Cybersecurity and the Connected Home - PowerPoint Presentation

Uploaded On 2019-12-15

Presentation Transcript

Cybersecurity and the Connected Home Recognizing the risk, adopting best practices, harnessing the potential Rawlson O’Neil King CABA Communications Director

About CABA
Vision: CABA advances the connected home and intelligent buildings sectors.
Mission: CABA enables organizations and individuals to make informed decisions about the integration of technology, ecosystems and connected lifestyles in homes and buildings.
The Continental Automated Buildings Association (CABA) is a leading international, not-for-profit, industry organization that promotes advanced technologies in homes and buildings.

Benefits
- Competitive intelligence
- Collaborative research opportunities
- Efficient access to information
- Promotion of products and services
- World's largest research library
- Industry events and workshops
- Updated news and data
- Active industry councils
- Networking opportunities
- Marketing support
- Influence industry trends
- Cost savings in research and travel

Research Program The CABA Research Program offers a range of opt-in technical and advisory research services designed to provide industry stakeholders with collaborative market research and R&D opportunities. Offers collaborative Landmark Research Projects and Boutique Multi-Client Research Projects

Landmark Research
Cybersecurity and the Connected Home Landmark Research Report
- Examines the proliferation of connected devices and the Internet of Things (IoT) in the home and how it has created many new cybersecurity risks
- Utilizes both industry expert interviews and consumer surveys
- Focuses on trends, impacts and business cases

Research Vendor

CABA and the following members funded this landmark research: Funding Members

Overview and Focus Areas
Cybersecurity vulnerabilities are already present within the connected home and could potentially impact further market penetration of connected home products and solutions. As a result of consumer skepticism and perceived risks, CABA sought to understand the implications of this disruptive trend on their end customers, their value proposition, and, ultimately, their businesses. The research examined the issue of cybersecurity in the connected home from the perspective of consumers, vendors and service providers, industry associations, and think tanks. It referenced an existing body of literature in the public domain that pertains to this issue to corroborate findings obtained through consumer and industry research processes.
The key focus areas of the project included the following:
- Understanding consumers’ and industry’s perspectives on the extent of risk
- Exploring ways to address consumers’ skepticism with effective communication
- Understanding process changes and strategic measures to be adopted internally
- Opportunities for collaborations and partnerships to address a common challenge

Methodology and Definition
Frost & Sullivan used a combination of primary and secondary research methodologies for this project. The description of each is provided below in Table ES 1.
Definition of a Connected Home
For the purpose of this research, a connected home is defined as “a residential environment where owners/occupiers use smart devices, appliances, communication features, controls, centralized hubs, and other functionalities that are enabled by information technology that anticipates and responds to the needs of the occupants, working to promote their comfort, convenience, security, and entertainment, among other functions.”

Cybersecurity and The Connected Home: An Overview Summary of Key Findings

Cybersecurity and the Connected Home
IoT and the Origin of Cyber Risks
The Evolving World of Connected Homes
A connected home is characterized by the presence of devices, communication services, and applications that interconnect and communicate with one another to respond and adapt to the consumer’s needs and comforts. The connected home has a wide scope, from one or more personal devices connected to a home area network to a comprehensive, home-wide integrated platform that eliminates all silos. The incorporation of connectivity into these automated or digital components significantly changed the demand dynamics, enabling users to manage multiple aspects of the home and their lifestyle from any location.
The Connected Home and the Internet of Things (IoT)
The overlay of smart devices with an IP network neutralizes the complexities of navigating the internal and external networks of the connected home. Activities centering on IoT are delivering increasingly unique advantages and novel challenges. Advantages include real-time access, vast data generation and analytics, and interconnectivity of devices, applications, and platforms to support interdependent functions. These advantages by themselves, however, offer little value unless the data and networks are simultaneously shared, thus permitting access to multiple service providers to tap into a connected home’s network, systems, and devices. This unprecedented access is where cyber risks in the connected home originate.

Connected Home and IoT: Snapshot of Open Access and Information Flow Connected home combines home controls, media, telemetry and personal communications into one integrated platform

Cybersecurity Threat Components Current Threat Scenario

Risk Exposure and Stakeholders Impacted The accountability for a consumer’s cyber breach incident will ultimately be transferred to the connected device and platform vendor, placing them at a greater risk. Progressively, the risk exposure minimizes for the rest of the ecosystem partners, albeit moderately.

