Domotics - a can-o-worms

This morning, I’ve been browsing and thinking about ISO/IEC 27403, a draft ISO27k standard on the infosec and privacy aspects of “domotics” i.e. IoT things at home.

 

Compared to a [reasonably well controlled] corporate situation, there are numerous ‘challenges’ (risks) in the home setting e.g.:

• Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
• Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically installed about the home (e.g. smart heating controls, door locks and cat feeders).
• Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence. Finite processing and storage capacities, plus limited user interfaces, hamper/constrain their security capabilities.
• Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
• Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
• Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment anyway, and innovation is driving the tech at quite a pace.
  
• Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ...  Physically securing things against accidental or malicious interaction is difficult, while networking compounds the issue.
• Limited ability to manage and control IoT device and service supply chains, as well as the installation, configuration, use, monitoring  and maintenance of devices and services, with little if any coordination among the parties.

Good luck to anyone seriously attempting to secure their own home, or for corporations concerned about securing their employees including home workers (execs and plebs) and an increasingly mobile and tooled-up workforce. 

For instance, I have only a rough idea of what IoT things are in my home, some of which are not mine and are not under my control. Security configuration is, at best, an ad hoc activity when (some) things turn up. Security monitoring and management (e.g. patching) are almost nonexistent, in practice. Being an infosec professional and geek, I do my level best to contain and protect work-related and personal info but it is hard going in such an open, dynamic and potentially hostile environment. “Zero trust” just about sums it up.

The practical limitations, in turn, open the door to all manner of mischief and misfortune.  It’s a veritable can-o-worms I tell you.