research-article

Open access

A Survey of Cybersecurity Certification for the Internet of Things

Authors:

Sara N. Matheu,

José L. Hernández-Ramos,

Antonio F. Skarmeta,

Gianmarco BaldiniAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 53, Issue 6

Article No.: 115, Pages 1 - 36

https://doi.org/10.1145/3410160

Published: 06 December 2020 Publication History

All formats PDF

Abstract

In recent years, cybersecurity certification is gaining momentum as the baseline to build a structured approach to mitigate cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, which have the goal to make IoT more secure for the end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the potential challenges to make them applicable for the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the processes to build a cybersecurity certification framework. Our work provides a multidisciplinary perspective of a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, which are analyzed against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification to facilitate the definition of a framework that fits in emerging scenarios, such as the IoT paradigm.

Supplementary Material

a15-matheu-apndx.pdf (matheu.zip)

Supplemental movie, appendix, image and software files for, A Survey of Cybersecurity Certification for the Internet of Things

Download
58.73 KB

References

[1]

European Parliament. 2016. Directive 2010/41/EU of the European Parliament and of the Council of 7 July 2010. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L11488from=EN.

[2]

Habtamu Abie and Ilangko Balasingham. 2012. Risk-based adaptive security for smart IoT in eHealth. In Proceedings of the 7th International Conference on Body Area Networks. ACM.

Digital Library

[3]

Mohamed Abomhara and Geir M. Koien. 2015. Cyber security and the Internet of Things: Vulnerabilities, threats, intruders and attacks. J. Cyber Secur. Mobil. 4, 1 (2015), 65--88.

[4]

Abbas Ahmad, Gianmarco Baldini, Philippe Cousin, Sara N. Matheu, Antonio Skarmeta, Elizabeta Fourneret, and Bruno Legeard. 2017. Cognitive Hyperconnected Digital Transformation: Internet of Things Intelligence Evolution. River Publishers, 189--220. Retrieved from https://books.google.es/books?id=nPIxDwAAQBAJ.

[5]

Abbas Ahmad, Fabrice Bouquet, Elizabeta Fourneret, Franck Le Gall, and Bruno Legeard. 2016. Model-based testing as a service for IoT platforms. In Proceedings of the International Symposium on Leveraging Applications of Formal Methods. 727--742.

[6]

AIOTI. 2016. Report on Workshop on Security and Privacy in the Hyper-Connected World. Retrieved from https://goo.gl/KeKqbs.

[7]

Haneen Al-Alami, Ali Hadi, and Hussein Al-Bahadili. 2017. Vulnerability scanning of IoT devices in Jordan using Shodan. In Proceedings of the 2nd International Conference on the Applications of Information Technology in Developing Renewable Energy Processes and Systems (IT-DREPS’17).

[8]

A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and M. Ayyash. 2015. Internet of Things: A survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor. 17, 4 (2015), 2347--2376.

Digital Library

[9]

Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, and Carol Woody. 2005. OCTAVE-S Implementation Guide, Version 1. Technical Report. Carnegie Mellon University. Retrieved from https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14273.pdf.

[10]

Bako Ali and Ali Awad. 2018. Cyber and physical security vulnerability assessment for IoT-based smart homes. Sensors 18, 3 (Mar. 2018), 817.

[11]

Lautenbach Aljoscha and Mafijul Islam. 2016. HEAling Vulnerabilities to ENhance Software Security and Safety—Project Proposal (HAVENS). Retrieved from http://autosec.se/wp-content/uploads/2018/03/HEAVENS_D2_v2.0.pdf.

[12]

Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK—Security evaluation of home-based IoT deployments. In Proceedings of the IEEE Symposium on Security and Privacy (SP’19). IEEE, 1362--1380.

[13]

Faisal Alsubaei, Abdullah Abuhussein, and Sajjan Shiva. 2017. Security and privacy in the Internet of Medical Things: Taxonomy and risk assessment. In Proceedings of the IEEE 42nd Conference on Local Computer Networks Workshops (LCN Workshops’17). IEEE, 112--120.

[14]

Faisal Alsubaei, Abdullah Abuhussein, and Sajjan Shiva. 2018. Quantifying security and privacy in Internet of Things solutions. In Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS’18). IEEE, 1--6.

[15]

Prashant Anantharaman, Michael Locasto, Gabriela F. Ciocarlie, and Ulf Lindqvist. 2017. Building hardened Internet-of-Things clients with language-theoretic security. In Proceedings of the IEEE Security and Privacy Workshops (SPW’17). IEEE, 120--126.

[16]

Ross Anderson and Shailendra Fuloria. 2009. Certification and evaluation: A security economics perspective. In Proceedings of the IEEE Conference on Emerging Technologies 8 Factory Automation. IEEE, 1--7.

[17]

ANSSI. 2008. Certification de Sécurité de Premier Niveau (CSPN). Retrieved from https://www.ssi.gouv.fr/administration/produits-certifies/cspn/.

[18]

ANSSI. 2018. Certification de Sécurité de Premier Niveau des Produits des Technologies de l’Information. Retrieved from https://www.ssi.gouv.fr/uploads/2015/01/anssi-cspn-cer-p-01-certification_de_securite_de_premier_niveau_v2.0.pdf.

[19]

Qazi Mamoon Ashraf and Mohamed Hadi Habaebi. 2015. Autonomic schemes for threat mitigation in Internet of Things. J. Netw. Comput. Applic. 49 (Mar. 2015), 112--127.

[20]

Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, and William Pugh. 2008. Using static analysis to find bugs. IEEE Softw. 25, 5 (Sept. 2008), 22--29.

Digital Library

[21]

Hans Baars, Robert Lassche, Robin Massink, and Hans Pille. 2014. Smart grid security certification in Europe. Challenges and recommendations. Retrieved from https://www.enisa.europa.eu/publications/smart-grid-security-certification-in-europe/at_download/fullReport.

[22]

Ruediger Bachmann and Achim D. Brucker. 2014. Developing secure software. Datensch. Datensich. - DuD 38, 4 (Mar. 2014), 257--261.

[23]

Gianmarco Baldini, Georgios Giannopoulos, and Alessandro Lazari. 2017. Annex 8: JRC Analysis and Recommendations for a European Certification and Labelling Framework for Cybersecurity in Europe. Technical Report. European Commission. Retrieved from https://ec.europa.eu/transparency/regdoc/rep/10102/2017/EN/SWD-2017-500-F1-EN-MAIN-PART-6.PDF.