Risk Exposure and Stakeholders Impacted (continued)
- Technology Vendors and ISPs: greatest risk exposure; loss of consumer confidence, potential legal ramifications, impact on brand image and reputation
- Utilities: exposed to financial risks (bogus billing, power thefts, and brownouts); structural and operational challenges in rehabilitating infrastructure
- Insurance: challenges in evaluating risks; lack of technical professionals; risk delineation dilemma (high-risk versus low-risk)
- Cloud Services/Third Parties: limited risk; consumers and vendors will bear the majority of damages in trusting these entities with data

Best Practices for Stakeholders

Issues and Challenges in Addressing Cybersecurity
Issues to Consider in Balancing Security and Functionality
- Changes needed to vendors’ present cybersecurity endeavors: internal team engagement, external partner processes, budget allocation, product testing time, outsourcing cybersecurity to specialists
- Incremental investment exposure: investment phasing options and return scenarios to prove the business case
- Ability to transfer incremental cost to consumers: options for maintaining competitive pricing, bundle strategy to offset incremental cost with other value adds
- Other considerations: acquisition of technical skills and resource allocation for product development and testing requirements

Consumer Perception Analysis Summary of Key Findings

Objectives and Qualification Process
Key Objectives of the Consumer Research Survey
The survey uncovered the following:
- Current and future adoption of various connected home technologies
- Perception of the degree of cybersecurity risks of connected home technologies and negative experiences (e.g., breaches) if any
- Cybersecurity measures used by connected home owners
- Key differences in the attitudes and behavior of connected home solution adopters, potential adopters, and non-adopters
- Expectations of cybersecurity providers for connected home solutions, and the degree of satisfaction with those expectations
- Cybersecurity risks and actual security problems experienced
Screening Criteria
- Had to be 18 years or older
- Had Internet access
- Resided in either the U.S. or Canada
- Played a role in the decision-making process for investments in connected home solutions, consumer electronics, and communication technologies
Qualified respondents were further categorized by the following:
- Geographic distribution: urban, suburban, rural
- Type of dwelling unit: detached, semi-detached, townhouse, apartment, condominium
- Adoption profile: adopters, potential adopters, non-adopters
The screening questions revealed that classifying the sample, at the very top level, into adopters, potential adopters, and non-adopters would provide the best backdrop for further analysis. Adopters were defined as consumers who owned and operated at least one or more connected devices that fell within the above definition of a connected home.

Consumer Research Profiling

Profile of Adopters

Present and Future Adoption Status Classification of the Respondents Classifying the sample into adopters, potential adopters, and non-adopters was done based on responses to two questions presented to the respondents after the qualifying questions. Figures 22 and 23 present the outcome concerning respondents’ present status and future intent towards connected home technology adoption.

Present and Future Adoption Status
The outcomes of the questions associated with Figures 22 and 23 were used in the following manner:
- Respondents who selected the option “None” in response to both questions pertaining to Figures 22 and 23 were classified as non-adopters.
- Respondents who selected the option “None” in response to the question in Figure 22 but not in Figure 23 were classified as potential adopters.
- The remainder of the respondents were classified as adopters.

Top Benefits and Concerns for Adopters Among the usual concerns of initial set up costs and ongoing maintenance costs, which are typically associated with connected home consumers, the results indicated an upward trend for issues related to security breaches on the smart home network, data security, and loss of privacy. This highlights the growing skepticism and the sense of vulnerability that consumers associate with connected solutions, despite a desire to adopt them. While this perception may not have developed through well-informed cybersecurity knowledge, it reveals that consumers are starting to question the true benefits and tradeoffs associated with connectedness. Although there is growing concern among respondents in general, an encouraging trend is emerging; respondents showed higher confidence in the security of more devices to control connected home solutions. For adopters, because this confidence reinforces their willingness to use more connected devices, the need to protect them from cyber risks and vulnerabilities is critical. Figure 31: Connected Home: Benefits and Concerns of Adopters

Expectation of Cybersecurity from Vendors/ Service Providers Existing relationships and experience with connected home solution providers are instrumental in determining which vendors are trusted more than others in provisioning cybersecurity measures and overall home and data security, including privacy protection. This explains the trust ratings given to home security solution providers and home monitoring solution providers. Cybersecurity provisioning will cut across numerous vendors’ solution portfolios in the connected home space. This will present opportunities for connected home vendors to tie up with home security and automation specialists to formulate a multi-channel or multi-vendor strategy to efficiently promote cybersecurity solutions for connected homes.

