A Review of Security Standards and Frameworks for IoT-Based Smart Environments

Assessing the security of IoT-based smart environments such as smart homes and smart cities is becoming fundamentally essential to implementing the correct control measures and effectively reducing the security threats and risks brought about by deploying IoT-based smart technologies. The problem, however, lies in finding security standards and assessment frameworks that best meet the security requirements of, and comprehensively assess and expose the security posture of, IoT-based smart environments. To explore this gap, this paper presents a review of existing security standards and assessment frameworks, including several NIST special publications on security techniques, highlighting their primary areas of focus to uncover those that can potentially address some of the security needs of IoT-based smart environments. Cumulatively, a total of 80 ISO/IEC security standards, 32 ETSI standards and 37 different conventional security assessment frameworks, which included 7 NIST special publications on security techniques, were reviewed. To present an all-inclusive and up-to-date review of the state of the art, the review process considered both published security standards and assessment frameworks and those under development. The findings show that most of the conventional security standards and assessment frameworks do not directly address the security needs of IoT-based smart environments but have the potential to be adapted to them. With this insight into the state of the art of security standards and assessment frameworks, this study helps advance the IoT field by opening new research directions as well as opportunities for developing new security standards and assessment frameworks that will address the security concerns of future IoT-based smart environments. This paper also discusses open problems and challenges related to the security of IoT-based smart environments. As a new contribution, a taxonomy of challenges for IoT-based smart environment security concerns, drawn from the extensive literature examined during this study, is proposed, which also maps the identified challenges to potential proposed solutions.


I. INTRODUCTION
The Internet of Things (IoT) is a relatively new and emerging technology that is gaining popularity among many stakeholders. According to [1], IoT technology has brought about revolutionary impacts in many areas of our lives. Besides, it has become a key enabler of innovation and success in a wide range of fields, including IoT-based smart environments [2].
The associate editor coordinating the review of this manuscript and approving it for publication was Zheng Yan .
IoT has also paved the way for the emergence of other IoT-based smart technologies which allow individuals to connect to and control smart devices and appliances remotely using computers, smartphones, or tablets through the internet. Interconnected devices in an IoT-enabled smart environment allow individuals to control different device functions remotely through the internet [1]. However, it is common in a smart environment to find both IoT and non-IoT devices and services blended to enhance people's quality of life [3]. Connecting one's devices and appliances to the Internet, however, exposes them, as well as the data sensed, collected, and exchanged by them, to a wide range of security threats and risks. Besides, every connected device can become a potential entry or attack point for malicious intruders, hence the need for assessing and hardening the security of IoT-based smart environments. While IoT is still expected to impact many other upcoming areas of our lives [4], there are inherent security and privacy concerns that need to be continuously addressed. However, due to the dynamic and heterogeneous nature of IoT-based smart environments, addressing many of the security and privacy issues is always a challenge. Security assessment of IoT-based smart environments such as smart homes and smart cities, for example, can be hard in environments where the status, posture, or security landscape, as well as the extent of the network visibility, is not known. What makes security assessment in IoT-enabled smart environments even more challenging is the fact that, once deployed, most interconnected IoT devices or appliances rarely offer ongoing professional support to individuals in either their design or operation phases [1].
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
The lack of ongoing professional support thus impacts the security and privacy needs of many IoT-based smart environments.
Confronted by the security challenges in IoT-based smart environments, the authors of this paper conducted a review of existing conventional security standards and assessment frameworks, highlighting their primary areas of focus to uncover those that can potentially address some of the security needs of IoT-based smart environments. A total of 80 ISO/IEC security standards, 32 ETSI standards and 37 different security frameworks, which included 7 NIST special publications on security techniques, were reviewed. The findings of this study can help IoT practitioners, researchers and other stakeholders understand the state of the art of the domain, identify new research directions, and spark further discussion on the development of new security standards and assessment frameworks to address existing and future security problems in IoT-based smart environments.
As a contribution, this paper thus aims to fulfil the following objectives:
1) To review existing security standards and assessment frameworks, including NIST special publications on security techniques, to uncover their primary areas of focus and expose the state of the art and background of the domain.
2) To identify and discuss open problems and challenges related to IoT-based smart environment security concerns.
3) To propose and discuss a taxonomy of challenges for IoT-based smart environments, drawn from the extensive literature examined during this study, that also maps potential solutions to the identified open challenges and other future IoT smart technology security issues.
The remainder of the paper is organized as follows. Section II presents an overview of and motivation for this study, while the background and existing research work are presented in section III. Section IV explains the research methodology used in this study, followed by section V, which presents reviews of conventional security standards and assessment frameworks.
Section VI presents open problems and challenges related to IoT-based smart environments. As a new contribution, section VII proposes and discusses a taxonomy of challenges for IoT-based smart environments in tandem with proposed potential solutions to the identified challenges. Finally, the paper concludes in section VIII with a mention of future research work.

II. OVERVIEW AND MOTIVATION
This review was motivated by the understanding that conventional security standards and assessment frameworks meant for use in non-IoT environments are very different, and many may not directly address the needs of IoT-based smart environments. This paper thus investigates the potential that conventional security standards and assessment frameworks have to address the security concerns of IoT-based smart environments by exposing their primary areas of focus as well as the state of the art and background of the domain.
While the benefits and prospects of an expanded IoT-based smart environment are huge, so is the attack surface. Consequently, the increased number of IoT devices, ecosystems and integrations has meant that many vulnerable endpoints are being witnessed daily, especially in smart homes, smart cities, global enterprises, and critical infrastructures. IoT-based smart environments are currently a trend that is expanding daily; however, this expansion comes with a lot of complexity, integration, and security issues in the different areas of application. Because of the foregoing, a review of existing conventional security standards and assessment frameworks is positioned to uncover key and perennial security issues in IoT-based smart environments.
Additionally, the authors note with concern that, based on the literature reviewed in this paper, there is still a deficiency of specialized security standards and assessment frameworks that are primarily oriented towards IoT-based smart environments. For this reason, the key discoveries and conclusions in this study are explicitly based on leveraging the content of existing conventional security standards and assessment frameworks that are deemed to have the potential to be used in IoT-based smart environments. This study also identifies and discusses open problems and challenges while at the same time proposing a taxonomy of challenges for IoT-based smart environments, mapping the identified challenges to potential solutions that can help address existing and future IoT security issues.
Furthermore, based on the exploration and review conducted in this paper, it is evident that many existing or proposed solutions have had a limited scope when exploring security standards and assessment frameworks. This study, by contrast, is explicitly not limited to security standards in general; assessment frameworks have also been included to enrich the study and allow for broad and in-depth findings. The combination of relevant literature on security standards and assessment frameworks in this study helps to avoid generalization and opens the study up to a wider scope. Figure 1 shows an overview of the overlapping key aspects that motivated this study, which also form the primary focus areas of this paper. The authors also acknowledge that the key aspects explored in this study, as shown in Figure 1, are not only applicable to this study but can also be used in different IoT application areas, including those outside the scope of this paper. This paper explicitly focuses on existing conventional security standards and assessment frameworks and their potential to be adapted to IoT-based smart environments. However, as a key aspect, this paper also looks at different open problems and challenges while at the same time proposing a taxonomy of challenges mapped to potential solutions, as highlighted in Figure 1.

