Cyber Risk in IoT Systems
Cyber Risk in IoT Systems
Cyber Risk in IoT Systems
net/publication/331867864
CITATIONS READS
3 1,691
6 authors, including:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Petar Radanliev on 02 April 2019.
a
Department, University, City, Country; bDepartment, University, City, Country
a
Oxford e-Research Centre, Department of Engineering Sciences, University of Oxford,
UK, petar.radanliev@oerc.ox.ac.uk, david.deroure@oerc.ox.ac.uk; bWMG Cyber
Security Centre, University of Warwick, carsten.maple@warwick.ac.uk; cSchool of
Computing, University of Kent, UK, j.r.c.nurse@kent.ac.uk; dImperial College London,
UK, r.nicolescu@imperial.ac.uk; eSTEaPP, Faculty of Engineering Science, University
College London, u.ani@ucl.ac.uk
Funding: This research was funded by the UK EPSRC with project [grant number
EP/N02334X/1 and EP/N023013/1] and by the Cisco Research Centre [grant number 2017-
169701 (3696)].
Acknowledgments: Sincere gratitude to the Fulbright Commission for supporting this project
with the Fulbright Visiting Fellowship at MIT and the University of North Carolina.
Keywords: cyber risk; Internet of Things; cyber risk impact assessment; cyber
risk estimation; cyber risk insurance
The Internet of Things (IoT) represents the idea of networked objects communicating
their data which can be controlled across other objects, systems and servers.
unconscious actions from one IoT agent or device to another IoT agent or device. This
differentiates the IoT from the Internet, the automation and the reduction of human
input, which is a requirement for the Internet to function. The development of IoT has
given us opportunities for social and economic interaction in a wide number of areas
such as supply chain management, social media, medicine and energy consumption (for
example, smart health devices). IoT provides advanced connectivity that goes beyond
domains, and applications. All of this is very exciting, but with new technologies comes
new types of risks, and current risk assessment and risk management methods haven’t
Risk is all around us, and governments, businesses and individuals engage in risk-based
decisions countless times every day. Risk can generally be regarded as the potential for
some event to occur, be it positive or negative. For example, let’s consider an individual
risk like drinking alcohol; we know the negative medical effects and the associated cost
to the NHS alcohol consumption has, yet it is considered by many as a positive social
event and people continue drinking despite the risks to their health. If we think about
businesses, they face strategic, compliance, operational, financial and reputational risks
on a regular basis, all of which could affect their profitability or ability to function.
However, this paper is about the IoT and currently, many businesses are looking to
adopt new forms of technology (such as the IoT, Blockchain and Artificial Intelligence)
to increase the efficiency and effectiveness of their services. This opens them up to the
risks that come along with these technologies. While these technologies have the
potential to improve their productivity, there is also the potential for the business to be
exposed to a series of technical, ethical, security and privacy risks – it is these aspects of
To properly understand risk, and by extension risk in the IoT, we need to consider its
main components. An organisation’s assets form the basis for risk. By assets, we mean
they have developed, or it could be data or information about their customers. From
this, we can see that there are many different types of asset, and that the harm or
damage to an asset will come in different forms - how this damage or harm could
happen can occur in different ways, and we call these threats. Threats are those actions
that target assets to cause some negative result (for example, remember the ransomware
attacks on the NHS in 2017?); threat events will also have some likelihood or
probability of success. Therefore, we think that risk is the probability that a threat event
will occur and result in negative impact on or harm of an asset. An IoT-based example
like a company laptop or a smart phone, which then causes several IoT sensors to be
production line. While there are many application domains for the IoT, such as
Connected and Autonomous Vehicles, Health and Well-being, Industry 4.0 and Smart
Grid, for organisations to consider cyber security risk solely in the context of their
particular domain would give misinformed results, since the IoT is an ecosystem with
platforms and services shared by different application domains [1]. In the following
table, we explore the main cyber risks that many businesses face. We use the term
‘cyber risk’ in line with the Institute for Risk Management definition of:
“Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of
https://www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk/
Understanding what is meant by risk is only the first step when we are considering the
potential risks in IoT. The next step is to be able to assess the risk, which involves the
tasks of; Identifying (or defining) the risk this is the action of developing a clear
understanding of what organisational IoT assets are targeted by which threats, and what
Estimating the risk; this step aims to measure the IoT risk based on the likelihood of the
threat occurring and the impact on the organisation’s IoT infrastructure if it does occur.
