ATIS I-0000072

This report uses the ATIS Security Architectural Risk Analysis (ARA) to establish a framework for assessing a generic IoT asset?s cybersecurity risk. That asset might be an application, a service, or something else. Its primary function might be to collect and manipulate data, or it might be to perform some task, simple or complicated. It might be a standalone device, or it might work in coordinated fashion with a few or many other applications, services, or machines. It might be a low-level spoke in a wheel, or it might be a critical component of some vast mechanism. As an IoT "thing," it could be nearly anything, and for the purpose of this analysis, exactly what it is does not matter. It is simply "the asset."

This paper establishes the fundamentals that permit an examination of the risks to the asset from cyber-attacks that might be launched from anywhere, with a wide range of intents.