A Survey of Cybersecurity Certification for the Internet of Things

In recent years, cybersecurity certification has been gaining momentum as the baseline for building a structured approach to mitigating cybersecurity risks in the Internet of Things (IoT). This initiative is d...