III. BACKGROUND AND EXISTING RESEARCH WORK
Like many other fields, the IoT domain is growing very fast. However, with this growth come many cybersecurity challenges. Previous research in the IoT domain has mostly focused on finding control measures to address deficiencies in different areas of IoT, including security, privacy, vulnerabilities, and resiliency [5]-[8]. However, the need for security standards and assessment frameworks that specifically focus on IoT-based smart environments is as important as the research itself. As part of the background and existing research work, this section focuses on the security and privacy concerns of IoT-based smart environments as well as existing research on security standards and assessment frameworks. It is also important to note at this point that privacy is not a primary focus of this study and is not explored further beyond the background section.

A. SECURITY AND PRIVACY CONCERNS IN IoT-BASED SMART ENVIRONMENTS
In IoT-based smart environments, a lot of data and information is shared among various devices. Without a good security standard or security assessment mechanism in place, the data and information moving in and around these environments can become susceptible or vulnerable to a variety of security threats and risks [9]. Some of the concerns relating to data and information in IoT-based smart environments, as discussed in [3], [5]-[12], are summarized in the subsections below.

1) SECURITY CONCERNS
• Data and Information Leakage: In any IoT smart environment, without proper security mechanisms that protect data and information from malware and other malicious intruders, personal information could easily be leaked resulting in security breaches [11].
• Eavesdropping: With information moving in and around IoT-based smart environments and over to the Internet, malicious attackers can take advantage of unsecured network communications and steal data as it is being transmitted between the connected IoT devices which can lead to other serious security breaches.
• Hacking: Most of the data and information collected by IoT devices within smart environments may be stored on internet-accessible systems like the ''Cloud''. Many cloud-based IoT devices and systems are known to have security vulnerabilities and can easily be victims of hacking and cyberattacks as data transmission like video data from cameras may not even be encrypted when sent over the internet.
• Software Exploitation: Because of the lack of standardization in many IoT-based smart environments, rogue software can easily find its way into IoT devices through firmware upgrades and trusted boot, device acquisition, as well as apps and services. This can affect service delivery by altering device configurations. Besides, many IoT devices run lightweight versions of well-known operating systems, in which hackers can search for software vulnerabilities and exploit them to gain privileged access to sensitive information [7].
• IoT Device Security: Because of the lack of specialized, universally approved IoT security standards or security assessment frameworks, some devices may be manufactured with poor security baselines such as old and unpatched embedded operating systems and software, weak, guessable, or hard-coded passwords, and insecure data transfer and storage, among others. This makes such IoT devices vulnerable to different security threats and attacks.
• IoT Device Hijacking and Ransomware: As a result of poor security, the lack of specialized, universally approved IoT security standards and assessment frameworks, and the rising number of IoT devices in use, many of these devices may soon become easy targets of ransomware attacks.
• Technology-Minded and Security-Aware Users: With the growing innovation of IoT technologies, many users are yet to understand how modern IoT devices are designed and function. This makes it easy for attackers to use social engineering to trick IoT device users into providing sensitive data or information which can be used to gain access to smart environment networks, such as smart homes and smart cities, putting everyone's life at risk.
• Insufficient IoT Device Testing and Updates: Most IoT devices are produced quickly to meet increasing market demand and hence do not undergo proper testing or follow any acceptable security standards or assessment frameworks. Users mostly put their trust in the manufacturers to test the IoT devices as well as provide security control measures. However, due to high demand, many manufacturers focus more on creating and releasing new products to the market without proper testing or security control measures in place. Besides, old IoT devices may no longer be updated, or may take long to be updated, resulting in security risks in IoT-based smart environments.
• Lack of Active Device Monitoring: Monitoring IoT devices can be challenging [10]. This is because most of the existing monitoring tools and practices, especially those focusing on the cloud, were traditionally designed to monitor time-series metric data with no focus on modern IoT devices or their processes. The lack of active IoT device monitoring tools makes it hard to have full network visibility in IoT-based smart environments. Besides, there is a lack of tools that can be used to directly monitor individual IoT devices deployed in IoT-based smart environments.
• Shortage of Efficient and Robust Security Protocols: The lack of efficient and robust security protocols including proper IoT security standards, assessment frameworks and safeguards could lead to security breaches in smart environments leading to personal data exfiltration [10], [13].
• Impersonation: With many IoT devices in smart environments lacking strong authentication or access control mechanisms, it becomes easy for intruders to impersonate a legitimate user and use the credentials or any other information that gives them access to existing IoT resources in an IoT-based smart environment [7]. Successful impersonation could further be used to escalate to other serious security attacks.
• Health and Safety of Users: If a hacker gains access to an IoT-based smart environment such as smart homes, he or she may, for example, try to change medical prescriptions or order products that the homeowner does not need or is allergic to. As a result, the health of the homeowner and the entire family is at risk because they may not have time to verify the automation processes initiated by the hackers [14].
• Denial of Service (DoS/DDoS): With the advancement in technology, hackers can try to cause a DoS/DDoS against existing hubs in IoT-based smart environment networks or the sensors themselves [7]. Attackers can also access the network and send bulk messages such as Clear To Send (CTS) and Request To Send (RTS) to IoT devices [11], causing DoS to legitimate IoT devices.
• Other Security Threats: With the rapid growth in the number and usage of IoT devices, other security threats may also exist in IoT-based smart environments such as home invasions, trespass, falsification [11] rogue and counterfeit IoT devices, botnet attacks, physical attacks, unintentional damage or loss, disasters and outages, failures or malfunctions, [3] dynamic systems, authentication, unsecured wireless network problems [5], side-channel attack, man-in-the-middle, identity theft, advanced persistent threat (APT) [13], jamming, function creep, buffer overflow, large-scale unauthorized data mining, surveillance, unauthorized access or deletion or modification of data, worms, viruses and malicious code [15], the openness of the networked systems, weak passwords, fixed firmware [16], resource constraints, headless nature of IoT devices, tamper-resistant packages, heterogeneous protocols, dynamic characteristics, longevity expectations [17] among many other security threats.

