AI security and cyber risk in IoT systems – Frontiers

The Evolving Threat Landscape of AI-Powered IoT Ecosystems

The merging of Artificial Intelligence (AI) with Internet of Things (IoT) technology brings about a new era in cyber risk. This is marked by a complex interweaving of sophisticated threats that require an equally advanced approach to manage and mitigate them. This article delves into specific, technologically advanced examples that highlight the unique cyber risks brought about by AI in IoT environments, drawing from the foundational concepts in “Cyber Risk in IoT Systems.”

One of the challenges posed by the use of AI in IoT is autonomous decision-making, which can amplify cyber risk. For example, AI-driven IoT devices in smart cities could autonomously manage traffic flow based on real-time data. However, a compromised AI algorithm could create chaotic traffic patterns, causing widespread disruption. Data integrity is vital in AI-IoT systems, and data manipulation poses a risk. For instance, in healthcare IoT devices, AI algorithms process patient data for predictive diagnostics. The AI’s predictive outcomes could be dangerously inaccurate if these data streams are manipulated—say through a man-in-the-middle attack intercepting and altering data from IoT health monitors. Similarly, AI model poisoning, where the AI’s learning inputs are subtly tainted, could lead to erroneous learning, echoing the data integrity and manipulation concerns highlighted in the article.

Integrating AI into IoT brings unique AI-specific risks, such as adversarial machine learning. For example, in a network of interconnected smart home devices, an adversary could manipulate input data to an AI-powered security camera, causing it to misidentify or overlook intrusions. These AI-specific threats necessitate a novel approach to cybersecurity, diverging from traditional risk management strategies.

Addressing these enhanced risks requires a multifaceted and advanced approach. There is a need for risk assessment frameworks that specifically account for AI components in IoT ecosystems. This would involve understanding not only physical and data flow dependencies but also the AI algorithmic dependencies. Leveraging AI’s capabilities for security in IoT networks presents a proactive defense mechanism. However, the implementation of such AI-driven security measures must be carefully managed to ensure they do not introduce new vulnerabilities.

The integration of AI into IoT amplifies the need for comprehensive regulatory and ethical frameworks, addressing not only data privacy and security concerns but also the ethical implications of AI decisions, particularly in areas where these decisions impact human safety. Given the complexity of AI in IoT, collaboration across disciplines is essential. Cybersecurity experts, AI researchers, IoT developers, and policymakers must work together to create advanced and resilient cybersecurity solutions that address the unique challenges posed by the AI-IoT convergence.

In conclusion, the combination of AI and IoT presents a complex array of cyber risks that require advanced, specific, and comprehensive management strategies. Future research and practical approaches should focus on developing sophisticated AI-resilient security frameworks, enhancing regulatory standards, and promoting interdisciplinary collaborations, thus ensuring the secure advancement of AI within IoT systems.

The Challenges of IoT Cyber Risk Assessment

The distributed ownership and control of IoT systems is considered the one factor contributing to the number of zero-day exploits exacerbated by IoT (Meakins, 2019). Although there are many different cybersecurity approaches, they seem insufficient or not targeted at the right areas. This leads to a lack of security that creates unnecessary difficulty for IoT-connected producers and customers. The growth of the IoT market could increase significantly if policymakers have the methodology to assess, predict, analyze, and address the risks of IoT-related cyber-attacks in the communications network. Without the appropriate risk assessment methodology, cyber risk could have costly consequences.

Connecting cyber risk with IoT through impact models can provide feedback sensors and real-time data mechanisms to assist and enable industries and policymakers to understand and visualize the problem and address the risk created by IoT-related cyber-attacks. IoT risk and the risk of cyber-attacks can be explained by established methods for calculating risk. Risk = Likelihood × Consequences, and cyber-risk can be defined as a function of:

R = Σ s p(s) x(s)

Where:
– R—risk
– s—the description of a scenario (undesirable event)
– p—the probability of a scenario
– x—the measure of consequences or damage caused by a scenario
– N—the number of possible scenarios that may cause damage to a system

The model above for calculating risk is classical (DoD, 2017), but the question remains how IoT risk and cyber-attack risk can be estimated. Since we do not have the precise measurements and concrete number of IoT cyber risks, an answer is difficult to present and justify with a desirable degree of certainty that the estimation is correct. Therefore, we discuss how IoT risk and the risk of cyber-attacks can be estimated assuming possession of the required data.

