ESSecA: An automated expert system for threat modelling and penetration testing for IoT ecosystems

Rak M.; Salzillo G.; Granata D.
2022

Abstract

Despite the growing spread of Internet of Things (IoT) ecosystems, their security assessment is still an open issue. Identifying threats, vulnerabilities, and attacks is a costly and time-consuming process, incompatible with their time-to-market. Undoubtedly, the introduction of automated security assessment techniques would increase the security level of many IoT products, while containing the costs. In this article, we introduce ESSecA, an Expert System for Security Assessment that guides penetration testers during the assessment of IoT systems, in a threat-intelligence-driven perspective. ESSecA bases its analysis on different knowledge-bases, some maintained by MITRE. Starting from the system model, ESSecA produces a Threat Model and a list of Attack Plans for each identified threat. This information can be used by penetration testers to perform a systematic security test of the target IoT infrastructure. We applied the technique to a typical home automation system, the Open Energy Monitor, providing some attack patterns for its security evaluation.
Use this identifier to cite or link to this document: https://hdl.handle.net/11591/464655