With this week’s launch of the Internet of Things Alliance Australia’s (IoTAA) security awareness guides, this seems a good time to remind the solar industry that we’re part of the Internet of Things – and so far, we seem to take a pretty relaxed attitude to security.
The IoTAA was created in 2016 by a group of industry, academic, and government stakeholders who saw the explosive growth of “non-IT” Internet-attached devices, and believed collaboration could improve IoT standards, network resilience, privacy, safety and security.
On Tuesday, it launched two guides, available here:
- the IoTAA IoT Users Security Awareness Guide, and
- the IoTAA IoT Providers Security Awareness Guide.
The Alliance plans to follow-up these guides with the launch of a Security Trust Mark later this year (it was announced in 2019, here).
With millions of devices already in Australian homes, it might look like the industry is chasing a bolted horse, but there’s no doubt that the real surge has only just begun. As Department of Home Affairs acting assistant secretary for technology policy Jill Ogden told the launch Zoom call:
“Over a third of Australians added a smart device to their home during the pandemic just to make it more comfortable.
“It’s important that the rapid growth in devices doesn’t hinder the adoption of security.”
If you’re a keen tech security-watcher, you know IoT devices are already a security challenge. I don’t follow security advisories as closely as I used to, but IoT security is a quagmire. Many vendors grab generic “white box” computing modules from the lowest-cost manufacturers possible, wrap those modules up in a product, write the bare minimum of software, and only reluctantly (if at all) patch insecure products.
That’s one thing the IoTAA wants to change. Its strategy in launching the two guides is twofold: to teach users to ask the security questions before they buy the products, and to get manufacturers to treat security as something that will become a selling point for products.
Enex TestLabs MD Matt Tett told the Zoom call the Alliance wants consumers to view product security like car owners view vehicle safety: nobody today would consider buying a car with two-star crash safety, because there are so many six-star alternatives. Tett added:
“In ICT, it’s whack-a-mole, we lost the fight with security. With IoT, we can’t let that happen.”
Tett said the Alliance wants vendors in this space to understand that security is the foundation for privacy and safety.
And safety is an important point here. Julia Fossi, director of international, strategy and futures at the Office of the eSafety Commissioner, spoke of how that office has seen “smart home” products become part of domestic abuse . For example, an estranged partner punishing his ex-partner by taking control of her home’s thermostat, or Internet-connected toys being recruited as stalkers.
“Services can get weaponised in the most unexpected ways,” Fossi told the Zoom call.
Solar Needs Security
If abuse-via-devices hasn’t been reported in the home solar market, it’s not because we’re especially diligent. For example, it’s hard to find a solar inverter vendor whose website lists security updates to its firmware, and describes what vulnerabilities its updates are fixing.
This is serious, given the potential for abuse should someone gain malicious access to inverter controls.
As it becomes the norm for inverters and other solar power-related devices to be internet-connected, more devices will be exposed to the Internet, and some of those will be insecure. Products will be shipped with baked-in default administrative passwords, or they’ll use unencrypted communications for logins, or the manufacturer will grab white-box firmware from an upstream supplier without giving it a security audit.
It would surely be good to see the industry get active in this space – before we get splashed across the Internet because of a massive security breach. How Fronius handled a vulnerability in 2019 is a good guide to where we could start.
Reading The Guides, So You Don’t Have To
Since I’m hopefully talking to the industry here, I’ll pick up the guide for industry (the IoTAA IoT Providers Security Awareness Guide).
You’ll be as pleased as I was to know the guides are brief – fewer than 20 pages rather than hundreds! That’s because the Alliance knew it couldn’t cover the hundreds of vendors already in the IoT market, so the guides are as generic as possible.
The high points of what’s asked of vendors are:
- Make clear security claims – know your product’s security, and describe it accurately to consumers; don’t ship products with default admin passwords, make sure software is kept updated, and run your own vulnerability disclosure program.
- Vendors must secure their own businesses, so malicious actors can’t discover secrets that make products insecure.
- Adopt “security by design”, meaning apply security considerations from the beginning of software development.
- The same should apply to safety and privacy – they should be embedded in product development.
- Secure your supply chain, so products can’t be compromised between the factory and the user.
- Get expert parties to conduct security evaluations of your products and services.
- Get familiar with the IoT security codes and standards that apply to your industry.
About Richard Chirgwin
RSS - Posts
Speak Your Mind