TY - GEN
T1 - How to Quantify the Security Level of Embedded Systems? A Taxonomy of Security Metrics
AU - Longueira-Romerc, Angel
AU - Iglesias, Rosa
AU - Gonzalez, David
AU - Garitano, Inaki
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/7/20
Y1 - 2020/7/20
N2 - Embedded Systems (ES) development has been historically focused on functionality rather than security, and today it still applies in many sectors and applications. However, there is an increasing number of security threats over ES, and a successful attack could have economical, physical or even human consequences, since many of them are used to control critical applications. A standardized and general accepted security testing framework is needed to provide guidance, common reporting forms and the possibility to compare the results along the time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally, it carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. Then, they were reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, the 77.5% of them is related exclusively to software, and only the 0.6% of them addresses exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics so as to quantify the security level of an ES.
AB - Embedded Systems (ES) development has been historically focused on functionality rather than security, and today it still applies in many sectors and applications. However, there is an increasing number of security threats over ES, and a successful attack could have economical, physical or even human consequences, since many of them are used to control critical applications. A standardized and general accepted security testing framework is needed to provide guidance, common reporting forms and the possibility to compare the results along the time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally, it carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. Then, they were reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, the 77.5% of them is related exclusively to software, and only the 0.6% of them addresses exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics so as to quantify the security level of an ES.
KW - assurance
KW - embedded systems
KW - evaluation
KW - quantitative security
KW - security level
KW - security measurement
KW - security metrics
KW - taxonomy
UR - https://www.scopus.com/pages/publications/85111139630
U2 - 10.1109/INDIN45582.2020.9442219
DO - 10.1109/INDIN45582.2020.9442219
M3 - Conference contribution
AN - SCOPUS:85111139630
T3 - IEEE International Conference on Industrial Informatics (INDIN)
SP - 153
EP - 158
BT - Proceedings - 2020 IEEE 18th International Conference on Industrial Informatics, INDIN 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 18th IEEE International Conference on Industrial Informatics, INDIN 2020
Y2 - 21 July 2020 through 23 July 2020
ER -