These measures can be qualitative (e.g., ratings using the levels, high, medium and low)
the risk; once we have a list of the risks and each one has been estimated, the next step
is to prioritise the risks. This essentially provides a ranking of the risks based on their
estimated levels. We consider these three steps as the best process of IoT risk
assessment. Figure 1, below, sets this out, and also demonstrates that this is a
1
See https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-
explained-what-they-are-how-they-work-whats-at-risk.html for a further discussion of
Spectre and Meltdown.
Figure 1: The risk assessment process
Risk management builds on the risk assessment process described above. While risk
management techniques are well developed and used in a variety of areas, there remains
a significant challenge in managing risk in certain application domains. There are four
• IoT risk mitigation – this involves either reducing the likelihood of the risk
happening or reducing the impact of the risk. In IoT risk management, this
• IoT risk transfer – this involves outsourcing the risk to a third-party. In this
• IoT risk avoidance – this involves removing the risk. An example would be to
remove the IoT asset where the risk has originated; and
• IoT risk acceptance – this involves accepting the risk as it stands, due to either
the risk falling within the organisational risk appetite or the aggregated risk
The type of treatment selected for each risk is based on its estimated level, the costs
associated with the treatment, and the organisation’s overall tolerance for risk [3]. In the
IoT, these factors are constantly changing and therefore, form one of the unique
data. This technology creates serious safety risks and ethical concerns. For example,
IoT devices can outlive humans, so the questions arises; who owns the data on an IoT
device if and when the owner dies? Another example might be where smart meter
information can be used to see when householders are at home; or if an autonomous car
is on a collision course, does it protect the driver or the pedestrian, or a child in the car
or child on the road? While the ethical questions triggered by the IoT are intriguing,
currently we only have philosophical debates with no real answers, and as stated
previously, the focus of this book is the economic impact of IoT cyber risk. In this and
following sections, we discuss the related IoT risk assessment approaches that have
been used to date, and discuss how we think these approaches can be adapted to assess
One of the main difficulties of the IoT is that it is developing at a faster rate than other
technologies, and governments have not been able to catch up with standards and
security regulations. We found that there are, currently, no risk assessment standards to
govern companies in assessing the new types of risk before implementing IoT
technologies and solutions [5].In the present climate, given the lack of unified global
standards and regulations, businesses are pursuing economic profits from IoT solutions,
but when it gets to understanding the risk to their operations, businesses are often just
As part of our research, we did an analysis of the existing cyber risk assessment
today apply qualitative approaches to measuring cyber risk (e.g. OCTAVE, TARA,
NIST). Quantitative approaches are mostly present in the cyber security models (e.g.
Risk Lens).
3.2 Defining new IoT Risk Assessment approach with Dependency Modelling
Given the diversity of cyber risk assessment approaches, to develop a unified cyber risk
assessment approach for IoT risk, we need to start looking at the dependencies. To
Interactions within IoT can be seen as complex, tightly coupled relationship structures
amongst the systems, sub-systems and components. The proper functioning of one or
more sub-systems rely to some degree upon another system’s proper functionality(ies).
Therefore, there is a dependency relationship between them that can either be direct (a
first order) or indirect (a higher order) [20]. For example, normal functions for
components and services on the application layer (that is, the front end of the IoT
architecture, which may be the user interface that displays received information to the
user) of the IoT typically depend on the normal functioning of transmission of data (the
network layer), and the perception layer (which perceives the physical properties of
things). If a service on a perception layer is impaired, it can affect the functioning of the
connected service on the network or application layers. This suggests an entire risk
landscape that is not about the failure of one specific IoT component, but the failure of
they depend on. This dependency amongst IoT sub-systems can also cause impacts or
failures to cascade from one affected system or component onto another; aggravating
Risk management is a separate process that follows on from risk assessment and is
eventually risk acceptance. In the following section, we give an overview of the steps
involved in incident response and recovery. We end this section with a discussion of
cyber insurance, which represents a method for risk transference for companies.
