The Slow March to Secure IoT Devices

Consumers worried about whether a smart plug or smart thermostat is safe enough to buy might not have to wait much longer for outside assurance the device has the necessary security. UL is on the verge of rolling out security ratings for Internet of Things (IoT), or smart home, devices.

UL’s new IoT security ratings (or standards) come in five tiers based on various requirements, including the following: 

• Software updates
  
• Data and cryptography
  
• Logical security
  
• System management
  
• Customer identifiable data
  
• Protocol security
  
• Process and documentation
  

The goal for the ratings is twofold: to make security of IoT devices or solutions more transparent and accessible to consumers and to help manufacturers and developers improve their security stance by implementing proven best practices.

UL's Five Tiers for Security Ratings of IoT Devices

(Source: UL)

The UL ratings cannot arrive too soon given recent reports of Ring cameras getting hacked and the intruders livestreaming their nefarious activities as they harass unsuspecting owners. The hacks aimed at Ring cameras replicate what an Illinois couple noticed earlier in 2019 when hackers breached their Nest security cameras, speaking to their child and spouting obscenities. In that Illinois incident, the couple suspected the hackers also commandeered a Nest thermostat, raising the temperature to 90°F.

For now, consumers will have to wait several months, or longer, for UL’s security ratings to have any meaningful influence on the market. UL says it is working with device manufacturers to implement the standards, which are still in the early stages. An announcement about the ratings is expected during the first quarter of 2020; however, UL anticipates a gradual acceptance of the standards as both vendors and consumers gain knowledge of what they mean in practical terms.

The HEM Perspective

The UL ratings dovetail with an emerging standard for smart home energy management systems (SHEMS) that the US Environmental Protection Agency’s ENERGY STAR program is shepherding. The primary goal for the SHEMS specification is to guarantee devices operate efficiently and only when needed, and that they optimize energy use, storage, and production. The SHEMS standard promotes device and system interoperability as well as security based on industry standards and best practices, meeting UL’s security standards.

Like UL’s standards, the SHEMS specification is on a slower track to market adoption. The first version of the SHEMS standard took effect in September 2019, and stakeholders say the first SHEMS-certified product bundles are expected to enter the market sometime in the second quarter of 2020. However, an energy savings metric for SHEMS is not expected until 2021; once that is established, version 2.0 of the SHEMS specification is likely to take effect in 2022 or 2023 (for background, read this blog on SHEMS).

These forthcoming standards portend much-needed safeguards for IoT-smart home products and services. Though it has taken a while for these standards to evolve, once in place, consumer hesitation should recede and the market should be on a pathway to its full potential.