[24]

Gianmarco Baldini, Antonio Skarmeta, Elizabeta Fourneret, Ricardo Neisse, Bruno Legeard, and Franck Le Gall. 2016. Security certification and labelling in Internet of Things. In Proceedings of the IEEE 3rd World Forum on Internet of Things (WF-IoT’16). IEEE, 627--632.

[25]

Aaron Ballman. 2016. SEI CERT C++ Coding Standard Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems in C++. Retrieved from http://cysecure.org/455/dmccarroll/455/online/WeekTwo/Reading/sei-cert-cpp-coding-standard-2016-v01.pdf.

[26]

Arthur Barstow, Mark Burstein, James Hendler, Vincent Marcatt, David Martin, Drew McDermott, Deborah L. McGuinness, Sheila McIlraith, Jeff Pollock, David De Roure, Mark Skall, Katia Sycara, and Hideki Yoshida. 2004. OWL-S—Semantic markup for Web services. W3C Member Submission 22 (2004). Retrieved from https://www.researchgate.net/publication/39994181_OWL-S_Semantic_markup_for_Web_services.

[27]

Massimo Bartoletti, Pierpaolo Degano, and Gian Luigi Ferrari. 2006. Security issues in service composition. In Formal Methods for Open Object-based Distributed Systems, Vol. 4037. Springer Berlin, 1--16.

[28]

Jason Bau, Elie Bursztein, Divij Gupta, and John Mitchell. 2010. State of the art: Automated black-box web application vulnerability testing. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 332--345.

Digital Library

[29]

Sofia Bekrar, Chaouki Bekrar, Roland Groz, and Laurent Mounier. 2011. Finding software vulnerabilities by smart fuzzing. In Proceedings of the 4th IEEE International Conference on Software Testing, Verification and Validation. IEEE, 427--430.

Digital Library

[30]

Matt Bishop. 2007. About penetration testing. IEEE Secur. Priv. Mag. 5, 6 (Nov. 2007), 84--87.

Digital Library

[31]

BITAG. 2016. Internet of Things (IoT) Security and Privacy Recommendations. Retrieved from https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf.

[32]

Kim Jonatan Wessel Bjørneset. 2017. Testing Security for Internet of Things. Survey on Vulnerabilities in IP Cameras. Ph.D. Thesis. University of Oslo. Retrieved from https://www.mn.uio.no/ifi/english/research/groups/psy/completedmasters/2017/Kim_Jonatan_Wessel_Bjorneset/kim_jonatan_wessel_bjorneset_testing_security_for_internet_of_things_a_survey_on_vulnerabilities_in_ip_cameras.pdf.

[33]

Roland Bodenheim, Jonathan Butts, Stephen Dunlap, and Barry Mullins. 2014. Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices. Int. J. Crit. Infrast. Protect. 7, 2 (June 2014), 114--123.

[34]

Katie Boeckl, Michael Fagan, William Fisher, Naomi Lefkovitz, Katerina N. Megas, Ellen Nadeau, Danna Gabel O’Rourke, Ben Piccarreta, and Karen Scarfone. 2018. Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. https://doi.org/10.6028/NIST.IR.8228-draft

[35]

Julien Botella, Fabrice Bouquet, Jean-Francois Capuron, Franck Lebeau, Bruno Legeard, and Florence Schadle. 2013. Model-based testing of cryptographic components—Lessons learned from experience. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation. IEEE, 192--201.

Digital Library

[36]

F. Bouquet, C. Grandpierre, B. Legeard, F. Peureux, N. Vacelet, and M. Utting. 2007. A subset of precise UML for model-based testing. In Proceedings of the 3rd International Workshop on Advances in Model-based Testing (A-MOST’07). ACM Press, 95--104.

[37]

Josip Bozic and Franz Wotawa. 2012. Model-based testing—From safety to security. In STV Bozic, Wotawa. 9--16. Retrieved from https://graz.pure.elsevier.com/en/publications/model-based-testing-from-safety-to-security.

[38]

Josip Bozic and Franz Wotawa. 2014. Security testing based on attack patterns. In Proceedings of the IEEE 7th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 4--11.

Digital Library

[39]

Miroslav Bures, Tomas Cerny, and Bestoun S. Ahmed. 2019. Internet of Things: Current challenges in the quality assurance and testing methods. In Proceedings of the International Conference on Information Science and Applications, Kuinam J. Kim and Nakhoon Baek (Eds.). Vol. 514. Springer Singapore, 625--634.

[40]

Jordi Cabot and Martin Gogolla. 2017. Object constraint language (OCL): A definitive guide. In Proceedings of the 12th International Conference on Formal Methods for the Design of Computer, Communication, and Software Systems: Formal Methods for Model-driven Engineering.

[41]

Matteo Cagnazzo, Markus Hertlein, Thorsten Holz, and Norbert Pohlmann. 2018. Threat modeling for mobile health systems. In Proceedings of the IEEE Wireless Communications and Networking Conference Workshops (WCNCW’18). IEEE, 314--319.

[42]

Richard A. Caralli, James F. Stevens, Lisa R. Young, and William R. Wilson. 2007. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Technical Report. CERT. Retrieved from https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf.

[43]

CCRA. 2012. Common Criteria, Assurance Continuity, CCRA requirements. Version 2.1. Retrieved from http://www.commoncriteriaportal.org/files/operatingprocedures/2012-06-01.pdf.

[44]

CCRA. 2017. Common Criteria for Information Technology Security Evaluation. Part 1: Introduction and general model.Retrieved from https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf.

[45]

CERT SEI. 2018. Android Secure Coding Standard. Retrieved from https://wiki.sei.cmu.edu/confluence/display/android/Android+Secure+Coding+Standard.

[46]

CESG. 2014. The Commercial Product Assurance (CPA) build standard. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/The%20CPA%20Build%20Standard%201.3.pdf.

[47]

Chen Chen, Baojiang Cui, Jinxin Ma, Runpu Wu, Jianchao Guo, and Wenqian Liu. 2018. A systematic review of fuzzing techniques. Comput. Secur. 75 (June 2018), 118--137.

[48]

Jiongyi Chen, Wenrui Diaoy, Qingchuan Zhaoz, Chaoshun Zuoz, Zhiqiang Linz, XiaoFeng Wangx, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer—Discovering memory corruptions in IoT through app-based fuzzing. In Proceedings of the Network and Distributed System Security Symposium.