Incidence response and recovery (IR&R) for IoT typically adopts similar approaches
already common to digital and computing systems. Key phases of an incident response
and recovery procedure for IoT systems include planning, detection, analysis and
The Planning phase, or Incident Response (IR) Preparation, involves activities that work
to make sure that IoT-User organisations are in a state of readiness for the prompt
(3) Forensic evidence management in line with relevant security guidelines and
practices;
(4) Awareness and response strategies to common security threats such as Denial of
insider threat, exploit kits, information leakage, and identity theft [13], [22].
However, the scope and number of questions that need consideration and answers have
only increased in the process of planning for an effective response to IoT security
incidents compared to traditional IT systems. For example, let’s think about a self-
driving vehicle that crashes and kills a pedestrian. The car relies on radar sensors to
detect obstacles, which evidently can fail, resulting in a crash. This is a complex human-
good solution path would include viewing IoT incident response considering the
mission process of the IoT devices and system. This can support understanding of how
malicious actors might exploit the normal infrastructure (device or system) functionality
failures and impacts to hide malicious actions. Greater understanding can be achieved
through ensuring that security experts responsible for securing the operations of IoT
systems clearly understand the threat models that drive the systems [23]. Security
experts also need to be conscious and responsive to the dynamic states of the security
The primary aim of incidence response is to discover and stop security threats and their
frameworks that can be adapted for IoT [5], [24]. While it may not be feasible to
prevent all security compromises in IoT, effective response and management of threats
are needed, which must be built on well-structured and holistic incidence response plans
and procedures.
the beginning of what is considered a ‘threat’ in an IoT system for which critical
devices, as well as from supporting cloud service providers [23], [25]. IoT
devices use trusted credentials for exchanges which when compromised can
result in significant vertical and horizontal impacts across the system. Only
complex monitoring as described above can provide timely visibility necessary
of information [13].
handle the complexities involved in the IoT, where massive numbers of nodes
and millions of data are involved, hence the need for newer more tailored IoT-
centric systems.
or method for handling future incidents; again, traditional systems struggle and
IoT-specific digital forensic and incident response tools are necessary. In the
specific perspectives. Using effective threat intelligence tools and processes that
relate to the IoT application sector is a good place to start, as threat indicators
and protective patterns are often shared and made available on threat intelligence
isac.org/blog/home/about/).
From these, further analysis can be explored evaluating the scope of compromise,
recognition of the potential for attacks to employ anonymity and other anti-forensic
capabilities characterised in the IoT domain, is required. Since IoT systems are data
availability are also crucial. This can be complemented with IoT devices and
gateway forensic analysis to provide acceptable proof of the breach of IoT devices
and systems.
activities do not happen translate to incidents in IoT systems, not least of all
processes within the system. What is key, is that affected devices, services, or
• The Eradication phase leads on from the containment phase and focuses on the
long-term removal of threats, and ensures that the system is no longer vulnerable
to the threat. Typical activities in this phase include policy updates and
evaluating whether existing security policies can sufficiently address any threats
that have been identified; if not, security policy upgrades need to be adopted and
approaches for security patching that would provide the necessary security
actor in a network. The IoT can benefit from gateway devices that support the
alerting an active attacker on the network. In this way, the attacker’s actions and
activities can be observed and studied in great detail to inform decisions for
• The Recovery phase is the process of restoring the system to normal working
order. Typical actions may include restoring systems using backups, system re-
way that it does not cause significant delays or disruptions for the normal
from breaches, and reporting these lessons in a structured way that helps to form
reflective meetings that bring together both senior executives and technical
experts [7], [19]. In the reflective reviews, privacy checks, root cause analysis,
system. Using root cause analysis, organisations can easily understand the
failure of their security and determine how to strengthen the weaknesses as well
poor the response went and why, and what a better response may look like in the
future [5]. Overall, lessons learned should be evaluated and amended as required
including the incident response plan, the network access control (NAC) plan,
IoT brings inherent cyber risks that span multiple functional sectors with varied degrees
of dependencies. Further, IoT systems often operate on platforms that cut across
geographical boundaries for which appropriate cyber incident response and recovery
plans and strategies are required. Collaborative Incident Response and Recovery
(IR&R) utilises shared threat intelligence and should evolve based upon this
intelligence. This is required since the security risk landscape is continually evolving so
that an incident response plan which was appropriate yesterday might not be today; a
plan that seems effective today could also be ineffective tomorrow. Effective IR&R
incidents in a way that fosters cooperation through the exchange and sharing of
Such an approach should enable both proactive and reactive capacities, and also enforce
and assure trust and privacy among IoT infrastructures, and cooperating organisations.
