By Mark Milby and Ian Blanding
For years we’ve heard the specter of cybersecurity raised at nearly every conference or workshop focused on energy efficiency technologies or program design. In most cases it’s discussed only superficially, more like a vague threat on the horizon or a worrisome issue to be given more thought soon. This isn’t surprising, as security experts and cyber operations professionals are rarely present at energy efficiency industry meet ups, and most program implementation folks probably don’t peruse recent literature on cryptography and network vulnerability on a regular basis. But a growing reliance on connected devices, data collection and remote or automated control of energy-intensive equipment to achieve energy savings is necessitating a harder look at these trends and their implications for security.
Opportunity (and Vulnerability) of Connected Devices
This was the main topic of discussion at a roundtable in Chicago hosted a few months ago by the Delta Institute featuring experts from Argonne National Laboratory, West Monroe Partners and others. The conversation was rooted in the implications of a trend that has become increasingly more apparent in our industry – that is, that smart/connected devices and large-scale data sharing represent the next frontier for much of the energy efficiency space. This is occurring not just due to parallel consumer trends, but also out of necessity. Consider how in many home appliance categories, state and national standards have succeed in raising the efficiency bar high enough to render continued, significant efficiency advancements unlikely. Then consider how the increased automation of set points, run times, power output and other control functions holds enormous savings potential.
This potential makes it clear that connected devices represent the future for many aspects of energy efficiency program efforts. We’re already seeing this in the Midwest, where utility incentives for smart thermostats have recently become commonplace and many other intelligent efficiency technologies are being incorporated into utility programs, such as predictive analytics for Building Automation Systems (BAS), networked lighting controls, mobile apps for Home Energy Management Systems (HEMS) and a range of smart home energy products.
The Future is Here – But Are We Ready?
According to many estimates (see here, here and here) the number of connected devices globally is already in the billions and will increase to at least 50 billion by 2020. Given this dramatic but expected increase in connectivity, the panel laid out near-term scenarios with significant energy efficiency potential. Connectivity could pave the way for a home or apartment to communicate directly with the grid and schedule appliances to run on off-peak hours. It could enable a building automation system to communicate directly with dozens of mechanical systems and alert an operator about issues or inefficiencies in real-time. Whatever the scenario, the technology to make it happen either currently exists or will soon, leaving little time for the EE community to take full stock of the digital risks involved in these new opportunities.
A Gray Area for Consumer Protection
What we may not be considering properly is how much responsibility comes with billions of connected things and trillions of data points. A central question remains unanswered: Who will ensure that these devices provide maximum social benefit with minimal consequence? According to the panel, many technology developers and manufacturers are exclusively in the business of creating and selling products, leaving it up to the consumer to protect themselves. And not only that, but many industry-standard mechanisms for protecting consumers may be lacking. Digital security giant Symantec describes it this way: “Poor security on many Internet of Things (IoT) devices makes them soft targets...many devices are often designed to be plugged in and forgotten after a very basic setup process... present[ing] a unique lure for remote attackers.”
Take software updates for example, often a product developer’s front-line defense against hacking and other security breaches. How many of us click “ignore” rather than downloading an update? What many of us don’t understand (or care enough about) is that an update could be a critical patch to improve consumer security, but by doing nothing, we leave ourselves vulnerable. Some estimates put the number of connected devices in the average US home in 2025 into the hundreds. Will all this stuff receive timely updates regularly? Carry the right encryption systems? Send data securely? Communicate transparent terms and conditions to users?
2017: A Year in High-Profile Cybersecurity Threats
In 2017, Americans were inundated with news about cyber threats. This included a massive Equifax hack that left 143 million vulnerable, multiple groups proving that most IoT devices in the home can be accessed remotely, and the just-discovered vulnerability in Apple’s HomeKit software that allowed “unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs”.
Solutions on the Horizon (aka Don’t Panic)
On the bright side, the consumer electronics industry appears to be collaborating on common solutions, and major efficiency product providers are taking this seriously. Nest, backed by Google’s Vulnerability Reward Program, welcomes security researchers to try to find vulnerabilities in their smart thermostat products and share the results so the company can improve. Apple extensively vets new products before allowing them to access the HomeKit platform. DesignLights Consortium (DLC) has added information about security to its Qualified Products List for networked lighting controls. Cybersecurity is being extensively studied in BAS to make them inaccessible to unauthorized users and prevent jumping from the BAS network into other systems (which is what happened to Target through an HVAC company a few years back).
Although this may all sound like the doom and gloom scenario we’ve become accustomed to hearing, connected devices, big data, automation and networked grid resources present opportunities too important to back away from. The energy efficiency industry should embrace this technological revolution, but take the time to understand the unique challenges that will come with implementation. Connected devices are here to stay, so the sooner the industry can harness the good and manage the bad, the sooner we can enter the next frontier of energy efficiency.