[49]

Nanxing Chen, César Viho, Anthony Baire, Xiaohong Huang, and Jiexi Zha. 2012. Ensuring interoperability for the Internet of Things: Experience with CoAP protocol testing. J. Contr. Meas. Electron. Comput. Commun. 6 (2012), 448--458.

[50]

Kai Cheng, Qiang Li, Lei Wang, Qian Chen, Yaowen Zheng, Limin Sun, and Zhenkai Liang. 2018. DTaint—Detecting the taint-style vulnerability in embedded device firmware. In Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’18). 430--441.

[51]

Brian Chess and Jabob West. 2007. Secure Programming with Static Analysis. Gary McGraw. Retrieved from https://www.e-reading.club/bookreader.php/142130/Secure_programming_with_Static_Analysis.pdf.

[52]

Gordon Chu, Noah Apthorpe, and Nick Feamster. 2018. Security and privacy analyses of Internet of Things toys. IEEE Internet Things J. 6, 1 (2018), 978--985.

[53]

Peter Cihon, Glenda Michel Gutierrez, Sam Kee, Moritz Jan Kleinaltenkamp, Thanel Voigt, and Antonio Rosato. 2018. Why certify? Increasing adoption of the proposed EU cybersecurity certification framework. Cambridge Judge Business School, Sophia Antipolis, France. Retrieved from https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/00POSTERS/Cambridge%20EU%20Cybersecurity%20Certification%20Report.pdf.

[54]

Sara Cleemput. 2018. Secure and Privacy-friendly Smart Electricity Metering. Ph.D. Thesis. Arenberg Doctoral School. Faculty of Engineering Science. Retrieved from https://www.esat.kuleuven.be/cosic/publications/thesis-303.pdf.

[55]

CNSSI. 2015. CNSSI No. 4009: Committee on National Security Systems (CNSS) Glossary. Retrieved from https://cryptosmith.files.wordpress.com/2015/08/glossary-2015-cnss.pdf.

[56]

Common Criteria. 2014. Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. Retrieved from https://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf.

[57]

Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti. 2014. A large-scale analysis of the security of embedded firmwares. 95--110. Retrieved from https://www.usenix.org/node/184450.

[58]

Antoine Coutant. 2016. French Scheme CSPN to CC evaluation. Retrieved from http://www.yourcreativesolutions.nl/ICCC13/p/CC%20and%20New%20Techniques/Antoine%20COUTANT%20-%20CSPN%20to%20CC%20Evaluation.pdf.

[59]

Aymeric Cretin, Bruno Legeard, Fabien Peureux, and Alexandre Vernotte. 2018. Increasing the resilience of ATC systems against false data injection attacks using DSL-based testing. In Proceedings of the Doctoral Symposium (ICRAT’18).

[60]

Lajos Cseppento and Zoltan Micskei. 2017. Evaluating code-based test input generator tools. Softw. Test. Verif. Reliab. 27, 6 (Sept. 2017), e1627.

[61]

CTIA. 2018. Cybersecurity Certification Test Plan for IoT Devices. Retrieved from https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf.

[62]

Baojiang Cui, Shurui Liang, Shilei Chen, Bing Zhao, and Xiaobing Liang. 2014. A novel fuzzing method for Zigbee based on finite state machine. Int. J. Distrib. Sensor Netw. 10, 1 (Jan. 2014), 762891.

[63]

Joao Pedro Dias, Flavio Couto, Ana C. R. Paiva, and Hugo Sereno Ferreira. 2018. A brief overview of existing tools for testing the Internet-of-Things. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW’18). IEEE, 104--109.

[64]

Fabien Duchene. 2014. Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing. Ph.D. Dissertation. Grenoble University. Retrieved from https://hal.archives-ouvertes.fr/tel-01102325/document.

[65]

ECSO. 2017. A Meta-Scheme Approach v1.0. Retrieved from http://www.ecs-org.eu/documents/uploads/european-cyber-security-certification-a-meta-scheme-approach.pdf.

[66]

ECSO. 2017. State of the Art Syllabus v2. Retrieved from http://www.ecs-org.eu/documents/uploads/updated-sota.pdf.

[67]

ENISA. 2018. Overview of ICT certification laboratories. Retrieved from http://www.european-accreditation.org/brochure/document-ict-certification-laboratories.

[68]

Gencer Erdogan, Yan Li, Ragnhild Kobro Runde, Fredrik Seehusen, and Ketil Stølen. 2014. Approaches for the combined use of risk analysis and testing: A systematic literature review. Int. J. Softw. Tools Technol. Transf. 16 (2014), 627--642.

Digital Library

[69]

ETSI. 2015. ETSI EG 203 251: Methods for Testing 8 Specification; Risk-based Security Assessment and Testing Methodologies. Retrieved from https://www.etsi.org/deliver/etsi_eg/203200_203299/203251/01.01.01_50/eg_203251v010101m.pdf.

[70]

European Commission. 2010. Directive 2010/30/EU on the indication by labelling and standard product information of the consumption of energy and other resources by energy-related products. Retrieved from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010L0030.

[71]

European Parliament. 2016. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Retrieved from https://eugdpr.org/.

[72]

EVITA. 2008. E-Safety Vehicle Intrusion Protected Applications. Retrieved from https://www.evita-project.org/.

[73]

Michael Felderer, Berthold Agreiter, Philipp Zech, and Ruth Breu. 2011. A classification for model-based security testing. 109--114. Retrieved from https://www.thinkmind.org/index.php?view=article8articleid=valid_2011_5_10_40020.

[74]

Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. 2015. Chapter one - Security testing: A survey. In Advances in Computers. Vol. 101. Elsevier, 1--51.

[75]

Michael Felderer and Elizabeta Fourneret. 2015. A systematic classification of security regression testing approaches. Int. J. Softw. Tools Technol. Transf. 17, 3 (June 2015), 305--319.

Digital Library

[76]

Michael Felderer and Ina Schieferdecker. 2014. A taxonomy of risk-based testing. Int. J. Softw. Tools Technol. Transf. 16, 5 (Oct. 2014), 559--568.

[77]

FIRST. 2015. Common Vulnerability Score System (CVSS) v3. Retrieved from https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf.