2) PRIVACY CONCERNS
Privacy in IoT-based smart environments, according to [18], means that ''information about individuals must be protected and should not be exposed without explicit consent from the owners under any circumstances''. Because of the ease of connectivity of IoT devices to the internet, and the lack of proper security mechanisms or common security standards and assessment frameworks designed for IoT-based smart environments, the risk of exposure of personal data or information to malicious attackers can be high [10]. Some of the privacy concerns related to IoT-based smart environments include:
• Data Storage and Usage: With the introduction of cloud storage by third parties [19], [20], many IoT devices can easily store data generated or collected from smart environments in public cloud infrastructure. The problem, however, is that there is a lack of standardization on how to store and process IoT data from different sources, which is mostly unstructured, and this can lead to a breach of privacy. This, therefore, calls for the development of universal security and privacy standards, best practices, methods, and tools that can consistently handle IoT data as well as ensure that distributed data is securely accessed and transported [21] with high levels of privacy to either public or private clouds.
• Tracking and Location Privacy: Because of the ease and availability of internet connectivity to IoT devices, tracking users based on location is very common. Once a malicious attacker identifies a user, they can collect data that tracks the user behaviour [18] including location history which the attacker can use to stalk a user leading to a breach of privacy.
• Context-Aware or Situational Privacy: As a result of poor security mechanisms implemented in some IoT devices, detecting, spotting, and locating users' movement, activities, and gathering data based on actions can be possible [16] leading to a breach of privacy.
• Sensed, Generated or Collected Data Privacy: Some manufacturers of IoT devices can design their firmware to collect data sensed or generated by the devices, especially about the usage of services and other data about their customers. The data or information collected in this manner may not fully adhere to the privacy needs of the users, especially during transmission, and may lead to a breach of user privacy.
• User Privacy Information Mining: Because network communication in IoT networks is not fully protected, privacy mining, as discussed in [22], can be used to mine private information from smart homes or smart cities, leading to other serious security and privacy breaches.
• Other privacy concerns that have been identified in the literature include user profiling, utility monitoring and controlling [18], collection, use and disclosure of IoT data without the users' consent, de-identification of IoT data, dependency on vendors, interoperability, managing IoT devices, accountability, and transparency [23].
As mentioned earlier, this paper will not discuss privacy concerns further. The next section elaborates on some of the existing research work on security assessment frameworks.

B. EXISTING RESEARCH WORK
In the literature, several security standards, assessment frameworks, and special publications on security techniques exist which can be used in different environments (e.g., network security, world wide web security, application security, and telecommunications, among other areas). However, these security standards and assessment frameworks were primarily designed with specific application environments in mind, hence different steps or processes are involved for different environments, as highlighted later in section V. Researchers in the IoT domain have also proposed different approaches and techniques to address different IoT deficiencies, and these form the basis of the existing research work in this section.
In [24], the authors proposed an IoT-based integrated home security and monitoring system. The authors argued that home security remains a critical issue, hence the need for a security and monitoring system for IoT-based smart home environments. Their proposed system, however, focused on detecting intruders, room temperature, humidity, rain, and fire, as well as monitoring the light condition. The security of the individual devices and the entire security landscape of the smart home after device deployment was not considered in their research, which can leave the smart home vulnerable to a variety of security threats and risks.
An end-to-end security assessment framework based on Software Defined Networking (SDN) to evaluate the security level of CloudIoT was developed by [25]. Their study was motivated by the existence of numerous choices of cloud-resource providers and IoT devices and not necessarily by IoT-based smart environments. Their research stated that evaluating the security levels of both the cloud-resource providers and IoT devices is very important in promoting the adoption of CloudIoT and reducing business security risks [25]. The current paper, however, focuses on reviewing security standards and assessment frameworks to identify those that have the potential to address the security concerns of IoT-based smart environments.
Another study by [26] argued that security has become a vital factor for any IoT smart environment. For this reason, they proposed an Identified Security Attributes (ISA) framework to evaluate the security features of Internet of Health Things (IoHT) based devices in the healthcare environment. Their study was motivated by the understanding that patients' sensitive data always moves from IoT devices to servers, and during transmission it can fall into the hands of malicious attackers. For this reason, their study concluded that proper security is indispensable for IoHT-based equipment due to its exposure to different security attacks [26].
Research by [27] stated that the rapid growth of IoT-based systems raises security concerns making a security assessment framework for IoT systems imperative. The authors then proposed an assessment framework to evaluate the security features of IoT-based equipment using hybrid multi-criteria decision making (MCDM) methodology and later carried out an empirical study on the assessment of IoT-based healthcare devices [27].
Further research by [28] claimed that patients' data is very critical, and so is its secure transmission in smart healthcare applications. In their research, [28] proposed a framework to protect medical information from external threats which the authors claim has both scientific and economic significance, as it consumes as few resources as possible on low-powered medical devices; thus, it could be used for real-time healthcare applications.
In another study, the authors in [29] state that ''in inventory automation, real-time check on items, their information management, and status management, monitoring can be carried out using IoT''. However, the data that flows among the devices in the network demands a security assessment framework that ensures authentication, authorization, integrity, and confidentiality. For this reason, the authors proposed ''a lightweight IoT-based security assessment framework for inventory automation using wireless sensor networks'' [29].
Research by [30] proposed a secure and compliant continuous assessment framework for evaluating the security and compliance levels of cloud services. The proposed framework helps cloud service customers select an optimal cloud service provider (CSP) that satisfies their desired security requirements. The framework also enables cloud service customers to evaluate the compliance of the selected CSP while using its cloud services [30].
Research by [31] designed and implemented a risk assessment framework for cloud service providers meant to provide assurance that will lead to higher confidence of cloud service consumers on one side and cost-effective and reliable productivity of cloud service providers and resources organized by individual infrastructure providers on the other side.
Denning et al. [32] proposed a framework for evaluating security risks associated with technologies used at home. On the same note, Kang et al. [33] proposed an enhanced security framework for smart devices in a smart home environment meant to provide integrity using self-signing and access control techniques for preventing security threats such as data modification, leakage, and code fabrication. Table 1 below provides a summary of the existing work discussed and its primary focus areas. It can be inferred from the research works summarized in Table 1 that most of them do not directly focus on providing security assessment for IoT-based smart environments but only on specific application areas, and thus do not fully cater for all the primary security needs of IoT-based smart environments. Table 1 further justifies the need for developing new security standards and assessment frameworks for IoT-based smart environments. The next section discusses the research methodology used to conduct the review in this paper.

