See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/338361072

Towards a Standard-Based Security and Privacy of IoT System's Services

Conference Paper · December 2018

DOI: 10.1109/CSCI46756.2018.00201

CITATIONS READS
0 7

4 authors:

Christophe Feltus Thierry Grandjean

Luxembourg Institute of Science and Technology (LIST) Luxembourg Institute of Science and Technology (LIST)
111 PUBLICATIONS   468 CITATIONS    1 PUBLICATION   0 CITATIONS   

SEE PROFILE SEE PROFILE

Jocelyn Aubert Djamel Khadraoui

Luxembourg Institute of Science and Technology (LIST) Luxembourg Institute of Science and Technology (LIST)
34 PUBLICATIONS   254 CITATIONS    165 PUBLICATIONS   1,112 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

CLOVIS View project

Link-All View project

All content following this page was uploaded by Christophe Feltus on 28 May 2020.

The user has requested enhancement of the downloaded file.

 Towards a Standard-based Security and Privacy of
IoT System’s Services
Christophe Feltus Thierry Grandjean Jocelyn Aubert
IT for Innovative Services (ITIS) IT for Innovative Services (ITIS) IT for Innovative Services (ITIS)
Luxembourg Institute of Science and Luxembourg Institute of Science and Luxembourg Institute of Science and
Technology (LIST) Technology (LIST) Technology (LIST)
Luxembourg Luxembourg Luxembourg
christophe.feltus@list.lu thierry.grandjean@list.lu jocelyn.aubert@list.lu
0000-0002-7182-8185
Djamel Khadraoui
IT for Innovative Services (ITIS)
Luxembourg Institute of Science and
Technology (LIST)
Luxembourg
djamel.khadraoui@list.lu

Abstract— The Internet of Things (IoT) industry increases
rapidly and becomes progressively more devoted to critical
business services. IoT adoption generates two kinds of
challenges: cybersecurity risks and privacy concerns. In order
to generate a trust environment and provide confidence to IoT
business services, LIST will partnered with private companies
to implement an integrated framework and software tools for
assessing and monitoring IoT system’s service security and
privacy. SPRINT assessment and monitoring foresees (1) an
aggregated publicly available security and privacy integrated
referential database dedicated to IoT services (SPRINT-REF),
and (2), an IoT service-oriented assessment and monitoring
methods based on this referential (SPRINT-METH).
Compared to existing approaches, SPRINT-METH innovation
is that it is service-oriented rather than device-oriented, as well
as based recognized existing professional standards. Finally,
the SPRINT toolbox (3) will include two assets: a software web
service component aiming to assess the IoT system’s service at
the time of design, and an IoT Security Operations Centre to
monitor IoT security and privacy at run time (SPRINT-
TOOL).
Keywords—IoT security, IoT privacy, system’s services,
system assessment, system monitoring, standard-based.
I. INTRODUCTION
The IoT industry is gradually becoming more dedicated
to critical business activities [1] like in smart-cities (smart-
mobility, smart-building, etc.), the control of vital signs in
healthcare [2], or the monitoring of railway infrastructure.
According to Gartner [3], the amount of IoT devices will
increase to up to 20.6 billion units installed by 2020 with 7.4
billion in business activities (cross-industry and vertical-
specific) including thousands of different devices and
manufacturers. Gartner also foresees a progression of the IoT
investment in professional services from 570 billion dollars
in 2016 to 2.071 billion in 2021 [4]. This expansion will
cause industry-wide concerns about whether IoT devices can
be managed securely and reliably [3]. Accordingly, IoT
adoption poses two kinds of challenges for organizations:
risks related to security [5] and privacy [6]. For these
reasons, developing a new framework (green box of Fig. 1)
for monitoring and assessing such sensitive systems with the
massive volume of data they generate, and elaborating the
corresponding tools to support the latter (blue box), is
paramount. Although frameworks for assessing and
monitoring the security and privacy of IoT services have
already been the focus of numerous research studies [7-10]
and proprietary initiatives [11]. It is worth noting that these
solutions still face the following limitations: (1) they are
partially based on IoT standards [12], (2) they mainly
address IoT devices but do not concern the IoT-System’s
Services (IoT-SS) [13], (3) they are not publicly available,
and (4) they concern generic IoT environments [7-10] but are
not sector specific.
A. Standard based IoT Assessment.
A simplified IoT framework, following [14, 15], may be
structured in three layers: the perception layer, which
includes the physical devices that sense data and digitalize it
for transportation, the network layer, which includes
infrastructure protocols, and the application layer, which
consists of the user interface enabling access to the data.
Based on this three-layer approach, all existing IoT platforms
[16] (e.g. AWS (Amazon Web Services) IoT, Azure IoT
Suite, Brillo/Weave from Google, etc.) propose their own
architecture, which must comply to the standards associated
with the different layers. This is however not the case in
practice, where existing assessment frameworks [7-10] tend
to analyse security and privacy based on requirements mostly
gathered from scientific publications or professional
guidelines but not directly associated to a portfolio of
relevant standards like the GDPR, ISO/IEC 27001 and
ISO/IEC 15408. SPRINT-REF will be founded on the
integration of this initial list of standards based on the
aggregation of security and privacy IoT related metrics.
Fig. 1. SPRINT building blocks

