Connected Homes - what are the cyber security and data privacy challenges?
17 March 2017
As energy suppliers delve deeper into Connected Home technology, the cyber security and data privacy risks are becoming increasingly apparent. These risks broadly fall into two categories: risks to systems and risks to data.
Risks to systems result from targeted attacks on vulnerable devices, with the goal of compromising the device in order to, for example, knock it offline, add it to a bot-net to attack others, change device settings and firmware, or gain access to the wider home network.
Risks to data result from attacks that target the data used by these devices to monitor and report the activities and energy consumption of the end-customer. This includes real-time energy usage information, device status information and even live camera feeds. Clearly there are significant privacy risks if this data is compromised, and additionally, were it possible to obtain access and monitor this traffic, criminals and other interested parties could remotely gain in-depth knowledge of the activities of the inhabitants – for example, when they are away, when they are asleep and even whether doors and windows are unlocked or open.
What are the challenges for the supplier?
For the Connected Home, we can split the challenges for suppliers into three areas: the devices within the customer’s home itself; the external services provided as part of the Connected Home offering; and the privacy of customer.
Connected Home Devices
Energy suppliers need to provide assurance that the devices they offer into the connected home ecosystem are protected from accidental or deliberate compromise - particularly as they will be placing them into an untrusted environment. In many cases, if a malicious device were to cause a failure of a supplier device, ultimately the energy supplier may feel the consequences.
As the devices within the Connected Home send an increasing amount of data over the internet to cloud services for processing and storage, energy suppliers need to ensure that this data is secured both in transit and at rest. Suppliers are seeking to combine data from Smart Meters and Connected Homes into a single data warehouse, or ‘data lake’, for the purpose of analysing energy consumption and consumer behaviour to drive business decisions. Clearly encryption is key to providing this protection, though suppliers are placing a large amount of reliance on third-party assurance to implement security mechanisms correctly and protect customer data.
In addition, energy suppliers will be offering remote customer support services which introduce another attack vector and increase the opportunities for social engineering attacks on customers - for example customers being asked for account credentials or personal details, which can be hugely successful in this type of environment.
As the general public becomes increasingly aware of the cyber and privacy risks stemming from connected devices, suppliers are under increasing pressure to demonstrate the way in which their products protect the privacy rights of the individual. Suppliers are challenged with balancing privacy sensitivities with the need to obtain richer data to enable meaningful analytics; this has become increasingly important in light of new privacy regulations, such as the General Data Protection Regulation (GDPR), whose implications many suppliers are still struggling to understand before this comes into force in May 2018.
What can suppliers do to address the challenges?
First and foremost, suppliers need to ensure that as a business they are operating at a high level of cyber security maturity. This will not only help them in defending their internal systems, but should also ensure that the ‘security by design’ principle is used in all aspects of the Connected Home offering.
Tailored strategies will be necessary to address the individual needs of each scenario. For example:
- Suppliers in the Connected Home market may need to partner with trusted third parties and only allow a small number of these devices to connect to their ecosystem, thereby minimising the risk from rogue devices.
- Suppliers should push for a form of industry standard product assurance, which would allow them to label their devices as ‘approved’ and reduce their exposure to being left at fault if the customer adds ‘unapproved’ devices to their network.
- For cloud services, suppliers will need to provide third party assurance over the service provider they use to ensure they are effectively managing the risks to customer data.
- Suppliers should review their incident response capability and how they manage data breaches, particularly in light of the incoming GDPR requirements for timely reporting of data privacy incidents.
- Customer privacy must be prioritised and transparent; strategies for privacy by design and communication to the general public of how you are managing customer data are required.
For more information, contact Niko Kalfigkopoulos - Energy, Utilities & Mining Cyber Security Senior Manager, PwC and visit our website.