Abstract
In recent years, cybersecurity certification has been gaining momentum as the baseline for a structured approach to mitigating cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, whose shared goal is to make the IoT more secure for end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the challenges that must be addressed to make them applicable to the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the building blocks of a cybersecurity certification framework. Our work provides a multidisciplinary perspective on a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, and we analyze these against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification in order to facilitate the definition of a framework that fits emerging scenarios such as the IoT paradigm.
Supplemental material (movie, appendix, image, and software files) is available for download for A Survey of Cybersecurity Certification for the Internet of Things.
- Microsoft. 2018. The STRIDE Threat Model. Retrieved from https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx.Google Scholar
- Microsoft. 2010. DREAD scheme. Retrieved from https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)#dread.Google Scholar
- Charlie Miller and Zachary Peterson. 2007. Analysis of mutation and generation-based fuzzing. Retrieved from http://mirror.picosecond.org/defcon/defcon15-cd/Speakers/Miller/Whitepaper/dc-15-miller-WP.pdf.Google Scholar
- MITRE. 2011. Common Weakness Risk Analysis Framework (CWRAF). Retrieved from https://cwe.mitre.org/cwraf/.Google Scholar
- MITRE. 2014. CWE—Common Weakness Scoring System (CWSS). Retrieved from https://cwe.mitre.org/cwss/cwss_v1.0.1.html.Google Scholar
- Robert Montante. 2018. Using Scapy in teaching network header formats: Programming network headers for non-programmers (abstract only). In Proceedings of the 49th ACM Technical Symposium on Computer Science Education (SIGCSE’18). ACM, New York, NY, 1106--1106. DOI:https://doi.org/10.1145/3159450.3162228Google ScholarDigital Library
- K. Moore, R. Barnes, and H. Tschofenig. 2016. Best Current Practices for Securing Internet of Things (IoT) Devices. Retrieved from https://tools.ietf.org/html/draft-moore-iot-security-bcp-00.Google Scholar
- Geoff Mulligan. 2007. The 6LoWPAN architecture. In Proceedings of the 4th Workshop on Embedded Networked Sensors (EmNets’07). ACM, New York, NY, 78--82. DOI:https://doi.org/10.1145/1278972.1278992Google ScholarDigital Library
- Tewodros Legesse Munea, I. Luk Kim, and Taeshik Shon. 2017. Design and implementation of fuzzing framework based on IoT applications. Wirel. Person. Commun. 93, 2 (Mar. 2017), 365--382. DOI:https://doi.org/10.1007/s11277-016-3322-9Google Scholar
- Steven Murdoch, Mike Bond, and Ross J. Anderson. 2012. How certification systems fail: Lessons from the ware report. IEEE Secur. Priv. Mag. 10, 6 (2012), 1--1. DOI:https://doi.org/10.1109/MSP.2012.89Google Scholar
- National Cybersecurity Center of United Kingdom. 2017. Foundation Grade explained. Retrieved from https://www.ncsc.gov.uk/articles/foundation-grade-explained.Google Scholar
- National Cybersecurity Center (UK). 2016. CPA SC Overwriting Tools for Magnetic Media v2-1. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/CPA%20SC%20Overwriting%20Tools%20for%20Magnetic%20Media%20v2-1.pdf.Google Scholar
- National Cybersecurity Centre (UK). 2016. Process for performing commercial product assurance foundation grade evaluations. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/Process%20for%20Performing%20CPA%20Foundation%20Grade%20Evaluations%202-4.pdf.Google Scholar
- NCC Group. 2016. Commercial Product Assurance and Common Criteria. Retrieved from https://www.nccgroup.trust/uk/our-services/cyber-security/compliance-and-accreditations/cpa-and-cc/.Google Scholar
- NCC Group. 2007. CERT C Programming Language Secure Coding Standard. Retrieved from http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1255.pdf.Google Scholar
- NCC Group. 2016. Threat prioritisation: DREAD is dead, baby?Retrieved from https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/march/threat-prioritisation-dread-is-dead-baby/.Google Scholar