IV. METHODOLOGY
In conducting the review process, the authors of this paper adopted guidelines and principles that reflect systematic methods and uphold the theoretical validity of the study. These guidelines pinpoint the need for identifying the key study area, sampling, extracting useful data, interpreting the validity of these data, and finally mapping the outcome as potential results. Based on the same notion, this study primarily focused on identifying the relevant articles on security standards and assessment frameworks, including NIST special publications on security techniques, examining them to find whether they satisfy the suggested selection criteria, and disseminating the findings while identifying the existing research gaps or challenges, as shown in Figure 2. The review methodology used in this study comprises three primary phases, as follows:
• Phase I: Study area identification, definition of research questions, sampling, and defining the key search strategy or criteria.
• Phase II: Applying the search strategy or criteria to known literature, conducting a snowballing search and database search, evaluating the search results, and defining the selection criteria.
• Phase III: Identifying the accepted literature, articles, papers, websites and web documents for review, and reviewing them based on the selected key study topic.

A. PHASE I: STUDY AREA IDENTIFICATION
Study area identification in the context of this paper was based on several research questions that also formed the basis of the whole study. Given that the objective is to review the current state of the art of security standards and assessment frameworks, this serves as the guiding principle that indicates the key activities that could be leveraged for IoT-based smart environments. Based on this objective, the key research questions for this study have been formulated as follows:
• RQ1: What is the current state of the art of conventional security standards and assessment frameworks with regard to the security concerns of IoT-based smart environments?
• RQ2: Which of the existing conventional security standards and assessment frameworks can be adapted to help address some of the primary security requirements of IoT-based smart environments?
• RQ3: What are the open problems and challenges arising from the existing gaps in the security standards and assessment frameworks?
Basing our study on the above-mentioned research questions, the next phase addresses the key search strategy.

B. PHASE II: SEARCH STRATEGY
The second phase is based on conducting an online search. The scope of this study has been inclined towards security standards and assessment frameworks which also include NIST special publications on security techniques. As a result, the authors explored Google Scholar, ACM, Springer Link, IEEE Xplore, Web of Science, Web Search Engines and Scopus with the queries and search strings shown in Table 2. After conducting a keyword search based on the criteria mentioned in Table 2, the number of papers, online articles, web documents and other special publications obtained is summarized in Table 3.

C. PHASE III: IDENTIFYING AND REVIEWING THE LITERATURE
To filter the selected papers, online articles, and special publications, the following approach was adopted:
• A paper, article, website, web document or other special publication is only included in the next phase when all the authors agree that it holds some relevance to the study objectives.
• Doubtful papers, articles, websites, web documents or any other special publications are jointly reviewed to determine whether they satisfy the selection criteria in part or in full, as shown in Figure 2.
• Papers, articles, websites, web documents or any special publications considered not to be relevant by all the authors were removed from the selection.
• All accepted papers, articles, websites, web documents and special publications were included in a repository ready to be reviewed.
During this phase, all the gathered literature, 831 items in total, was subjected to thorough reading by the authors with two objectives in mind: the first was to extract all the relevant data needed for our study, while the second was to check the correctness and relevance of the extracted data. The information considered from each item of literature was aligned with the primary objectives of this study. After reviewing the titles, abstracts, and sections of all the 831 identified literature resources shown in Table 3, a total of 617 literature resources were deemed irrelevant and excluded from the selection. Of the 214 that remained, 131 were categorized as doubtful. Consultation and discussion formed the basis of this process, especially in reaching agreement and consensus on any of the literature under contention or categorized as doubtful. After many considerations based on the content of each paper, article, website, web document and other literature resource, a total of 149 data items were extracted from the accepted literature deemed relevant by the authors, which included 80 ISO/IEC security standards, 32 ETSI standards and 37 different security assessment frameworks (including 7 NIST special publications on security techniques). The 149 identified data items formed the final repository for review and are summarized in Table 4.
The next section presents a review of all the selected security standards and assessment frameworks, including the NIST special publications on security techniques. It aims to uncover the primary focus area of each of the security standards and assessment frameworks identified and selected from the literature, in order to find out which of them potentially address some of the security requirements of IoT-based smart environments and, if not, which can be adapted to handle IoT-based smart environment security concerns.

V. REVIEW OF EXISTING SECURITY STANDARDS AND ASSESSMENT FRAMEWORKS
Existing security standards offer insight into recommended security controls, processes, procedures, baselines and guidelines that are deemed ideal for networks and are in some cases mandatory for compliance [34]. Most existing security assessment frameworks, on the other hand, offer security best practices, methods and guidelines that organisations can adopt to get the best results when implementing a security programme [34]. However, IoT-based smart environment networks raise new security concerns that are not directly addressed by most of the existing conventional security standards and assessment frameworks [3]. This section of the paper therefore reviews the existing security standards and assessment frameworks, including some NIST special publications, identified and selected from the reviewed literature, highlighting their primary areas of focus to uncover those that can potentially be adapted to address the security needs of IoT-based smart environments. Table 4 summarises the different security standards and assessment frameworks identified, selected and discussed in this section, including the owner and the primary focus area of each. Note that some of the standards and assessment frameworks discussed here are specialised by industry or geographic region. A more detailed description of each identified standard and assessment framework is given in the sub-sections that follow.

1) NIST CYBERSECURITY FRAMEWORK
The NIST cybersecurity framework was created based on a set of industry standards and best practices to help organizations manage their critical infrastructure cybersecurity risks [35]. Because IoT is becoming a part of critical infrastructure, this framework has the potential to be used in IoT-based smart environments. The framework consists of a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, offering detailed guidance for developing individual organizational profiles. Specifically, the framework is broken down into five key functions (identify, protect, detect, respond, and recover) that manage the risks to data and information security [36].
• Identify: Helps organisations develop an understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities [37], including asset management, business environment and information technology governance, through comprehensive risk assessment and management processes.
• Protect: Helps organisations develop and implement appropriate safeguards to ensure the delivery of critical services [37]. This function also includes defining security controls for protecting data and information systems, including access control, training and awareness, data security, information protection procedures, and maintenance of protective technologies [31].
• Detect: Helps organisations develop and implement appropriate activities to identify the occurrence of a cybersecurity event [37], and offers guidelines for detecting security anomalies and monitoring systems and networks to uncover security incidents [36].
• Respond: Helps organisations develop and implement appropriate activities to act on a detected cybersecurity incident [37]. This includes recommendations for planning responses to security events, mitigation procedures, communication processes during a response, and activities for improving security resilience [36].
• Recover: Helps organisations develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident [37], as well as guidelines that an organisation can use to recover from attacks [36].

