Towards a Standard-based Security and Privacy of IoT System's Services

Christophe Feltus, IT for Innovative Services (ITIS), Luxembourg Institute of Science and Technology (LIST), Luxembourg, christophe.feltus@list.lu, ORCID 0000-0002-7182-8185
Thierry Grandjean, IT for Innovative Services (ITIS), Luxembourg Institute of Science and Technology (LIST), Luxembourg, thierry.grandjean@list.lu
Djamel Khadraoui, IT for Innovative Services (ITIS), Luxembourg Institute of Science and Technology (LIST), Luxembourg, djamel.khadraoui@list.lu
Jocelyn Aubert, IT for Innovative Services (ITIS), Luxembourg Institute of Science and Technology (LIST), Luxembourg, jocelyn.aubert@list.lu

Abstract— The Internet of Things (IoT) industry is growing rapidly and is becoming progressively more devoted to critical business services. IoT adoption generates two kinds of challenges: cybersecurity risks and privacy concerns. In order to create a trusted environment and provide confidence in IoT business services, LIST will partner with private companies to implement an integrated framework and software tools for assessing and monitoring the security and privacy of IoT system's services. SPRINT assessment and monitoring foresees (1) an aggregated, publicly available, integrated security and privacy referential database dedicated to IoT services (SPRINT-REF), and (2) IoT service-oriented assessment and monitoring methods based on this referential (SPRINT-METH). Compared to existing approaches, the innovation of SPRINT-METH is that it is service-oriented rather than device-oriented, and that it is based on recognized existing professional standards. Finally, the SPRINT toolbox (3) will include two assets: a software web service component aiming to assess the IoT system's service at design time, and an IoT Security Operations Centre to monitor IoT security and privacy at run time (SPRINT-TOOL).
Keywords—IoT security, IoT privacy, system's services, system assessment, system monitoring, standard-based.

I. INTRODUCTION

The IoT industry is gradually becoming more dedicated to critical business activities [1], such as smart cities (smart-mobility, smart-building, etc.), the control of vital signs in healthcare [2], or the monitoring of railway infrastructure. According to Gartner [3], the number of IoT devices will increase to up to 20.6 billion units installed by 2020, with 7.4 billion in business activities (cross-industry and vertical-specific), including thousands of different devices and manufacturers. Gartner also foresees a progression of IoT investment in professional services from 570 billion dollars in 2016 to 2.071 billion in 2021 [4]. This expansion will cause industry-wide concerns about whether IoT devices can be managed securely and reliably [3]. Accordingly, IoT adoption poses two kinds of challenges for organizations: risks related to security [5] and to privacy [6]. For these reasons, developing a new framework (green box of Fig. 1) for monitoring and assessing such sensitive systems, with the massive volume of data they generate, and elaborating the corresponding tools to support it (blue box), is paramount.

Although frameworks for assessing and monitoring the security and privacy of IoT services have already been the focus of numerous research studies [7-10] and proprietary initiatives [11], these solutions still face the following limitations: (1) they are only partially based on IoT standards [12], (2) they mainly address IoT devices but do not concern the IoT System's Services (IoT-SS) [13], (3) they are not publicly available, and (4) they concern generic IoT environments [7-10] but are not sector-specific.

A. Standard-based IoT Assessment
A simplified IoT framework, following [14, 15], may be structured in three layers: the perception layer, which includes the physical devices that sense data and digitalize it for transport; the network layer, which includes the infrastructure protocols; and the application layer, which consists of the user interface enabling access to the data. Based on this three-layer approach, all existing IoT platforms [16] (e.g. AWS (Amazon Web Services) IoT, Azure IoT Suite, Brillo/Weave from Google, etc.) propose their own architecture, which must comply with the standards associated with the different layers. This is however not the case in practice, where existing assessment frameworks [7-10] tend to analyse security and privacy based on requirements mostly gathered from scientific publications or professional guidelines, but not directly associated with a portfolio of relevant standards such as the GDPR, ISO/IEC 27001 and ISO/IEC 15408. SPRINT-REF will be founded on the integration of this initial list of standards, based on the aggregation of IoT-related security and privacy metrics.

Fig. 1. SPRINT building blocks
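To make the relationship between the three layers and a standards-based referential concrete, the following Python sketch is an added example; it is not code from the paper or from the SPRINT project. It assumes a referential entry is a control (identifier, source standard, IoT layer, topic) and that a service is described not as a list of devices but as components placed on a layer, each with the controls it evidences. The control identifiers are real clause or class names from ISO/IEC 27001 Annex A, ISO/IEC 15408 and the GDPR, but assigning each control to one layer is an illustrative assumption, not the content of SPRINT-REF. The assessment then reports, per layer, which referential controls the service leaves uncovered, which is the service-oriented gap a design-time assessor would want to see.

```python
"""Toy service-oriented assessment against a standards-based referential.

Added example, not SPRINT code. The layer-to-control mapping below is an
assumption made for illustration; the control ids themselves are real.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

LAYERS = ("perception", "network", "application")


@dataclass(frozen=True)
class Control:
    control_id: str
    standard: str
    layer: str
    topic: str


# Constructed mini-referential (assumed layer assignment per control).
REFERENTIAL: List[Control] = [
    Control("A.11.2.6", "ISO/IEC 27001", "perception", "security of equipment off-premises"),
    Control("FAU", "ISO/IEC 15408", "perception", "security audit"),
    Control("A.10.1.1", "ISO/IEC 27001", "network", "cryptographic controls policy"),
    Control("FCS", "ISO/IEC 15408", "network", "cryptographic support"),
    Control("A.9.4.1", "ISO/IEC 27001", "application", "information access restriction"),
    Control("A.12.4.1", "ISO/IEC 27001", "application", "event logging"),
    Control("Art. 25", "GDPR", "application", "data protection by design and by default"),
    Control("Art. 32", "GDPR", "application", "security of processing"),
]


@dataclass(frozen=True)
class Component:
    """One building block of a service, placed on exactly one IoT layer."""
    name: str
    layer: str
    evidenced: FrozenSet[str]  # control ids the component demonstrably implements

    def __post_init__(self):
        if self.layer not in LAYERS:
            raise ValueError(f"{self.name}: unknown layer {self.layer!r}")


@dataclass
class Service:
    name: str
    components: List[Component]


def assess(service: Service, referential: List[Control] = REFERENTIAL) -> Dict[str, dict]:
    """Per layer the service actually uses: required controls, missing ones, coverage ratio.

    A layer with no component is out of scope for this service and is skipped,
    which is what makes the assessment service-oriented rather than device-oriented.
    """
    report: Dict[str, dict] = {}
    for layer in LAYERS:
        comps = [c for c in service.components if c.layer == layer]
        if not comps:
            continue
        required = [ctl for ctl in referential if ctl.layer == layer]
        evidenced = frozenset().union(*(c.evidenced for c in comps))
        missing = [ctl for ctl in required if ctl.control_id not in evidenced]
        coverage = 1.0 if not required else 1 - len(missing) / len(required)
        report[layer] = {
            "components": [c.name for c in comps],
            "required": [ctl.control_id for ctl in required],
            "missing": missing,
            "coverage": coverage,
        }
    return report


def gaps_by_standard(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Regroup missing controls by source standard (security vs. privacy view)."""
    gaps: Dict[str, List[str]] = {}
    for layer in LAYERS:
        for ctl in report.get(layer, {}).get("missing", []):
            gaps.setdefault(ctl.standard, []).append(ctl.control_id)
    return gaps


# Constructed sample: a smart-building telemetry service spanning all three layers.
SAMPLE_SERVICE = Service(
    "building-telemetry",
    [
        Component("hvac-sensor", "perception", frozenset({"A.11.2.6"})),
        Component("lora-gateway", "network", frozenset({"A.10.1.1"})),
        Component("cloud-api", "application", frozenset({"A.9.4.1", "A.12.4.1", "Art. 32"})),
    ],
)

if __name__ == "__main__":
    rep = assess(SAMPLE_SERVICE)
    for layer, r in rep.items():
        ids = ", ".join(c.control_id for c in r["missing"]) or "none"
        print(f"{layer:12s} coverage={r['coverage']:.2f} missing={ids}")
    print("gaps by standard:", gaps_by_standard(rep))
```

Running the block prints one line per layer; the sample service is missing the audit class on the perception layer, the cryptographic support class on the network layer and the GDPR data-protection-by-design article on the application layer. Swapping the constructed referential for a real aggregated one is the only change needed to turn the sketch into a coverage check.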