- Ricardo Neisse, Gianmarco Baldini, Gary Steri, Abbas Ahmad, Elizabeta Fourneret, and Bruno Legeard. 2017. Improving Internet of Things device certification with policy-based management. In Proceedings of the Global Internet of Things Summit (GIoTS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/GIOTS.2017.8016273Google ScholarCross Ref
- Ricardo Neisse, Gary Steri, Igor Nai Fovino, and Gianmarco Baldini. 2015. SecKit—A model-based security toolkit for the Internet of Things. Comput. Secur. 54 (Oct. 2015), 60--76. DOI:https://doi.org/10.1016/j.cose.2015.06.002Google Scholar
- NIST. 2019. Glossary of Key Information Security Terms. Retrieved from https://www.nist.gov/publications/glossary-key-information-security-terms-2.Google Scholar
- NIST. 2006. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. Retrieved from https://csrc.nist.gov/publications/detail/fips/200/final.Google Scholar
- NIST. 2014. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.Google Scholar
- NIST. 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Technical Report. National Institute of Standards and Technology. https://doi.org/10.6028%2Fnist.cswp.04162018Google Scholar
- NIST. 2018. Risk Management Framework for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-fpd.pdf.Google Scholar
- Jason R. C. Nurse, Sadie Creese, and David De Roure. 2017. Security risk assessment in Internet of Things systems. IEEE Computer Society, IT Pro (2017).Google ScholarDigital Library
- Ruth Motunrayo Ogunnaike. 2017. Vulnerability Detection and Resolution in Internet of Things (IoT) Devices. Master Thesis. University of Washington.Google Scholar
- Adebayo Omotosho, Benjamin Ayemlo Haruna, and Olayemi Mikail Olaniyi. 2019. Threat modeling of Internet of Things health devices. J. Appl. Secur. Res. 14, 1 (Jan. 2019), 106--121. DOI:https://doi.org/10.1080/19361610.2019.1545278Google Scholar
- Online Trust Alliance. 2017. IoT Security 8 Privacy Trust Framework v2.5. Retrieved from https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf.Google Scholar
- Openstack. 2014. Security/OSSA-Metrics. Retrieved from https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration.Google Scholar
- OWASP. [n.d.]. OWASP Application Security Verification Standard (ASVS) Project. Retrieved from https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.Google Scholar
- Euopean Parliament. 2019. Regulation (EU) 2019/881 of the European Parliament and of the council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019R08818from=EN.Google Scholar
- J. M. Porup. 2016. Underwriters Labs refuses to share new IoT cybersecurity standard. Retrieved from https://arstechnica.com/information-technology/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/.Google Scholar
- Yanzhen Qu and Philip Chan. 2016. Assessing vulnerabilities in Bluetooth low energy (BLE) wireless network based IoT systems. In Proceedings of the IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS). IEEE, New York, NY, 42--48. DOI:https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2016.63Google Scholar
- Petar Radanliev, David C. De Roure, Jason R. C. Nurse, Rafael Mantilla Montalvo, and Peter Burnap. 2019. Standardisation of cyber risk impact assessment for the Internet of Things (IoT). (2019), 50. Retrieved from https://www.preprints.org/manuscript/201903.0109/v2.Google Scholar
- RASEN project. 2015. D3.2.3. Techniques for Compositional Test-Based Security Risk Assessment v.3. Retrieved from http://www.rasenproject.eu/downloads/985/.Google Scholar
- Vinay Sachidananda, Shachar Siboni, Asaf Shabtai, Jinghui Toh, Suhas Bhairav, and Yuval Elovici. 2017. Let the cat out of the bag: A holistic approach towards security analysis of the Internet of Things. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS’17). ACM Press, 3--10. DOI:https://doi.org/10.1145/3055245.3055251Google ScholarDigital Library
- Hunor Sandor and Gheorghe Sebestyen-Pal. 2017. Optimal security design in the Internet of Things. In Proceedings of the 5th International Symposium on Digital Forensic and Security (ISDFS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/ISDFS.2017.7916496Google ScholarCross Ref