2) NIST RISK MANAGEMENT FRAMEWORK (RMF)
The Risk Management Framework (RMF) [38] provides a comprehensive, flexible, repeatable, and measurable 7-step process (prepare, categorize, select, implement, assess, authorize, and monitor) that any organization can use to manage information security and privacy risks.
• Prepare: Takes care of the essential activities to prepare an organization for managing security and privacy risks.
• Categorize: Helps an organisation to categorize the system and information processed, stored, and transmitted based on impact analysis.
• Select: Helps organisations select the set of NIST SP 800-53 [39] controls to protect the system based on risk assessment.
• Implement: Helps an organisation implement the controls and document how controls are deployed.
• Assess: Helps an organisation in assessment to determine if controls are in place, operating as intended, and producing the desired results.
• Authorize: This involves senior officials in an organisation making risk-based decisions to authorize the system (to operate).
• Monitor: Helps an organisation to continuously monitor control implementation and risks to its systems.
With the growing security and privacy concerns in IoT-based smart environments, this framework has the potential to be adapted for use in function-specific areas of IoT security and privacy risk management.
VOLUME 9, 2021

3) NIST PRIVACY FRAMEWORK
The NIST privacy framework was developed to help organizations identify and manage privacy risks as well as build innovative products and services while protecting individuals' privacy [40]. The core functions of the framework are as below:
• Identify: Help organisations develop an understanding of how to manage privacy risks for individuals arising from data processing.
• Govern: Help organisations develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk.
• Control: Help organisations develop and implement appropriate activities to enable them or individuals to manage data with sufficient granularity to manage privacy risks.
• Communicate: Help organisations develop and implement appropriate activities to enable them as well as individuals to have a reliable understanding of how data are processed and associated privacy risks.
• Protect: Help organisations develop and implement appropriate data processing safeguards.
From this framework, the identify, control, and protect functions can help manage privacy issues in IoT-based smart environments.

4) NIST SP 800-53
This special publication on security matters provides security and privacy controls for information systems and organizations [39] to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of security threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

5) NIST SP 800-30
This special publication was developed to guide organisations in conducting information systems risk assessments [41].

6) NIST SP 800-37
The NIST SP 800-37 special publication describes and provides guidelines for applying the RMF to information systems and organizations [42].

7) NIST SP 800-39
This special publication was developed to guide an integrated, organization-wide program for managing information security risk to organizational operations (mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems [43].

8) NIST SP 800-12
NIST SP 800-12 [44] was primarily designed for federal and governmental agencies but can also be used by others focusing on control and computer security within an organization.

10) NIST SP 800-53R1
NIST SP 800-53R1 [46] was designed with a focus on protecting the confidentiality, integrity, and availability of the system and its information.

11) HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
HIPAA was developed to require health plans, health care providers and health care clearinghouses to implement sufficient controls for securing protected health information and to prevent sensitive patient health information from being disclosed without the patient's consent or knowledge [82]. With the growing number of wearable IoT medical devices, the HIPAA security and privacy requirements can be adapted for use in IoT-based smart health systems.

12) FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
FERPA was developed to protect the privacy of student education records [47] and applies to all schools that receive funds under an applicable program of the U.S. Department of Education [47].

13) PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
PCI DSS was designed to protect the security of cardholder data [48] and defines a set of requirements intended to ensure that all organisations that process, store, or transmit payment card information maintain a secure environment [49], so as to reduce payment card fraud. With the increasing use of near field communication (NFC) payments, PCI DSS requirements apply equally to payment flows that pass through IoT devices such as smartphones used for processing card information.

14) CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Developed by the United States Department of Defence (DoD), CMMC is used to measure defence contractors' capabilities, readiness, and sophistication in cybersecurity [50]. The cybersecurity maturity model provides a framework or a pathway for organizations to periodically assess or measure the maturity of a security program and guidance on how to reach the next level [51].

15) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2)
Developed by the U.S. Department of Energy (DOE) C2M2 enables organizations to voluntarily measure the maturity levels of their cybersecurity capabilities consistently [52].

16) FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (FFIEC) CYBERSECURITY ASSESSMENT TOOL
Like the CMMC and C2M2, the FFIEC Cybersecurity Assessment Tool (FFIEC-CAT) is meant to help organisations identify their cybersecurity risk level and determine the maturity of their cybersecurity programs. The assessment tool provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time [53] as well as to measure risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics [54].

17) NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION (NERC) 1300
Developed by NERC, this standard (the draft cyber security standard that succeeded Urgent Action Standard 1200 and was subsequently adopted as the CIP-002 to CIP-009 standards) is meant to help organisations reduce risks to the reliability of the bulk electric system arising from any compromise of critical cyber assets [55].

18) NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION CRITICAL INFRASTRUCTURE PROTECTION (NERC-CIP)
The NERC-CIP standards were developed to provide specific guidance on cybersecurity for the North American power systems. A list of all the applicable standards is available at [56]. Electricity distribution companies that increasingly deploy smart inverters and other IoT devices can benefit from adapting both the NERC 1300 and NERC-CIP standards.

19) AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI)/INTERNATIONAL SOCIETY OF AUTOMATION (ISA) (ANSI/ISA 62443)
ANSI, together with the ISA, developed ANSI/ISA 62443, which is the US adoption of the IEC 62443 international series of standards on industrial communication networks and network and system security. The series defines processes, techniques and requirements for Industrial Automation and Control Systems (IACS) and includes secure product development lifecycle requirements meant to help in developing and maintaining secure products [57]. IoT device manufacturers can benefit from applying ANSI/ISA 62443 in their product development lifecycle to produce more secure IoT products.

20) GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR was enacted by the European Union and imposes data privacy and security obligations on organisations anywhere in the world, so long as they target or collect data related to people in the EU [58]. Its obligations therefore extend to environments where IoT devices are used to collect and distribute data related to individuals in the EU.

