Strategic Research Review

A practitioner’s reading of Abomhara & Køien’s 2015 taxonomy, revisited in the era of Ransomware‑as‑a‑Service, AI‑driven intrusion, supply‑chain compromise, and post‑quantum cryptography across consumer, industrial, healthcare, and smart‑city IoT.

Primary Reference: Abomhara & Køien (2015)
2026 Context: RaaS, AI‑assisted campaigns, supply‑chain risk, post‑quantum transition
Intended Readers: Security engineers, architects, and researchers looking for a structured evolution narrative

1. Introduction: From Conceptual Model to Real‑World Turbulence

The Internet of Things (IoT) has grown significantly. It has transformed the way we perceive both the virtual and physical world, forming a new area in which numerous devices interconnect and interact autonomously (Tariq et al., 2023; Shah et al., 2022). However, it has also created a large and complex attack surface, making cybersecurity critical. Recent surveys classify deployments into consumer, industrial/OT, healthcare, and smart‑city environments and show how each introduces distinct threat patterns (Shah et al., 2022).

Mohamed Abomhara and Geir M. Køien, in their 2015 paper “Cyber Security and the Internet of Things: Vulnerabilities, threats, intruders, and attacks”, were among the first to attempt to structure and describe these new threats in IoT (Abomhara & Køien, 2015). Their work was conducted at a time when IoT was beginning to transition from a concept to a reality, and it represented an initial attempt to grasp the challenges on the horizon. This article examines their paper through the eyes of a modern cybersecurity practitioner. It seeks to understand their taxonomy, evaluate its conclusions in the context of subsequent research, and contrast it with what we now know after a decade of large‑scale botnets, Ransomware‑as‑a‑Service, AI‑driven attacks, and deep supply‑chain risks (Tariq et al., 2023; Butun et al., 2022).

Technical Context: IoT Attack Surface, Then vs. Now

Around 2015, many IoT deployments consisted of monolithic firmware running on small microcontrollers, reachable via a few TCP/UDP ports or proprietary RF links. Security failures were dominated by static credentials, missing transport encryption, and unauthenticated management interfaces (Abomhara & Køien, 2015; Tariq et al., 2023). By the mid‑2020s, typical IoT stacks include containerized edge platforms, protocol gateways, cloud APIs, and deep software dependencies, all coupled to business‑critical processes in consumer, industrial, healthcare, and smart‑city settings (Butun et al., 2022; Shah et al., 2022).

2010–2015 Dominant Failure: Static Credentials and Cleartext Management
Default passwords, open debug ports, and unauthenticated web consoles on consumer cameras, small industrial gateways, and networked medical devices (Abomhara & Køien, 2015).
2024–2026 Dominant Failure: Supply‑Chain Exploits and Autonomous Exploitation
Vulnerabilities in shared libraries, cloud services, and orchestration platforms exploited by organized criminal groups and AI‑assisted tools across consumer, industrial, and healthcare deployments (Tariq et al., 2023; Nemec Zlatolas et al., 2024).

2. How the Original Paper Approached IoT Security

Abomhara and Køien did not conduct empirical measurements or propose new cryptographic protocols. Their key aim was to perform a descriptive study and build a framework that could help others understand IoT security issues systematically, at a time when the field was still emerging (Abomhara & Køien, 2015). They decomposed the ecosystem into components—assets, weaknesses, threats, and the individuals and groups who generate threats—and then classified each of these in detail.

The methodology they used was an in‑depth review of the literature and assimilation of existing knowledge. They aggregated data from research articles, industry reports, and technical standards to create a comprehensive model of the IoT environment. This can be divided into several important stages (Abomhara & Køien, 2015).

1. Defining the Domain

They began by establishing clear definitions for core IoT concepts—entities, devices, and services—creating a shared vocabulary for their analysis and for subsequent work.

2. Identifying Core Security Principles

The authors framed their investigation around established cybersecurity goals, including confidentiality, integrity, authentication, availability, accountability, auditing, and non‑repudiation, adapting them to the unique context of IoT devices and services.

3. Categorizing Threats and Vulnerabilities

They systematically identified and classified general threats (human versus natural), specific attack vectors (physical, reconnaissance, denial‑of‑service, access, privacy), and system weaknesses, distinguishing design flaws (vulnerabilities) from configuration flaws (exposures).

4. Classifying Intruders

A significant part of their investigation was dedicated to profiling threat actors, categorizing them into individuals, organized groups, and intelligence agencies based on motivations, capabilities, and resources.

This descriptive and classificatory methodology was appropriate for a foundational work. The goal was not to optimize a single algorithm, but to bring structure to a chaotic and rapidly emerging field, providing a framework that subsequent empirical and solution‑driven research could extend (Sicari et al., 2015; Butun et al., 2022).

Technical Deep Dive: The Dolev–Yao Intruder Model in IoT Networks

One of the most forward‑looking aspects of Abomhara and Køien’s work is their use of the Dolev–Yao (DY) intruder model as a benchmark for robust security. In DY, the adversary is assumed to have complete control over the communication channel: they can overhear, intercept, delete, delay, replay, and inject messages at will. The only limitation is that they cannot break the underlying cryptographic primitives or derive secrets without keys (Abomhara & Køien, 2015). Applied to IoT deployments, such an adversary can:

  • ✅ Eavesdrop on telemetry between consumer devices and cloud back‑ends.
  • ✅ Drop or delay commands in industrial and healthcare control loops to cause unsafe states.
  • ✅ Modify payloads in transit, such as altering actuator setpoints or sensor values.
  • ✅ Inject spoofed messages that appear to originate from legitimate edge nodes or services.

In 2026, this “network‑omnipotent” attacker is not just theoretical. Consumer IoT relies on home routers and ISPs, industrial telemetry crosses carrier networks and VPNs, hospitals depend on Wi‑Fi and remote access, and smart‑city systems operate over public infrastructure. Modern Zero‑Trust architecture essentially takes the Dolev–Yao assumption as a starting point: do not trust the network. Instead, trust strong identities, cryptographic guarantees, and explicit policy enforcement, as formalized in NIST SP 800‑207 and related guidance (NIST, 2020; MITRE ATT&CK, 2024).
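As an added illustration (not from the reviewed paper or from this article's original text), the following Python simulation delivers an actuator command to two gateways over a channel that a Dolev–Yao adversary controls: one gateway trusts the network, the other verifies an HMAC tag and a strictly increasing sequence number. The device key, message format and gateway classes are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed per-device key; a real fleet provisions a device-unique key
# at manufacture (compare the device-layer controls in Section 5).
DEVICE_KEY = b"constructed-device-unique-key-0001"


def canonical(body: dict) -> bytes:
    """Deterministic encoding so device and gateway MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(seq: int, setpoint: float, key: bytes = DEVICE_KEY) -> dict:
    """Device side: command body plus an HMAC-SHA256 tag over (seq, setpoint)."""
    body = {"seq": seq, "setpoint": setpoint}
    return {"body": body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class NaiveGateway:
    """Trusts the network: applies whatever setpoint arrives."""
    def __init__(self):
        self.setpoint = 0.0

    def receive(self, msg: dict) -> bool:
        self.setpoint = msg["body"]["setpoint"]
        return True


class AuthenticatingGateway:
    """Assumes a Dolev-Yao network: verifies the tag and requires a strictly
    increasing sequence number, so altered and replayed messages are rejected."""
    def __init__(self, key: bytes = DEVICE_KEY):
        self.key, self.setpoint, self.last_seq = key, 0.0, -1

    def receive(self, msg: dict) -> bool:
        body = msg["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False          # body or tag altered in transit
        if body["seq"] <= self.last_seq:
            return False          # valid tag but stale sequence: a replay
        self.last_seq, self.setpoint = body["seq"], body["setpoint"]
        return True


def dolev_yao_modify(msg: dict, new_setpoint: float) -> dict:
    """Channel adversary rewrites the setpoint; without the key the tag stays old."""
    tampered = json.loads(json.dumps(msg))
    tampered["body"]["setpoint"] = new_setpoint
    return tampered


def run_scenario() -> dict:
    """Deliver, in order: the legitimate command, a replay of it, and a
    modified copy, to each gateway type; report what was accepted."""
    legit = build_message(seq=1, setpoint=42.0)
    tampered = dolev_yao_modify(legit, 999.0)
    results = {}
    for name, gw in (("naive", NaiveGateway()), ("authenticating", AuthenticatingGateway())):
        accepted = [gw.receive(legit), gw.receive(legit), gw.receive(tampered)]
        results[name] = {"accepted": accepted, "final_setpoint": gw.setpoint}
    return results
```

The naive gateway ends at the attacker's setpoint of 999.0; the authenticating one keeps 42.0 and rejects both the replay and the altered message.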

3. The Central Questions: Still the Right Checklist in 2026

The article does not pose a formal, testable hypothesis. Instead, its investigation is guided by a central exploratory question: How can the complex and multifaceted security challenges of the Internet of Things be systematically identified, classified, and understood? (Abomhara & Køien, 2015, p. 66). This overarching question is broken down into specific guiding questions that must be addressed to achieve a secure IoT ecosystem.

❓ What are the assets?
❓ Who are the principal entities?
❓ What are the threats?
❓ Who are the threat actors?
❓ What capabilities and resources do they have?
❓ What threats affect which assets and interfaces?
❓ Is the current design protected against these threats?
❓ What security mechanisms could be used against them?

In 2026, these questions remain a useful checklist for any IoT deployment, regardless of domain. Assets now include not only sensor data and control logic, but also on‑device ML models and Software Bill of Materials (SBOM) metadata (Shah et al., 2022). Threat actors include not only individuals, groups, and agencies, but also professional RaaS ecosystems and supply‑chain adversaries (Nemec Zlatolas et al., 2024; Aldosari, 2025). Security mechanisms encompass not only classical PKI and access control, but also blockchain‑anchored provenance and post‑quantum‑resistant key exchange (Li et al., 2024).

4. The Decade of Evolution: From Static Baseline to AI and Quantum‑Aware Defense

2015: The Static Baseline
Threat Model: Manual exploitation of exposed services and static credentials.

IoT devices were often “dumb” targets: unattended, low‑power, and reachable with factory credentials. Attackers scanned IPv4 ranges for open Telnet, HTTP, and proprietary ports, logged in with defaults like “admin/admin”, and repurposed devices for spam, small DDoS, or data collection (Abomhara & Køien, 2015; Tariq et al., 2023).

2016–2017: Weaponization via Botnets
Threat Model: Distributed denial of service from compromised consumer and edge devices.

Malware families automated what manual scanners had done before, enrolling hundreds of thousands of consumer cameras, home routers, and small gateways into botnets. These were used to launch high‑volume DDoS attacks against DNS providers and major services, proving that resource‑constrained devices could be turned into powerful weapons when orchestrated at scale (Tariq et al., 2023; Shah et al., 2022).

2018–2020: The Regulatory Awakening
Response: Security‑by‑design baselines and bans on default passwords.

California SB‑327, NISTIR 8259, and ETSI EN 303 645 introduced concrete requirements: unique device credentials, clear support lifetimes, and minimal exposed services (NIST, 2020; ETSI, 2020). Vendors began adopting secure boot, signed updates, and onboarding flows that forced password changes, shifting responsibility from end‑users to manufacturers.

2021–2023: Supply‑Chain and RaaS at Scale
Threat Model: Exploitation of shared libraries and monetized extortion.

Vulnerabilities in widely used libraries and protocol stacks—such as logging components—demonstrated that a single flaw could impact consumer hubs, industrial controllers, and medical devices simultaneously (Nemec Zlatolas et al., 2024; Shah et al., 2022). Meanwhile, Ransomware‑as‑a‑Service operators targeted factories, hospitals, and municipalities, using compromised IoT/OT nodes as footholds to disrupt services and extract ransom (Aldosari, 2025).

2024–2026: Zero‑Trust, CRA, and Quantum‑Aware Design
Threat Model: Persistent adversaries and “harvest‑now, decrypt‑later” risks.

IoT security architectures increasingly adopt Zero‑Trust principles: segmentation, continuous authentication, and explicit authorization for every request (NIST, 2020). The EU Cyber Resilience Act (CRA) introduces mandatory vulnerability‑handling and incident‑reporting obligations for products with digital elements, including IoT. Reporting duties begin on 11 September 2026, and the full set of CRA cybersecurity requirements applies to new products placed on the EU market from December 2027 (European Commission, 2026; Cyber Resilience Act 2022; Scandog, 2025). At the same time, post‑quantum cryptography standards are finalized, and research explores post‑quantum and quantum‑secure blockchains tailored for IoT (Li et al., 2024; Alshahrani et al., 2025).

5. Reference Architecture: Where Security Actually Lives

Building on Abomhara and Køien’s abstraction of entities, devices, and services (Abomhara & Køien, 2015), a modern IoT security architecture can be viewed as four interacting layers. Each layer has its own assets, threats, and controls across consumer, industrial, healthcare, and smart‑city deployments (Shah et al., 2022; Butun et al., 2022).

Layered Logical Architecture

Each layer is listed with its core functions, typical assets, and key security controls.

1. Device Layer
Core Functions: Embedded sensors, actuators, PLCs, medical endpoints, meters, roadside units.
Typical Assets: Firmware images, local configuration, hardware IDs, on‑device ML models, short‑term telemetry buffers.
Key Security Controls: Secure boot, signed firmware, hardware roots of trust (TPM/secure elements), device‑unique keys, local rate‑limiting, basic anomaly checks.

2. Edge / Gateway Layer
Core Functions: Field gateways, industrial edge nodes, hospital aggregators, city‑edge controllers; protocol translation (Modbus, OPC UA, MQTT, CoAP).
Typical Assets: Aggregated telemetry, command queues, local digital twins, cached credentials and policies.
Key Security Controls: Termination of TLS/DTLS/OSCORE, mutual authentication with devices and cloud, local access‑control enforcement, micro‑segmentation, secure tunnelling (VPNs, SD‑WAN).

3. Cloud / Control Plane
Core Functions: Device‑management platforms, fleet configuration, analytics and AI services, orchestration, API gateways, customer‑facing applications.
Typical Assets: Long‑term telemetry stores, policies, user identities, digital twins, model artefacts, audit logs.
Key Security Controls: Strong authentication (OIDC/OAuth2), fine‑grained authorization (ABAC/RBAC), encryption at rest and in transit, secure DevSecOps pipelines, SBOM‑aware deployments, backup and recovery.

4. Trust and Monitoring Fabric
Core Functions: PKI and key lifecycle, blockchain/DLT services, SIEM/SOAR, threat‑intelligence feeds, MITRE ATT&CK‑mapped analytics.
Typical Assets: CA hierarchies, CRLs/OCSP, ledger entries (device IDs, firmware hashes, attestations), normalized logs and alerts, detection rules.
Key Security Controls: Certificate management, post‑quantum‑ready key‑exchange and signatures, blockchain‑based integrity, centralized and distributed monitoring, automated response (isolating devices, revoking credentials).

From a defender’s perspective, this layered model also clarifies where different classes of threats should be mitigated. Physical tampering and side‑channel attacks concentrate on the device layer. Protocol exploits and man‑in‑the‑middle attacks live primarily at the device–edge and edge–cloud interfaces. Identity abuse and privilege escalation show up in the cloud and application layers, while long‑term stealth—such as supply‑chain backdoors or key misuse—is detected most effectively in the trust and monitoring fabric. Mapping Abomhara and Køien’s threat categories onto these layers helps teams design controls where they will have the most impact (MITRE, 2024; CISA, 2023).

This layered view connects directly back to the 2015 taxonomy. Assets span all four layers. Threats and intruders can be mapped to specific techniques at each layer using frameworks like MITRE ATT&CK for ICS, and long‑term trust anchors increasingly rely on quantum‑aware PKI and blockchain research (Li et al., 2024; Alshahrani et al., 2025).

6. New Axes in the 2026 Landscape: RaaS, AI, and Supply‑Chain Risk

6.1 Professionalized Cybercrime and RaaS

Abomhara and Køien were correct in identifying financial gain as a key motivation for cybercrime (Abomhara & Køien, 2015). However, the threat has evolved from relatively isolated actors into large‑scale organized crime rings that utilize advanced tactics such as Ransomware‑as‑a‑Service (RaaS). These operations increasingly target critical services, including industrial production, healthcare, and municipal infrastructure, by abusing IoT and OT devices as entry points or leverage for extortion. For example, attackers may exploit an exposed VPN appliance or OT gateway, encrypt adjacent file shares and control systems, and then demand payment to restore operations (Aldosari, 2025; Nemec Zlatolas et al., 2024).

6.2 AI as Defender and Attack Surface

The 2015 paper does not discuss the role of artificial intelligence. Today, AI and machine learning are central to the new dynamics of threats and defenses. On one hand, AI‑driven intrusion‑detection systems and anomaly detectors can sift through vast volumes of telemetry from industrial sensors, consumer devices, medical equipment, and smart‑city nodes to detect abnormal behavior (Messinis et al., 2024). On the other hand, adversarial AI introduces new attack vectors: data‑poisoning and model‑evasion attacks can compromise IoT infrastructures from within, in ways that traditional threat models did not anticipate (Tariq et al., 2023; Mauri & Damiani, 2022).

2026 Threat Model: An Agentic AI Kill Chain in IoT

1. Autonomous Reconnaissance: AI agents continuously scan IPv4/IPv6 ranges, cloud APIs, and SBOM databases for specific firmware versions, library combinations, and misconfigurations across consumer, industrial, and healthcare IoT estates.
2. Automated Exploit Selection and Model Manipulation: Based on discovered targets, the system automatically selects exploits and may attempt to corrupt on‑device ML models (for example, anomaly detectors) so that later malicious activity appears benign to local and central monitoring (Messinis et al., 2024; Tariq et al., 2023).
3. Swarm‑Level Execution and Evasion: Compromised devices form a coordinated swarm that adapts traffic patterns, timing, and commands to stay below detection thresholds, supporting objectives such as stealthy data exfiltration or coordinated disruption.

Fully autonomous “agentic” campaigns are still emerging rather than ubiquitous. However, early research and tooling trends point strongly in this direction, particularly as AI becomes more deeply integrated into both offensive and defensive security workflows.

6.3 Supply‑Chain and Third‑Party Dependencies

According to the original paper, intruders are classified as individuals, groups, or agencies. In 2026, a crucial additional dimension is the supply chain. Modern IoT infrastructure consists of complex interconnections of third‑party software, hardware, and cloud services. A vulnerability in any stage of this chain—from build systems to shared libraries—can generate weaknesses in millions of devices yet to be deployed (Nemec Zlatolas et al., 2024; Butun et al., 2022).

This reality makes SBOMs, secure development pipelines, and trusted update channels fundamental requirements. Agencies such as ENISA and NIST now treat supply‑chain attacks as critical threats, emphasizing the need for transparency and rapid impact assessment when a new vulnerability or compromise is discovered (CISA, 2023; Cyber Resilience Act 2022).

7. Logical Follow‑Up Directions: Extending the 2015 Framework

The work of Abomhara and Køien provides fertile ground for numerous follow‑up studies, many of which are now active areas of research. Based on their foundational framework, several directions are particularly important in 2026.

7.1 Lightweight, Quantum‑Resistant Cryptography

The authors rightly pointed out that IoT devices have limited resources and cannot easily support heavyweight security mechanisms (Abomhara & Køien, 2015). With the rise of quantum computing, a key next step is to design lightweight post‑quantum cryptographic methods that offer strong security while using minimal computing power and energy, especially for long‑lived devices (Nemec Zlatolas et al., 2024; Alshahrani et al., 2025). Evaluations on Cortex‑M‑class microcontrollers show that NIST‑selected schemes are feasible but significantly more expensive than current ECC, so careful algorithm and protocol choices are critical (PQC for IoT surveys).

7.2 AI‑Driven, Attacker‑Centric Threat Modelling

The taxonomy in 2015 is static. A logical evolution is dynamic, attacker‑centric threat modelling, such as the Attacker‑Centric Approach (ACA) proposed for virtual healthcare (Herath et al., 2024). This shifts focus from system weaknesses alone to adversary motivations and tactics, incorporating continual feedback from threat intelligence and enabling AI‑driven intrusion detection to prioritize the most plausible paths.

7.3 Blockchain and DLT for Trust and Integrity

Trust was identified as a key issue in the original paper. Blockchain and other distributed ledger technologies provide new ways to anchor device identities, firmware provenance, and security‑relevant events in tamper‑resistant logs, improving data integrity, access control, and non‑repudiation (Nemec Zlatolas et al., 2024; Li et al., 2024). Most practical designs rely on permissioned ledgers and use gateways as clients, which reduces load on constrained devices but raises important questions about privacy and governance (Blockchain‑for‑IoT surveys).
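To make the provenance idea concrete, here is an added Python sketch (not the article's own code nor that of any cited project) of a gateway‑side check against a hash‑chained firmware ledger whose head is anchored on each append, standing in for a permissioned ledger replicated by consensus. The device model, versions and image bytes are constructed; the example also shows why the head must be anchored, since otherwise an edit to the newest record would pass verification.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class LedgerEntry:
    """One firmware-release record; all identifiers below are constructed."""
    index: int
    device_model: str
    firmware_version: str
    firmware_sha256: str   # digest of the signed image the vendor published
    prev_hash: str

    def entry_hash(self) -> str:
        # Hash covers every field, so editing any of them changes the link.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())

class ProvenanceLedger:
    """Append-only hash chain standing in for a permissioned ledger. The head
    hash is 'anchored' on append, as replicated ledgers would do via consensus."""
    def __init__(self):
        self.entries = []
        self.anchored_head = GENESIS

    def append(self, device_model: str, version: str, firmware_sha256: str) -> LedgerEntry:
        entry = LedgerEntry(len(self.entries), device_model, version,
                            firmware_sha256, self.anchored_head)
        self.entries.append(entry)
        self.anchored_head = entry.entry_hash()
        return entry

    def verify_chain(self) -> bool:
        # Recompute every link and compare with the anchored head, so an edit
        # to the newest record (which no later link covers) is still caught.
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != expected_prev:
                return False
            expected_prev = e.entry_hash()
        return expected_prev == self.anchored_head

    def approved_hashes(self, device_model: str) -> set:
        return {e.firmware_sha256 for e in self.entries if e.device_model == device_model}

def check_attestation(ledger: ProvenanceLedger, device_model: str, reported_sha256: str) -> str:
    """Gateway-side decision on a device's boot-time firmware measurement."""
    if not ledger.verify_chain():
        return "ledger-tampered"
    if reported_sha256 in ledger.approved_hashes(device_model):
        return "known-firmware"
    return "unknown-firmware"

def tamper_entry(ledger: ProvenanceLedger, index: int, new_sha256: str) -> None:
    """Simulate an insider rewriting a stored record in place."""
    ledger.entries[index] = replace(ledger.entries[index], firmware_sha256=new_sha256)

def build_sample_ledger() -> ProvenanceLedger:
    """Constructed sample: two releases for a fictional gateway model."""
    ledger = ProvenanceLedger()
    for version, image in (("1.0.0", b"constructed image v1.0.0"),
                           ("1.1.0", b"constructed image v1.1.0")):
        ledger.append("edge-gw-x1", version, sha256_hex(image))
    return ledger
```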

7.4 Operationalizing Intruder Profiles with MITRE ATT&CK

The original intruder taxonomy groups attackers into individuals, groups, and agencies. Frameworks like MITRE ATT&CK for ICS translate this into concrete techniques and procedures, such as “Initial Access: Exploit Public‑Facing Application” or “Impair Process Control” (MITRE, 2024). Applying ATT&CK to IoT and OT environments provides a bridge between high‑level intruder profiles and observable behaviors, supporting more precise detection and response.

Taken together, these directions suggest a research agenda that goes beyond patching today’s vulnerabilities. It aims at end‑to‑end, adversary‑aware systems that are cryptographically agile, explainable under formal models like Dolev–Yao, and empirically grounded in real‑world adversary behaviour catalogued by frameworks such as MITRE ATT&CK. My goal with this review is to provide a bridge between the early conceptual work of 2015 and these emerging lines of work, so that practitioners and researchers can situate their own contributions inside a coherent evolution of IoT security thinking.

8. Conclusion: Why a 2015 Taxonomy Still Matters in 2026

The paper “Cyber Security and the Internet of Things” by Abomhara and Køien was a seminal early work on IoT security. It adopted a descriptive, taxonomic approach to structuring a new and complex field, providing one of the first clear inventories of vulnerabilities, threats, and intruders. Its conclusions on IoT device weaknesses and the need for a holistic approach to security were prescient and remain valid today (Abomhara & Køien, 2015; Tariq et al., 2023).

At the same time, the last decade has witnessed a remarkable transformation of the cybersecurity landscape. The professionalization of cybercrime, the introduction of AI both as a defensive tool and as a target, and the growing sophistication of global supply chains have added new dimensions to IoT security challenges (Nemec Zlatolas et al., 2024; Messinis et al., 2024). Although the original framework remains an informative teaching and modelling tool, it must be supplemented with up‑to‑date knowledge on RaaS, AI, supply‑chain risk, blockchain, and post‑quantum cryptography to be fully useful in practice.

IoT security research of the future will continue to build on the conceptual ground that Abomhara and Køien helped lay, pushing toward adaptive, intelligent, and resilient security solutions for an increasingly interconnected world. In a follow‑up article, I will focus exclusively on the current and future landscape: agentic AI kill chains, operationalizing the EU Cyber Resilience Act, deploying PQC in real‑world IoT products, and exploring quantum‑secure blockchain architectures in depth.

References and Further Reading
