Going green has some cyber security red flags

With COP 26 underway in Glasgow there is great focus on what we can do to save the planet and rectify years of environmental damage. One of the key elements of the future will be how we live our lives day-to-day in ways that minimize our impact on the planet. Smart homes that consume and store power efficiently will play an important role.

We’ve already seen a dramatic increase in the number of household smart devices, connected to the internet and indirectly to the power grid. But, if these devices are critical to a greener, more renewable future they need to be secured correctly.

IoT devices has long been a worry for the cyber security industry, but given the impact of devices that will help us deliver the needed environmental change, the cyber risks could be significant. Discussions have often centered on small numbers of critical devices but what if thousands of solar panels on houses could be switched off at the same time and reduce supply? What if thermostats could be turned up at the same time to increase demand ? What if thousands of small local energy storage in homes could be disabled at the same time? All of these systems on their own are of limited impact, the individual household would suffer but the grid would be stable and nobody else would be impacted, but if attackers exploit a vulnerability at scale and the numbers were large enough, the potential for a noticeable impact is sizeable.

Home devices are often made at very low price point, they operate in a highly competitive market and we want people to install simple, cheap devices that will manage the consumption of energy efficiently. Worryingly it appears some are not built to the highest security standard and if operating in a home environment, are they patched, maintained or even setup properly. Specialist search engines make locating IoT solar devices, inverters and others on the internet easy. To some extent it’s a hackers’ playground.

There are multiple different standards, including the UK’s IoT Security Trust Mark which is voluntary and still at the pilot stage, for building and securing IoT devices, albeit there is no mandate for manufacturers to actually implement them. Compliance with standards comes at a cost and this will increase the unit cost per device for consumers which may stifle adoption and impact the environment. At the heart of this problem is a requirement to understand risk and the potential primary, secondary and even tertiary impacts.  Where does critical national infrastructure end in a highly distributed energy market with tens of thousands if not millions of devices that can supply or take energy?

A coordinated  cyber-attack on these devices would cause minor issues for individual consumers, but could cause serious and wide ranging issues for the country.

One thing is certain: Demand for these devices has to grow if we want make a material difference to the health of our planet, consequently the impact of a cyber-attack will be more widely felt. With the potential impacts being severe, is this the time for manufacturers of smart devices to join together to set standards? If they don’t they may find regulators step in and do it for them.