management operation. IoT technologies are booming and we can observe cyber risks
accountability and liability. In consequence, cyber insurance has often been investigated
as a possible market-based solution to the problems of cyber security [4]. However, the
cyber insurance market faces challenges in its ability to measure and assess risks and to
design and manage cyber risks efficiently. Some of the major problems cyber insurers
face is the lack of historical data on risks, a lack of claims data, the volatility of the
rather immature IoT technology and markets and the increased scope for cyber security
risks. Looking at the broader perspective, governments and the insurance industry are
The current model of cyber insurance works as a risk mitigation tool and covers the
costs of losses caused by human malicious activity or natural disasters. In this context,
many of the problems in the banking and financial sector and their failures of the past
decade can be directly tied to model failure or overly optimistic judgments in the setting
of assumptions or the parameterisation of a model [1]. Now, a new public policy has
emerged in which insurance companies act as clearing houses for information, integrate
businesses seeking liability coverage [29]. For example, new and traditional insurers
such as software or networking companies. However, recent research shows that this
view of cyber insurance as a delegated policy tool has limitations in producing the
anticipated coordination benefits and indeed may erode the aggregate level of security
It should be recognised that the IoT represents a huge opportunity for insurers to
harness and understand the right kind of data at the right time. IoT can thus represent a
part of the solution to improved coverage and liability of non-tangible digital assets and
to the dynamic nature of cyber-attacks. IoT can provide a part of response to the general
agreement that there is simply not enough data to actually understand the risks and also
reduce the resource allocation problems arising from incomplete information regarding
parties’ actions (moral hazard) and characteristics (adverse selection). However, the
analysis and correlation of large IoT data sources and the use of new digital forensics
and methods might not be enough sometimes. For example, despite the fact that
algorithms used to calculate cyber-risk metrics can analyse and correlate vast amounts
of data, the methodologies that inform actuarial models may still struggle to make sense
of, and integrate, the real-time information that is available from IoT devices.
Over-reliance on modelling in cyber insurance can also conceal insidious and difficult
to detect processes [5], [26], such as in case of the ‘normalization of deviance [4]. The
context, IoT can help by making use data to increase transparency and predictability of
and improve the assumptions that these models are based on. The constant inspection of
granular IoT data and the possibility of sharing aggregates of IoT data and to increase
transparency between parties can help insurers and re-insurers to understand strict
liability and its sharing across parties across complex ecosystems. Parties can
collaborate to prevent risks cascading and to investigate possible “black swan” events
(an event that is unprecedented and unpredicted, but on reflection, was bound to
happen) in relation to the use of digital devices, which are likely to increase in number,
at least in the short term. Formal methods for trustworthiness assessment may then help
inform insurance models for complex IoT ecosystems. Such developments would
temper the proliferation of false beliefs due to over-reliance on the ‘accuracy’ of the
outputs from computing models, which can lend an apparent objectivity to the results
From a risk management point of view, one important question is; what architectural
manufacturing floors and other production activities where only a few people normally
associate with IT. The boundaries between IT systems and manufacturing may not be so
obvious. This represents a particular challenge as, in spite of new investments in IoT
and broad concerns with cyber risks, the manufacturing industry as a whole is still
vulnerability that IoT solutions currently have in relation to cyber-attacks and the
capability of such solutions to establish and maintain different sorts of rights, such as
the right to privacy. The relatively recent DDoS attacks that exploited simple but poorly
secured IoT end devices, such as baby monitors with immutable default passwords,
show that – on the one hand – the model of low-cost, low-security IoT solutions is not
sustainable and that – on the other hand – organisations and individuals need to protect
From a public policy point of view, it has been argued that insurers became ‘de facto
Indeed, there has been research trying to understand the link between security controls
and cyber insurance proposal forms [28]. In this context, IoT can help shape public
policies that are beneficial for the insurance sector and the society at large. For example,
compliance with both national and international industry standards as well as internal
policies. The challenges facing organisations in standards compliance for IoT systems
are significant [6] However, insurers can design dynamic insurance policies that would
not only reflect the changes in behaviour and characteristics of businesses and the
contexts in which they operate, but will also allow the creation of insured ecosystems
transferred between businesses and insurers (or re-insurers) in near real time, e.g. by
using smart contracts. These measures can improve some of the current challenges in
cyber risk and also contribute to the improvement of existing regulation, public policies
Current developments in the IoT ecosystems allow innovative ways to design cyber
• mitigate risk management and facilitate new developments in this area, such as
risk engineering;
reduce risks;
• investigate the use of Smart Contracts to manage cyber risks within the insured
environment.
