Evaluate and Improve Your IoT Deployment Security
Answer questions about your IoT deployment to receive a security score, identify vulnerabilities, and get prioritized recommendations for improvement.
viewof deploymentType = Inputs.select([
"Smart Home / Consumer",
"Commercial Building",
"Industrial/Manufacturing",
"Healthcare Facility",
"Critical Infrastructure",
"Agriculture/Outdoor"
], {label: "Deployment Type:", value: "Smart Home / Consumer"})
viewof deviceCount = Inputs.select([
"1-10 devices",
"11-50 devices",
"51-200 devices",
"201-1000 devices",
"1000+ devices"
], {label: "Device Count:", value: "11-50 devices"})Answer each question honestly to get an accurate security posture score.
assessmentData = [
{
category: "Device Security",
icon: "🔐",
weight: 1.5,
questions: [
{
q: "Are default passwords changed on all devices?",
options: ["All devices", "Most devices", "Some devices", "No/Unknown"],
scores: [10, 6, 3, 0],
tip: "Default passwords are the #1 IoT vulnerability (Mirai exploited this)"
},
{
q: "Do devices receive regular firmware updates?",
options: ["Auto-update enabled", "Manual but regular", "Occasionally", "Never/Can't update"],
scores: [10, 7, 3, 0],
tip: "Unpatched devices remain vulnerable to known exploits indefinitely"
},
{
q: "Is secure boot enabled on devices?",
options: ["Yes, verified", "Partially", "No", "Unknown"],
scores: [10, 5, 0, 2],
tip: "Secure boot prevents unauthorized firmware from running"
}
]
},
{
category: "Network Security",
icon: "🌐",
weight: 1.3,
questions: [
{
q: "Are IoT devices on a separate network segment/VLAN?",
options: ["Dedicated IoT VLAN", "Some segmentation", "Same as other devices", "Unknown"],
scores: [10, 6, 1, 2],
tip: "Network segmentation limits lateral movement if one device is compromised"
},
{
q: "Is network traffic encrypted (TLS/DTLS)?",
options: ["All traffic encrypted", "Most traffic", "Some traffic", "Unencrypted"],
scores: [10, 6, 3, 0],
tip: "Unencrypted traffic can be intercepted and read by attackers"
},
{
q: "Is there a firewall controlling IoT traffic?",
options: ["Dedicated firewall rules", "General firewall", "Router only", "None"],
scores: [10, 6, 3, 0],
tip: "Firewalls can block unauthorized connections to/from IoT devices"
}
]
},
{
category: "Authentication & Access",
icon: "🔑",
weight: 1.4,
questions: [
{
q: "Is multi-factor authentication used for admin access?",
options: ["MFA required", "MFA available", "Password only", "No authentication"],
scores: [10, 6, 2, 0],
tip: "MFA prevents unauthorized access even if passwords are compromised"
},
{
q: "Are device certificates used for authentication?",
options: ["PKI with certificates", "Shared secrets", "API keys only", "None"],
scores: [10, 6, 3, 0],
tip: "Certificate-based auth is stronger than shared secrets"
},
{
q: "Is there role-based access control (RBAC)?",
options: ["Fine-grained RBAC", "Basic roles", "All-or-nothing", "Unknown"],
scores: [10, 6, 2, 2],
tip: "RBAC limits damage from compromised accounts"
}
]
},
{
category: "Data Protection",
icon: "🛡️",
weight: 1.2,
questions: [
{
q: "Is sensitive data encrypted at rest?",
options: ["AES-256 or equivalent", "Some encryption", "No encryption", "Unknown"],
scores: [10, 5, 0, 2],
tip: "Encryption at rest protects data if storage is compromised"
},
{
q: "Are data retention policies implemented?",
options: ["Automated policies", "Manual deletion", "Data kept indefinitely", "Unknown"],
scores: [10, 6, 1, 2],
tip: "Retaining unnecessary data increases breach impact"