Cyber Breach Experiences of Consumers The degree of vulnerability associated with various connected home systems is closely reflected in the market penetration trends of these systems. Home security and entertainment are, by far, the two most popular connected home systems in terms of consumer adoption. Not surprisingly, adopters considered these systems to be the most vulnerable, owing to their high presence. Media and entertainment topped the list, with 18 percent of adopters identifying these as the most vulnerable systems, followed by security at 13 percent. The reasons cited for such vulnerabilities ranged from a lack of periodic updates, to the nature of connected systems in question. The majority, however, stated that inadequate security updates from vendors, or updates that must be paid for, was the main issue.

Cyber Breach Experiences of Consumers (continued) A modest 10 percent of adopters stated that the breach was due to their own error in operating the system. However, the majority, or 54 percent of adopters, cited the reason as being a vendor/service provider glitch in the system in question. There were instances where the breach could be attributed to both a service provider’s glitch and a homeowner’s error in system operation. However, connected home systems clearly fall short of being cybersecure, which is an area that vendors and service providers must focus on and take action on. The average response time of vendors and service providers in the event of a breach was rated favorably by respondents. Overall, 83 percent of respondents who experienced a connected home system breach resolved the issue with their vendor or service provider within 24 hours.

Cybersecurity and Threat to Privacy Cybersecurity vulnerabilities were particularly associated with third-party accessed devices within the home. The majority of households that use cloud-hosted home control hubs, security systems, and energy monitoring services are aware that their devices are being accessed or monitored by third parties. Security and whole home control hubs were identified as systems that required the most third-party access across the U.S. and Canada. In evaluating vulnerability, the threat to privacy was a key concern among respondents. Cybersecurity confidence in utility smart meters and online TVs was lowest when compared to home control hubs.

Cybersecurity and Insurance Protection Insurance protection was found to be relatively low across both the U.S. and Canada, particularly in Canada, with only 11 percent of respondents claiming to have insurance coverage. Insurance was typically acquired through the home insurance provider in both countries. Adopters were comparatively more inclined to use insurance protection, with 42 percent of adopters having insurance cover against cyber risks. However, this comprises just 16 percent of the total respondents.

Review of Cybersecurity Domain issues Summary of Key Findings

Addressing Key Issues and Challenges Addressing cybersecurity concerns involves navigating a myriad of critical issues and challenges for all stakeholders involved. The measures that consumers can adopt to secure their devices and connected network are far simpler. However, their successful implementation depends largely on the ecosystem of stakeholders being able to successfully adopt their share of cybersecurity measures, and creating products and solutions that offer the assurance of cybersecurity to the consumer.

Standards and Protocols incorporating Cybersecurity
Standards, Protocols, and Certification; Description
ISA99 Standard
- The ISA99 standards development committee brings global industrial cybersecurity experts together to develop ISA standards on industrial automation and control systems security.
- Although not prescriptive, the majority of the connected home device suppliers currently use these standards to achieve product resilience.
- Subjective treatment and interpretation of standard components; lacks specificity with regard to various types of connected devices; cannot be enforced
Z-Wave S2 Framework
- Announced in December 2015 and made available for Beta test in February 2016
- Strong AES 128 encryption; secure key exchange using Elliptic Curve Diffie-Hellman (ECDH); authenticated deployments remove the “man-in-the-middle” attack vector; tunneling all Z/IP traffic through a secure TLS 1.1 tunnel
- Requires third-party testing and certification through UL, involving additional costs; lack of regional/global compatibility of devices; cannot be enforced
Thread Protocol
- Developed by the Thread Group Consortium; has applications in smart connected homes; specification was completed in mid-2015 with certified devices being made available for the market
- Advantages include it being low-power, open, resilient, IPv6-based, and secure by default; it also offers a fast time to market for interested IoT device makers; comes with built-in security that is enabled by default and mandatory for all devices; requires two-way authorization; inter-device communication features DTLS encryption
- Limitations include need for alliance certifications, support issues, early adoption challenges