[78]

Elizabeta Fourneret, Fabrice Bouquet, Frederic Dadeau, and Stephane Debricon. 2011. Selective test generation method for evolving critical systems. In Proceedings of the IEEE 4th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 125--134.

[79]

Anna Baron Garcia, Radu F. Babiceanu, and Remzi Seker. 2018. Trustworthiness requirements and models for aviation and aerospace systems. In Proceedings of the Integrated Communications, Navigation, Surveillance Conference (ICNS’18). IEEE, 1--16.

[80]

Mengmeng Ge, Jin B. Hong, Walter Guttmann, and Dong Seong Kim. 2017. A framework for automating security analysis of the internet of things. J. Netw. Comput. Applic. 83 (Apr. 2017), 12--27.

Digital Library

[81]

Mengmeng Ge and Dong Seong Kim. 2015. A framework for modeling and assessing security of the Internet of Things. In Proceedings of the IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS’15). 776--781.

[82]

Gemini George and Sabu M. Thampi. 2018. A graph-based security framework for securing industrial IoT networks from vulnerability exploitations. IEEE Access 6 (2018), 43586--43601.

[83]

J. Granjal, E. Monteiro, and J. Sa Silva. 2015. Security for the Internet of Things: A survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor. 17, 3 (2015), 1294--1312.

Digital Library

[84]

Jurgen Grossmann, Michael Felderer, Johannes Viehmann, and Ina Schieferdecker. 2019. A taxonomy to assess and tailor risk-based testing in recent testing standards. IEEE Softw. PP (May 2019), 1--1.

[85]

GSMA. 2016. IoT Security Guidelines Overview Document. Retrieved from https://www.gsma.com/iot/wp-content/uploads/2016/02/CLP.11-v1.1.pdf.

[86]

Ayyoob Hamza, Dinesha Ranathunga, Hassan Habibi Gharakheili, Theophilus A. Benson, Matthew Roughan, and Vijay Sivaraman. 2019. Verifying and monitoring IoTs network behavior using MUD profiles. Retrieved from http://arxiv.org/abs/1902.02484.

[87]

Wenxi Han, Xiaoming Liu, Hong Zhang, Ruijie Quan, and Linfeng Shen. 2018. Dynamically-enabled defense effectiveness evaluation of IoT based on vulnerability analysis. In Proceedings of the 3rd International Conference on Multimedia Systems and Signal Processing (ICMSSP’18). ACM Press, 99--103.

Digital Library

[88]

J. Hearn. 2004. Does the common criteria paradigm have a future?IEEE Secur. Priv. Mag. 2, 1 (Jan. 2004), 64--65.

Digital Library

[89]

S. Hiremath, G. Yang, and K. Mankodiya. 2014. Wearable Internet of Things: Concept, architectural components and promises for person-centered healthcare. In Proceedings of the 4th International Conference on Wireless Mobile Communication and Healthcare—Transforming Healthcare through Innovations in Mobile and Wireless Technologies (MOBIHEALTH’14). 304--307.

[90]

Juliane Hubner and Maria Lastovka. 2017. BOSCH Political Viewpoint. Security in IoT. Retrieved from https://www.boschsecurity.com/xc/en/news/rethink-the-magazine/winds-of-change/.

[91]

ICSA. 2016. ICSA Labs IoT Security and Privacy. Retrieved from https://www.icsalabs.com/technology-program/iot-devices-sensors/iot-device-requirements-framework.

[92]

ICSA. 2016. Internet of Things (IoT) Security Testing Framework. Retrieved from https://www.icsalabs.com/sites/default/files/body_images/ICSALABS_IoT_reqts_framework_v2.0_161026.pdf.

[93]

Information Technology Promotion Agency (IPA). 2019. Japan Information Technology Security Evaluation and Certification Scheme. Retrieved from https://www.ipa.go.jp/security/jisec/jisec_e/.

[94]

IoT Security Fundation. 2017. IoT Security Compliance Framework. Release 1.1. Retrieved from https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf.

[95]

ISO. 2018. Information technology—Internet of Things (IoT)—Vocabulary (ISO/IEC 20924:2018). Retrieved from http://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/94/69470.html.

[96]

Andreas Jacobsson, Martin Boldt, and Bengt Carlsson. 2016. A risk analysis of a smart home automation system. Fut. Gen. Comput. Syst. 56 (Mar. 2016), 719--733.

[97]

Joint Task Force Transformation Initiative. 2014. Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Technical Report NIST SP 800-37r1. National Institute of Standards and Technology.

[98]

Sathya Prakash Kadhirvelan and Andrew Soderberg-Rivkin. 2014. Threat Modelling and Risk Assessment within Vehicular Systems. Ph.D. Dissertation. University of Gothenburg. Retrieved from http://publications.lib.chalmers.se/records/fulltext/202917/202917.pdf.

[99]

Samuel Paul Kaluvuri, Michele Bezzi, and Yves Roudier. 2014. A quantitative analysis of common criteria certification practice. In Trust, Privacy, and Security in Digital Business. Vol. 8647. Springer International Publishing, Cham, 132--143.

[100]

Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A. Spirito, and Mark Vinkovits. 2013. Denial-of-service detection in 6LoWPAN based Internet of Things. In Proceedings of the IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob’13). IEEE, 600--607.

[101]

Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A. Spirito, Mark Vinkovits, Nils O. Tippenhauer Jemin Lee Shachar Siboni, Asaf Shabtai, and Yuval Elovici. 2016. Advanced security testbed framework for wearable IoT devices. In Proceedings of the IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob’13), Vol. 16.

[102]

Kaspersky. 2017. Kaspersky Labs Targeted Attacks Detection Solution Is Certified by ICSA Labs. Retrieved from https://www.kaspersky.com/about/press-releases/2017_targeted-attacks-detection-solution-certified-by-icsa-labs.

[103]

F. Keblawi and D. Sullivan. 2006. Applying the common criteria in systems engineering. IEEE Secur. Priv. Mag. 4, 2 (Mar. 2006), 50--55.

[104]

Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, and Jeffrey Voas. 2017. DDoS in the IoT: Mirai and other botnets. Computer 50, 7 (2017), 80--84.

Digital Library

[105]

Willibald Krenn, Rupert Schlick, Stefan Tiran, Bernhard Aichernig, Elisabeth Jobstl, and Harald Brandl. 2015. MoMut—UML model-based mutation testing for UML. In Proceedings of the IEEE 8th International Conference on Software Testing, Verification and Validation (ICST’15). IEEE, 1--8.

