IEEE Systems, Man and Cybernetics Magazine - July 2019 - 35

systems, and generally provide remarkable reliability and resiliency in the face of natural events (e.g., weather and animal destruction of physical infrastructure), human error (e.g., backhoe cuts, misconfiguration, and complex failure modes), and, more recently, cyberattacks. IoT integration increases the attack surface by implementing devices with a high likelihood of additional vulnerabilities, and does so in a multiplicative manner because of the vast number of potentially deployed devices and the communications functions associated with these devices. We have already seen cyberattacks in recent years, directed at utilities, exploiting the still nascent IoT and ICT infrastructures, and these include attacks from nation states, terrorists, for-profit hackers, and lone wolves. Examples of such attacks include the 1) Stuxnet worm attack on Iranian nuclear facilities [14], 2) attacks on the power grid in Ukraine [15], 3) the attack by Iranian hackers on the Bowman Avenue Dam in New York [16], and 4) distributed denial of service attacks on buildings and heating, ventilation, and air-conditioning systems in Finland [17]. Weaknesses in IoT software have already resulted in significant outages. A nearly sixfold increase in the number of large attacks in 2017, compared to 2016, suggests a trend toward larger attacks [18]. While deployment of IoT infrastructure is still nascent, the growth is expected to be exponential in the coming years, so we should not be surprised to see more attacks on utility infrastructures.

Assessing Risk

I assessed a representative set of IoT-enabled utility devices, including gas valves, sewage gauges, power breakers, water-quality sensors, smart meters, access locks, and traffic monitors. I found software vulnerabilities in all seven categories of devices I tested, although not in all of the devices. To demonstrate potential risk, Table 1 presents the likelihood and impact of failure involving components associated with five utility IoT devices. While this is a simple example, it is not a "toy" example; it involved real devices evaluated with a well-known method [19], first from a security and design perspective and then from a potential operational-impact perspective. Impact was assessed based on potential system failures given a device's role in a proposed deployment scenario. One could argue about the specific values that were determined, but given the current state of IoT software security, it is likely that risk (and uncertainty) will increase with the adoption of IoT devices.

Likelihood is a probability that an event will occur. Impact can be measured on any scale, such as a seven-point Likert scale as used here or assigned a monetary value to make it more easily understood. Uncertainty refers to the lack of perfect information concerning the likelihood or impact estimates. It can be useful to use the product of the likelihood and impact as a single number representing system or device risk (particularly when integrated into a large risk model); however, this can also hide important information, such as a high-impact, low-probability event. Clearly, a device with high impact and high likelihood should be given close scrutiny. Devices traditionally used by utilities to monitor and control their networks were characterized by low likelihood of failure; well-understood failure modes; and low uncertainty. This made assessing the risk associated with these devices rather straightforward. The higher likelihood and greater uncertainty of IoT-enabled system failure make risk assessment more challenging compared to that for traditional systems. Furthermore, IoT devices present new failure modes, if for no other reason than their connection to the Internet.

As Table 1 shows, the water-quality sensor had both high potential impact and high likelihood of failure. The failure likelihood was a function of the poorly designed and implemented software and the impact a function of device placement and system operations. Each of these factors could be improved through better product design (by the vendor) and system engineering (by the utility). Continuing with Table 1, the smart meter had a fairly high likelihood of failing but with a low impact factor because of the isolated nature of smart meter failure. However, an assigned impact number might not properly capture the real impact. There could be several impacts that might occur, each having its own likelihood, or several system failure scenarios could occur (e.g., isolated smart meter failure and a distributed denial-of-service attack). Understanding the independence of these failures and their probability will be critical in modeling the risk. Many of the

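Table 1. Risk of utility IoT devices.

| Device               | Likelihood (p-value ± standard error of the mean) | Impact (on scale of 1-7 with 7 the highest impact) |
|----------------------|---------------------------------------------------|----------------------------------------------------|
| Gas valve            | 0.3                                               | 4                                                  |
| Sewer gauge          | 0.3                                               | 3                                                  |
| Power breaker        | 0.2                                               | 6                                                  |
| Water-quality sensor | 0.4                                               | 5                                                  |
| Smart meter          | 0.6                                               | 2                                                  |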
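The following added example (not part of the original article) applies the likelihood-times-impact product to the Table 1 values and shows which devices collapse to the same single-number score despite very different impact ratings. The `impact_floor` threshold, the fleet size, and the treatment of device failures as independent and identical are assumptions made for illustration.

```python
from collections import defaultdict

# Table 1 values from the article: device -> (likelihood, impact on the 1-7 scale)
TABLE_1 = {
    "gas valve": (0.3, 4),
    "sewer gauge": (0.3, 3),
    "power breaker": (0.2, 6),
    "water-quality sensor": (0.4, 5),
    "smart meter": (0.6, 2),
}

def risk_scores(table):
    """Single-number risk: likelihood x impact, rounded to suppress float noise."""
    return {d: round(p * i, 3) for d, (p, i) in table.items()}

def collapsed_profiles(table):
    """Group devices whose product is identical although their impacts differ."""
    groups = defaultdict(list)
    for device, score in risk_scores(table).items():
        groups[score].append(device)
    return {s: sorted(ds, key=lambda d: -table[d][1])
            for s, ds in groups.items()
            if len({table[d][1] for d in ds}) > 1}

def hidden_high_impact(table, impact_floor=6):
    """Devices at or above impact_floor that do not hold the top product score.
    impact_floor is an assumed review threshold, not a value from the article."""
    scores = risk_scores(table)
    top = max(scores.values())
    return sorted(d for d, (_, i) in table.items()
                  if i >= impact_floor and scores[d] < top)

def p_any_failure(p, n):
    """P(at least one of n devices fails), assuming independent, identical failures."""
    return 1 - (1 - p) ** n

if __name__ == "__main__":
    for device, score in sorted(risk_scores(TABLE_1).items(), key=lambda kv: -kv[1]):
        print(f"{device:22s} {score}")
    print("same score, different impact:", collapsed_profiles(TABLE_1))
    print("high impact hidden by product:", hidden_high_impact(TABLE_1))
    # Assumed fleet of 5 devices at the power breaker's likelihood
    print("P(any of 5 fails):", round(p_any_failure(0.2, 5), 5))
```

The gas valve, power breaker, and smart meter all score 1.2, so a ranking by product alone cannot separate the impact-6 breaker from the impact-2 meter; likelihood and impact need to be carried alongside the product.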