Businesses face strategic, compliance, operational, financial, and reputational risks regularly, all of which could affect their profitability or ability to function. Many businesses are looking to adopt new forms of technology (such as IoT, Blockchain and Artificial Intelligence) to increase the efficiency and effectiveness of their services. This exposes them to the risks that accompany these technologies. While these technologies have the potential to improve their productivity, there is also the potential for the business to become increasingly susceptible to a series of security risks—this is the aspect of focus in this paper.

In Table 1, we explore the main cyber risks that many businesses face, and we define definitions for different types of cyber risks. We use the term “cyber risk” in line with the Institute for Risk Management definition of: “Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.” (Institute of Risk Management, 2019).

Table 1. Defining the types of cyber risk from IoT systems.

To relate the findings, an IoT-based example of this is the probability of a phishing attack on a connected corporate device occurring, like a company laptop or a smart phone, which then leads to the infection of that device. This infection could propagate to other IoT sensors in the company and consequently cause the disruption of their manufacturing plant’s production line.

While there are many application domains for IoT, for organizations to consider cyber security risk solely in the context of their domain would give misinformed results, since IoT is an ecosystem with platforms and services shared by different application domains. Understanding what is meant by risk is only the first step when we are considering the potential risks in IoT. The next step is to be able to assess the risk, which involves the tasks of:

1. Identifying (or defining) the risk—the action of developing a clear understanding of what organizational IoT assets are targeted by which threats and what harm could happen if those attacks are successful (Tanczer et al., 2018).
2. Estimating the risk—this task aims to measure IoT risk based on the likelihood of the threat occurring and the impact on the organization’s infrastructure if it does occur. These measures can be qualitative (e.g., ratings using the levels, high, medium, and low) or quantitative (e.g., based on mathematical estimations and calculations).
3. Prioritizing the risk; once we have a list of the risks and each one has been estimated, the next task is for a company to prioritize the risks. This essentially provides a ranking of the risks based on their estimated levels.

Figure 1 sets out this IoT risk assessment process, demonstrating that it is a continuous process.

The risk assessment process described above is part of risk management. While risk management techniques are well developed and used in various IT areas, there remains a significant challenge in managing IoT risk. Here, we include our findings in the form of four basic ways to resolve IoT risk:

1. IoT risk mitigation involves either reducing the likelihood of the risk happening or reducing the impact of the risk. In IoT risk management, this might include implementing IoT risk controls.
2. IoT risk transfer—this involves outsourcing the risk to a third party. In this instance, via cyber insurance for example.
3. IoT risk avoidance—this involves removing the risk. An example would be to remove IoT asset where the risk has originated.
4. IoT risk acceptance—this involves accepting the risk as it stands, due to either the risk falling within the organizational risk appetite or the aggregated risk being sufficiently within the accepted risk levels.

The type of treatment selected for each risk is based on its estimated level, the costs associated with the treatment, and the organization’s overall tolerance for risk. In IoT, these factors are constantly changing, and this aspect represents one of the unique challenges when managing risks in dynamic IoT environments.

Existing Cyber Risk Assessment Approaches and Their Limitations

IoT represents interconnected technologies continuously communicating and sharing data. This technology creates serious safety risks and ethical concerns. For example, IoT incorporated into autonomous vehicles introduces safety risk, however, the device owner and the data owner are not necessarily the same (Anthonysamy et al., 2017), because there is no legal basis to actually own data. The data owner is the data curator or controller. Here we are making the point about the legal impossibility to own data. Because there is no owner of data, but rather an entity that has the legal right to control and steward the data.

In the following sections, we discuss how the existing risk assessment approaches can be adapted to assess the nature of IoT risk. These designs need data to support, and the data is very sensitive and private. There has been a number of suggestions on how to resolve this concern. Back in 2014, the original “Cyber Supply Chain Management and Transparency Act of 2014” (Royce, 2014) was proposed and suggested that that US government agencies obtain a software bill of materials’ (SBOMs) for all new software. This led to the “Internet of Things Cybersecurity Improvement Act of 2017” (Howard, 2017), and more recently, “The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021, (Biden, 2021) ordered The National Institute of Standards and Technology (NIST) to issue guidance on “providing a purchaser a Software Bill of Materials (SBOM) for each product.” These efforts in the US are related to resolving the specific issue of sharing sensitive and private company data on cyber vulnerabilities, exploits, threats, and this has been a very sensitive topic for a long time.