- Martin Schneider, Jurgen Grossmann, Ina Schieferdecker, and Andrej Pietschker. 2013. Online model-based behavioral fuzzing. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 469--475. DOI:https://doi.org/10.1109/ICSTW.2013.61Google ScholarDigital Library
- Robert C. Seacord. 2014. CERT C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems. Addison-Wesley Professional, Upper Saddle River, NJ.Google Scholar
- SEI CERT. 2016. Coding Standards. Retrieved from https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards.Google Scholar
- SEI CERT. [n.d.]. SEI CERT Perl Coding Standard. Retrieved from https://wiki.sei.cmu.edu/confluence/display/perl.Google Scholar
- Alireza Shameli-Sendi, Rouzbeh Aghababaei-Barzegar, and Mohamed Cheriet. 2016. Taxonomy of information security risk assessment (ISRA). Comput. Secur. 57 (Mar. 2016), 14--30. DOI:https://doi.org/10.1016/j.cose.2015.11.001Google Scholar
- Z. Shelby, K. Hartke, and C. Bormann. 2014. The Constrained Application Protocol (CoAP) (RFC7252). Retrieved from https://tools.ietf.org/html/rfc7252.Google Scholar
- V. L. Shivraj, M. A. Rajan, and P. Balamuralidhar. 2017. A graph theory based generic risk assessment framework for internet of things (IoT). In Proceedings of the IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS’17). IEEE, 1--6. DOI:https://doi.org/10.1109/ANTS.2017.8384121Google Scholar
- Sabrina Sicari, Alessandra Rizzardi, Daniele Miorandi, and Alberto Coen-Porisini. 2018. A risk assessment methodology for the Internet of Things. Comput. Commun. 129 (Sept. 2018), 67--79. DOI:https://doi.org/10.1016/j.comcom.2018.07.024Google Scholar
- Saijda Sorsa. 2018. Protocol Fuzz Testing as a Part of Secure Software Development Life Cycle. Ph.D. Dissertation. Tampere University of Technology. Retrieved from https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/25667/Sorsa.pdf?sequence=3.Google Scholar
- International Organization for Standardization. 2018. ISO/IEC 31000 - Risk Management. IEC. Retrieved from https://www.iso.org/iso-31000-risk-management.html.Google Scholar
- Bernard Stepien and Liam Peyton. 2014. Innovation and evolution in integrated web application testing with TTCN-3. Int. J. Softw. Tools Technol. Transf. 16, 3 (June 2014), 269--283. DOI:https://doi.org/10.1007/s10009-013-0278-xGoogle ScholarDigital Library
- Michael Sutton, Adam Greene, and Pedram Aminir. 2007. Fuzzing—Brute force vulnerability discovery. Addison-Wesley Professional, 1--51.Google Scholar
- Farid Molazem Tabrizi and Karthik Pattabiraman. 2016. Formal security analysis of smart embedded systems. In Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC’16). ACM Press, 1--15. DOI:https://doi.org/10.1145/2991079.2991085Google ScholarDigital Library
- Martin Tappler, Bernhard K. Aichernig, and Roderick Bloem. 2017. Model-based testing IoT communication via active automata learning. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST’17). 276--287. DOI:https://doi.org/10.1109/ICST.2017.32Google ScholarCross Ref
- Emmeline Taylor and Katina Michael. 2016. Smart toys that are the stuff of nightmares. IEEE Technol. Soc. Mag. 35, 1 (Mar. 2016), 8--10. DOI:https://doi.org/10.1109/MTS.2016.2527078Google ScholarCross Ref
- Ralf Tonjes, Eike Steffen Reetz, Klaus Moessner, and Payam Barnaghi. 2012. A test-driven approach for life cycle management of Internet of Things enabled services. In Proceedings of the Future Network and Mobile Summit. Retrieved from http://info.ee.surrey.ac.uk/Personal/P.Barnaghi/doc/IoTest-Paper.pdf.Google Scholar
- Petar Tsankov, Mohammad Torabi Dashti, and David Basin. 2012. SECFUZZ—Fuzz-testing security protocols. In Proceedings of the 7th International Workshop on Automation of Software Test (AST’12). IEEE, 1--7. DOI:https://doi.org/10.1109/IWAST.2012.6228985Google ScholarCross Ref
- Underwriters Laboratories. 2017. UL 2900 Standards Process. Retrieved from https://industries.ul.com/cybersecurity/ul-2900-standards-process.Google Scholar
- Underwriters Laboratories (UL). 2017. Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems. Retrieved from https://standardscatalog.ul.com/standards/en/standard_2900-2-1.Google Scholar