Cybersecurity: NIST Framework
Since the NIST framework was released, critical industry sectors have taken steps to align their security guidance to the framework. It can also offer a good starting point for the connected home industry as a model for its industry-specific cybersecurity framework, using directly applicable principles and modifying them or replacing them with more focused ones.
Key elements of the framework which are beneficial to the connected home industry are:
- Benefits include incorporating a common language, collaboration opportunities, the ability to demonstrate due care in adopting the framework, the ability to promote better security within the vendor supply chain, and cost efficiency in cybersecurity spending.
- The framework represents the clear direction of regulator interest in asking government and private agencies to adopt the framework; it could soon evolve into a voluntary, but de facto standard for cybersecurity.
- The framework, or any of its innate methodologies, could be used as the basis for a meritorious defense in any post-breach investigation by regulators or in litigation. Documenting its use internally can help organizations potentially avoid conclusions of negligence in implementing cybersecurity best practices.
- Those adopting the framework can demonstrate that prudent practices and due care were used in line with nationally recognized industry standards.
- It offers a higher bar for cybersecurity controls, yielding consistent expectations from regulators and consumers alike as to what cybersecurity means within each industry sector.

Privacy Incorporation by Design Privacy-by-design (PbD) advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation. PbD can offer a strong foundation to vendors and service providers to redefine their solutions as cybersecure.

Optimal Cybersecurity Value Proposition Summary of Key Findings

Rational Risk Evaluation Actual versus Notional Risks Understanding cyber risks in the connected home space calls for the delineation of actual risks from notional ones. To analyze this issue, a select group of popular connected home devices were rated for their actual versus notional risks, both from a consumer and industry standpoint. Frost & Sullivan looked at various independent security-related studies testing connected home systems for breach potential. The risks associated with a breach of a connected system such as a smart TV or security camera could be far more damaging (considering the potential for data and personal information loss to the consumer) than a utility smart meter or an energy management device.

Interdependency in Risk Sharing In practice, the more dependent partners are on a particular service provider to cater to the connected home, the higher the level of accountability in risk sharing for that service provider. Aggregators are an indispensable segment of the connected home value chain, with assimilators and integrators largely depending on their connectivity and communication to offer their solutions. This makes the aggregate risk (which is the sum of intragroup and intergroup risk) highest for aggregators. Correspondingly, they are also required to assume a higher level of accountability in cybersecurity breaches, not just by themselves, but on behalf of the assimilators and integrators supported by their communication infrastructure, networks, and cloud.

Cybersecurity Response Plan
The response plan for connected home vendors and service providers in dealing with cybersecurity will encompass crucial elements targeted at:
- Recognizing the risks
- Creating remedial methods
- Extending those methods to work with partners and the internal organization
- Training, and collaborating with industry peers to plan for contingencies

Conclusions and Recommendations Summary of Key Findings

Key Conclusions The top findings of this research validate some of the early hypotheses around the nature and causes of cybersecurity risk within the connected home, and the triggers that aggravate it to reach unmanageable proportions. If not addressed appropriately and in a timely manner, the growing concerns and loss of consumer confidence in connected solutions could impede market growth. At the same time, the research also confirms that a measured approach to assessing risks is necessary, given that the profile and intensity of risk vary, and consumer perceptions do not always correspond accurately to the actual risk potential. Education and awareness creation will help drive focus to the right practices that both consumers and the industry can adopt to address cyber risks.

Recommendations of this Research Designing for security is important to achieving cybersecurity compliance and avoiding costly consequences. Addressing cybersecurity for consumers can be far better achieved when it starts at the internal organization level. Cybersecurity is a collective responsibility. Collaborative initiatives are vital to achieving industry-wide compliance and bringing focus to implementing cybersecurity measures with the right set of legislation, standards, and policy initiatives.

Next Steps in Implementation The immediate set of milestones will center on organizations putting their own cybersecurity processes in place in terms of securing their connected home solutions and taking the internal steps necessary to accomplish it. Since standards, policy, and regulatory processes are expected to take time to formulate, these are projected as mid-term milestones. Given the widening scope of cyber risks, it is imperative for industry participants to review market growth prospects against evaluated risks and costs of conducting business. Reviewing policy directives and updating those per market requirement is essential, as the impact of cyber threats could assume significantly different proportions in the future.

Continental Automated Buildings Association (CABA) 613.686.1814 Toll free: 888.798.CABA (2222) Fax: 613.744.7833 caba@caba.org www.CABA.org www.twitter.com/caba_news www.linkedin.com/groups?gid=2121884