{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T08:26:17Z","timestamp":1773390377567,"version":"3.50.1"},"reference-count":35,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T00:00:00Z","timestamp":1773187200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Mexican Government"},{"DOI":"10.13039\/501100010567","name":"SECTEI","doi-asserted-by":"crossref","award":["CAR SECTEI\/079\/2024"],"award-info":[{"award-number":["CAR SECTEI\/079\/2024"]}],"id":[{"id":"10.13039\/501100010567","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100003069","name":"IPN","doi-asserted-by":"publisher","award":["SIP-20251080"],"award-info":[{"award-number":["SIP-20251080"]}],"id":[{"id":"10.13039\/501100003069","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["MAKE"],"abstract":"<jats:p>The increasing complexity and heterogeneity of Internet of Things (IoT) systems pose significant challenges for systematic security and vulnerability assessment. From a knowledge-centric perspective, IoT security analysis requires transforming heterogeneous asset information into structured and interpretable security knowledge. In this paper, we propose a structured methodology for vulnerability analysis that models the attack surface of an IoT system by explicitly linking asset characteristics to known vulnerabilities, security controls, and countermeasures. The approach starts with a visual representation of the system architecture, where hardware, software, and communication components are identified and described through their technical characteristics. 
These characteristics are automatically mapped to relevant vulnerabilities, security controls, and countermeasures using a dedicated software tool called AVCA (Asset Vulnerabilities and Countermeasures Analyzer). The tool generates graph-based analytical representations that model vulnerabilities\u2013countermeasures relationships in compliance with the Cloud Security Alliance (CSA) IoT Security Framework. From these graphs, attack\u2013countermeasure trees are derived to provide a clear and interpretable representation of potential threats and mitigation strategies. The proposed methodology was evaluated through a case study involving a representative IoT system and an exploratory applicability experiment with participants with different levels of experience in IoT and cybersecurity. The results suggest that the approach is feasible and practically applicable for supporting security analysts in the systematic assessment of IoT attack surfaces, vulnerability identification, and selection of appropriate countermeasures under the evaluated conditions. 
This work highlights the role of structured and interpretable knowledge extraction as a foundation for knowledge-centric and interpretable IoT security analysis.<\/jats:p>","DOI":"10.3390\/make8030070","type":"journal-article","created":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T14:43:18Z","timestamp":1773240198000},"page":"70","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Procedure for Vulnerability Analysis and Countermeasures in IoT Systems Based on Their Components Characteristics"],"prefix":"10.3390","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3772-3651","authenticated-orcid":false,"given":"Ponciano Jorge","family":"Escamilla-Ambrosio","sequence":"first","affiliation":[{"name":"Centro de Investigaci\u00f3n en Computaci\u00f3n, Instituto Polit\u00e9cnico Nacional, Mexico City 07738, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Brandon Iv\u00e1n","family":"M\u00e9ndez-Barrera","sequence":"additional","affiliation":[{"name":"Centro de Investigaci\u00f3n en Computaci\u00f3n, Instituto Polit\u00e9cnico Nacional, Mexico City 07738, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8436-3025","authenticated-orcid":false,"given":"Alberto Jorge","family":"Rosales-Silva","sequence":"additional","affiliation":[{"name":"Escuela Superior de Ingenier\u00eda Mec\u00e1nica y El\u00e9ctrica Unidad Zacatenco, Instituto Polit\u00e9cnico Nacional, Mexico City 07738, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5212-350X","authenticated-orcid":false,"given":"Gina","family":"Gallegos-Garc\u00eda","sequence":"additional","affiliation":[{"name":"Centro de Investigaci\u00f3n en Computaci\u00f3n, Instituto Polit\u00e9cnico Nacional, Mexico City 07738, 
Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0105-1112","authenticated-orcid":false,"given":"Gilberto Lorenzo","family":"Mart\u00ednez-Luna","sequence":"additional","affiliation":[{"name":"Centro de Investigaci\u00f3n en Computaci\u00f3n, Instituto Polit\u00e9cnico Nacional, Mexico City 07738, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,11]]},"reference":[{"key":"ref_1","unstructured":"Sarma, S., Brock, D.L., and Ashton, K. (2000). The Networked Physical World, MIT Auto-ID Center. White Paper MIT-AUTOID-WH-001."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"164","DOI":"10.4236\/jcc.2015.35021","article-title":"Internet of Things (IoT): A Literature Review","volume":"3","author":"Madakam","year":"2015","journal-title":"J. Comput. Commun."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"1687","DOI":"10.1007\/s11277-020-07446-4","article-title":"Internet of Things (IoT), Applications and Challenges: A Comprehensive Review","volume":"114","author":"Khanna","year":"2020","journal-title":"Wirel. Pers. Commun."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Lee, I. (2020). Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management. Future Internet, 12.","DOI":"10.3390\/fi12090157"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"2103","DOI":"10.1109\/JIOT.2018.2869847","article-title":"Internet of Things (IoT) Cybersecurity Research: A Review of Current Research Topics","volume":"6","author":"Lu","year":"2018","journal-title":"IEEE Internet Things J."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Boeckl, K., Fagan, M., Fisher, W., Lefkovitz, N., Megas, K.N., and Scarfone, K. (2019). 
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, National Institute of Standards and Technology.","DOI":"10.6028\/NIST.IR.8228"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.ijcip.2019.01.001","article-title":"Cyber Security Challenges for IoT-Based Smart Grid Networks","volume":"25","author":"Kimani","year":"2019","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/MSP.2016.4","article-title":"Learning Internet-of-Things Security \u201cHands-On\u201d","volume":"14","author":"Kolias","year":"2016","journal-title":"IEEE Secur. Priv."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"154112","DOI":"10.1109\/ACCESS.2021.3125979","article-title":"IOTSECM: A UML\/SysML Extension for Internet of Things Security Modeling","volume":"9","author":"Tryfonas","year":"2021","journal-title":"IEEE Access"},{"key":"ref_10","unstructured":"Holzinger, A., Langs, G., Denk, H., Zatloukal, K., and M\u00fcller, H. (2024). Research Frontiers in Machine Learning & Knowledge Extraction. Mach. Learn. Knowl. Extr., 8."},{"key":"ref_11","first-page":"3","article-title":"Navigating IoT Security: Insights into Architecture, Key Security Features, Attacks, Current Challenges and AI-Driven Solutions Shaping the Future of Connectivity","volume":"81","author":"Hassan","year":"2024","journal-title":"Comput. Mater. 
Contin."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"100888","DOI":"10.1016\/j.iot.2023.100888","article-title":"A Review of the Security Vulnerabilities and Countermeasures in Internet of Things Solutions: A Bright Future for Blockchain","volume":"23","author":"Pourrahmani","year":"2023","journal-title":"Internet Things"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"3511","DOI":"10.1007\/s10115-023-01860-3","article-title":"Cybersecurity Knowledge Graphs","volume":"65","author":"Sikos","year":"2023","journal-title":"Knowl. Inf. Sys."},{"key":"ref_14","unstructured":"Roy, S., Panaousis, E., Noakes, C., Laszka, A., Panda, S., and Loukas, G. (2023). SoK: The MITRE ATT&CK Framework in Research and Practice. arXiv."},{"key":"ref_15","unstructured":"Jordan, B., Piazza, R., and Darley, T. (2021). STIX\u2122 Version 2.1, OASIS Open. Available online: https:\/\/docs.oasis-open.org\/cti\/stix\/v2.1\/stix-v2.1.html."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3625094","article-title":"A Systematic Review of IoT Security: Research Potential, Challenges, and Future Directions","volume":"56","author":"Fei","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Coston, I., Plotnizky, E., and Nojoumian, M. (2025). Comprehensive Study of IoT Vulnerabilities and Countermeasures. Appl. Sci., 15.","DOI":"10.3390\/app15063036"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"00085","DOI":"10.1051\/bioconf\/20249700085","article-title":"Attack Graph-Based Security Metrics: Concept, Taxonomy, Challenges and Open Issues","volume":"97","author":"Ahmad","year":"2024","journal-title":"BIO Web Conf."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Lashkaripour, Z., Khosravi-Farmad, M., Montazerolghaem, A., and Rezaee, R. (2025). BSAGIoT: A Bayesian Security Aspect Graph for Internet of Things (IoT). 
arXiv.","DOI":"10.21203\/rs.3.rs-6742203\/v1"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Budiyanto, S., Silalahi, L.M., Hakim, A.R., Hamid, A., and Hanafi, D. (2024). Vulnerability Analysis on Internet of Things (IoT) Networks Using Raspberry Pi and OWASP. Proceedings of the 2024 FORTEI-International Conference on Electrical Engineering (FORTEI-ICEE), Badung, Indonesia, 24\u201325 October 2024, IEEE.","DOI":"10.1109\/FORTEI-ICEE64706.2024.10824490"},{"key":"ref_21","first-page":"100567","article-title":"ViLanIoT: A Systems Representation","volume":"38","author":"Happa","year":"2024","journal-title":"J. Ind. Inf. Integr."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"G\u00f3mez-Cabrera, A., Escamilla-Ambrosio, P.J., Rodr\u00edguez-Mota, A., and Happa, J. (2020). Towards a Visual Grammar for IoT Systems Representation and Their Cybersecurity Requirements. Proceedings of the 2020 IEEE Colombian Conference on Communications and Computing (COLCOM), Cali, Colombia, 7\u20138 August 2020, IEEE.","DOI":"10.1109\/COLCOM50121.2020.9219771"},{"key":"ref_23","unstructured":"Sahner, R.A., Trivedi, K.S., and Puliafito, A. (2012). Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package, Springer."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/j.jnca.2017.01.033","article-title":"A Framework for Automating Security Analysis of the Internet of Things","volume":"83","author":"Ge","year":"2017","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_25","unstructured":"Hong, J., and Kim, D.S. (2012, January 3\u20135). HARMS: Hierarchical Attack Representation Models for Network Security Analysis. Proceedings of the 10th Australian Information Security Management Conference, Perth, Australia."},{"key":"ref_26","unstructured":"Cloud Security Alliance (CSA) (2021). Guide to the Internet of Things (IoT) Security Controls Framework v2, Cloud Security Alliance. 
Available online: https:\/\/cloudsecurityalliance.org\/artifacts\/guide-to-the-internet-of-things-iot-security-controls-framework-v2\/."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Asemani, M., Abdollahzadeh, F., and Jabbari, F. (2019). Understanding IoT Platforms: Toward a Comprehensive Definition and Main Characteristic Description. Proceedings of the 2019 5th International Conference on Web Research (ICWR), Tehran, Iran, 24\u201325 April 2019, IEEE.","DOI":"10.1109\/ICWR.2019.8765259"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"616","DOI":"10.1109\/COMST.2019.2953364","article-title":"Security of the Internet of Things: Vulnerabilities, Attacks, and Countermeasures","volume":"22","author":"Butun","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_29","unstructured":"G\u00f3mez-Cabrera, A. (2021). Visual Language for the Representation of Internet of Things Systems and Their Cyber Security Controls. [Master\u2019s Thesis, Centro de Investigaci\u00f3n en Computaci\u00f3n, IPN]."},{"key":"ref_30","unstructured":"M\u00e9ndez-Barrera, B. (2022). Analysis of Vulnerabilities and Cyber Security Countermeasures of IoT Systems Based on Their Components Characteristics. [Master\u2019s Thesis, Centro de Investigaci\u00f3n en Computaci\u00f3n, IPN]."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Bastian, M., Heymann, S., and Jacomy, M. (2009, January 17\u201320). Gephi: An Open-Source Software for Exploring and Manipulating Networks. Proceedings of the Third International AAAI Conference on Weblogs and Social Media, San Jose, CA, USA.","DOI":"10.1609\/icwsm.v3i1.13937"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"100219","DOI":"10.1016\/j.cosrev.2019.100219","article-title":"A Review of Attack Graph and Attack Tree Visual Syntax in Cyber Security","volume":"35","author":"Lallie","year":"2020","journal-title":"Comput. Sci. 
Rev."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Malche, T., and Maheshwary, P. (2017). Internet of Things (IoT) for Building Smart Home Systems. Proceedings of the 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), Palladam, India, 10\u201311 February 2017, IEEE.","DOI":"10.1109\/I-SMAC.2017.8058258"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Khan, R., McLaughlin, K., Laverty, D., and Sezer, S. (2017). STRIDE-based threat modeling for cyber-physical systems. Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Torino, Italy, 26\u201329 September 2017, IEEE.","DOI":"10.1109\/ISGTEurope.2017.8260283"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Lund, M.S., Solhaug, B., and St\u00f8len, K. (2010). Model-Driven Risk Analysis: The CORAS Approach, Springer.","DOI":"10.1007\/978-3-642-12323-8"}],"container-title":["Machine Learning and Knowledge Extraction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-4990\/8\/3\/70\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T05:45:10Z","timestamp":1773380710000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-4990\/8\/3\/70"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,11]]},"references-count":35,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["make8030070"],"URL":"https:\/\/doi.org\/10.3390\/make8030070","relation":{},"ISSN":["2504-4990"],"issn-type":[{"value":"2504-4990","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,11]]}}}
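The abstract above describes a pipeline from component characteristics to vulnerabilities and countermeasures, a graph over those relationships, and attack-countermeasure trees derived from it. The following is an editor-added Python sketch of that pipeline on a toy system; it is not code from the paper or its AVCA tool. Everything in it is an assumption: the characteristic, vulnerability and countermeasure names are constructed sample data (not CSA IoT Security Controls Framework entries, CVEs or CWEs), the tree shape (root OR over assets, asset OR over its vulnerabilities, leaves carrying the controls that block them) and the "any one listed countermeasure mitigates the vulnerability" semantics are the editor's modelling choices, and the greedy set-cover prioritisation is not something the paper claims to do.

```python
# Editor-added illustration of a characteristics -> vulnerabilities -> countermeasures
# mapping and attack-countermeasure tree; not the paper's AVCA tool, all names constructed.
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed knowledge base: a component characteristic implies vulnerabilities.
CHAR_TO_VULN = {
    "telnet_enabled": ["cleartext_remote_shell"],
    "default_credentials": ["credential_guessing"],
    "no_rate_limit_auth": ["credential_guessing"],
    "mqtt_no_tls": ["traffic_sniffing", "message_tampering"],
    "unsigned_firmware": ["malicious_firmware_update"],
}
# Constructed mapping: any one listed countermeasure mitigates the vulnerability.
VULN_TO_CM = {
    "cleartext_remote_shell": ["disable_telnet", "ssh_with_keys"],
    "credential_guessing": ["unique_per_device_creds", "auth_rate_limiting"],
    "traffic_sniffing": ["mqtt_over_tls"],
    "message_tampering": ["mqtt_over_tls", "payload_signing"],
    "malicious_firmware_update": ["signed_firmware"],
}
# Inverse index, countermeasure -> vulnerabilities it covers (derived from VULN_TO_CM).
CM_TO_VULNS = {cm: {v for v, cms in VULN_TO_CM.items() if cm in cms}
               for cms in VULN_TO_CM.values() for cm in cms}

@dataclass
class Asset:
    name: str
    kind: str            # hardware / software / communication
    characteristics: list

@dataclass
class Node:
    label: str
    gate: str = "OR"     # "OR": any child suffices; "AND": all needed; "LEAF": attack step
    children: list = field(default_factory=list)
    countermeasures: list = field(default_factory=list)  # LEAF nodes only

def build_graph(assets):
    """Directed edges asset -> vulnerability -> countermeasure, plus vulns per asset."""
    edges, asset_vulns = set(), defaultdict(set)
    for a in assets:
        for c in a.characteristics:
            for v in CHAR_TO_VULN.get(c, []):
                asset_vulns[a.name].add(v)
                edges.add((a.name, v))
                edges.update((v, cm) for cm in VULN_TO_CM.get(v, []))
    return edges, dict(asset_vulns)

def derive_tree(assets, goal="compromise_system"):
    """Root OR over assets, asset OR over its vulns; leaves carry their countermeasures."""
    root, (_, asset_vulns) = Node(goal, "OR"), build_graph(assets)
    for a in assets:
        if a.name in asset_vulns:
            leaves = [Node(v, "LEAF", countermeasures=list(VULN_TO_CM.get(v, [])))
                      for v in sorted(asset_vulns[a.name])]
            root.children.append(Node(f"compromise {a.name}", "OR", leaves))
    return root

def still_achievable(node, applied):
    """A leaf is blocked once any of its countermeasures is applied; gates combine children."""
    if node.gate == "LEAF":
        return not any(cm in applied for cm in node.countermeasures)
    results = [still_achievable(c, applied) for c in node.children]
    return any(results) if node.gate == "OR" else bool(results) and all(results)

def open_attack_steps(node, applied, path=()):
    """Unmitigated leaf steps, each with its path from the root."""
    if node.gate == "LEAF":
        return [path + (node.label,)] if still_achievable(node, applied) else []
    return [p for c in node.children for p in open_attack_steps(c, applied, path + (node.label,))]

def greedy_countermeasure_set(assets):
    """Greedy set cover: take the countermeasure covering the most still-uncovered vulns
    (ties by name) until none remain.  Returns (chosen, vulns with no known countermeasure)."""
    _, asset_vulns = build_graph(assets)
    uncovered, chosen = set().union(*asset_vulns.values()), []
    while uncovered:
        cm, covers = min(CM_TO_VULNS.items(), key=lambda kv: (-len(kv[1] & uncovered), kv[0]))
        if not covers & uncovered:
            break
        chosen.append(cm)
        uncovered -= covers
    return chosen, uncovered

# Constructed sample system: a camera, its MQTT link to a broker, and a companion app.
SAMPLE_ASSETS = [
    Asset("camera", "hardware", ["telnet_enabled", "default_credentials", "unsigned_firmware"]),
    Asset("camera_to_broker", "communication", ["mqtt_no_tls"]),
    Asset("mobile_app", "software", ["no_rate_limit_auth"]),
]

if __name__ == "__main__":
    tree = derive_tree(SAMPLE_ASSETS)
    chosen, leftover = greedy_countermeasure_set(SAMPLE_ASSETS)
    print("suggested controls:", chosen, "| no countermeasure known for:", leftover)
    for step in open_attack_steps(tree, set(chosen[:3])):   # partial rollout
        print("still open:", " > ".join(step))
    print("goal achievable after full rollout:", still_achievable(tree, set(chosen)))
```

The greedy pass is a coverage heuristic, not an optimal selection; its value is that it is computed from the same graph the tree is derived from, so a partially applied control set can be replayed through `still_achievable` to see which attack steps remain open.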