Vulnerability-oriented risk identification framework for IoT risk assessment

The proliferation of Internet of Things (IoT) systems across diverse applications has led to a notable increase in connected smart devices. Nevertheless, this surge in connectivity has induced a broad spectrum of vulnerabilities and threats, jeopardizing the security and safety of IoT applications. Security risk assessment methods are commonly employed to analyze risks. However, traditional IT and existing IoT-tailored security assessment methods often fail to fully address key IoT aspects: complex assets intercommunication, dynamic system changes, assets’ potential as attack platforms, safety impacts of security breaches, and assets resource constraints. Such oversights lead to significant risks being overlooked in the IoT ecosystem. In this paper, we propose a novel vulnerability-oriented risk identification framework comprising a four-step process as a core element of IoT security risk assessment, applicable to any IoT system. Our process enhances both traditional and IoT-specific security risk assessment methods by providing tailored approaches that address their crucial oversights for comprehensive IoT risk assessment. We validate our process with a case study of an IoT smart healthcare system using a proposed expert-driven approach. The results confirm that our process effectively identifies critical attack scenarios originating from the lack of proper security measures, mobility, and intercommunication processes of IoT devices in the healthcare system. Furthermore, our analysis reveals potential attacks that exploit the IoT devices as platforms to target the backend and user domains. We demonstrate the feasibility of our process for identifying realistic risks by conducting simulations of two derived attack scenarios using the Contiki Cooja network simulator.