The Internet of things (IoT) has become an integral part of our life
at both work and home. However, these IoT devices are prone to vulnerability exploits due to their low cost, low resources, the diversity
of vendors, and proprietary firmware. Moreover, short range communication protocols (e.g., Bluetooth or ZigBee) open additional
opportunities for the lateral movement of an attacker within an organization. Thus, the type and location of IoT devices may significantly
change the level of network security of the organizational network.
In this paper, we quantify the level of network security based on
an augmented attack graph analysis that accounts for the physical
location of IoT devices and their communication capabilities. We
use the depth-first branch and bound (DFBnB) heuristic search algorithm to solve two optimization problems: Full Deployment with
Minimal Risk (FDMR) and Maximal Utility without Risk Deterioration (MURD). An admissible heuristic is proposed to accelerate the
search. The proposed method is evaluated using a real network with
simulated deployment of IoT devices. The results demonstrate (1)
the contribution of the augmented attack graphs to quantifying the
impact of IoT devices deployed within the organization on security,
and (2) the effectiveness of the optimized IoT deployment.