[106]

Ievgeniia Kuzminykh and Anders Carlsson. 2018. Analysis of assets for threat risk model in avatar-oriented IoT architecture. In Internet of Things, Smart Spaces, and Next Generation Networks and Systems (Lecture Notes in Computer Science), Olga Galinina, Sergey Andreev, Sergey Balandin, and Yevgeni Koucheryavy (Eds.). Springer International Publishing, Cham, 52--63.

[107]

Abdelkader Lahmadi, Cesar Brandin, and Olivier Festor. 2012. A testing framework for discovering vulnerabilities in 6LoWPAN networks. In Proceedings of the IEEE 8th International Conference on Distributed Computing in Sensor Systems. IEEE, 335--340.

Digital Library

[108]

Eliot Lear, Dan Romascanu, and Ralph Droms. 2019. Manufacturer Usage Description Specification (RFC 8520). Retrieved from https://tools.ietf.org/html/rfc8520.

[109]

Seokcheol Lee, Sungjin Kim, Ken Choi, and Taeshik Shon. 2018. Game theory-based security vulnerability quantification for social Internet of Things. Fut. Gen. Comput. Syst. 82 (May 2018), 752--760.

[110]

Bruno Legeard and Arnaud Bouzy. 2013. Smartesting CertifyIt: Model-based testing for enterprise IT. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation. IEEE, 391--397.

Digital Library

[111]

Wenbin Li, Franck Le Gall, and Naum Spaseski. 2018. A survey on model-based testing tools for test case generation. In Tools and Methods of Program Analysis, Vladimir Itsykson, Andre Scedrov, and Victor Zakharov (Eds.), Vol. 779. Springer International Publishing, Cham, 77--89.

[112]

Caiming Liu, Yan Zhang, Jinquan Zeng, Lingxi Peng, and Run Chen. 2012. Research on dynamical security risk assessment for the Internet of Things inspired by immunology. In Proceedings of the 8th International Conference on Natural Computation. IEEE, 874--878.

[113]

Fred Long, Dhruv Mohindra, and Robert C. Seacord. 2011. The Cert Oracle Secure Coding Standard for Java (1st ed.). Addison Wesley Pub. Co. Inc., Upper Saddle River, NJ.

[114]

Florian Lugou, Ludovic Apvrille, and Aurélien Francillon. 2016. Toward a methodology for unified verification of hardware/software co-designs. J. Cryptog. Eng. (Nov. 2016), 1--12.

[115]

Imran Makhdoom, Mehran Abolhasan, Justin Lipman, Ren Ping Liu, and Wei Ni. 2018. Anatomy of threats to the Internet of Things. IEEE Commun. Surv. Tutor. (2018), 1--1.

[116]

Mark Miller. 2018. D3.2 European cybersecurity and privacy Research and Innovation Ecosystem. Retrieved from https://www.cyberwatching.eu/sites/default/files/D3.2_European_cybersecurity_and_privacy_Research_%26Innovation_Ecosystem.pdf.

[117]

S. N. Matheu, J. L. Hernandez-Ramos, and A. F. Skarmeta. 2019. Toward a cybersecurity certification framework for the Internet of Things. IEEE Secur. Priv. 17, 3 (May 2019), 66--76.

[118]

Sara N. Matheu-Garcia, Jose L. Hernandez-Ramos, and Antonio F. Skarmeta. 2018. Test-based risk assessment and security certification proposal for the Internet of Things. In Proceedings of the IEEE 4th World Forum on Internet of Things (WF-IoT’18). IEEE, 641--646.

[119]

Sara N. Matheu-Garcia, Jose L. Hernandez-Ramos, Antonio F. Skarmeta, and Gianmarco Baldini. 2019. Risk-based automated assessment and testing for the cybersecurity certification and labelling of IoT devices. Comput. Stand. Interf. 62 (Feb. 2019), 64--83.

[120]

David Maynor. 2011. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Elsevier. Google-Books-ID: JWgNVFtbWJ4C. Retrieved from https://www.elsevier.com/books/metasploit-toolkit-for-penetration-testing-exploit-development-and-vulnerability-research/maynor/978-1-59749-074-0.

[121]

G. Mcgraw. 2004. Software security. IEEE Secur. Priv. Mag. 2, 2 (Mar. 2004), 80--83.

[122]

Kais Mekki, Eddy Bajic, Frederic Chaxel, and Fernand Meyer. 2019. A comparative study of LPWAN technologies for large-scale IoT deployment. ICT Express 5, 1 (Mar. 2019), 1--7.

[123]

Bruno Melo, Paulo Licio Geus, and Andre A. Gregio. 2017. Robustness testing of CoAP server-side implementations through black-box fuzzing techniques. In Proceedings of the Brazilian Symposium on Information Security and Computer Systems. 533--540. Retrieved from https://pdfs.semanticscholar.org/487b/7a45bc5962fd2cdf65da2caa05fcaef64591.pdf.

[124]

Microsoft. 2018. The STRIDE Threat Model. Retrieved from https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx.

[125]

Microsoft. 2010. DREAD scheme. Retrieved from https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)#dread.

[126]

Charlie Miller and Zachary Peterson. 2007. Analysis of mutation and generation-based fuzzing. Retrieved from http://mirror.picosecond.org/defcon/defcon15-cd/Speakers/Miller/Whitepaper/dc-15-miller-WP.pdf.

[127]

MITRE. 2011. Common Weakness Risk Analysis Framework (CWRAF). Retrieved from https://cwe.mitre.org/cwraf/.

[128]

MITRE. 2014. CWE—Common Weakness Scoring System (CWSS). Retrieved from https://cwe.mitre.org/cwss/cwss_v1.0.1.html.

[129]

Robert Montante. 2018. Using Scapy in teaching network header formats: Programming network headers for non-programmers (abstract only). In Proceedings of the 49th ACM Technical Symposium on Computer Science Education (SIGCSE’18). ACM, New York, NY, 1106--1106.

Digital Library

[130]

K. Moore, R. Barnes, and H. Tschofenig. 2016. Best Current Practices for Securing Internet of Things (IoT) Devices. Retrieved from https://tools.ietf.org/html/draft-moore-iot-security-bcp-00.

