IEEE Systems, Man and Cybernetics Magazine - July 2019 - 32

from the perspective of the utilities' risk and presents a set
of observations and recommendations concerning utility
deployment of the IoT. I highlight why utility and infrastructure operators should carefully consider risk as they
incorporate this embedded, often autonomous networked
technology into their systems.
Reliability, Cost, and Efficiency Challenges
Utilities and other infrastructures (e.g., road systems,
ports, water management facilities, power systems, gas networks, railways, airports, wastewater systems, and other
similar critical services and infrastructures) face the need
to become smarter, more automated, and further interconnected to meet a broad set of reliability, cost, and efficiency
challenges. Society is becoming increasingly dependent on
many of these systems, which are, in turn, becoming
increasingly complex and costly, while being expanded to
handle higher capacities. These developments place rising
demands on new technology to enable improved operations. Much of this new technology comes in the form of
what has been dubbed the IoT, the devices and systems
that densely monitor, record, and autonomously actuate
operational aspects of a system to ensure reliability and
efficiency [1], [2]. However, with the adoption of this IoT
technology, these utilities may actually become more vulnerable to cyberattack and other failure modes. This article
considers the adoption and deployment of a broad set of
IoT devices into the utility infrastructure and the security
risk that is associated with this adoption.
While not attempting an exhaustive summary, it is useful to discuss how IoT systems would be adopted into each
utility simply to highlight the trend. In the gas and water
industries, the IoT infrastructure includes a host of sensors
and regulators for the control of gas or water flow from
wells and for monitoring all the way through plant processing and final delivery to the customer. Sensors are being
deployed on roads to count frequency and load weights carried across various points, as well as to monitor and assess
the integrity of bridges and other structures. The electricity
industry, a long-time user of a variety of supervisory control and data acquisition (SCADA) systems, is moving from
a one-way distribution network to a very complex two-way
system, with not only feedback and real-time control but
also distributed generation, to be incorporated into the
power grid. The water-management industry, which oversees harbors, dikes, and similar structures and facilities,
has implemented various sensors and actuators critical in
the management of transportation systems and for flood
prevention and control. As a result, all of these utilities now
depend on these networked devices to ensure reliable operations. These are not just simple monitors; rather, they are
very complex systems with feedback that directly control
major operational aspects of these various utilities.
While there are clear advantages driving this move
toward IoT-based system adoption [3], the risks are still
poorly understood, and the models that should be applied
32

IEEE SYSTEMS, MAN, & CYBERNETICS MAGAZINE Ju ly 2019

to assess this risk and build in appropriate safeguards are
also poorly developed. Ultimately, utilities seek to maintain a highly reliable and resilient infrastructure, which
means they must minimize the impact of a failure of this
new technology, should such a failure occur. The IoT represents a range of devices and will include everything from
cheap and disposable consumer goods (e.g., light bulbs) to
costly and critical industrial control systems (e.g., sensors
for chemical plants). Some of these systems will therefore
demand far more secure and reliable designs than others.
Recognizing this diversity of IoT products, I do not mean
to cast aspersions on well-designed IoT systems; however,
as I will discuss, even these better-designed systems present challenges that are not being appropriately considered
in operational risk modeling.
This work was motivated by a discussion that I had
with risk-assessment experts from leading utilities, where
it was stated that many utilities did not realize the full
extent of vulnerabilities within IoT devices, nor were they
sure how to incorporate that risk and uncertainty into
their current risk-assessment models. I subsequently conducted more detailed interviews to assess these claims.
Through a semistructured interview process, I engaged
risk managers from five major utilities. The stated motivation for the interviews was to assess the understanding of
IoT vulnerability and risk in future infrastructures. The
key findings were as follows:
1) The understanding of IoT-related security vulnerabilities varies.
2) The impact of software vulnerabilities is poorly comprehended.
3) The risk models are poorly specified because the managers cannot gauge likelihood.
4) In the managers' view, IoT manufacturers were responsible for mitigating this risk.
These findings were supported by a recent 2018 study
that identified IoT vulnerabilities as a primary concern for
the technical leadership of utilities [4]. Additionally, this article was motivated by findings in a recent Broadband Internet
Technical Advisory Group (BITAG) study, which I led [1], as
well as by research at Carnegie Mellon University's CyLab,
which explored software vulnerabilities in a range of IoT
devices and found widespread vulnerabilities [5].
Background
This background serves principally as a primer and to
establish a common understanding of key concepts. It may
be skipped by readers familiar with these concepts.
The IoT
While there is no real consensus on a specific definition of
IoT, several proposed definitions represent the diverse set
of systems and devices with very different operating and
threat modes. According to the BITAG, the IoT "comprises
devices that function as sensors, actuators, controllers, and
activity recorders. These devices typically interact with

IEEE Systems, Man and Cybernetics Magazine - July 2019

Table of Contents for the Digital Edition of IEEE Systems, Man and Cybernetics Magazine - July 2019