21) SYSTEM AND ORGANIZATION CONTROLS (SOC 2)
Designed by the American Institute of CPAs (AICPA), SOC 2 enables organisations that collect and store customer information using cloud services to maintain proper security, and defines security requirements to which vendors and third parties must conform [36]. SOC 2 reports are meant to serve users requiring detailed information and assurance about the controls at a service organisation relevant to the security, availability and processing integrity of the systems the service organisation uses to process users' data, and to the confidentiality and privacy of the information processed by these systems [59], which may also include IoT-based smart systems. SOC 2 also provides Software-as-a-Service (SaaS) companies with guidelines and requirements for mitigating data breach risks and strengthening their cybersecurity posture [36].

22) THREAT ASSESSMENT AND REMEDIATION ANALYSIS (TARA)
TARA was developed as part of a MITRE portfolio of systems security engineering practices that contribute to the achievement of mission assurance for systems during the acquisition process [60]. TARA primarily focuses on identifying and assessing cyber vulnerabilities and selecting countermeasures effective at mitigating those vulnerabilities. The capabilities of TARA can easily be adapted for IoT-based smart environments to help in identifying and assessing cyber vulnerabilities.

23) OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION (OCTAVE)
OCTAVE was developed by the Software Engineering Institute at Carnegie Mellon University on behalf of the U.S Department of Defence to help in identifying and managing information security risks [61]. It is anchored on three basic aspects: build asset-based threat profiles, identify infrastructure vulnerabilities, and develop a security strategy and plans. OCTAVE defines a comprehensive evaluation method that helps an organization to identify the information assets that are important to the organization, the threats to those assets, and the vulnerabilities that may expose those assets to the threats. OCTAVE also helps organisations understand what information is at risk [61].

24) INFORMATION ASSURANCE FOR SMALL AND MEDIUM ENTERPRISES (IASME) GOVERNANCE
Developed by the IASME consortium, the IASME governance standard is used to accredit a business's cybersecurity posture [62]. The standard includes such areas as, risk assessment and management, monitoring, change management, training and managing people, backup, and incident response and business continuity. There were suggestions for the IASME consortium to deliver IoT certification to give confidence to consumers and businesses that IoT devices have attained a minimum accepted level of security [63].

25) HEALTH INFORMATION TRUST (HITRUST)
The HITRUST Alliance developed the HITRUST Common Security Framework (HITRUST CSF), which harmonises requirements from multiple existing standards and regulations (including HIPAA, ISO/IEC 27001 and NIST SP 800-53) into a single certifiable framework. HITRUST CSF primarily focuses on security and privacy issues in organisations [64], particularly those handling health information.

26) CENTER FOR INTERNET SECURITY CONTROLS V7 (CIS V7)
Developed by the CIS, CIS Controls version 7 helps organisations to enhance their security posture [65] by listing prioritised, actionable cybersecurity requirements applicable to all organisations [36].

27) CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGIES (COBIT)
COBIT [66] was developed by the Information Systems Audit and Control Association (ISACA) and focuses on the governance and management of enterprise IT, including IT security, in organisations that want to improve the quality of their IT services while adhering to security best practices [36].

28) NZISM PROTECTIVE SECURITY REQUIREMENTS (PSR) FRAMEWORK
Developed by the New Zealand government, the framework is part of the Protective Security Requirements (PSR), which are led by the New Zealand Security Intelligence Service (NZSIS), and outlines the government's expectations for managing personnel, physical and information security, including the baselines and minimum mandatory security standards for government departments and agencies [67]. The New Zealand Information Security Manual (NZISM), published by the Government Communications Security Bureau (GCSB), is the companion manual that details the information security controls expected under the PSR.

29) COMMITTEE OF SPONSORING ORGANIZATIONS (COSO)
COSO of the Treadway Commission is dedicated to developing frameworks and guidance on enterprise risk management, internal control, and fraud deterrence [68]. Among the frameworks developed under the COSO umbrella are:
• Enterprise Risk Management framework: This framework addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk as well as meet the demands of an evolving business environment [68].
• Internal Control-Integrated Framework: This framework helps organizations design and implement internal controls [68].

30) AUSTRALIAN SIGNALS DIRECTORATE (ASD) ESSENTIAL 8
Developed by the Australian Cyber Security Centre (ACSC), which is part of ASD, the Essential Eight is a prioritised set of mitigation strategies meant to help organisations protect their systems against a range of adversaries [69].

31) 10 STEPS TO CYBERSECURITY
This is an initiative of the National Cyber Security Centre (NCSC) in the UK and provides 10 steps of general guidance on how organisations can protect themselves in cyberspace [70].

32) TECHNICAL COMMITTEE ON CYBER SECURITY (TC CYBER) FRAMEWORK
ETSI's Technical Committee on Cyber Security (TC CYBER) developed a framework [71] that recommends a set of requirements for improving privacy awareness for individuals and organisations as well as improving telecommunication security standards across Europe [36]. TC CYBER initiatives are split across key areas where standardisation can help bring better security [71], including: understanding the cybersecurity ecosystem, protection of personal data and communication, consumer IoT security and privacy, cybersecurity for critical national infrastructures, network security, cybersecurity tools and guides, direct support to EU legislation, and quantum-safe cryptography.

33) NEW ZEALAND PRIVACY ACT 2020
Drafted by the Parliamentary Counsel Office and enacted by the New Zealand Parliament, the Privacy Act 2020 promotes and protects individual privacy [72].

34) CONSORTIUM FOR IT SOFTWARE QUALITY (CISQ)
CISQ develops security standards meant for developers to maintain when developing software applications [73] as well as assess the risks and vulnerabilities present in completed software applications or those under development. Developers use the CISQ standards to measure the size and quality of their software programs [36].

35) FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FedRAMP)
FedRAMP developed a framework to provide a standardized approach to security authorizations for cloud service offerings [74]. The framework can enable government agencies to evaluate cyber threats and risks to different infrastructure platforms, cloud-based services, and software solutions [36].

36) FEDERAL INFORMATION SECURITY MODERNIZATION ACT (FISMA)
FISMA [75] is United States federal legislation (enacted in 2002 and updated by the Federal Information Security Modernization Act of 2014) that requires federal agencies to implement adequate measures to protect their information systems from different types of attacks and to develop and maintain effective cybersecurity programmes [36]; CISA, together with the Office of Management and Budget, supports its implementation across agencies.

37) SECURITY CONTENT AUTOMATION PROTOCOL (SCAP)
NIST developed the SCAP specification (OpenSCAP is one open-source implementation of it) with a focus on automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement [76]. SCAP aims to standardise the formats through which security software programs communicate security issues, configuration information, and vulnerabilities [36].