[131]

Geoff Mulligan. 2007. The 6LoWPAN architecture. In Proceedings of the 4th Workshop on Embedded Networked Sensors (EmNets’07). ACM, New York, NY, 78--82.

Digital Library

[132]

Tewodros Legesse Munea, I. Luk Kim, and Taeshik Shon. 2017. Design and implementation of fuzzing framework based on IoT applications. Wirel. Person. Commun. 93, 2 (Mar. 2017), 365--382.

[133]

Steven Murdoch, Mike Bond, and Ross J. Anderson. 2012. How certification systems fail: Lessons from the ware report. IEEE Secur. Priv. Mag. 10, 6 (2012), 1--1.

[134]

National Cybersecurity Center of United Kingdom. 2017. Foundation Grade explained. Retrieved from https://www.ncsc.gov.uk/articles/foundation-grade-explained.

[135]

National Cybersecurity Center (UK). 2016. CPA SC Overwriting Tools for Magnetic Media v2-1. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/CPA%20SC%20Overwriting%20Tools%20for%20Magnetic%20Media%20v2-1.pdf.

[136]

National Cybersecurity Centre (UK). 2016. Process for performing commercial product assurance foundation grade evaluations. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/document_files/Process%20for%20Performing%20CPA%20Foundation%20Grade%20Evaluations%202-4.pdf.

[137]

NCC Group. 2016. Commercial Product Assurance and Common Criteria. Retrieved from https://www.nccgroup.trust/uk/our-services/cyber-security/compliance-and-accreditations/cpa-and-cc/.

[138]

NCC Group. 2007. CERT C Programming Language Secure Coding Standard. Retrieved from http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1255.pdf.

[139]

NCC Group. 2016. Threat prioritisation: DREAD is dead, baby?Retrieved from https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/march/threat-prioritisation-dread-is-dead-baby/.

[140]

Ricardo Neisse, Gianmarco Baldini, Gary Steri, Abbas Ahmad, Elizabeta Fourneret, and Bruno Legeard. 2017. Improving Internet of Things device certification with policy-based management. In Proceedings of the Global Internet of Things Summit (GIoTS’17). IEEE, 1--6.

[141]

Ricardo Neisse, Gary Steri, Igor Nai Fovino, and Gianmarco Baldini. 2015. SecKit—A model-based security toolkit for the Internet of Things. Comput. Secur. 54 (Oct. 2015), 60--76.

[142]

NIST. 2019. Glossary of Key Information Security Terms. Retrieved from https://www.nist.gov/publications/glossary-key-information-security-terms-2.

[143]

NIST. 2006. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. Retrieved from https://csrc.nist.gov/publications/detail/fips/200/final.

[144]

NIST. 2014. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

[145]

NIST. 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Technical Report. National Institute of Standards and Technology. https://doi.org/10.6028%2Fnist.cswp.04162018

[146]

NIST. 2018. Risk Management Framework for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-fpd.pdf.

[147]

Jason R. C. Nurse, Sadie Creese, and David De Roure. 2017. Security risk assessment in Internet of Things systems. IEEE Computer Society, IT Pro (2017).

Digital Library

[148]

Ruth Motunrayo Ogunnaike. 2017. Vulnerability Detection and Resolution in Internet of Things (IoT) Devices. Master Thesis. University of Washington.

[149]

Adebayo Omotosho, Benjamin Ayemlo Haruna, and Olayemi Mikail Olaniyi. 2019. Threat modeling of Internet of Things health devices. J. Appl. Secur. Res. 14, 1 (Jan. 2019), 106--121.

[150]

Online Trust Alliance. 2017. IoT Security 8 Privacy Trust Framework v2.5. Retrieved from https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf.

[151]

Openstack. 2014. Security/OSSA-Metrics. Retrieved from https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration.

[152]

OWASP. [n.d.]. OWASP Application Security Verification Standard (ASVS) Project. Retrieved from https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.

[153]

Euopean Parliament. 2019. Regulation (EU) 2019/881 of the European Parliament and of the council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019R08818from=EN.

[154]

J. M. Porup. 2016. Underwriters Labs refuses to share new IoT cybersecurity standard. Retrieved from https://arstechnica.com/information-technology/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/.

[155]

Yanzhen Qu and Philip Chan. 2016. Assessing vulnerabilities in Bluetooth low energy (BLE) wireless network based IoT systems. In Proceedings of the IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS). IEEE, New York, NY, 42--48.

[156]

Petar Radanliev, David C. De Roure, Jason R. C. Nurse, Rafael Mantilla Montalvo, and Peter Burnap. 2019. Standardisation of cyber risk impact assessment for the Internet of Things (IoT). (2019), 50. Retrieved from https://www.preprints.org/manuscript/201903.0109/v2.

[157]

RASEN project. 2015. D3.2.3. Techniques for Compositional Test-Based Security Risk Assessment v.3. Retrieved from http://www.rasenproject.eu/downloads/985/.

[158]

Vinay Sachidananda, Shachar Siboni, Asaf Shabtai, Jinghui Toh, Suhas Bhairav, and Yuval Elovici. 2017. Let the cat out of the bag: A holistic approach towards security analysis of the Internet of Things. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS’17). ACM Press, 3--10.

Digital Library

[159]

Hunor Sandor and Gheorghe Sebestyen-Pal. 2017. Optimal security design in the Internet of Things. In Proceedings of the 5th International Symposium on Digital Forensic and Security (ISDFS’17). IEEE, 1--6.

[160]

Martin Schneider, Jurgen Grossmann, Ina Schieferdecker, and Andrej Pietschker. 2013. Online model-based behavioral fuzzing. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 469--475.

Digital Library

[161]

Robert C. Seacord. 2014. CERT C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems. Addison-Wesley Professional, Upper Saddle River, NJ.

[162]

SEI CERT. 2016. Coding Standards. Retrieved from https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards.

[163]

SEI CERT. [n.d.]. SEI CERT Perl Coding Standard. Retrieved from https://wiki.sei.cmu.edu/confluence/display/perl.

[164]

Alireza Shameli-Sendi, Rouzbeh Aghababaei-Barzegar, and Mohamed Cheriet. 2016. Taxonomy of information security risk assessment (ISRA). Comput. Secur. 57 (Mar. 2016), 14--30.

[165]

Z. Shelby, K. Hartke, and C. Bormann. 2014. The Constrained Application Protocol (CoAP) (RFC7252). Retrieved from https://tools.ietf.org/html/rfc7252.

