energies Article On the Design of IoT Security: Analysis of Software Vulnerabilities for Smart Grids Christos-Minas Mathas 1, Costas Vassilakis 1,* , Nicholas Kolokotronis 1, Charilaos C. Zarakovitis 2,3 and Michail-Alexandros Kourtis 2 1 Department of Informatics and Telecommunications, University of the Peloponnese, 22100 Tripolis, Greece; [email protected] (C.-M.M.); [email protected] (N.K.) 2 Institute of Informatics and Telecommunications, National Centre for Scientific Research Demokritos, 15341 Athens, Greece; [email protected] (C.C.Z.); [email protected] (M.-A.K.) 3 Innovation Department, Axon Logic P. C., 14231 Athens, Greece; [email protected] * Correspondence: [email protected]; Tel.: +30-2710372203 Abstract: The 5G communication network will underpin a vast number of new and emerging services, paving the way for unprecedented performance and capabilities in mobile networks. In this setting, the Internet of Things (IoT) will proliferate, and IoT devices will be included in many 5G application contexts, including the Smart Grid. Even though 5G technology has been designed by taking security into account, design provisions may be undermined by software-rooted vulnerabilities in IoT devices that allow threat actors to compromise the devices, demote confidentiality, integrity and availability, and even pose risks for the operation of the power grid critical infrastructures. In this paper, we assess the current state of the vulnerabilities in IoT software utilized in smart grid applications from a source code point of view. To that end, we identified and analyzed open-source software that is Citation: Mathas, C.-M.; Vassilakis, used in the power grid and the IoT domain that varies in characteristics and functionality, ranging C.; Kolokotronis, N.; Zarakovitis, from operating systems to communication protocols, allowing us to obtain a more complete view C.C.; Kourtis, M.-A. On the Design of IoT Security: Analysis of Software of the vulnerability landscape. The results of this study can be used in the domain of software Vulnerabilities for Smart Grids. development, to enhance the security of produced software, as well as in the domain of automated Energies 2021, 14, 2818. https:// software testing, targeting improvements to vulnerability detection mechanisms, especially with a doi.org/10.3390/en14102818 focus on the reduction of false positives. Academic Editors: Keywords: Internet of Things; software vulnerabilities; security; robustness Luis Hernández-Callejo and George Halkos Received: 17 March 2021 1. Introduction Accepted: 12 May 2021 The 5G communication network will enable new applications to emerge in many Published: 14 May 2021 societal and economic functions such as energy, transport, and health by providing im- proved and new features over its predecessors with respect to capacity, delay, service Publisher’s Note: MDPI stays neutral development, energy consumption, connectivity, and more. The next generation network with regard to jurisdictional claims in will support an increasingly diverse set of new and emerging services, paving the way for published maps and institutional affil- iations. unprecedented performance and capabilities in mobile networks. It introduces a new core network architecture with the main feature being network slicing which will enable the offering of dedicated network slices enabling services per need. This allows for flexible, smart and scalable adaptation of the network resources available at a given time to meet the requirements of the services supported [1]. All these characteristics will enable further Copyright: © 2021 by the authors. proliferation of the IoT, introducing the “5G-enabled IoT” era, which will support the Licensee MDPI, Basel, Switzerland. deployment of a massive number of IoT devices towards covering the ever-increasing This article is an open access article demand for wireless services, delivering advanced and secure applications and services— distributed under the terms and conditions of the Creative Commons including blockchain-supported services (e.g., [2–4])—and stimulating economic and social Attribution (CC BY) license (https:// growth [5]. creativecommons.org/licenses/by/ The Internet of Things (IoT) refers to Internet-enabled devices that can communicate, 4.0/). sense, and make changes in their environment. They comprise an extensively diverse range Energies 2021, 14, 2818. https://doi.org/10.3390/en14102818 https://www.mdpi.com/journal/energies Energies 2021, 14, 2818 2 of 27 of consumer, enterprise, and industrial products like smart meters, smart watches, smart TVs, connected cars, inventory optimization sensors, and face recognition cameras. Various predictions have been published about the rate of the IoT proliferation over the next years. According to a survey conducted by IHS Markit, the number of connected IoT devices will increase by 12% on average annually starting from 27 billion in 2017 to reach 125 billion in 2030 [6]. Another survey conducted by Statista, estimates the connected IoT devices will reach 75 billion in 2025 [7]. The 5G technology along with the ever-increasing IoT will greatly benefit innovation in the power sector, through its utilization in smart grids. The coupling of 5G with smart grids will pave the way for efficient power consumption, management, and monitoring, along with automation and intelligent control [8]. This will result in a transformation of today’s power network bringing radical changes in the production, transmission, and consump- tion of electricity while supporting bidirectional flow of data and power between power providers and end-consumers. Specifically, smart grids will connect the whole supply chain of the industry; from the existing legacy control and communications infrastructure, to the generation and transmission systems, to the distribution network and the end-consumers’ premises [9]. The information transmitted in smart grids is generated by IoT devices called smart meters, and this information is utilized to supply the aforementioned applications and benefits. The smart grid communication channels also accommodate the exchange of control information between smart meters, meter data management systems, and other systems that partly comprise the power grid. Even though 5G technology has been designed by taking security into account, the underlying cyber security threat landscape is evolving rapidly. The advent of the IoT has not only brought benefits; it has also brought serious security and privacy considerations. Numerous publications have provided a comprehensive mapping of the threat landscape in IoT, smart grid and 5G systems and the identification of relevant mitigation strategies, including [10–17]. More specifically, reference [10] portrays the threat landscape of next generation IoT-enabled smart grids, while reference [15] examines the security measures that are deemed appropriate for smart grids. The work in [16] presents dimensionality reduction-based approaches for detecting and classifying internet-scale probing attempts in the IoT, while reference [17] discusses artificial intelligence (AI)-based techniques for performing intrusion detection in critical infrastructures. Reference [11] focuses on the hardware trojans targeting IoT devices. Reference [13] provides an extensive analysis of 5G security, while reference [14] reviews the 5G specification and identifies aspects of user privacy and security that are not adequately covered Considering the above, we can conclude that the main body of knowledge in the field focuses on policy, procedural, protocol design, architectural and contextual (including human) factors. It is important, however, to note that the root causes of many major security incidents that have been reported, including the Mirai botnet [18] and Stuxnet [19], and that can be traced to software faults. The importance of software faults is very high, considering that the very essence of the IoT is that they are accessible publicly through the Internet and, therefore, architectural defenses cannot offer full protection by completely isolating devices with vulnerable software. As smart grids infrastructure includes IoT devices (e.g., smart meters) that perform critical operations and handle sensitive information they are attractive targets for adversaries as well. The current literature reports numerous types of attack against smart grids. Attackers may attempt to capture or alter the data flowing through a smart grid network, thus compromising the confidentiality or integrity of the system respectively. Most importantly, attackers may attempt to disrupt the operation of the system, thus compromising its availability [12]. The need for decreased costs to create market demand, along with huge competition, has led to a situation where the security aspect of device software and firmware does not receive enough attention, and consequently products reaching the market suffer from various of vulnerabilities, allowing threat actors to compromise them with little or no effort at all. Indicatively, reference [20] reports that out of 13 small office-home office (SOHO) Energies 2021, 14, 2818 3 of 27 router and network attached storage (NAS) devices tested, all of them had vulnerabilities resulting in 125 common vulnerability exposures (CVEs), while the response of some of some of the manufacturers to the vulnerability reports filed to them was from non-existent to suboptimal. Most vulnerabilities can be traced to insecure coding practices by the software devel- opers
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages27 Page
-
File Size-