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

B. IoT system’s service.
Most of the existing approaches focus on IoT devices
exclusively, which rarely consider the security and privacy of
the services provided by IoT system an integrated way (e.g.
IoT sensors on the railway to support predictive
maintenance). In case where there were security and privacy
concerns for unconnected devices, a small error did not bring
down the whole system, however, in a hyper-connected
world (IoT system), an error in one part of the system can
cause disorder throughout [17]. By extension, the chain
reaction of connected IoT services can be disastrous.
SPRINT is the best solution since it will focus on the security
and privacy assessment and monitoring of the IoT system’s
service on the overall chain of IoT related stakeholders
(manufacturers, services providers, final users, data owners,
subcontractors, etc.).
C. Security and privacy in operational IoT services.
IoT related frameworks are exploited in many fields,
such as industry (e.g. manufacturing, retail trade, information
services, finance and insurance [18]), mobility, healthcare,
smart cities, railway, and space. Each of these fields has a set
of sector-specific requirements, which must also be
considered by the IoT security and privacy assessment
framework, e.g.: mobility (ENISA guideline [19-21]),
healthcare (HCISPP [22], HIPAA [23]), railway ([24], or
smart cities (ENISA guideline [20]). In fact, existing
assessment frameworks do not systematically integrate the
above sector-specific security and privacy requirements.
SPRINT foresees the possibility of considering sector-
specific standards during the evaluation of well-determined
IoT system’s services.
Next section presents the research challenges, Sec. III
presents the SPRINT framework, Sec. IV introduces the
related works and Sec. V concludes the paper.
II. R&D CHALLENGES AND SCIENTIFIC METHODS
Two challenges come into sight concerning the design of the
framework:
A. Challenge 1: Collect, aggregate and integrate the
standards relevant for the management of the secure and
the privacy of IoT system’s services
Understanding the types of IoT-SS, the standards that
define them, and how they may be associated with other
services/devices to form a whole ecosystem is complex. In
parallel, understanding the system’s structure is paramount
for designing appropriate security and privacy protection
[26]. In recent years, the portfolio of standards defining those
services has become extremely vast [27]. They range from
generic to sector-specific ones. E.g., ISO/IEC 27001 that
provides best practice recommendations on information
security management, the GDPR (General Data Protection
Regulation - https://ec.europa.eu/commission/priorities/
justice-and-fundamental-rights/ data-protection) that
regulates the data protection and privacy for all individuals
within the EU and the ISO/IEC 15048 providing assurance
that the process of specification, implementation and
evaluation of a computer security product is conducted in a
rigorous, standard and repeatable manner. Aside these
publications, sector-specific standards also potentially apply
like NIST publishing their “Guidelines for Managing the
Security of Mobile Devices in the Enterprise” [12] that
provides a set of general security recommendations [28],
which affect business mobile-device security. These
standards are also very specific and well-focused, or strongly
oriented toward a dedicated application domain (e.g. good
practices and recommendations for intelligent public
transport [19], for smart cities [20] or smart cars [21] from
ENISA, or the functional safety of road vehicles (ISO 26262
standard [16])). In this vast ecosystem where standards are
sometime complementary, sometime competitive, it is
challenging for an IoT provider to grasp the IoT services
anatomy and to reasonably select requirements to comply
with [17]. Accordingly, one first research question arises:
RQ1: Which services constitute an IoT-SS and what is the
exhaustive list of security and privacy requirements, counter
measures, and metrics to be considered to protect this system?
Answering this question requires elaborating a
compendium of IoT services based on a review of the market
and a compendium of related security and privacy
requirements, counter measures, and metrics. To elaborate
the latter, we first analyze the most relevant generic security
and privacy frameworks, to know: GDPR, ISO/IEC 27001
and ISO/IEC 15408 in order to extract and model the generic
security and privacy requirements that most often apply on
IoT-SS. Afterward, we analyze in more detail two specific
business cases related to the railway context in partnership