[166]

V. L. Shivraj, M. A. Rajan, and P. Balamuralidhar. 2017. A graph theory based generic risk assessment framework for internet of things (IoT). In Proceedings of the IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS’17). IEEE, 1--6.

[167]

Sabrina Sicari, Alessandra Rizzardi, Daniele Miorandi, and Alberto Coen-Porisini. 2018. A risk assessment methodology for the Internet of Things. Comput. Commun. 129 (Sept. 2018), 67--79.

[168]

Saijda Sorsa. 2018. Protocol Fuzz Testing as a Part of Secure Software Development Life Cycle. Ph.D. Dissertation. Tampere University of Technology. Retrieved from https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/25667/Sorsa.pdf?sequence=3.

[169]

International Organization for Standardization. 2018. ISO/IEC 31000 - Risk Management. IEC. Retrieved from https://www.iso.org/iso-31000-risk-management.html.

[170]

Bernard Stepien and Liam Peyton. 2014. Innovation and evolution in integrated web application testing with TTCN-3. Int. J. Softw. Tools Technol. Transf. 16, 3 (June 2014), 269--283.

Digital Library

[171]

Michael Sutton, Adam Greene, and Pedram Aminir. 2007. Fuzzing—Brute force vulnerability discovery. Addison-Wesley Professional, 1--51.

[172]

Farid Molazem Tabrizi and Karthik Pattabiraman. 2016. Formal security analysis of smart embedded systems. In Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC’16). ACM Press, 1--15.

Digital Library

[173]

Martin Tappler, Bernhard K. Aichernig, and Roderick Bloem. 2017. Model-based testing IoT communication via active automata learning. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST’17). 276--287.

[174]

Emmeline Taylor and Katina Michael. 2016. Smart toys that are the stuff of nightmares. IEEE Technol. Soc. Mag. 35, 1 (Mar. 2016), 8--10.

[175]

Ralf Tonjes, Eike Steffen Reetz, Klaus Moessner, and Payam Barnaghi. 2012. A test-driven approach for life cycle management of Internet of Things enabled services. In Proceedings of the Future Network and Mobile Summit. Retrieved from http://info.ee.surrey.ac.uk/Personal/P.Barnaghi/doc/IoTest-Paper.pdf.

[176]

Petar Tsankov, Mohammad Torabi Dashti, and David Basin. 2012. SECFUZZ—Fuzz-testing security protocols. In Proceedings of the 7th International Workshop on Automation of Software Test (AST’12). IEEE, 1--7.

[177]

Underwriters Laboratories. 2017. UL 2900 Standards Process. Retrieved from https://industries.ul.com/cybersecurity/ul-2900-standards-process.

[178]

Underwriters Laboratories (UL). 2017. Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems. Retrieved from https://standardscatalog.ul.com/standards/en/standard_2900-2-1.

[179]

Margus Valja, Matus Korman, and Robert Lagerstrom. 2017. A study on software vulnerabilities and weaknesses of embedded systems in power networks. In Proceedings of the 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG’17). ACM Press, 47--52.

Digital Library

[180]

VERACODE. 2006. VerAfied Methodology. Retrieved from https://help.veracode.com/reader/kJC1iOtXp8N rCtV8P9jhw/UQa oUCwYhluVREDo4480g.

[181]

Alexandre Vernotte. 2013. Research questions for model-based vulnerability testing of web applications. In Proceedings of the IEEE 6th International Conference on Software Testing, Verification and Validation. IEEE, 505--506.

Digital Library

[182]

Vasaka Visoottiviseth, Phuripat Akarasiriwong, Siravitch Chaiyasart, and Siravit Chotivatunyu. 2017. PENTOS—Penetration testing tool for Internet of Thing devices. In Proceedings of the IEEE Region 10 Conference (TENCON’17). 2279--2284.

[183]

Jeffrey Voas and Phillip A. Laplante. 2018. IoT’s certification quagmire. (Apr. 2018).

[184]

Dong Wang, Xiaosong Zhang, Ting Chen, and Jingwei Li. 2019. Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface.

[185]

Huan Wang, Zhanfang Chen, Jianping Zhao, Xiaoqiang Di, and Dan Liu. 2018. A vulnerability assessment method in industrial Internet of Things based on attack graph and maximum flow. IEEE Access 6 (2018), 8599--8609.

[186]

Zhongru Wang, Yuntao Zhang, Zhihong Tian, Qiang Ruan, Tong Liu, Haichen Wang, Zhehui Liu, Jiayi Lin, Binxing Fang, and Wei Shi. 2019. Automated vulnerability discovery and exploitation in the Internet of Things. Sensors 19, 15 (July 2019).

[187]

Weibull. 2004. Basic concepts of FMEA and FMECA. ([n.d.]). Retrieved from http://www.weibull.com/hotwire/issue46/relbasics46.htm.

[188]

Chanoksuda Wongvises, Assadarat Khurat, Doudou Fall, and Shigeru Kashihara. 2017. Fault tree analysis-based risk quantification of smart homes. In Proceedings of the 2nd International Conference on Information Technology (INCIT’17). IEEE, 1--6.

[189]

Tianshui Wu and Gang Zhao. 2014. A novel risk assessment model for privacy security in Internet of Things. Wuhan Univ. J. Nat. Sci. 19, 5 (Oct. 2014), 398--404.

[190]

Dianxiang Xu, Manghui Tu, Michael Sanford, Lijo Thomas, Daniel Woodraska, and Weifeng Xu. 2012. Automated security test generation with formal threat models. IEEE Trans. Depend. Sec. Comput. 9, 4 (July 2012), 526--540.

Digital Library

[191]

Guangquan Xu, Yan Cao, Yuanyuan Ren, Xiaohong Li, and Zhiyong Feng. 2017. Network security situation awareness based on semantic ontology and user-defined rules for Internet of Things. IEEE Access 5 (2017), 21046--21056.

[192]

Haiyun Xu, Jeroen Heijmans, and Joost Visser. 2013. A practical model for rating software security. In Proceedings of the IEEE 7th International Conference on Software Security and Reliability. IEEE, 231--232.

Digital Library

[193]

S. Yoo and M. Harman. 2012. Regression testing minimization, selection and prioritization: A survey. Softw. Test. Verif. Reliab. 22, 2 (Mar. 2012), 67--120.

