British Gas Works to Address New Security Threats and Conquer the Smart Home
Energy utilities are early movers in the home Internet of Things (IoT) market, especially in the European marketplace, with British Gas in the UK among the innovation leaders through its Hive Smart Thermostat, launched in September 2013. The solution has already been widely deployed, not just with its own energy customers but with those of rivals as well.
Hive comes in three parts: a control unit to modulate the boiler, a wireless thermostat, and a hub connecting to the existing Wi-Fi-enabled broadband router. This enables users to set the thermostat remotely via their smartphones for both heating the home and hot water, with support for geo-tracking so that heating can be set to come on automatically, say, when the owner is driving home on a winter's day.
However, this is really just the tip of the iceberg, since the stated intention is to expand from this base to many other IoT applications in the home, including security monitoring and intelligent domestic appliances. British Gas' goal is to exploit the synergy that will follow from connecting the different islands of "smart home" IoT and to become the leading platform of this type. Alongside standardization and management, one of the major considerations as IoT devices are deployed and connected is the range of security issues that must be addressed. British Gas has thus far been proactive on various security-related aspects by directly addressing the privacy of the user's energy consumption data and of messages sent to the system from the smartphone, highlighting the use of encryption and standard password protection for access to the account.
But British Gas is well aware that it will have to go a lot further to counter emerging threats as its IoT strategy unfolds. Like other IoT participants, the organization is following the OWASP (Open Web Application Security Project) Internet of Things Top Ten Project, which sets out to monitor the principal emerging threats, their impact and ways to protect against them.
Some of these threats are highly relevant for the Hive project, such as the risks posed by flaws or exploits that are uncovered in the software or firmware of the IoT devices. As with the other risk categories, the remedies are not difficult to identify, but in this case they do require some expertise to deploy, with the fundamental requirement being that the device must be updateable remotely in real time.
British Gas is certainly off to the right start by ensuring that the Hive thermostat and boiler controller can indeed be remotely updated, and it has already had cause to exploit this capability. A software fault came to light in January 2015 that prevented 40 of its customers from controlling the system from their smartphones, which could be serious if, say, they had left their heating full on all day by mistake after leaving on vacation and wanted to turn it off remotely. This was swiftly remedied by a remote software update.
Yet as the applications get more complex, even an organization with the resources of British Gas may struggle to implement all the recommendations from that OWASP project and other sources. The IoT security challenge is even broader than OWASP suggests, in part because, as the scope of the field expands into services and applications not previously dreamed of, it will be impossible to anticipate all of the potential threats in advance. For this reason it will be important to develop a comprehensive, proactive threat monitoring capability for the IoT in general.
At Verimatrix we are exploring partnerships with a number of IoT service providers to ensure that these emerging threats are fully countered. We will be able to readily address the various threat models posed by emerging multi-layered IoT environments by extending our existing set of solutions, which has been designed from the ground up to embrace diverse services, clients and target platforms.