Cybersecurity and the IoT
Keeping data safe can be a complex problem
Consumers like the idea of having smart appliances, as evidenced by a recent report that forecasts the global home automation system market will grow from $32.11 billion in 2015 to $78.27 billion by 2022. However, along with the convenience of having a connected home or office comes the risk of someone hacking into the system and using that access for nefarious purposes.
Indeed, a report from Hewlett Packard highlights the risks that are present with connected systems, including the fact that 80 percent of IoT devices fail to require passwords of sufficient complexity and length; 70 percent of devices do not encrypt communications to the internet and local network; and 60 percent of devices raise security concerns with their user interfaces. As IoT devices become more prevalent, manufacturers are taking a greater role in making sure their customers’ data are secure.
When it comes to cybersecurity, the hard truth is that nothing is totally impenetrable, said Tim Vogel, marketing manager, KMC Controls. “The best way to protect information in the world of the IoT is to have limited user access based on credentials and multiple overlapping layers of security from the device level to the cloud and back out to the applications.”
Common sense goes a long way, too, as systems can be made more secure by following some fairly basic guidelines. “At the end of the day, the majority of breaches occur due to simple human errors like not changing default passwords, leaving behind technician keys that allow system access, or failing to isolate access to sensitive network areas like point-of-sale or payment-processing databases,” said Vogel.
OEMs are also working hard to make sure consumer data are protected as much as possible. “HVAC equipment security is very important to us, which is why we have developed systems with multiple layers of security from remote access to site level,” said Paul Rauker, vice president and general manager, systems and controls, Daikin Applied. “Our customers are protected with a continually updating solution. It’s important to keep security controls up to date and also add capabilities and functionality that can be managed on the internet, which helps eliminate unnecessary customer site visits.”
With thermostats and other IoT products being part of consumers’ daily lives, the security aspect becomes paramount, said Guy Medaris, vice president of sales and marketing, residential solutions, Emerson Climate Technologies Inc. “As the world of IoT gets complex with billions of devices, the cyberattacks could become more frequent and more sophisticated, but so will the technologies and processes to protect and prevent such attacks. As we develop new connected-home offerings, we are constantly exploring new ways to keep our assets and systems secure in order to stay ahead of threats.”
The security of connected devices has to be at the core of the design of any product — it should not be an afterthought, said Dan Goodman, CEO of Building 36. “Internet services have inherent security risks, and these same risks must be considered when designing devices connected to the internet. Security must be a top priority for companies building IoT devices and especially for the software platform that supports these devices. We dedicate a tremendous effort to maintain, update, and secure our system on an ongoing basis. A key value in the service we provide is through continuous updates and resources, giving consumers a reliable, secure, connected home while using technology to mitigate ongoing security risks.”
Making sure consumers feel secure is important, because a compromised thermostat can do more than just make the home uncomfortable — it can make it unsafe.
“If you were able to capture the scheduling data from a consumer’s thermostat, you could potentially anticipate when the consumer will not be in the home,” said Medaris. “For example, people tend to allow the temperature in the home to be lower while they are not there, and such information in the wrong hands could mean trouble.”
There is also the risk of someone taking remote access of a thermostat and doing damage by letting a house overheat or freeze, said Goodman. “The bigger risk, in my opinion, is that someone could essentially hijack the processor inside of an insecure connected device, load nefarious code on that processor, and then have local access to a home network behind the firewall. The attacker could use this as a springboard to launch attacks on computers or other devices on the local network. This motivates us to implement solutions to mitigate risk at the device level as well as the local and wide area network levels.”
Also, any home network can be used as a digital window into a consumer’s home, but the wireless thermostat must connect to that network, added Medaris. “By sniffing packets on the network [man-in-the-middle attack], one could try to gain access to the homeowner’s network and/or device. That is why we encrypt all of our data using Transport Layer Security (TLS) protocol for both front-end clients and thermostat communication.”
In addition, Emerson thermostats do not transmit the network credentials for the wireless access point that it’s connected to, said Medaris. “We also store and manage the thermostat data and the customer data in separate systems to mitigate risk. The thermostat must also initiate all conversations with the cloud. Any incoming message that isn’t in response to a previous message will be discarded.”
Keeping consumers’ security controls updated is also important, which is why all security patches and upgrades to the thermostat firmware are done by Emerson via secure over-the-air (OTA) updates. “We monitor and manage all OTA updates to every thermostat in the field, so we can pinpoint devices that did not get the updates and push that information to those devices individually or collectively,” said Medaris. “We also have the ability to seamlessly rollback an OTA update if there is a need.”
Not only must the technology be secure, but the people who install it must be trustworthy, as well. “That’s why HVAC professionals are in a prime position to offer these IoT services to homeowners,” said Goodman. “Beyond the thermostat, homeowners use our platform to control their door locks, garage doors, lights, and video cameras. We chose not to sell through retail outlets, because we strongly believe local HVAC professionals are already trusted to install, service, and repair the most critical systems in the home.”
And while conspiracy theorists may worry about manufacturers collecting personal data on customers through their thermostats or other IoT devices, the reality is that access to these devices is highly regulated, said Medaris. “Rule-based access control [RBAC] methods regulate access for authorized users, such as engineering or software solutions, and device data do not include personal customer data. All authorized users who have access to such data need to log in to gain access, and every action is logged in the system. Information collected by the IoT device is used by manufacturers to develop new features or improve service and troubleshooting.”
In addition to manufacturers ensuring their products are secure, contractors who offer IoT devices, such as thermostats, should take steps to help keep consumer data safe.
“If contractors install and provision a thermostat on behalf of the homeowner, they should not share the credentials of the homeowner [network or thermostat access] with anyone,” said Medaris. “They should also tell the homeowner to change the password at his or her earliest convenience.”
As can be seen, it takes a village to keep data safe, with manufacturers, contractors, and consumers all playing a role. But there is no question that manufacturers will continue to take the lead in cybersecurity, designing products that help keep customers safe and secure.
Publication date: 8/8/2016