Industry workshops reiterate the difficulties of assessing risks in IoT coupled systems

The aim of the Cyber Risk Assessment for Coupled Systems (CRACS) Project is to conduct scoping work to identify the new risks in Internet-of-Things (IoT) Coupled Systems, and explore the development of new methodologies, by working with multiple stakeholders. Over the last quarter academics, Dr Jason R. C. Nurse, Prof Sadie Creese and Prof David De Roure, at the University of Oxford have taken significant steps towards this goal, and to the wider benefit of the security research in the PETRAS community.

The first step has been the drafting of a working paper that thoroughly investigates the risks in IoT coupled systems, and argues as to why current risk assessment approaches are inadequate in identifying, prioritising and addressing these issues. Coupled systems are those which are highly interconnected, dynamic and include social components; all of these aspects add to the cyber-risk present. A summarised version of this working paper titled, “Security risk assessment in Internet of Things systems”*, will be published in a special issue of IEEE IT Professional on Establishing Trust in the Internet of Things in September/October 2017.

The real value of this working paper however, has been in informing engagement with stakeholders. Over the last few months, they have conducted a series of workshops with user partners (Fujitsu, NSC and others), aimed at gathering industry insight and feedback on their research (with the working paper used as input to the workshops). This allowed the research team to better understand whether the issues identified were the most significant for organisations working in the IoT space, and whether there were any additional concerns that should feed into the project. Overall, the findings from the workshops reiterated the importance of the CRACS project, and the extremely difficult challenge of assessing risks in dynamic, autonomous and heavily connected IoT systems.

In addition to the valuable feedback that was gathered in the workshops (particularly on issues such as propagation of cyberattacks and real-world challenges of risk assessment in complex systems), the Oxford academics were also able to identify scenarios to guide the project’s next steps. Whilst these have not been finalised, they are likely to be in the space of Smart Health, Smart Cities or Smart Manufacturing. These are all significant application areas of the IoT and domains where the prevalence of cyber-risk and cyber-attacks will substantially increase in the future.

*Interested parties can contact jason.nurse@cs.ox.ac.uk for a preprint as necessary.