Comprehensive Review of Security Requirements for Mitigating Threats and Attacks on IoT Assets

Aftab Alam Janisar - Department of Computer and Information Science, Universiti Teknologi Petronas, Seri Iskandar, Perak, Malaysia
Khairul Shafee bin Kalid - Department of Computer and Information Science, Universiti Teknologi Petronas, Seri Iskandar, Perak, Malaysia
Aliza Bt Sarlan - Department of Computer and Information Science, Universiti Teknologi Petronas, Seri Iskandar, Perak, Malaysia
M. Aqeel Iqbal - Department of Software Engineering, Faculty of Engineering & Information Technology, Foundation University Islamabad, Pakistan
Muhammad Amir Khan - School of Computing Sciences, College of Computing, Informatics and Mathematics, Universiti Teknologi MARA, Selangor, Malaysia


DOI: http://dx.doi.org/10.62527/joiv.8.3-2.3084

Abstract


Machine learning and artificial intelligence are increasingly being used to automate the identification and definition of security requirements (SR) and to address diverse IoT security issues. The IoT environment is extensive, and IoT-focused cyberattacks have the largest attack surface. IoT security requirements include data confidentiality, integrity, authentication, access control, and privacy. Inadequate emphasis on assessing security requirements leads to attacks and threats. To address the security issues that threaten the IoT environment, additional security measures are required to protect IoT-based applications from threats and other vulnerabilities. However, the absence of security requirement assessment in IoT system architecture jeopardizes security, exposing the system to vulnerabilities and putting organizational assets and reputation at risk, while also escalating the cost and time required to address security issues. This study identifies the major threats and attacks relevant to the assets of IoT security requirements. To systematically identify, analyze, and address potential security threats and attacks related to IoT assets, this research proposes a three-step methodology: (1) analysis of the IoT security requirements, (2) identification of threats and attacks in IoT, and (3) IoT asset-centric security threats and attacks. An illustrative example of IoT asset security is provided to highlight potential attacks and threats relevant to IoT assets. This approach offers a practical and clear foundation for the early identification of IoT security requirements and their seamless integration into requirements engineering (RE) activities, contributing to a more secure and resilient IoT system architecture.

Keywords


Security threats; security attacks; assets; security vulnerabilities; requirement engineering; security requirements; IoT.