},
{
q: "Is personal data anonymized/pseudonymized?",
options: ["Full anonymization", "Pseudonymized", "Raw PII stored", "No personal data"],
scores: [8, 6, 0, 10],
tip: "Anonymization reduces privacy breach severity"
}
]
},
{
category: "Monitoring & Detection",
icon: "👁️",
weight: 1.1,
questions: [
{
q: "Is there logging of security events?",
options: ["Centralized SIEM", "Local logs", "Minimal logging", "No logging"],
scores: [10, 6, 2, 0],
tip: "Without logs, you can't detect or investigate breaches"
},
{
q: "Is there intrusion detection (IDS/IPS)?",
options: ["Active IDS/IPS", "Passive monitoring", "None", "Unknown"],
scores: [10, 6, 0, 2],
tip: "IDS can detect attacks in progress"
},
{
q: "Are there alerts for anomalous behavior?",
options: ["ML-based anomaly detection", "Threshold alerts", "Manual review", "None"],
scores: [10, 7, 3, 0],
tip: "Automated alerts enable faster incident response"
}
]
},
{
category: "Physical Security",
icon: "🏢",
weight: 0.9,
questions: [
{
q: "Are devices physically secured from tampering?",
options: ["Tamper-evident/resistant", "Locked enclosures", "Basic housing", "Exposed"],
scores: [10, 7, 4, 0],
tip: "Physical access can enable firmware extraction and debug port attacks"
},
{
q: "Are debug ports (JTAG/UART) disabled?",
options: ["Disabled in production", "Password protected", "Enabled", "Unknown"],
scores: [10, 6, 0, 2],
tip: "Debug ports are common attack vectors for firmware extraction"
}
]
},
{
category: "Incident Response",
icon: "🚨",
weight: 1.0,
questions: [
{
q: "Is there a documented incident response plan?",
options: ["Tested IR plan", "Documented plan", "Informal process", "None"],
scores: [10, 7, 3, 0],
tip: "Plans reduce response time and improve breach containment"
},
{
q: "Can compromised devices be remotely isolated?",
options: ["Automated isolation", "Manual capability", "Requires physical access", "Cannot isolate"],
scores: [10, 6, 2, 0],
tip: "Quick isolation prevents lateral movement and data exfiltration"
}
]
},
{
category: "Vendor & Supply Chain",
icon: "📦",
weight: 0.8,
questions: [
{
q: "Are device vendors' security practices assessed?",
options: ["Formal assessment", "Basic review", "Trust vendor", "No assessment"],
scores: [10, 6, 2, 0],
tip: "Vendor vulnerabilities become your vulnerabilities"
},
{
q: "Is there a software bill of materials (SBOM)?",
options: ["Complete SBOM", "Partial inventory", "None", "Unknown"],
scores: [10, 5, 0, 2],
tip: "SBOMs help identify vulnerable components quickly"
}
]
}
]
// Create answer state
mutable answers = Object.fromEntries(
assessmentData.flatMap((cat, ci) =>
cat.questions.map((_, qi) => [`q_${ci}_${qi}`, null])
)
)
// Global function to update answers (needed for onclick handlers in OJS)
window.updateSecurityAnswer = (ci, qi, oi) => {
const event = new CustomEvent('security-answer-update', { detail: { ci, qi, oi } });
document.dispatchEvent(event);
};// Render assessment questions
html`
<div style="display: flex; flex-direction: column; gap: 25px;">
${assessmentData.map((category, ci) => html`
<div style="background: white; border-radius: 12px; padding: 20px; box-shadow: 0 2px 10px rgba(0,0,0,0.1);">
<h3 style="margin-top: 0; color: #2C3E50; display: flex; align-items: center; gap: 10px;">
<span style="font-size: 28px;">${category.icon}</span>
${category.category}
<span style="font-size: 12px; color: #666; margin-left: auto;">Weight: ${category.weight}x</span>
</h3>
${category.questions.map((q, qi) => html`
