Poorly secured devices threaten individuals’ online security, privacy, safety, and could be exploited as part of large-scale cyber attacks. Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s dolls.
– Margot James, Minister for Digital and the Creative Industries
Company
As part of the Government’s Clean Growth Strategy, a commitment of up to £7.6 million was made to promote demonstrations of innovative energy demand side response (DSR) technologies to reduce energy use in peak times and provide flexibility to the energy system.
Our Client was chosen to participate in this competitive cohort due to its innovative home energy management system that can directly control a community of domestic battery systems using advanced algorithmic controls and its cloud platform.
Product and features
Our Client’s system is part of a monitoring and control solution for home battery storage systems that enables their combined use for demand response services by energy utility companies, such as frequency regulation, and for self-consumption of solar energy by the battery owner/end-user.
It connects a battery system to a Cloud service via the end-user’s home network, monitoring and sending data, such as the grid frequency, the energy and power flows to the battery, and state of the battery. Based on this information, and from similar information from other battery systems connected to the service, the Cloud service communicates with the Device to instruct the battery to either, export the power stored in the battery to the grid by discharging, or to store electricity from the grid by charging. These commands are issued either in response to a request or need from the energy utility or end user. In return the end user receives a payment for participating in the service.
The Challenge
Our Client realised that the impact of deploying an insecure product into thousands of homes would be catastrophic and it was important to perform appropriate due-diligence when developing their connected product. Having multiple components meant that there was a variety of attack surfaces and appropriately securing them needed a holistic view.
Implementing security by design into their device and associated services was vital to their product and success.
Gemserv was chosen as a trusted security partner based on our strong experience in securing and reducing risks of IoT solutions within energy sector initiatives such as Energy Systems catapult and Energy Entrepreneurs Fund. Our significant expertise in Information security, data privacy, IoT and our unique position within the market, gives us a competitive edge and better insights to help our clients with compliance against best practices, standards, existing and emerging regulations.
Our Approach
Our client’s product is designed to be deployed in consumer homes and therefore the client identified that it would need to align with DCMS’s recommended Code of Practice and the newly formed ETSI TS 103 645 standard, in ensuring the product maintains secure characteristics such as, not using default passwords and storing credentials securely, implementing a vulnerability disclosure policy, keeping software updated, communicating securely, minimising exposed attack surfaces, ensuring software integrity, and ensuring that data is managed. In addition, the process ensured alignment with best practice guidelines from leading security organisations such as IoTSF, GSMA, and OWASP.
We started by looking at the end to end system architecture to understand components in the Edge, Cloud and the interconnections between them. Together with our unique Risk classification model, we assigned an Assessment classification that is relevant to its intended use environment. The next step was to assess the gaps within those components and we used our comprehensive assessment checklist that examines core areas such as Encryption, supply chain security, software update processes, business processes around Data privacy and user documentation amongst others. This helped us and our client’s team to develop a clear understanding of areas where security can be enhanced.
Our confidential report broke down key statistics of the assessment areas and their associated controls. Using a simple Red, Amber, Green system, statuses were clearly tagged and an easy to follow prioritised mitigations list was provided as part of the remediation plan. The report also showed how implementing the proposed mitigations could help solve any non-conformities and better align with DCMS’s code of practise to ensure our client’s product is secure by design.
During the engagement the client and Gemserv collaborated closely, discussing progress and outcomes at every step of the process. We worked towards a tight deadline and our experienced team ensured availability and maintained constant communications to conclude the engagement on time and within budget.