- Margus Valja, Matus Korman, and Robert Lagerstrom. 2017. A study on software vulnerabilities and weaknesses of embedded systems in power networks. In Proceedings of the 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG’17). ACM Press, 47--52. DOI:https://doi.org/10.1145/3055386.3055397Google ScholarDigital Library
- VERACODE. 2006. VerAfied Methodology. Retrieved from https://help.veracode.com/reader/kJC1iOtXp8N rCtV8P9jhw/UQa oUCwYhluVREDo4480g.Google Scholar
- Alexandre Vernotte. 2013. Research questions for model-based vulnerability testing of web applications. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation. IEEE, 505--506. DOI:https://doi.org/10.1109/ICST.2013.82Google ScholarDigital Library
- Vasaka Visoottiviseth, Phuripat Akarasiriwong, Siravitch Chaiyasart, and Siravit Chotivatunyu. 2017. PENTOS—Penetration testing tool for Internet of Thing devices. In Proceedings of the IEEE Region 10 Conference (TENCON’17). 2279--2284. DOI:https://doi.org/10.1109/TENCON.2017.8228241Google ScholarCross Ref
- Jeffrey Voas and Phillip A. Laplante. 2018. IoT’s certification quagmire. (Apr. 2018). DOI:https://doi.org/10.1109/MC.2018.2141036Google Scholar
- Dong Wang, Xiaosong Zhang, Ting Chen, and Jingwei Li. 2019. Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface. DOI:https://doi.org/10.1155/2019/5076324Google Scholar
- Huan Wang, Zhanfang Chen, Jianping Zhao, Xiaoqiang Di, and Dan Liu. 2018. A vulnerability assessment method in industrial Internet of Things based on attack graph and maximum flow. IEEE Access 6 (2018), 8599--8609. DOI:https://doi.org/10.1109/ACCESS.2018.2805690Google ScholarCross Ref
- Zhongru Wang, Yuntao Zhang, Zhihong Tian, Qiang Ruan, Tong Liu, Haichen Wang, Zhehui Liu, Jiayi Lin, Binxing Fang, and Wei Shi. 2019. Automated vulnerability discovery and exploitation in the Internet of Things. Sensors 19, 15 (July 2019). DOI:https://doi.org/10.3390/s19153362Google Scholar
- Weibull. 2004. Basic concepts of FMEA and FMECA. ([n.d.]). Retrieved from http://www.weibull.com/hotwire/issue46/relbasics46.htm.Google Scholar
- Chanoksuda Wongvises, Assadarat Khurat, Doudou Fall, and Shigeru Kashihara. 2017. Fault tree analysis-based risk quantification of smart homes. In Proceedings of the 2nd International Conference on Information Technology (INCIT’17). IEEE, 1--6. DOI:https://doi.org/10.1109/INCIT.2017.8257865Google ScholarCross Ref
- Tianshui Wu and Gang Zhao. 2014. A novel risk assessment model for privacy security in Internet of Things. Wuhan Univ. J. Nat. Sci. 19, 5 (Oct. 2014), 398--404. DOI:https://doi.org/10.1007/s11859-014-1031-3Google ScholarCross Ref
- Dianxiang Xu, Manghui Tu, Michael Sanford, Lijo Thomas, Daniel Woodraska, and Weifeng Xu. 2012. Automated security test generation with formal threat models. IEEE Trans. Depend. Sec. Comput. 9, 4 (July 2012), 526--540. DOI:https://doi.org/10.1109/TDSC.2012.24Google ScholarDigital Library
- Guangquan Xu, Yan Cao, Yuanyuan Ren, Xiaohong Li, and Zhiyong Feng. 2017. Network security situation awareness based on semantic ontology and user-defined rules for Internet of Things. IEEE Access 5 (2017), 21046--21056. DOI:https://doi.org/10.1109/ACCESS.2017.2734681Google ScholarCross Ref
- Haiyun Xu, Jeroen Heijmans, and Joost Visser. 2013. A practical model for rating software security. In Proceedings of the IEEE 7th International Conference on Software Security and Reliability. IEEE, 231--232. DOI:https://doi.org/10.1109/SERE-C.2013.11Google ScholarDigital Library
- S. Yoo and M. Harman. 2012. Regression testing minimization, selection and prioritization: A survey. Softw. Test. Verif. Reliab. 22, 2 (Mar. 2012), 67--120. DOI:https://doi.org/10.1002/stv.430Google ScholarDigital Library
- Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL—High-throughput greybox fuzzing of IoT firmware via augmented process emulation. 1099--1114. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zheng.Google Scholar
- Changying Zhou and Stefano Ramacciotti. 2011. Common criteria: Its limitations and advice on improvement. ISSA Journal (2011). Retrieved from https://www.difesa.it/SMD_/Staff/Reparti/II/CeVa/Pubblicazioni/Estere/Documents/CommonCriteria_ISSA%20Journal_0411.pdf.Google Scholar
- Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. 1133--1150. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zhou.Google Scholar