with a local operator. This analysis allows the formalization
and integration of specific security and privacy requirements
with generic ones from the railway sector.
B. Challenge 2: Operational privacy and security
continuous assessment and monitoring for IoT services
Standalone IoT devices are generally well-known by IT
experts and the service they offer is part of these devices’
specifications. Concerning IoT-SS, these services are
generally more complex and more sophisticated, and the IoT
experts responsible for the security and privacy of these
services generally lack the appropriate assessment methods.
The second challenge thus consists of providing a
methodology to support IoT stakeholders in assessing and
monitoring the security and privacy of the IoT-SS,
considering the compendium of IoT services security and
privacy standards. Alongside this, in order to ensure the
repeatability of the reference method and its adoption by
security and privacy providers, a supporting toolbox is
required. Accordingly, the second research question is:
RQ2: Which method can be used to assess the security
and privacy of the IoT-SS based on the standard in a
repeatable, unequivocal, traceable way, and what toolbox is
required to reliably deploy this method?
Answering RQ2 consists of defining the assessment
method and design a toolbox including a web service
component to support the IoT-SS assessment, at the design
time, and an IoT dedicated SPOC (Security and Privacy
Operations Centre) to monitor IoT business services, at the
run time. Additionally, the IoT SPOC allows new
vulnerabilities and threats in the production environment to
be detected and should be forwarded to the CSIR (Computer
& Security Incident Response Team) afterwards in order to
be integrated into dedicated databases and disseminated to a
wider public.
The research method that we select to design the
framework is design science [29]. Accordingly, the core
assets (i.e. the assessment methodology and the software
toolbox) will be developed following an iterative approach,
alternating steps of development and steps of tests.
Afterwards SPRINT plans to assess and validate the SPRINT
framework and toolbox based on real cases in the railway
sector.
III. SPRINT ASSESSMENT AND MONITORING
FRAMEWORK
A. Result 1: Define a reference method for assessing and
monitoring IoT system’s services (SPRINT-REF and
SPRINT-METH).
SPRINT first objective consists of supporting the IoT
services security and privacy providers in assessing and
monitoring the IoT service ecosystem, based on recognised
professional standards, in a repeatable and unequivocal way,
and by assuring the traceability chain to standards
requirements. Therefore, SPRINT will propose a publically
available referential of IoT services security and privacy
(SPRINT-REF) based on an extensive analysis of generic
IoT standards together with security and privacy standards in
an integrated method (SPRINT-METH).
With the complexity of interconnected IoT systems and the
set of standards dedicated to supporting the security and
privacy these systems, the elaboration of two compendiums
is required: (1) an IoT services compendium, and (2) a
compendium of related security and privacy requirements
(including counter-measures and metrics associated to the
deployment these requirements). The compendium of IoT
service consists of a collection and classification of IoT
reusable services extracted from well-known IoT
frameworks [16], from references relevant at a scientific
level (e.g. [7-10]), and from sectorial case studies. This
compendium aims to grow up and improve according to each
new uses case analysed.
Similarly, the compendium of security and privacy
requirements consists of an exhaustive analysis of the
security and privacy requirements necessary for each of these
IoT services. The latter will focus on the analysis of
dedicated security and privacy standards (mainly: ISO/IEC
27001, ISO/IEC 15408 and GDPR). These compendiums, in
a form of database, constitute the kernel of the proposed
assessment framework. The latter may potentially be
completed with sector-specific requirements such as those
dedicated to the rail freight [24].
In parallel to both compendium, a reference method to assess
and monitor security and privacy aspects related to the IoT-
SS will also be elaborated. This method is expected to be
easily and rapidly exploitable and thus appropriate for the
market. It aims to support the IoT security and privacy
providers in using the compendiums of IoT system’s services
security and privacy requirements, counter-measures and
related metrics. This method will be elaborated using an
iterative approach and is founded on existing but incomplete
approaches like [7-10, 25].