The most recent effort that we are making to resolve these issues is the new the Vulnerability Exploitability eXchange (VEX) (NTIA, 2021), which has already been adopted as a profile in the Common Security Advisory Framework (CSAF) (OASIS, 2022). This article however, is more closely related to the updated version of the Common Vulnerability Scoring System Calculator (CVSS) (NIST, 2022), which is the Stakeholder-Specific Vulnerability Categorization (CISA-SSVC) (CISA, 2022) and it relates to the SSVC decision threes.

One of the main problems with IoT is that this technology is developing at a fast rate and in multiple directions so that governments and national and international institutions face difficulties to standardize and enforce regulations in this field. These difficulties are related, for example, with the continuing changing environment of IoT (Brass et al., 2018) or with the relatively much slower legislative and standardization processes (e.g., Schindler et al., 2013; Brass et al., 2019).

We found that there are currently no risk assessment standards to govern companies in assessing the new types of risk before implementing IoT technologies and solutions. In the present climate, given the lack of unified global standards and regulations, businesses are pursuing economic profits from IoT solutions, but as it pertains to understanding the risk to their operations, businesses are often lacking in their approach to security.

As part of our research, we conducted an analysis of the existing cyber risk assessment approaches to enable us to provide basic guidance on how to develop a unified approach to risk assessment. Most cyber risk assessment approaches represent some similarities and after reviewing one we tend to get the general feeling that they all seem familiar. Hence, for differentiating these frameworks, for the reader and for our own research, in Table 2 we tried to define the main differences between the cyber risk assessment frameworks that we reviewed in this article.

Table 2. Analysis of cyber risk assessment approaches.

The selection process involved firstly conducting a literature review on the topic of “most used” and “most prominent” cyber risk assessment approaches. Secondly, we consulted a number of experts in the field from Cisco Systems that are responsible for this function. This consultation was conducted in the period between year 2018 and 2023, initiated with a scoping workshop in June 2018 and concluded with a closing workshop in January 2023. The consultation was conducted as case study action research, and included personal interviews with 43 cybersecurity experts, 13 workshops, two demonstration projects for gathering feedback, and 6 months long action research at Cisco locations.

The analysis in Table 2 provides guidance and concludes that most of the cyber security frameworks today apply qualitative approaches to measuring cyber risk, while quantitative approaches are mostly present in the cyber security models. The analysis in Table 2 also confirms that none of these approaches resolves adequately the cyber risk assessment in IoT, at least not individually or in isolation.

Presented with the diversity of cyber risk assessment approaches analyzed in Table 2 and given that existing risk methods do not address entirely the cyber risk from IoT, questions emerge on: (a). how can these approaches be combined into a unified model, and (b). how can we be certain that a unified model addresses IoT context. We try to address these questions in the following section through a dependency model that presents a unified approach for improved standards, governance, and policy on data strategies.

A Unified Cyber Risk Assessment Model for IoT Systems

In this section, a unified cyber risk assessment approach for IoT risk is explored via dependency modeling (DM) approach and a step-by-step process is included, enabling other companies to replicate this cyber risk assessment process.

Dependency modeling (DM) is a goal-oriented method of representing the interactions and inter-reliance amongst system components or elements using same to reason about the scope of risk feasible (Cherdantseva et al., 2022). DM works on the assumption that risks emerge from interactions and interdependencies which need to be recognized in order to effectively manage and guard against the impacts of the risks (Alpcan and Bambos, 2009). DM for security risk assessment can work through analyzing the vulnerabilities that can be found in IoT network/system components—evaluating the interactions and service flow amongst connected components including hardware infrastructure, software platforms (applications), processes, services, users, etc., and how these threats and vulnerabilities affect both the target components and others connected.

Generally, these are explored considering how the entire system functions and objectives are impacted. Security threats and vulnerabilities can emerge or exist in diverse forms, ranging from design flaws in hardware, software, and processes, as well as competency limitation in users, which can easily be exploited by malware, social engineering, etc. Thus, the service or functional dependencies amongst IoT system components can be used to design a unified approach for IoT risk assessment.

In doing this, we consider contexts from IoT literature and use cases in the model definition and verification.