ARES: Automated Risk Estimation in Smart Sensor Environments

Dimitriadis, Athanasios; Flores, José Luis Martínez; Kulvatunyou, Boonserm; Ivezic, Nenad; Mavridis, Ioannis

doi:10.3390/s20164617

Cited by 8 publications

(9 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It is worth noting that CWE is used as a classification mechanism that differentiates CVEs by the type of vulnerability that they represent. A vulnerability will usually have only one associated weakness, and weaknesses can have one or more associated vulnerabilities [ 85 ].…”

Section: Proposed Approachmentioning

confidence: 99%

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Longueira-Romero

Iglesias

Flores

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.

show abstract

Section: Proposed Approachmentioning

confidence: 99%

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Longueira-Romero

Iglesias

Flores

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…The score considers the control effectiveness to determine the residual risk. Through the process the assessor answers specified questions/consideration and can define the arbitrary controls and their effectiveness in the scale of [1][2][3][4][5]. The tool does not focus on identifying technical aspects of the implementations to shed light on privacy risks that can be raised due to actual threat vectors targeting the deployment.…”

Section: The Current Landscape In Pia Framework and Toolsmentioning

confidence: 99%

“…However, this evolution brings several new challenges (or makes existing unsolved challenges urgent to be tackled) with security, interoperability, integrability, and composability being some of the major concerns at both logical extremes of a network. Currently, such challenges are addressed by next-generation approaches including model-based standards, ontology, Business Process Model Life-Cycle Management (BPM LCM), context of business process, and a host of other transport protocols [1][2][3].…”

Section: Introductionmentioning

confidence: 99%

“…Risk assessment targets the identification of threats and of respective risk levels, thus, allowing for the overall risk management to keep cybersecurity risks under an acceptable threshold [4]. According to the Risk Management Framework (RMF) proposed by the National Institute of Standards and Technology (NIST), risk assessment can be performed in three tiers: the organizational; business process; and Information Systems tier [3]. In the era where "service is everything and everything is a service", this risk compartmentalization enables the emerging trend of the intelligent edge computing and the backend information service provider to operate in tandem, so as to provide flexible design choices that best meet business and operational goals.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly

et al. 2021

View full text Add to dashboard Cite

As the upsurge of information and communication technologies has become the foundation of all modern application domains, fueled by the unprecedented amount of data being processed and exchanged, besides security concerns, there are also pressing privacy considerations that come into play. Compounding this issue, there is currently a documented gap between the cybersecurity and privacy risk assessment (RA) avenues, which are treated as distinct management processes and capitalise on rather rigid and make-like approaches. In this paper, we aim to combine the best of both worlds by proposing the APSIA (Automated Privacy and Security Impact Assessment) methodology, which stands for Automated Privacy and Security Impact Assessment. APSIA is powered by the use of interdependency graph models and data processing flows used to create a digital reflection of the cyber-physical environment of an organisation. Along with this model, we present a novel and extensible privacy risk scoring system for quantifying the privacy impact triggered by the identified vulnerabilities of the ICT infrastructure of an organisation. We provide a prototype implementation and demonstrate its applicability and efficacy through a specific case study in the context of a heavily regulated sector (i.e., assistive healthcare domain) where strict security and privacy considerations are not only expected but mandated so as to better showcase the beneficial characteristics of APSIA. Our approach can complement any existing security-based RA tool and provide the means to conduct an enhanced, dynamic and generic assessment as an integral part of an iterative and unified risk assessment process on-the-fly. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that such holistic security and privacy mechanisms can reach their full potential towards solving this conundrum.

show abstract

“…Risk assessment is performed in three tiers: the organizational tier, the business process tier, and the information systems (IS) tier. In [ 6 ], a new approach is proposed for automated risk estimation in smart sensor environments at the IS tier (IS-related risk), called ARES. Organizations can use ARES to identify the assets operating under the business process together with the relevant risks.…”

mentioning

confidence: 99%