B. Result 2: Develop the support for companies to assess
and monitor IoT-SS 24/7 (SPRINT-TOOL)
The second objective of SPRINT consists (1) in the
elaboration of a web service component to support the IoT
assessment framework, and (2) the elaboration of a specific
IoT SPOC monitoring tool. Fulfilling this objective is
paramount for the project since it constitutes the pillars for
the adoption of the IoT-SS security and privacy assessment
framework by the IoT related stakeholders.
The software component to support the IoT assessment aims
to carry out and automate the assessment of the IoT-SS at
design time (aka security and privacy by design).
Accordingly, this component supports the execution of the
reference method including the specifications from the IoT
service, and the security and privacy requirements
compendiums. This software assists security providers in
generating sound and well-documented assessment reports
and thereby report on satisfaction with the security and
privacy requirements like those from the GDPR, ISO/IEC
27001, and ISO/IEC 15408.
The elaboration of a SPOC is dedicated to carrying out
security and privacy and automating the assessment of the
IoT-SS at run time. Accordingly, this software of incident
management supports the execution of the reference method
in compliance with the specifications from the IoT service,
and the security and privacy requirements compendiums.
This software aims to contribute to supporting IoT providers
in raising the alert about a situation not conforming to the
requirements and in proposing correction measures.
IV. RELATED WORKS
Asset innovation consists in a security and privacy
framework for IoT system’s services deployed in an IoT
assessment web service software and in a monitoring tool.
Few assessment frameworks already exist in the literature.
For instance, [7] proposes a security assessment framework
for IoT services using multi-criteria decision-making
methods, which assess IoT solutions following security
requirements from scientific literature. In the same vein, a
framework for automating the security analysis of IoT is
proposed in [8] to assess security based on a graphic model.
This framework allows discovering attack scenarios,
assessing security using metrics and evaluating the
effectiveness of defence scenarios. A more applied
assessment framework is also proposed by the Global
System Mobile Association [9] in the form of a paper-based
survey. The security and privacy standards against which the
IoT devices are evaluated are limited to the common criteria
[30], NIST publications, and the octave risk assessment
framework [31]. Additionally, more recently the Armour
Project [10] has identified the need to cope with dynamic
systems, dynamic threats, and real users working in real
organisations, and proposed a certification framework of IoT
devices based on the common criteria. Finally, Nominet [32]
proposes a fully tooled solution for the management of the
privacy, but it is not security-oriented and does not offer a
SOC for privacy.
 Although these initiatives tend to build a security
environment for the IoT solutions, they do not propose a
publicly available framework that integrates security and
privacy of IoT services’ systems, based on standards
assessments and considering the sector specificities (Fig. 2).
Fig. 2. SPINT vs. Competitors
Therefore the framework foreseen by SPRINT is new in
Luxembourg, and on the international market, given that it
considers together three scientifically elaborated assets: (1)
the compendium of IoT services and related security and
privacy requirements (SPRINT-REF), (2) the reference
method to assess the level of the compliance of IoT solutions
with relevant standards (SPRINT-METH), and (3) the
toolbox to reliably deploy this method (SPRINT-TOOL).
V. CONCLUSION
The paper presents a security and privacy framework
dedicated to IoT system’s service, based on reference
standards and dedicated to specific sectors. This framework
is composed of IoT security and privacy database
(compendium) and is supported by a monitoring and an
assessment tool. The framework is transferrable to all IT
providers wishing to support and prepare IoT service users in
different sectors in labelling their solutions. Hence, this
labelling appropriation of the reference framework will
contribute to generating new business activities, with the
goal to strengthening the consumer’s trust in, and the wide
acceptance of, IoT-based solutions. Beside this factual
business impact, the IoT security and privacy label (foresee
as an indirect result of SPRINT), empowered by the IoT
services security and privacy reference framework, aims to
confer mechanisms to certify the expertise of the