<div style="margin: 15px 0; padding: 15px; background: #f8f9fa; border-radius: 8px;">
<div style="font-weight: bold; color: #2C3E50; margin-bottom: 10px;">
${q.q}
</div>
<div style="display: flex; flex-wrap: wrap; gap: 8px;">
${q.options.map((opt, oi) => html`
<button
type="button"
onclick=${() => window.updateSecurityAnswer(ci, qi, oi)}
style="padding: 8px 16px; border-radius: 20px; border: 2px solid ${answers[`q_${ci}_${qi}`] === oi ? '#16A085' : '#dee2e6'};
background: ${answers[`q_${ci}_${qi}`] === oi ? '#E8F6F3' : 'white'}; cursor: pointer;
color: ${answers[`q_${ci}_${qi}`] === oi ? '#16A085' : '#666'}; font-size: 13px;">
${opt}
</button>
`)}
</div>
<div style="font-size: 12px; color: #7F8C8D; margin-top: 8px; font-style: italic;">
💡 ${q.tip}
</div>
</div>
`)}
</div>
`)}
</div>
`scores = {
const categoryScores = assessmentData.map((cat, ci) => {
let totalPossible = 0;
let totalEarned = 0;
let answeredCount = 0;
cat.questions.forEach((q, qi) => {
const answer = answers[`q_${ci}_${qi}`];
totalPossible += 10;
if (answer !== null) {
totalEarned += q.scores[answer];
answeredCount++;
}
});
return {
category: cat.category,
icon: cat.icon,
weight: cat.weight,
score: answeredCount > 0 ? Math.round((totalEarned / totalPossible) * 100) : null,
earned: totalEarned,
possible: totalPossible,
answered: answeredCount,
total: cat.questions.length
};
});
// Calculate weighted overall score
let weightedSum = 0;
let weightTotal = 0;
categoryScores.forEach(cs => {
if (cs.score !== null) {
weightedSum += cs.score * cs.weight;
weightTotal += cs.weight;
}
});
const overallScore = weightTotal > 0 ? Math.round(weightedSum / weightTotal) : 0;
return { categoryScores, overallScore };
}
// Get risk level
riskLevel = scores.overallScore >= 80 ? { level: "Low Risk", color: "#27AE60", icon: "✅" } :
scores.overallScore >= 60 ? { level: "Medium Risk", color: "#F39C12", icon: "⚠️" } :
scores.overallScore >= 40 ? { level: "High Risk", color: "#E67E22", icon: "🔶" } :
{ level: "Critical Risk", color: "#E74C3C", icon: "🚨" };
html`
<div style="display: grid; grid-template-columns: 1fr 2fr; gap: 30px; margin: 20px 0;">
<!-- Overall Score -->
<div style="background: white; border-radius: 16px; padding: 30px; text-align: center; box-shadow: 0 4px 15px rgba(0,0,0,0.1);">
<div style="font-size: 72px; font-weight: bold; color: ${riskLevel.color};">
${scores.overallScore}
</div>
<div style="font-size: 18px; color: #666; margin: 10px 0;">Security Score</div>
<div style="padding: 10px 20px; background: ${riskLevel.color}; color: white; border-radius: 25px; display: inline-block; font-weight: bold;">
${riskLevel.icon} ${riskLevel.level}
</div>
<div style="margin-top: 20px; text-align: left;">
<div style="font-size: 13px; color: #666; margin-bottom: 10px;">Score Breakdown:</div>
<div style="font-size: 12px; color: #888;">
<div>• 80-100: Low Risk ✅</div>
<div>• 60-79: Medium Risk ⚠️</div>
<div>• 40-59: High Risk 🔶</div>
<div>• 0-39: Critical Risk 🚨</div>
</div>
</div>
</div>
<!-- Category Breakdown -->
<div style="background: white; border-radius: 16px; padding: 20px; box-shadow: 0 4px 15px rgba(0,0,0,0.1);">
<h4 style="margin-top: 0; color: #2C3E50;">Category Scores</h4>
${scores.categoryScores.map(cs => html`
<div style="margin: 12px 0;">
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 5px;">
<span style="font-size: 14px;">${cs.icon} ${cs.category}</span>
<span style="font-weight: bold; color: ${cs.score >= 80 ? '#27AE60' : cs.score >= 60 ? '#F39C12' : cs.score >= 40 ? '#E67E22' : cs.score === null ? '#999' : '#E74C3C'};">
