IEEE Systems, Man and Cybernetics Magazine - July 2019 - 37

coordination-more timely sharing of vulnerabilities,
attacks, and mitigations-is needed among all connected
and unconnected utilities. The issue of sharing among multiple independent actors complicates an already very difficult issue of ensuring security and privacy. This type of
data sharing about vulnerabilities, abuses, and attacks is
often best provided by a trusted third party. In this case, it
may be a completely independent entity or even a government agency. While it is not inevitable that a new entity is
required, since sharing could occur through coordination
among existing utilities, this action may require regulatory
intervention (or impending regulatory action). Third-party
infrastructure (a new company, joint venture, product, or
government agency) that monitors and coordinates among
utilities might arise. This approach might be a "cleaner"
solution: some traditional utility companies may lack
knowledge required to properly manage coordinated cyberinfrastructure; others might prefer sharing with a third
party than a possible competitor; and others may simply
have too few resources to address these issues alone.
Adopting Best Practices and Standards
Utilities need to adopt standards and best practices aimed
at minimizing, measuring, and mitigating IoT vulnerabilities. An important part of the ultimate solution will be the
adoption of the extensive set of security requirements put
forth by a wide variety of government, standards, and commercial bodies (as described earlier). As models emerge for
IoT vulnerability assessment and mitigation, it will be critical for the utilities to also incorporate these tools. Considerable efforts have been made to provide protections for
certain aspects of IoT security through the development of
cybersecurity requirements [20]-[23]. For example, North
American Electric Reliability Corporation's (NERC's) Critical Infrastructure Protection (CIP) standards provide valuable guidance for a set of security requirements, although
these are not focused on understanding and modeling the
risk and uncertainty that utilities face [20]. The NERC CIP
Configuration Change Management and Vulnerability
Assessments standard does begin to explore methods for
assessing vulnerabilities, but only in a manner that is
abstract and not specific to the IoT [21]. Other related guidance includes work from the National Institute of Standards and Technology (NIST) Cybersecurity Framework,
the U.S. Department of Energy/Carnegie Mellon University,
Electricity Subsector Cybersecurity Capability Management Maturity Model (ES-C2M2), and a number of International Standards Organization-approved standards and
other references [25], [26]. A variety of actions have been
taken in the United States at the state level to encourage
the adoption of security best practices and standards within certain sectors of the utilities [25].
Expertise
Utilities must gain expertise in IoT risk modeling and software security. Given the indispensable nature of the IoT in

future utilities, the question arises as to whether these utilities possess the specialized knowledge and skills to actually manage and secure this technology. As alluded to
earlier, hiring the right individuals or acquiring those skills
through other service organizations will be a critical and
perhaps somewhat costly necessity. Furthermore, utilities
will now need to coordinate in ways that were simply not
necessary previously. They must be more involved with
information sharing and response associated with these
new devices.
Policy and Regulation
What do we hope to achieve through regulation or policy?
Where are the problems that may not otherwise be
addressed due do a lack of appropriate incentives? Given
the scope of the problem, how should such interdependent
systems be regulated, as the current regulatory institutions are siloed along traditional, historically developed
sectors? Policy has a role in securing the utility IoT, but
there are many players involved in this space, which
means regulators must be especially careful to be fair as
they craft policies. This would almost necessarily involve
multiple stakeholders, public-private partnerships, and/or
utility partnering-with a heavy emphasis on best practices, reporting, and transparency. Some of the aforementioned industry recommendations could be useful for
consideration by regulators. Whatever the approach, it is
critical for industry to get ahead of pending crises to avoid
a heavy-handed and possibly ill-fitted made-for-all regulatory solution. An example where regulatory oversight
might arise is in the area of data sharing of security-related vulnerabilities and events. This type of cooperation and
disclosure has long been a challenge in the security space
[27]. Standards and policies could benefit from closer coordination among utilities within and across sectors.
Conclusion
The IoT represents a conundrum for utility providers and
policymakers. While the IoT could help reduce operational expenses and aid in faster detection and recovery from
faults, it also represents a new and highly uncertain security risk. Even if some of the risk of adoption can be transferred to the manufacturers of these devices and systems,
the utility is the entity that will be held accountable when
a failure arises. While recognizing the value of the IoT,
utilities should learn about how to maintain or enhance
the resilience of their future IoT-based infrastructure.
This requires that they determine who should build and
manage this infrastructure as well as determine what
design, operations, and management structures should be
put in place. Ensuring resilience necessitates utilities
developing a process for assessing the risk associated
with the integration of this type of technology into these
utilities and the subsequent design accounting for this
risk. Ultimately, utilities must have access to autonomously securable, trusted, and accountable IoT systems [24].
Ju ly 2019

IEEE SYSTEMS, MAN, & CYBERNETICS MAGAZINE

IEEE Systems, Man and Cybernetics Magazine - July 2019

Table of Contents for the Digital Edition of IEEE Systems, Man and Cybernetics Magazine - July 2019