38) ETSI STANDARDS
The European Telecommunications Standards Institute (ETSI) is a non-profit organisation dedicated to producing telecommunications standards that can be used throughout Europe. However, ETSI also develops standards for different areas of cybersecurity and the Internet of Things (IoT). Because of the vast number of standards developed by ETSI, in this section we sample some of those that focus on addressing components of cybersecurity and the IoT. For a comprehensive list of all the ETSI standards, the reader is advised to consult [71] and [82].
In line with the objectives of this study, Table 5 summarises the sampled ETSI standards and their primary focus areas, touching either on cybersecurity or on IoT-based smart environments such as smart cities, smart grids, smart metering, smart body area networks and smart cards. The next section presents a summary of the ISO/IEC 27000 series of standards on information technology security techniques identified to support this study, shown in Table 6. Table 6 is a collection of published standards as well as others under development (at the time of this study) related to information technology, security techniques, privacy, incident response and risk management that can be used across a wide range of types and sizes of business organisations.
The summary presented in Table 6 shows the different standards in the ISO/IEC 27000 family together with their primary focus areas [77]. Note that of the 80 ISO/IEC 27000 series standards identified in this study, only 8 (10%) have a direct focus on IoT security and privacy, with 5 published and 3 under development at the time of this study.
As is evident from Table 6, the ISO/IEC 27000 series of standards are broad in scope and cover a variety of areas including privacy, confidentiality, integrity, availability, technical information technology and other cybersecurity areas; a good number of the standards also cover information technology security techniques. All 80 ISO/IEC 27000 series standards listed in Table 6 apply to organisations of all sizes, especially in assessing and mitigating cybersecurity and information risks. It is also important to note that the ISO/IEC 27000 series of standards are continuously updated to keep pace with the dynamic nature of cybersecurity and the ever-changing security threats, vulnerabilities and impacts of cybersecurity incidents. For a comprehensive discussion of the individual standards listed in Table 6, the reader can consult [77]. Discussing and evaluating individual standards is outside the scope of this study; however, future research may consider individual discussions and evaluations of specific standards identified. Table 6 again justifies the need to develop new standards and assessment frameworks focusing on IoT-based smart environments, as only 10% of the listed standards have a direct focus on IoT security and privacy. This is because most of the security standards and assessment frameworks identified in this paper were not designed to directly address the security needs of IoT-based smart environments, which is arguably a consequence of the dynamic nature of digital technology. For this reason, new security standards and assessment frameworks will need to be developed to specifically address the security needs of IoT-based smart environments. The next section briefly explains open problems and challenges related to IoT-based smart environment security issues.

VI. OPEN PROBLEMS AND CHALLENGES FOR IoT-BASED SMART ENVIRONMENTS
This section provides a brief description of open problems and challenges related to IoT-based smart environment security concerns. These problems and challenges can also be considered potential areas for future research.
Some of the open problems and challenges identified are briefly discussed below.

A. LACK OF STANDARDIZATION
The lack of standardized approaches that can scale beyond conventional network requirements into IoT-based smart  security standards and assessment frameworks to address both current and future IoT security concerns.

B. TECHNOLOGY EVOLUTION
Technology evolution allows IoT devices to function smoothly as standalone systems or as part of existing solutions to improve the quality of life of IoT device users. However, many manufacturers of IoT devices do not incorporate security into their designs, and make use of different protocols and technologies that create complex configurations in IoT-based smart environments. Standards and assessment frameworks need to be developed to streamline the way different IoT technologies are designed, manufactured, and implemented.

C. SECURITY AND PRIVACY
Security and privacy are inherent challenges in many IoT application domains. The compromise of IoT devices is causing serious security and privacy problems that are likely to persist into the foreseeable future of IoT. With new IoT devices being manufactured daily and added to existing networks, their connectivity to the internet provides malicious actors with an entry point into smart environments from which they can carry out their activities, especially since many IoT devices suffer from known security weaknesses. Poor security and privacy can expose people's lives, as well as their health, to malicious individuals through such attacks.

D. CONNECTIVITY
With new IoT devices entering the market daily, connectivity is becoming a challenge as well. New communication models, protocols and technologies need to be developed to support the thousands of new devices being connected to the internet every day.

E. LAW ENFORCEMENT AND REGULATIONS
Being a relatively new technology, the Internet of Things presents legal issues in different jurisdictions with regard to applicable laws and regulations. For a detailed account, [78] and [79] present some of the legal and ethical issues associated with IoT smart environments.

F. OTHER IoT CHALLENGES
Other challenges found in the literature include compatibility, interoperability, scalability, intelligent analysis and actions, reliability, management of IoT network and its resources, data confidentiality and visualization [80]. As a new contribution, the next section presents the proposed taxonomy that classifies the different challenges related to IoT smart environments and their proposed potential solutions.

VII. TAXONOMY OF CHALLENGES FOR IoT-BASED SMART ENVIRONMENT AND PROPOSED POTENTIAL SOLUTIONS
In this section, we present a taxonomy of challenges for IoT-based smart environments in tandem with proposed potential solutions. Figure 3 shows a high-level overview of the different IoT-based smart environment challenges discussed in this section.

A. SCOPE OF THE PROPOSED TAXONOMY
Fundamentally, the taxonomy in this section has been drawn from the literature examined in this paper. The taxonomy was necessitated by the existence of key security and privacy challenges in IoT-based smart environments. Logically, while the key considerations could be focused on the security of data, devices and the key technologies being utilised, our study was oriented towards the relevant methods and techniques in IoT-based smart environments that are centred on handling security and privacy, as well as how the data generated in these environments are managed securely. These insights were considered while combing through the existing security standards and assessment frameworks. Furthermore, they formed a foundation that enabled effective and systematic exploration of security standards and assessment frameworks, which in turn was used to define the scope of the taxonomy as well as a baseline for identifying open problems and challenges relevant to IoT-based smart environments.
With many known challenges in IoT-based smart environments, different stakeholders have attempted to address specific challenges. The contribution of this paper is, however, a step towards a taxonomy of challenges for IoT-based smart environments based on the examined literature. The scope of the taxonomy is thus restricted to the literature reviewed by the authors in this study. It is also important to note that the various challenges identified and discussed in this paper are in no way an exhaustive list; however, the taxonomy was created taking into consideration the major challenges associated with IoT-based smart environments, as shown in Figure 3. The next section explains the proposed taxonomy.