${cs.score !== null ? `${cs.score}%` : '—'}
</span>
</div>
<div style="background: #eee; border-radius: 10px; height: 12px; overflow: hidden;">
<div style="background: ${cs.score >= 80 ? '#27AE60' : cs.score >= 60 ? '#F39C12' : cs.score >= 40 ? '#E67E22' : cs.score === null ? '#ccc' : '#E74C3C'};
width: ${cs.score || 0}%; height: 100%; transition: width 0.5s;"></div>
</div>
<div style="font-size: 11px; color: #999; margin-top: 2px;">
${cs.answered}/${cs.total} questions answered
</div>
</div>
`)}
</div>
</div>
`recommendations = {
const recs = [];
assessmentData.forEach((cat, ci) => {
cat.questions.forEach((q, qi) => {
const answer = answers[`q_${ci}_${qi}`];
const score = answer !== null ? q.scores[answer] : null;
if (score !== null && score < 7) {
// Low-scoring answers need recommendations
const priority = score === 0 ? "Critical" : score <= 3 ? "High" : "Medium";
const priorityColor = priority === "Critical" ? "#E74C3C" : priority === "High" ? "#E67E22" : "#F39C12";
recs.push({
category: cat.category,
icon: cat.icon,
question: q.q,
currentAnswer: q.options[answer],
priority,
priorityColor,
tip: q.tip,
improvement: q.options[0], // Best option
weight: cat.weight,
impact: (10 - score) * cat.weight // Higher impact = more improvement possible
});
}
});
});
// Sort by impact (priority)
return recs.sort((a, b) => b.impact - a.impact);
}
html`
<div style="background: white; border-radius: 12px; padding: 20px; box-shadow: 0 2px 10px rgba(0,0,0,0.1);">
<h3 style="margin-top: 0; color: #2C3E50;">📋 Security Improvement Roadmap</h3>
${recommendations.length === 0
? html`<div style="padding: 30px; text-align: center; color: #27AE60; font-size: 18px;">
✅ Complete the assessment above to receive recommendations
</div>`
: html`
<div style="font-size: 14px; color: #666; margin-bottom: 15px;">
Found <strong>${recommendations.length}</strong> areas for improvement, sorted by impact:
</div>
${recommendations.slice(0, 10).map((rec, i) => html`
<div style="border-left: 4px solid ${rec.priorityColor}; padding: 15px; margin: 10px 0; background: #f8f9fa; border-radius: 0 8px 8px 0;">
<div style="display: flex; justify-content: space-between; align-items: start;">
<div>
<span style="font-weight: bold; color: #2C3E50;">${i + 1}. ${rec.icon} ${rec.category}</span>
<span style="font-size: 11px; padding: 2px 8px; border-radius: 10px; background: ${rec.priorityColor}; color: white; margin-left: 10px;">
${rec.priority}
</span>
</div>
<div style="font-size: 12px; color: #666;">
Impact Score: ${Math.round(rec.impact)}
</div>
</div>
<div style="margin: 10px 0; font-size: 14px; color: #2C3E50;">
<strong>Issue:</strong> ${rec.question}
</div>
<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px; margin-top: 10px;">
<div style="padding: 10px; background: #FADBD8; border-radius: 6px;">
<div style="font-size: 11px; color: #E74C3C; font-weight: bold;">Current State:</div>
<div style="font-size: 13px; color: #943126;">${rec.currentAnswer}</div>
</div>
<div style="padding: 10px; background: #D5F4E6; border-radius: 6px;">
<div style="font-size: 11px; color: #27AE60; font-weight: bold;">Recommended:</div>
<div style="font-size: 13px; color: #1E8449;">${rec.improvement}</div>
</div>
</div>
<div style="font-size: 12px; color: #7F8C8D; margin-top: 10px;">
💡 ${rec.tip}
</div>
</div>
`)}
${recommendations.length > 10 ? html`
<div style="text-align: center; padding: 15px; color: #666; font-style: italic;">
+ ${recommendations.length - 10} more recommendations...
