. 2014. The Constrained Application Protocol (CoAP) (RFC7252). Retrieved from https://tools.ietf.org/html/rfc7252.Google ScholarGoogle Scholar
  166. V. L. Shivraj, M. A. Rajan, and P. Balamuralidhar. 2017. A graph theory based generic risk assessment framework for internet of things (IoT). In Proceedings of the IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/ANTS.2017.8384121Google ScholarGoogle Scholar
  167. Sabrina Sicari, Alessandra Rizzardi, Daniele Miorandi, and Alberto Coen-Porisini. 2018. A risk assessment methodology for the Internet of Things. Comput. Commun. 129 (Sept. 2018), 67--79. DOI:https://doi.org/10.1016/j.comcom.2018.07.024Google ScholarGoogle Scholar
  168. Saijda Sorsa. 2018. Protocol Fuzz Testing as a Part of Secure Software Development Life Cycle. Ph.D. Dissertation. Tampere University of Technology. Retrieved from https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/25667/Sorsa.pdf?sequence=3.Google ScholarGoogle Scholar
  169. International Organization for Standardization. 2018. ISO/IEC 31000 - Risk Management. IEC. Retrieved from https://www.iso.org/iso-31000-risk-management.html.Google ScholarGoogle Scholar
  170. Bernard Stepien and Liam Peyton. 2014. Innovation and evolution in integrated web application testing with TTCN-3. Int. J. Softw. Tools Technol. Transf. 16, 3 (June 2014), 269--283. DOI:https://doi.org/10.1007/s10009-013-0278-xGoogle ScholarGoogle ScholarDigital LibraryDigital Library
  171. Michael Sutton, Adam Greene, and Pedram Aminir. 2007. Fuzzing—Brute force vulnerability discovery. Addison-Wesley Professional, 1--51.Google ScholarGoogle Scholar
  172. Farid Molazem Tabrizi and Karthik Pattabiraman. 2016. Formal security analysis of smart embedded systems. In Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC’16). ACM Press, 1--15. DOI:https://doi.org/10.1145/2991079.2991085Google ScholarGoogle ScholarDigital LibraryDigital Library
  173. Martin Tappler, Bernhard K. Aichernig, and Roderick Bloem. 2017. Model-based testing IoT communication via active automata learning. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST’17). 276--287. DOI:https://doi.org/10.1109/ICST.2017.32Google ScholarGoogle ScholarCross RefCross Ref
  174. Emmeline Taylor and Katina Michael. 2016. Smart toys that are the stuff of nightmares. IEEE Technol. Soc. Mag. 35, 1 (Mar. 2016), 8--10. DOI:https://doi.org/10.1109/MTS.2016.2527078Google ScholarGoogle ScholarCross RefCross Ref
  175. Ralf Tonjes, Eike Steffen Reetz, Klaus Moessner, and Payam Barnaghi. 2012. A test-driven approach for life cycle management of Internet of Things enabled services. In Proceedings of the Future Network and Mobile Summit. Retrieved from http://info.ee.surrey.ac.uk/Personal/P.Barnaghi/doc/IoTest-Paper.pdf.Google ScholarGoogle Scholar
  176. Petar Tsankov, Mohammad Torabi Dashti, and David Basin. 2012. SECFUZZ—Fuzz-testing security protocols. In Proceedings of the 7th International Workshop on Automation of Software Test (AST’12). IEEE, 1--7. DOI:https://doi.org/10.1109/IWAST.2012.6228985Google ScholarGoogle ScholarCross RefCross Ref
  177. Underwriters Laboratories. 2017. UL 2900 Standards Process. Retrieved from https://industries.ul.com/cybersecurity/ul-2900-standards-process.Google ScholarGoogle Scholar
  178. Underwriters Laboratories (UL). 2017. Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems. Retrieved from https://standardscatalog.ul.com/standards/en/standard_2900-2-1.Google ScholarGoogle Scholar
  179. Margus Valja, Matus Korman, and Robert Lagerstrom. 2017. A study on software vulnerabilities and weaknesses of embedded systems in power networks. In Proceedings of the 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG’17). ACM Press, 47--52. DOI:https://doi.org/10.1145/3055386.3055397Google ScholarGoogle ScholarDigital LibraryDigital Library
  180. VERACODE. 2006. VerAfied Methodology. Retrieved from https://help.veracode.com/reader/kJC1iOtXp8N rCtV8P9jhw/UQa oUCwYhluVREDo4480g.Google ScholarGoogle Scholar
  181. Alexandre Vernotte. 2013. Research questions for model-based vulnerability testing of web applications. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation. IEEE, 505--506. DOI:https://doi.org/10.1109/ICST.2013.82Google ScholarGoogle ScholarDigital LibraryDigital Library
