Definition of a methodology for the security evaluation of Internet of Things devices

Resum

The development of a cybersecurity certification framework is an ambitious initiative that has generated a high interest worldwide, both in industry and research, as well as standardization and regulatory bodies. While in the United States this initiative is led by the NIST, in Europe, after the approval of the Cybsersecurity Act, ENISA has adopted the role of leading the development of such framework. Different challenges encourage and hinder the development of the certification framework, especially in the context of the Internet of Things (IoT). On the one hand, the wide variety of certification schemes, security standards and devices harden the comparison and establishment of basic security criteria. This is accentuated by the fact that current security certification schemes use subjective metrics that can be interpreted in a different way by experts. Furthermore, the same IoT device can operate in very different contexts that require a different security level, such as health and industry. On the other hand, the large number of attacks, vulnerabilities and threats associated to IoT devices leads to continuous changes in their security level, and could involve frequent updates and patches that affect the security level previously certified. This fact is not taken into account by current security certification schemes, which statically certify a specific version of a device and this is revoked when there is a security change. Therefore, a new and complete certification process is required, with the associated time and monetary costs. These problems stimulated the development of this thesis with the aim of designing a security evaluation methodology for IoT devices. The methodology was designed by combining security risk assessment and security testing for an objective risk evaluation. In a second part, the methodology was instantiated through technologies and mechanisms that allow the automation of the processes, facilitating the re-certification, and therefore, dealing with the high dynamism of IoT environments. Finally, we proposed a mitigation mechanism based on behavioral profiles, so that the attack surface of the IoT device can be reduced. The main purpose of this approach is to bring the results of the evaluation to the operation phase of the device. The implementation of this mechanism has been integrated with the results of the European project H2020 ANASTACIA. Finally, the proposed security evaluation methodology has been validated in several scenarios by considering different protocols. The methodology has been the usual in a computer science research project. The first stages were dedicated to analyze which properties of IoT devices hinder the security evaluation process, and the deficiencies of current security evaluation and certification schemes. This process was crucial for determining the way forward during the design of the security evaluation methodology. The participation in EU initiatives and the analysis of the efforts carried out by the European Commission, ENISA, the industry and the scientific community, has allowed to align the efforts of the thesis with ongoing institutional efforts in security certification. Furthermore, the proposed methodology is based on standards and tools that allow a fast and cost effective re-evaluation. The analysis of the current security evaluation and certification mechanisms revealed their shortcomings, especially those related to the dynamic nature of security. Thus, the instantiation of the methodology was carried out taking into account this fact to allow an efficient and automated security re-evaluation. Although the establishment of a cybersecurity certification framework still requires a joint coordination of all the stakeholders, the IoT security evaluation methodology proposed in this thesis is intended to serve as a basis for future approaches to such certification framework.