tion. This applies both to commands that elicit immediate reactions and commands that elicit delayed reactions (for example, turn on the sprinklers at 10 a.m.).
4. Execution integrity. A device should not deviate from its intended operating specification. More specifically, security vulnerabilities should not allow unintended behaviors that violate other security goals.
Digital Data Goals. These are security goals that pertain to a user’s digital data.
1. Data privacy. Defenses should protect the confidentiality of the user’s data (for example, leaked data could result in embarrassment, loss of reputation, financial damage, or legal repercussions due to possession of information or evidence of activities incompatible with local laws).
2. Data integrity. Defenses should ensure that the user’s data is not corrupted. Non-critical data can be an inconvenience if lost (such as minor corruption of an address book), but critical or irreplaceable data can present major emotional or logistical challenges (such as losing photos of deceased family members). Alternatively, undetected, intentional changes to data or the addition of new data could have legal (for example, illicit materials), financial (for example, inaccurate tax paperwork), emotional (for example, SMSs or email messages being sent to unintended recipients), or physical (such as inaccurate medical logs) consequences.
3. Data availability. Defenses should ensure the user’s data does not suffer from malicious access interruptions.
Environment Goals. We must also consider security goals that pertain to the home infrastructure and general environmental conditions.
1. Environment integrity. Defenses should protect against single or multiple cyber-physical devices accepting commands that maliciously change the home environment—particularly if those changes might harm the home or its occupants (for example, lowering the thermostat could result in poor sleep, increased susceptibility to illness, or damage to water pipes).
2. Activity pattern privacy. Defenses should protect against accidentally revealing information about the activities of home occupants. Such disclosure could be the direct result of one data
source, or inference and cross-referencing from multiple sensors. Activity patterns could reveal information that is embarrassing (for example, intimate habits) or informative to a miscreant (for example, whether or not occupants are asleep). We consider two special cases:
˲ Presence privacy. Defenses should protect against accidentally revealing whether or not the home is occupied, as this can facilitate physical attacks on the home and enable cyber-physical attacks that might otherwise be detected and interrupted.
˲ Occupant identities. Defenses should protect against accidentally revealing the identities and number of occupants, thereby supporting freedom and privacy of association. As an example of privileged information, one may not wish to reveal that a young child is home alone.
3. Sensed data privacy. Defenses should protect against confidentiality leaks of sensor data (such as audio or video feeds) of shared and private home spaces.
4. Sensor validity. The readings from environmental sensors should be valid and immune to technical tampering. Sensor readings generally remain susceptible to tampering in the analog channel. Altered sensors might cause financial harm (for example, inaccurate power metering) and/or physical harm (for example, a disabled home intrusion sensor facilitating a break-in). Alternatively, a miscreant who is unable to alter the function of a home system directly might instead tamper with sensor readings in an effort to alter the actions of the actuator in a feedback loop. In some scenarios, homeowners themselves may be considered the adversary (such as tampering with power meter readings to reduce billing,17 or altering medical sensor readings for health insurance fraud).
5. Sensor availability. Sensor readings should be available without interruption according to their regular schedule. For example, the failure of a sensor can lead to physical harm or damage (such as the burglar alarm, the smoke detector, or the temperature sensor in a refrigerator).
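The sensor validity and environment integrity goals above describe an adversary who, unable to command the actuator directly, feeds tampered readings into a feedback loop (or who lowers a thermostat far enough to freeze pipes). The following is an added example, not code from the article, of how a thermostat controller can defend against both: readings are checked for physical range, rate of change, and agreement with a second sensor before they influence the heater, and a hard safety floor bounds the setpoint regardless of what the controller is told. All thresholds and the reading sequence are constructed for illustration.

```python
"""Plausibility checks for a thermostat feedback loop (illustrative, assumed thresholds)."""
from dataclasses import dataclass, field
from typing import Optional

# Physical envelope for an indoor air-temperature sensor (assumed values, degrees C).
MIN_PLAUSIBLE_C = -10.0
MAX_PLAUSIBLE_C = 50.0
MAX_RATE_C_PER_MIN = 2.0            # indoor air rarely changes faster than this
MAX_SENSOR_DISAGREEMENT_C = 3.0     # primary vs. independent secondary sensor
SAFETY_FLOOR_C = 7.0                # heating decision never uses a setpoint below this

@dataclass
class Reading:
    minute: int
    primary_c: float
    secondary_c: float

@dataclass
class Thermostat:
    setpoint_c: float
    last_good: Optional[Reading] = None
    rejected: list = field(default_factory=list)   # (minute, reason) audit trail

    def validate(self, r: Reading) -> Optional[str]:
        """Return a reason string if the reading is implausible, else None."""
        for name, v in (("primary", r.primary_c), ("secondary", r.secondary_c)):
            if not MIN_PLAUSIBLE_C <= v <= MAX_PLAUSIBLE_C:
                return f"{name} out of physical range: {v}"
        if abs(r.primary_c - r.secondary_c) > MAX_SENSOR_DISAGREEMENT_C:
            return "sensors disagree"
        if self.last_good is not None:
            dt = max(r.minute - self.last_good.minute, 1)
            rate = abs(r.primary_c - self.last_good.primary_c) / dt
            if rate > MAX_RATE_C_PER_MIN:
                return f"rate of change {rate:.1f} C/min exceeds limit"
        return None

    def decide(self, r: Reading) -> bool:
        """True means run the heater. A rejected reading never drives the actuator."""
        reason = self.validate(r)
        if reason is None:
            self.last_good = r
            temp = r.primary_c
        else:
            self.rejected.append((r.minute, reason))
            if self.last_good is None:
                return True          # no trusted baseline yet: fail safe toward warmth
            temp = self.last_good.primary_c
        # Safety floor: even a maliciously lowered setpoint cannot freeze the pipes.
        return temp < max(self.setpoint_c, SAFETY_FLOOR_C)

def run_demo():
    """Constructed sequence: the minute-2 primary reading is tampered upward."""
    t = Thermostat(setpoint_c=20.0)
    seq = [Reading(0, 18.0, 18.2), Reading(1, 18.5, 18.6),
           Reading(2, 30.0, 18.8), Reading(3, 19.0, 19.1)]
    return [(r.minute, t.decide(r)) for r in seq], t.rejected
```

The rejected list is the detection hook: a tampered reading that is merely dropped is still an event worth logging and alerting on.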
Having explored human assets and security goals, we now explore a strategy for evaluating the potential risks with home technologies.
Evaluating Potential Risks
The risk posed by a given home tech-