Luxembourgish and worldwide IoT companies. Accordingly,
the latter will benefit from a recognition of the services
offered and an official endorsement that will contribute to
establishing a trusted environment for themselves, their
customers and their business partners.
REFERENCES
[1] G. Guemkam, C. Feltus, C. Bonhomme, P. Schmitt, D. Khadraoui,
and Z. Guessoum, “Reputation based dynamic responsibility to agent
for critical infrastructure”. In IEEE/WIC/ACM International
Conference on Intelligent Agent Technology, 2011.
[2] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, “Security,
privacy and trust in Internet of Things: The road ahead. Computer
networks”, 76, 2015, pp. 146-164.
View publication stats
[3] F. Troni, “Consider All Cost Elements When Planning for an Internet
of Things Initiative”, July 2015, Gartner ID: G00278428.
[4] https://www.lemondeinformatique.fr/actualites/lire-28-pour-les-
depenses-mondiales-2018-en-securite-de-l-iot-71229.html
[5] C. Feltus, E. Grandry, T. Kupper, and J. N. Colin, “Model-driven
Approach for Privacy Management in Business Ecosystem”. In
MODELSWARD, 2017, pp. 392-400.
[6] E. Grandry, C. Feltus, and E. Dubois, “Conceptual integration of
enterprise architecture management and security risk management”.
In 2013 17th IEEE International Enterprise Distributed Object
Computing Conference Workshops, pp. 114-123, IEEE.
[7] K. C. Park, and D. H. Shin, “Security assessment framework for IoT
service”. Telecommunication Systems, 64(1), 2017, pp. 193-209.
[8] M. Ge, J. B. Hong, W. Guttmann, and D. S. Kim, “A framework for
automating security analysis of the internet of things”. Journal of
Network and Computer Applications, 83, 2017, pp. 12-27.
[9] https://www.gsma.com/iot/iot-security-assessment/
[10] https://www.armour-project.eu/
[11] https://www.threatstack.com/blog/the-internet-of-things-meets-
continuous-security-monitoring-at-ayla-networks/
[12] M. Souppaya, and K. Scarfone, “Guidelines for managing the security
of mobile devices in the enterprise”. NIST 2013, 800, 124.
[13] H. Suo, J. Wan, C. Zou, and J. Liu, “Security in the internet of things:
a review”. In IEEE ICCSEE, 2012, pp. 648-651.
[14] http://internetofthingsagenda.techtarget.com/definition/IoT-device
[15] M. Conti, A. Dehghantanha, K. Franke, and S. Watson. “Internet of
Things security and forensics”, 2018, pp. 544-546.
[16] ISO 26262. Road vehicles – Functional safety. International Standard,
November 2011.
[17] I. Lee, and K. Lee, “The Internet of Things (IoT): Applications,
investments, and challenges for enterprises”. Business Horizons,
58(4), 2015, pp. 431-440.
[18] M. Ammar, G. Russello, and B. Crispo, “Internet of Things: A survey
on the security of IoT frameworks”. JISA 38, 2018, pp. 8-27.
[19] C. Levy-Bencheton, and E. Darra, “Cyber security and resilience of
intelligent public transport: good practices and recommendations”,
ENISA, 2015.
[20] C. Levy-Bencheton, and E. Darra. "Cyber security for Smart Cities -
An architecture model for public transport", ENISA, 2015.
[21] ENISA, “Cyber security and resilience of smart cars - good practices
and recommendations” , 2016.
[22] S. Hernandez, 2Guide to the HCISPP CBK”. CRC Press, 2014.
[23] Centers for Disease Control and Prevention. HIPAA privacy rule and
public health. “Guidance from CDC and the US Department of Health
and Human Services”. MMWR, 52(Suppl. 1), 2013, pp. 1-17.
[24] IEC Electronic Railway Equipment—Train Communication
Network—Part 1: General Architecture, Part 3-1: Multifunction
Vehicle Bus; Switzerland: 2012. IEC 61375-1:2012
[25] H. Abie, and I Balasingham, “Risk-based adaptive security for smart
IoT in eHealth”. 7th Int. Conf. on Body Area Networks, 2012, ICST.
[26] M. Abomhara, and G. M. Køien, “Security and privacy in the Internet
of Things: Current status and open issues”. In PRISMS, 2014
International Conference on (pp. 1-8). May 2014, IEEE.
[27] Z. Sheng, S. Yang, Y. Yu, A. Vasilakos, J. Mccann, and K. Leung,
“A survey on the ietf protocol suite for the internet of things:
Standards, challenges, and opportunities”. IEEE, 20(6), 2013.
[28] Joint task force – Transformation initiative, "Security and privacy
controls for federal information systems and organisations." NIST
Special Publication 800, no. 53, 2013, pp. 8-13.
[29] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee, “A
design science research methodology for information systems
research”. JMIS, 24(3), 2007, pp. 45-77.
[30] ISO/IEC_JTC1/SC27, Information technology — Security techniques
— Evaluation criteria for IT security, ISO/IEC 15408:2005. 2005.
[31] https://www.enisa.europa.eu/topics/threat-risk-management/risk-
management/current-risk/risk-management-inventory/rm-ra-
methods/m_octave.html
[32] https://www.nominet.uk/privacy/