Document Type
Article
Publication Date
10-14-2021
Department
Engineering
Keywords
internet of things, threat modeling, information technology
Abstract
Threat modeling and risk assessments are common ways to identify, estimate, and prioritize risk to national, organizational, and individual operations and assets. Several threat modeling and risk assessment approaches have been proposed prior to the advent of the Internet of Things (IoT) that focus on threats and risks in information technology (IT). Due to shortcomings in these approaches and the fact that there are significant differences between the IoT and IT, we synthesize and adapt these approaches to provide a threat modeling framework that focuses on threats and risks in the IoT. In doing so, we develop an IoT attack taxonomy that describes the adversarial assets, adversarial actions, exploitable vulnerabilities, and compromised properties that are components of any IoT attack. We use this IoT attack taxonomy as the foundation for designing a joint risk assessment and maturity assessment framework that is implemented as an interactive online tool. The assessment framework this tool encodes provides organizations with specific recommendations about where resources should be devoted to mitigate risk. The usefulness of this IoT framework is highlighted by case study implementations in the context of multiple industrial manufacturing companies, and the interactive implementation of this framework is available at http://iotrisk.andrew.cmu.edu.
Source Publication Title
ArXiv
Volume
abs/2110.07771
DOI
10.48550/arXiv.2110.07771
Recommended Citation
Griffioen, P., & Sinopoli, B. (2021). Assessing Risks and Modeling Threats in the Internet of Things. ArXiv, abs/2110.07771 https://doi.org/10.48550/arXiv.2110.07771