  182. Vasaka Visoottiviseth, Phuripat Akarasiriwong, Siravitch Chaiyasart, and Siravit Chotivatunyu. 2017. PENTOS—Penetration testing tool for Internet of Thing devices. In Proceedings of the IEEE Region 10 Conference (TENCON’17). 2279--2284. DOI:https://doi.org/10.1109/TENCON.2017.8228241Google ScholarGoogle ScholarCross RefCross Ref
  183. Jeffrey Voas and Phillip A. Laplante. 2018. IoT’s certification quagmire. (Apr. 2018). DOI:https://doi.org/10.1109/MC.2018.2141036Google ScholarGoogle Scholar
  184. Dong Wang, Xiaosong Zhang, Ting Chen, and Jingwei Li. 2019. Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface. DOI:https://doi.org/10.1155/2019/5076324Google ScholarGoogle Scholar
  185. Huan Wang, Zhanfang Chen, Jianping Zhao, Xiaoqiang Di, and Dan Liu. 2018. A vulnerability assessment method in industrial Internet of Things based on attack graph and maximum flow. IEEE Access 6 (2018), 8599--8609. DOI:https://doi.org/10.1109/ACCESS.2018.2805690Google ScholarGoogle ScholarCross RefCross Ref
  186. Zhongru Wang, Yuntao Zhang, Zhihong Tian, Qiang Ruan, Tong Liu, Haichen Wang, Zhehui Liu, Jiayi Lin, Binxing Fang, and Wei Shi. 2019. Automated vulnerability discovery and exploitation in the Internet of Things. Sensors 19, 15 (July 2019). DOI:https://doi.org/10.3390/s19153362Google ScholarGoogle Scholar
  187. Weibull. 2004. Basic concepts of FMEA and FMECA. ([n.d.]). Retrieved from http://www.weibull.com/hotwire/issue46/relbasics46.htm.Google ScholarGoogle Scholar
  188. Chanoksuda Wongvises, Assadarat Khurat, Doudou Fall, and Shigeru Kashihara. 2017. Fault tree analysis-based risk quantification of smart homes. In Proceedings of the 2nd International Conference on Information Technology (INCIT’17). IEEE, 1--6. DOI:https://doi.org/10.1109/INCIT.2017.8257865Google ScholarGoogle ScholarCross RefCross Ref
  189. Tianshui Wu and Gang Zhao. 2014. A novel risk assessment model for privacy security in Internet of Things. Wuhan Univ. J. Nat. Sci. 19, 5 (Oct. 2014), 398--404. DOI:https://doi.org/10.1007/s11859-014-1031-3Google ScholarGoogle ScholarCross RefCross Ref
  190. Dianxiang Xu, Manghui Tu, Michael Sanford, Lijo Thomas, Daniel Woodraska, and Weifeng Xu. 2012. Automated security test generation with formal threat models. IEEE Trans. Depend. Sec. Comput. 9, 4 (July 2012), 526--540. DOI:https://doi.org/10.1109/TDSC.2012.24Google ScholarGoogle ScholarDigital LibraryDigital Library
  191. Guangquan Xu, Yan Cao, Yuanyuan Ren, Xiaohong Li, and Zhiyong Feng. 2017. Network security situation awareness based on semantic ontology and user-defined rules for Internet of Things. IEEE Access 5 (2017), 21046--21056. DOI:https://doi.org/10.1109/ACCESS.2017.2734681Google ScholarGoogle ScholarCross RefCross Ref
  192. Haiyun Xu, Jeroen Heijmans, and Joost Visser. 2013. A practical model for rating software security. In Proceedings of the IEEE 7th International Conference on Software Security and Reliability. IEEE, 231--232. DOI:https://doi.org/10.1109/SERE-C.2013.11Google ScholarGoogle ScholarDigital LibraryDigital Library
  193. S. Yoo and M. Harman. 2012. Regression testing minimization, selection and prioritization: A survey. Softw. Test. Verif. Reliab. 22, 2 (Mar. 2012), 67--120. DOI:https://doi.org/10.1002/stv.430Google ScholarGoogle ScholarDigital LibraryDigital Library
  194. Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL—High-throughput greybox fuzzing of IoT firmware via augmented process emulation. 1099--1114. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zheng.Google ScholarGoogle Scholar
  195. Changying Zhou and Stefano Ramacciotti. 2011. Common criteria: Its limitations and advice on improvement. ISSA Journal (2011). Retrieved from https://www.difesa.it/SMD_/Staff/Reparti/II/CeVa/Pubblicazioni/Estere/Documents/CommonCriteria_ISSA%20Journal_0411.pdf.Google ScholarGoogle Scholar
  196. Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. 1133--1150. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zhou.Google ScholarGoogle Scholar


        • Published in

          ACM Computing Surveys  Volume 53, Issue 6
          Invited Tutorial and Regular Papers
          November 2021
          803 pages
          ISSN:0360-0300
          EISSN:1557-7341
          DOI:10.1145/3441629

          Copyright © 2020 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 6 December 2020
          • Accepted: 1 July 2020
          • Revised: 1 December 2019
          • Received: 1 July 2019

          Qualifiers

          • research-article
          • Research
          • Refereed