</div>
` : ''}
`
}
</div>
`html`
<div style="background: white; border-radius: 12px; padding: 20px; box-shadow: 0 2px 10px rgba(0,0,0,0.1);">
<h3 style="margin-top: 0; color: #2C3E50;">🛡️ Defense-in-Depth Layers</h3>
<p style="color: #666; font-size: 14px;">
Security should be implemented in layers. If one layer fails, others provide protection.
</p>
<div style="display: flex; flex-direction: column; align-items: center; gap: 0; margin: 20px 0;">
${[
{ layer: "Perimeter", desc: "Firewalls, Network Segmentation", score: scores.categoryScores[1]?.score, color: "#3498DB" },
{ layer: "Network", desc: "Encryption, IDS/IPS, Monitoring", score: scores.categoryScores[1]?.score, color: "#2980B9" },
{ layer: "Application", desc: "Authentication, Authorization, Input Validation", score: scores.categoryScores[2]?.score, color: "#1ABC9C" },
{ layer: "Data", desc: "Encryption at Rest, Access Controls, Anonymization", score: scores.categoryScores[3]?.score, color: "#16A085" },
{ layer: "Device", desc: "Secure Boot, Firmware Updates, Physical Security", score: scores.categoryScores[0]?.score, color: "#27AE60" }
].map((l, i) => html`
<div style="width: ${90 - i*12}%; padding: 15px 20px; background: ${l.score >= 70 ? l.color : l.score >= 50 ? '#F39C12' : l.score === null ? '#95a5a6' : '#E74C3C'};
color: white; border-radius: 8px; display: flex; justify-content: space-between; align-items: center;
opacity: ${l.score === null ? 0.5 : 1};">
<div>
<div style="font-weight: bold; font-size: 16px;">${l.layer} Layer</div>
<div style="font-size: 12px; opacity: 0.9;">${l.desc}</div>
</div>
<div style="font-size: 24px; font-weight: bold;">
${l.score !== null ? `${l.score}%` : '?'}
</div>
</div>
`)}
</div>
<div style="text-align: center; font-size: 13px; color: #666; margin-top: 15px;">
An attacker must penetrate all layers to reach your data. Strengthen the weakest layers first.
</div>
</div>
`| # | Vulnerability | Description | Related Assessment Area |
|---|---|---|---|
| I1 | Weak Passwords | Default/guessable credentials | Device Security, Authentication |
| I2 | Insecure Network | Unencrypted traffic, open ports | Network Security |
| I3 | Insecure Interfaces | Vulnerable APIs/web interfaces | Authentication & Access |
| I4 | Lack of Update Mechanism | No secure OTA updates | Device Security |
| I5 | Insecure Components | Outdated libraries, no SBOM | Vendor & Supply Chain |
| I6 | Insufficient Privacy | PII exposure, no consent | Data Protection |
| I7 | Insecure Data Transfer | Unencrypted protocols | Network Security |
| I8 | Lack of Device Management | No lifecycle management | Device Security |
| I9 | Insecure Defaults | Poor out-of-box security | Device Security |
| I10 | Lack of Physical Hardening | Exposed ports, no tamper detection | Physical Security |
This tool provides a general security assessment framework. For production deployments, engage professional penetration testers and security auditors who can evaluate your specific implementation details.