Development of a Risk Assessment Methodology for (I)IoT Devices
We first surveyed existing work on risk assessment for (I)IoT, then synthesized it into our own methodology. The main background sources we have identified are:
- NIST Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products
- NIST Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
- NIST IoT Device Cybersecurity Capability Core Baseline
- NIST Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline
- The OWASP Top 10 Internet of Things risks
- European Cyber Security Organisation (ECSO) Technical Paper on Internet of Things (IoT), based on the activities of WG6, in which SINTEF participates.
- ETSI EG 203 251: Methods for Testing & Specification; Risk-based Security Assessment and Testing Methodologies.
- ENISA Hardware Threat Landscape and Good Practice Guide
- ENISA Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures
The novelty of our work is that it weighs both the used and the unused capabilities of an (I)IoT device (a debug port, radio or network service that the product does not need is still attack surface as long as it is enabled) together with the resources an attacker needs to exploit each capability. This enables cost-effective risk assessments based on device specifications and our reference data, without requiring a physical sample of every device.
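As an added illustration of this idea (not SINTEF's methodology, scale or reference data; the device inventory, resource levels and weights below are constructed assumptions), the following Python scores a device from its specification: every enabled capability carries an assumed impact and the attacker resources needed to reach it, and an unused capability counts fully until it is disabled, which is the cheapest mitigation the assessment can recommend.

```python
"""Illustrative capability-based exposure scoring for an (I)IoT device.

Added example: the device inventory, the resource scale and the weights are
constructed assumptions for illustration, not SINTEF's methodology or
reference data.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Resources(IntEnum):
    """Attacker resources needed to reach a capability; higher = cheaper attack (assumed scale)."""
    PHYSICAL_LAB = 1      # physical access plus lab equipment (glitcher, CT scanner)
    PHYSICAL_CHEAP = 2    # physical access plus commodity tools (USB-UART adapter)
    LOCAL_NETWORK = 3     # presence on the same LAN or within radio range
    REMOTE = 4            # reachable over the Internet, no special tooling


@dataclass(frozen=True)
class Capability:
    name: str
    resources: Resources
    impact: int            # assumed consequence if abused, 1 (low) .. 5 (high)
    used: bool             # required for the product's intended function
    enabled: bool = True   # active in the shipped configuration


def exposure(cap: Capability) -> int:
    """Exposure of one capability: impact weighted by how cheap it is to reach.
    A capability that is not enabled contributes nothing, used or not."""
    return cap.impact * int(cap.resources) if cap.enabled else 0


def total_exposure(caps) -> int:
    return sum(exposure(c) for c in caps)


def unused_exposure(caps) -> int:
    """Share of the exposure that comes from capabilities the product does not need."""
    return sum(exposure(c) for c in caps if not c.used)


def rank(caps):
    """Capabilities with a recommendation, most exposed first (ties broken by name)."""
    rows = []
    for c in caps:
        if not c.enabled:
            advice = "disabled in shipped config: no exposure"
        elif c.used:
            advice = "needed: keep, but harden (auth, updates, encryption)"
        else:
            advice = "unused but enabled: disable or fuse off"
        rows.append((c.name, exposure(c), advice))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def disable_unused(caps):
    """The hardened configuration: every capability the product does not need is turned off."""
    return [replace(c, enabled=False) if not c.used else c for c in caps]


# Constructed specification of a hypothetical industrial gateway (not a real product).
GATEWAY = [
    Capability("HTTPS management UI", Resources.LOCAL_NETWORK, impact=5, used=True),
    Capability("Modbus/TCP to PLC",   Resources.LOCAL_NETWORK, impact=5, used=True),
    Capability("Telnet service",      Resources.LOCAL_NETWORK, impact=5, used=False),
    Capability("BLE provisioning",    Resources.LOCAL_NETWORK, impact=3, used=False),
    Capability("UART console",        Resources.PHYSICAL_CHEAP, impact=4, used=False),
    Capability("JTAG",                Resources.PHYSICAL_CHEAP, impact=5, used=False),
]

if __name__ == "__main__":
    for name, score, advice in rank(GATEWAY):
        print(f"{score:3d}  {name:22s} {advice}")
    print("total exposure:", total_exposure(GATEWAY))
    print("from unused capabilities:", unused_exposure(GATEWAY))
    print("after disabling unused:", total_exposure(disable_unused(GATEWAY)))
```

For the constructed gateway, more than half of the exposure (42 of 72) comes from capabilities the product does not need, and disabling them brings the score to 30 without touching the functions the product actually relies on. The resource scale is deliberately coarse: the point of the model is that a Telnet daemon left on by default is ranked alongside the management interface, whereas a JTAG port that needs physical access and tooling ranks lower but still does not disappear until it is fused off.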
(I)IoT Device Security: Security Testing and Development
The focus of this activity was to extend the capabilities of our lab and our own knowledge of hardware security. We have therefore acquired additional equipment, such as a ChipWhisperer (for side-channel analysis and fault injection) and several development boards. Over the year, we performed security testing on partners' IoT devices and gave them actionable advice on how to improve the security of their digital solutions. Often, a small improvement makes a big difference to IoT security.
A second focus was to explore ICS security, and in particular how virtualization can be used to study the security of ICS environments. As part of this, we discussed with NTNU how to strengthen our collaboration on this topic in 2023.
SINTEF is a large organization, with research groups working in many domains, and consequently with many laboratories holding advanced equipment. A further goal this year was to see how equipment used in other domains could be applied to security research. For instance, we now have access to an advanced CT scanner, which we can use for non-intrusive reverse engineering of IoT devices (imaging boards and packaged chips without desoldering or decapsulating them).