A Security Risk Assessment Framework for IoT Systems
Date
2024-08
Publisher
University of Regina
Abstract
The emergence and growth of the Internet of Things (IoT) have changed how we live and interact with technology. The seamless integration of connected devices, from household to industrial equipment, has brought about a new era of interconnectedness. However, this rapid expansion of the IoT also introduces new security concerns that need to be assessed. Assessing the security risks associated with deploying and using this technology is crucial. Consequently, organizations need a risk assessment framework that helps identify, evaluate, and manage the risks of IoT, including data privacy and confidentiality, system integrity, availability, and performance. The state of the art has given significant attention to security risk assessment in traditional cybersecurity with powerful computer systems, but the challenges of deploying IoT devices and their associated vulnerabilities have been overlooked. In this thesis, we first present a novel IoT security risk assessment framework for the healthcare environment, in which we have improved upon existing methodologies. The proposed framework dynamically calculates the risk score for different device profiles, considering their population and other parameters, such as network protocols, device heterogeneity, device security updates, device physical security status, device history status, layer history status, and device criticality. Second, we present a customizable framework for assessing the security risk of deploying and utilizing IoT devices in various environments. We dynamically calculate risk scores for different devices, considering their importance to the system and their vulnerabilities, among other parameters. The customizable framework considers the important parameters of the devices, their vulnerabilities, and how they impact the overall risk assessment.
The importance of these devices and the severity of vulnerabilities are incorporated in the framework using the well-known Multi-Attribute Decision Making (MADM) methods, namely, Simple Additive Weighting (SAW) and Weighting Product (WP). Finally, the risk is assessed on a setup comprised of IoT devices widely deployed in healthcare systems, such as emergency rooms.
Keywords
Internet of Things (IoT), IoT Attacks, Security Risk Management, Security Risk Assessment, Risk Parameters, Multi-Attribute Decision Making (MADM), Risk Assessment, Simple Additive Weighting (SAW), Weighting Product (WP)