5 Conclusion
The design of a holistic model for IoT risk assessment and risk management remains a
challenge. To design such a model, research should focus on: IoT economic impact, IoT
machine ethics, IoT sensor networks, IoT safety, IoT cyber security and IoT equipment
combined. Interdisciplinary research such as this would benefit smart city design,
intelligent transport design, smart grid design and individual industries and services
(e.g. commercial and industrial IoT equipment), by bridging gaps between cyber risk
In this paper we have given you an overview of the current research on quantification of
IoT cyber risk, with specific new models on this topic, such as the dependency
modelling and cyber risk mitigation and transference strategies (e.g. cyber risk
insurance). We refer to a number of models and risk assessment articles and technical
publications that have emerged recently in the research literature. We believe that this
research is useful and important, since currently there are no specific standards to
govern the assessment of IoT cyber risk. So, we hope that this paper helps more people
to understand and consider the many issues around risk in IoT systems and ultimately,
that it can make a contribution to the design of a holistic approach to IoT risk
assessment.
6 References
[1] C. Maple, “Security and privacy in the internet of things,” J. Cyber Policy, vol. 2,
you can’t understand it, you can’t properly assess it!’: The reality of assessing
the future developments in IoT risk analysis and IoT cyber insurance,” in Living
in the Internet of Things: Cybersecurity of the IoT - 2018, 2018, vol. 2018, no.
and P. Burnap, “Future developments in cyber risk assessment for the internet of
visualising and mitigating cyber risk from IoT technologies,” Oxford, 2019.
“The Industrial Internet-of-Things in the Industry 4.0 supply chains of small and
the risk from the IoT to the digital economy,” Oxford, 2019.
[11] P. Radanliev, D. C. De Roure, J. R. C. Nurse, P. Burnap, E. Anthi, U. Ani, L.
the supply chain – discussion on supply chains decision support system for the
principles for cyber risk impact assessment from Internet of Things (IoT),”
Oxford, 2019.
839–850.
Formulation,” Int. J. Supply Chain Manag., vol. 4, no. 2, pp. 62–67, Jun. 2015.
and integration design based on practice and theory in the North Wales slate
Green-field Supply Chain Integration,” Oper. Supply Chain Manag. An Int. J.,
“Supply Chain Design for the Industrial Internet of Things and the Industry 4.0,”
Oxford, 2019.
Distributed Interdependent Systems,” IEEE Comput., vol. 50, no. 4, pp. 72–79,
2017.
[23] B. Russell and D. Van Duren, Practical internet of things security : a practical,
indispensable security guide that will navigate you through the complex realm of
[24] L. Taylor, P., Allpress, S., Carr, M., Lupu, E., Norton, J., Smith, H. Blackstock,
J., Boyes, H., Hudson-Smith, A., Brass, I., Chizari, D. Cooper, R., Coulton, P.,
Craggs, B.,Davies, N., De Roure, B. Elsden, M., Huth, M., Lindley, J., Maple,
C., Mittelstadt, A. Nicolescu, R., Nurse, J., Procter, R., Radanliev, P., Rashid, R.
Sgandurra, D., Skatova, A., Taddeo, M., Tanczer, L., Vieira-Steiner, T. Watson,
J.D.M., Wachter, S., Wakenshaw, S., Carvalho, G., and P. S. R.J., Westbury,
2018.
for integrating the Industrial Internet of Things in the Industry 4.0,” Oxford,
2019.
[27] R. Nicolescu, M. Huth, P. Radanliev, and D. De Roure, “State of The Art in IoT -
security controls in cyber insurance proposal forms,” J. Internet Serv. Appl., vol.
[29] L. Allodi and F. Massacci, “Security Events and Vulnerability Data for
Cybersecurity Risk Estimation,” Risk Anal., vol. 37, no. 8, pp. 1606–1627, Aug.
2017.
Models and Approaches for Building Design Principles for the Internet-of-things