net/publication/338361072
All content following this page was uploaded by Christophe Feltus on 28 May 2020.
Abstract—The Internet of Things (IoT) industry is growing rapidly and is becoming progressively more devoted to critical business services. IoT adoption generates two kinds of challenges: cybersecurity risks and privacy concerns. In order to generate a trust environment and provide confidence to IoT business services, LIST will partner with private companies to implement an integrated framework and software tools for assessing and monitoring IoT system's service security and privacy. SPRINT assessment and monitoring foresees (1) an aggregated, publicly available, integrated security and privacy referential database dedicated to IoT services (SPRINT-REF), and (2) IoT service-oriented assessment and monitoring methods based on this referential (SPRINT-METH). Compared to existing approaches, the innovation of SPRINT-METH is that it is service-oriented rather than device-oriented, as well as based on recognized existing professional standards. Finally, the SPRINT toolbox (3) will include two assets: a software web service component aiming to assess the IoT system's service at the time of design, and an IoT Security Operations Centre to monitor IoT security and privacy at run time (SPRINT-TOOL).

Keywords—IoT security, IoT privacy, system's services, system assessment, system monitoring, standard-based.

I. INTRODUCTION

The IoT industry is gradually becoming more dedicated to critical business activities [1], such as smart-cities (smart-mobility, smart-building, etc.), the control of vital signs in healthcare [2], or the monitoring of railway infrastructure. According to Gartner [3], the number of IoT devices will increase to up to 20.6 billion units installed by 2020, with 7.4 billion in business activities (cross-industry and vertical-specific), including thousands of different devices and manufacturers. Gartner also foresees a progression of the IoT investment in professional services from 570 billion dollars in 2016 to 2.071 billion in 2021 [4]. This expansion will cause industry-wide concerns about whether IoT devices can be managed securely and reliably [3]. Accordingly, IoT adoption poses two kinds of challenges for organizations: risks related to security [5] and privacy [6]. For these reasons, developing a new framework (green box of Fig. 1) for monitoring and assessing such sensitive systems with the massive volume of data they generate, and elaborating the corresponding tools to support the latter (blue box), is paramount. Although frameworks for assessing and monitoring the security and privacy of IoT services have already been the focus of numerous research studies [7-10] and proprietary initiatives [11], it is worth noting that these solutions still face the following limitations: (1) they are partially based on IoT standards [12], (2) they mainly address IoT devices but do not concern the IoT-System's Services (IoT-SS) [13], (3) they are not publicly available, and (4) they concern generic IoT environments [7-10] but are not sector specific.

A. Standard based IoT Assessment.

A simplified IoT framework, following [14, 15], may be structured in three layers: the perception layer, which includes the physical devices that sense data and digitalize it for transportation; the network layer, which includes infrastructure protocols; and the application layer, which consists of the user interface enabling access to the data. Based on this three-layer approach, all existing IoT platforms [16] (e.g. AWS (Amazon Web Services) IoT, Azure IoT Suite, Brillo/Weave from Google, etc.) propose their own architecture, which must comply with the standards associated with the different layers. This is however not the case in practice, where existing assessment frameworks [7-10] tend to analyse security and privacy based on requirements mostly gathered from scientific publications or professional guidelines but not directly associated with a portfolio of relevant standards like the GDPR, ISO/IEC 27001 and ISO/IEC 15408. SPRINT-REF will be founded on the integration of this initial list of standards based on the aggregation of security and privacy IoT related metrics.
Fig. 1. SPRINT building blocks