IEEE Systems, Man and Cybernetics Magazine - July 2019 - 34

Canada and the United States, started because of a software bug in an alarm system. The National Infrastructure Advisory Council defines critical infrastructure resilience as follows: "The ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event." A system that is resilient should recover from disruptive events with minimal impact on its intended operations [12].
Trends in IoT Security
A New Class of Hybrid Infrastructure
Information and communications technologies have long
played a role in connecting control and monitor systems
that already exist within utilities. The growing IoT (these
systems that monitor, control, and communicate directly
with this physical infrastructure), while extending to earlier, simpler SCADA systems, is also being deployed at a
higher density. Together, the IoT and information communications technology (ICT) will play a role in independently linking all operational and maintenance aspects of a
utility, thereby becoming an indispensable and integral
part of the infrastructure. As Paul Schulman has
remarked: "This form of horizontal connection creates
enormous opportunities, but at the same time brings enormous and largely unexplored risks" [13]. A key desire of
those managing an IoT utility infrastructure is to be able
to maintain tight monitoring of systems while also being
able to respond instantly to system failures. While the IoT
moves us to machine-time response (real-time operation),
it also will serve a critical role in planning and even billing.
This forms a new class of indispensable, hybrid infrastructure, which creates a host of opportunities for improving
utility operations, and opens the possibility of new business service models, such as one that extends third-party
security services (e.g., security as a service) to encompass
these IoT systems.
Software Security
Software security spans a broad set of mechanisms and
considerations. In this article, I focus on software vulnerabilities that might be exploited or might otherwise compromise the intended operation of a system. From a defensive
perspective, software security seeks to ensure that software operates properly even when malicious attacks or
unintended detrimental conditions arise. Researchers
studying software security are putting significant effort
into the creation of autonomous tools for fixing
(or exploiting) vulnerabilities in software. To better understand autonomous security, think about the typical effort associated with reducing the attack surface associated with software on a device. In an autonomous scenario, vulnerabilities are continuously identified and eliminated from the system. As new devices are installed, they are examined individually and as part of a larger system to determine whether vulnerabilities have been introduced. As discussed below, the software on IoT devices is often cobbled together by developers with inadequate experience in software engineering and security, which results in devices with known vulnerabilities [1].

Vulnerabilities of the IoT
A recent BITAG report identified a broad set of IoT vulnerabilities. These include the following:
◆ lack of software and security knowledge of the manufacturer
◆ lack of incentives for the manufacturer to adopt secure
methods
◆ the common integration of poorly written publicly
available code (including core operating system code)
◆ the inability to update these IoT systems
◆ the inability to disable these systems
◆ the lack of industry standards dictating levels of security from a software perspective
◆ the lack of information pertaining to the risk profile of
each device [1].
These various vulnerabilities do not include concerns
relating to the supply chain of the software, hardware, and
integration required in creating and delivering these IoT
devices. In sum, a much more thorough and robust process
is needed to ensure the availability of well-written code
that is safe and accountable from inception, all the way
through to end system deployment.
Today, IoT devices are shipped from the factory with
outdated software and vulnerabilities and no clear path
to mitigation. Furthermore, these devices often lack security features common in more general-purpose computing devices because of the lack of processing, storage,
or battery capability, which results in unencrypted communications and potential data leaks that could reveal confidential information and/or violate an individual's privacy.
These IoT devices may also lack the ability to be updated,
meaning that they will become susceptible to attacks and
their vulnerabilities will persist.
Attacks on Utilities
The utility industries have an excellent track record of
understanding vulnerabilities and risks in their current