[194]

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL—High-throughput greybox fuzzing of IoT firmware via augmented process emulation. 1099--1114. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zheng.

[195]

Changying Zhou and Stefano Ramacciotti. 2011. Common criteria: Its limitations and advice on improvement. ISSA Journal (2011). Retrieved from https://www.difesa.it/SMD_/Staff/Reparti/II/CeVa/Pubblicazioni/Estere/Documents/CommonCriteria_ISSA%20Journal_0411.pdf.

[196]

Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. 1133--1150. Retrieved from https://www.usenix.org/conference/usenixsecurity19/presentation/zhou.

Cited By

Gaurav AArya V(2024)Foundations of CybersecurityMetaverse Security Paradigms10.4018/979-8-3693-3824-7.ch004(77-107)Online publication date: 21-Aug-2024
https://doi.org/10.4018/979-8-3693-3824-7.ch004
Abu-Mahfouz AAlrabaee SKhasawneh MGergely MChoo K(2024)A Deep Learning Approach to Discover Router Firmware VulnerabilitiesIEEE Transactions on Industrial Informatics10.1109/TII.2023.326977420:1(691-702)Online publication date: Jan-2024
https://doi.org/10.1109/TII.2023.3269774
Agbodoh-Falschau RLamzihri OGagnon S(2024)When Misleading Information Hits: How Canadian Companies React?Corporate Reputation Review10.1057/s41299-024-00203-4Online publication date: 26-Oct-2024
https://doi.org/10.1057/s41299-024-00203-4
Show More Cited By

Index Terms

A Survey of Cybersecurity Certification for the Internet of Things
1. General and reference
  1. Document types
    1. Surveys and overviews
2. Security and privacy
  1. Formal methods and theory of security
    1. Security requirements
  2. Systems security
    1. Vulnerability management

Recommendations

Internet of Things security

The Internet of things (IoT) has recently become an important research topic because it integrates various sensors and objects to communicate directly with one another without human intervention. The requirements for the large-scale deployment of the IoT ...
Cyberentity Security in the Internet of Things

A proposed Internet of Things system architecture offers a solution to the broad array of challenges researchers face in terms of general system security, network security, and application security.
Taxonomy and analysis of security protocols for Internet of Things
Abstract
The Internet of Things (IoT) is a system of physical as well as virtual objects (each with networking capabilities incorporated) that are interconnected to exchange and collect information locally or remotely over the Internet. Since ...
Highlights
- We first discuss essential security requirements that are needed to secure IoT environment. We also discuss the threat model and various attacks related to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 53, Issue 6

Invited Tutorial and Regular Papers

November 2021

803 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3441629

Editor:
Albert Zomaya
University of Sydney, Australia

Issue’s Table of Contents

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 December 2020

Accepted: 01 July 2020

Revised: 01 December 2019

Received: 01 July 2019

Published in CSUR Volume 53, Issue 6

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Spanish Ministry of Economy and Competitiveness
Ministry of Education and Professional Training of Spain
European Commission through the SerIoT project
ERDF funds cofinantiation through the PERSEIDES project
CyberSec4Europe

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

38
Total Citations
View Citations
4,772
Total Downloads

Downloads (Last 12 months)919
Downloads (Last 6 weeks)115

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Gaurav AArya V(2024)Foundations of CybersecurityMetaverse Security Paradigms10.4018/979-8-3693-3824-7.ch004(77-107)Online publication date: 21-Aug-2024
https://doi.org/10.4018/979-8-3693-3824-7.ch004
Abu-Mahfouz AAlrabaee SKhasawneh MGergely MChoo K(2024)A Deep Learning Approach to Discover Router Firmware VulnerabilitiesIEEE Transactions on Industrial Informatics10.1109/TII.2023.326977420:1(691-702)Online publication date: Jan-2024
https://doi.org/10.1109/TII.2023.3269774
Agbodoh-Falschau RLamzihri OGagnon S(2024)When Misleading Information Hits: How Canadian Companies React?Corporate Reputation Review10.1057/s41299-024-00203-4Online publication date: 26-Oct-2024
https://doi.org/10.1057/s41299-024-00203-4
Huang ZXu ZWang XXu Z(2024)The analysis of credit governance in the digital economy development under artificial neural networksHeliyon10.1016/j.heliyon.2024.e3928610:20(e39286)Online publication date: Oct-2024
https://doi.org/10.1016/j.heliyon.2024.e39286
Matheu García SSánchez-Cabrera ASchiavone ESkarmeta A(2024)Integrating the manufacturer usage description standard in the modelling of cyber–physical systemsComputer Standards & Interfaces10.1016/j.csi.2023.10377787(103777)Online publication date: Jan-2024
https://doi.org/10.1016/j.csi.2023.103777
Homaei MMogollón-Gutiérrez ÓSancho JÁvila MCaro A(2024)A review of digital twins and their application in cybersecurity based on artificial intelligenceArtificial Intelligence Review10.1007/s10462-024-10805-357:8Online publication date: 10-Jul-2024
https://doi.org/10.1007/s10462-024-10805-3
Abdulghani HCollen ANijdam N(2023)Guidance Framework for Developing IoT-Enabled Systems’ CybersecuritySensors10.3390/s2308417423:8(4174)Online publication date: 21-Apr-2023
https://doi.org/10.3390/s23084174
Rabzelj MJužnič LVolk MKos AKren MSedlar U(2023)Designing and Evaluating a Flexible and Scalable HTTP Honeypot Platform: Architecture, Implementation, and ApplicationsElectronics10.3390/electronics1216348012:16(3480)Online publication date: 17-Aug-2023
https://doi.org/10.3390/electronics12163480
Belani HŠolić PPerković TPleština V(2023)IoT Ontology Development Process for Well-Being, Aging and Health: Challenges and Opportunities2023 8th International Conference on Smart and Sustainable Technologies (SpliTech)10.23919/SpliTech58164.2023.10193435(1-6)Online publication date: 20-Jun-2023
https://doi.org/10.23919/SpliTech58164.2023.10193435
Wang BCui MGao J(2023)Security authentication protocol for Industrial Internet of ThingsProceedings of the 2023 13th International Conference on Communication and Network Security10.1145/3638782.3638818(234-240)Online publication date: 6-Dec-2023
https://dl.acm.org/doi/10.1145/3638782.3638818
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Figures

Tables

Media

View Issue’s Table of Contents