B. PROPOSED TAXONOMY OF CHALLENGES FOR IoT-BASED SMART ENVIRONMENT
The proposed taxonomy is an extended version of the different categories of challenges shown in Figure 3. Table 7 shows the details of the different challenges drawn from the reviewed literature in this paper. The taxonomy consists of five different categories of challenges arranged from top to bottom with the first one being the technical challenges. This is followed by the legal challenges, ethical challenges, operational challenges, and finally the adaptive challenges.
The sub-sections that follow briefly explain the various categories of IoT-based smart environment challenges shown in Table 7. Note that the sub-categories of challenges shown in the second column of Table 7 focus on specific challenges associated with each category. To simplify understanding as well as present the finer details of the proposed taxonomy, the authors organised the taxonomy into categories and sub-categories as shown in Table 7. The sub-categories can also be useful when developing specialised IoT security tools that focus on addressing individual, specific IoT challenges. Note also that most of the sub-categories of challenges shown in Table 7 were selected only as common examples to facilitate this study and do not in any way represent an exhaustive list. More research is still needed to extend the list of specific sub-categories of challenges under each named category.

1) TECHNICAL CHALLENGES
In this paper, we view technical challenges as those that can be addressed using existing knowledge, expertise, and resources. They are easy to identify and define, and their solutions are based on known expert knowledge and skills. Implementing the solution to any of the identified technical challenges often falls to someone with the knowledge, expertise, and authority to do so. Examples of technical challenges faced by IoT-based smart environments identified for this study are shown in column two of Table 7.

2) LEGAL CHALLENGES
Legal challenges are related to legal specifics and may include both civil and criminal aspects. Several legal challenges affect IoT-based smart environments. Stakeholders note with concern, for example, how service providers use, store and secure users' personal information. Users and manufacturers of IoT devices, therefore, need to be aware of the legal challenges highlighted in Table 7, their complications and also understand that there are no concrete answers to them yet.

3) ETHICAL CHALLENGES
Many ethical challenges may arise from deploying IoT devices and services. Ethical challenges present people with tough choices of what is good or bad, what is acceptable or not acceptable among other choices. Usually, ethical challenges are hard to resolve in a manner that is consistent with accepted ethical guidelines. This is because they present difficult situations, especially when one must choose between two or more options yet neither of their choices resolves the situation ethically. Table 7 lists some of the examples of ethical challenges identified for this study.

4) OPERATIONAL CHALLENGES
With the growing number of IoT devices and their deployment in different smart environments, operational challenges are bound to occur. In an environment where IoT devices and services are deployed, operational challenges are those that could create waste, drain resources, impact operational performance, render a business less profitable and hinder growth. Different categories of operational challenges have been identified as examples to support this study and are shown in Table 7.

5) ADAPTIVE CHALLENGES
Unlike technical challenges, adaptive challenges, as shown in Table 7, are difficult to identify. These types of challenges present people with situations that have no known solutions [81]. In some cases, there may be too many solutions for a single adaptive challenge with no clear choice among them. Adaptive challenges are adaptive by nature: they are complex, ambiguous, unpredictable, volatile, and fluid, and they change with circumstances [81]. Resolving adaptive challenges sometimes requires people to learn new ways of doing things, change their attitudes, values and norms, and adopt experimental mindsets [81]. Because of the general description of the challenges identified in this study and the limited space in column three of Table 7, the proposed potential solutions for each category are listed separately in the next section, numbered i to xi. Note also that some of the proposed solutions apply to more than one category of challenges, as captured in column three of Table 7.

C. PROPOSED POTENTIAL SOLUTIONS TO THE IDENTIFIED CHALLENGES
IoT devices are becoming important components in deploying different types of services in smart environments. To overcome the different challenges described in this paper, this section presents proposed potential solutions that can help protect IoT-based smart environments and ensure service continuity and stability in future deployments. The proposed solutions include:
i. Developing security assessment frameworks for IoT-based smart environments to secure the IoT network.
ii. Developing IoT device-specific monitoring tools.
iii. Implementing secure authentication for all IoT devices.
iv. Encrypting IoT data moving in and out of IoT-based networks (encrypted communication).
v. Testing all IoT hardware before, during and after deployment (testing IoT hardware).
vi. Using public key infrastructure security methods for IoT devices and smart environments.
vii. Developing and deploying only secure and trusted IoT applications.
viii. Implementing identity management.
ix. Establishing trust for secure data transmission and object authentication.
x. Hardening the security of IoT networks, including the use of strong login credentials.
xi. Regulating and certifying IoT devices before use, to avoid launching IoT devices in a rush.
Note that every IoT device introduced into any network can be vulnerable to a variety of cyberattacks. The proposed solutions identified above can help prevent potential future attacks in IoT-based smart environments. However, other IoT security solutions that can also be beneficial include the use of:
• IoT security analytics,
• End-to-end credentials,
• IoT API security methods,
• Endpoint detection and response (EDR) tools,
• Dedicated network visibility tools, and finally
• Keeping up to date with the latest IoT security threats and breaches.

VIII. CONCLUSION AND FUTURE WORK
Knowing that the security standards and assessment frameworks that can be deployed in IoT-based smart environments are quite different from those that can be used in non-IoT domains, the need for effective security standards and assessment frameworks for IoT-based smart environments is now inevitable. This is backed up by the fact that IoT-based smart environment security depends on a wide range of security checks which many of the existing security standards and assessment frameworks discussed in this study may not directly address. Besides, the security of IoT-based smart environments is determined by installations and configurations made largely by sometimes untrained individuals. The combination of all these challenges makes the security of IoT-based smart environments much more difficult to develop, implement, enforce, and maintain. To address these challenges, this paper reviewed 80 ISO/IEC security standards, 32 ETSI standards and 37 different conventional security frameworks, which included 7 NIST special publications on security techniques. The review process revealed the lack of security standards and assessment frameworks that directly address the security requirements and needs of IoT-based smart environments. As a new contribution, this paper proposed a taxonomy that classifies the different challenges related to IoT-based smart environments into a few well-defined and easily understood categories drawn from the literature examined by the authors in this study. The taxonomy also includes proposed potential solutions to the identified challenges. Such a taxonomy can help researchers and other stakeholders identify and formulate future research directions related to the security and privacy issues of IoT-based smart environments.
As part of the future work, the authors plan to develop and test an IoT-based smart environment security assessment framework in a simulated smart environment and assess its effectiveness and efficiency against some of the challenges identified in this study. In addition, it is the authors' view that future research should explore how the current taxonomy would translate and fit into other environments, given the changing and dynamic nature of IoT-based ecosystems. However, more research still needs to be done to improve on the work conducted in this study as well as to spark further discussion on the development of new security standards and assessment frameworks for IoT-based smart environments.