The Smart Grid Social Networking Security Checklist contains five categories for implementing basic security controls. These categories are:
- Information Sharing
The following controls should be implemented to safeguard your Smart Grid / Social Networking device deployment.
Account Name – Use an account name that does not easily identify you or your device. For example, if you set up a PicoWatt device, do not name it ‘Quincy-Magoo-BedRoom-PicoWatt.’ Choose something less obvious, such as ‘QmPi1.’ While this is a classic example of security through obscurity, it will keep you from being identified by simple Google queries that look for Smart Grid devices integrated with social networking sites. Additionally, avoid reusing the account ID from your email address. For example, if your email address is firstname.lastname@example.org, do not name the device mr.magoo.
Personal Information – Do not post unnecessary information to the account. In particular, avoid entering location-based information. If a Facebook page is set up for your smart device, you probably do not need to enter the city or state, or post a picture of the device. Hopefully, you won’t need to check the Facebook page to remind yourself of this information.
Secure Login – When your Smart Grid device connects to social networking sites, make sure that it uses a secure protocol, such as HTTPS. A warning earlier in this chapter called out that some third-party applications use HTTP rather than HTTPS to transmit your login credentials. Using a secure protocol when providing login credentials to social networking sites will help protect your device’s social networking account. Additionally, ensure that the application transmits your session credentials securely as well: for as long as your login session is valid, your session credentials, such as a session cookie, are as good as your login credentials.
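As an added example (not from the book or any vendor), here is a small Python audit that checks a captured set of a device's web requests for the two failure modes named above: login credentials and session cookies sent over plain HTTP. The capture, the credential field names and the session-cookie name hints are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry a password (assumed list, extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}
# Substrings that usually mark a session cookie (assumed list).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def submitted_fields(req):
    """Names of fields sent in the URL query string or the form-encoded body."""
    parts = (urlsplit(req.url).query, req.body)
    return {k.lower() for part in parts for k in parse_qs(part, keep_blank_values=True)}

def audit_request(req):
    """Return the findings for one request; an empty list means it passed."""
    findings = []
    plain_http = urlsplit(req.url).scheme.lower() == "http"
    if plain_http and submitted_fields(req) & CREDENTIAL_FIELDS:
        findings.append("login credentials sent over plain HTTP")
    # The Cookie header is "name=value; name2=value2"; keep only the names.
    names = [c.split("=", 1)[0].strip().lower()
             for c in req.headers.get("Cookie", "").split(";") if c.strip()]
    if plain_http and any(h in n for n in names for h in SESSION_COOKIE_HINTS):
        findings.append("session cookie sent over plain HTTP")
    return findings

def audit_capture(capture):
    """Map the URL of every failing request to its findings."""
    report = {}
    for req in capture:
        if findings := audit_request(req):
            report[req.url] = findings
    return report

# Constructed capture of an add-on talking to a social network for the device.
SAMPLE_CAPTURE = [
    Request("POST", "http://api.example.test/login", {}, "email=qmpi1&password=hunter2"),
    Request("GET", "http://api.example.test/status", {"Cookie": "sessionid=abc123; lang=en"}),
    Request("POST", "https://api.example.test/login", {}, "email=qmpi1&password=hunter2"),
]
```

Run `audit_capture(SAMPLE_CAPTURE)` against a capture of your own device's traffic; only the two plain-HTTP requests in the sample are reported.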
Unique Password – In addition to the standard complexity requirements, choose a unique password for each of the social networking accounts. Avoid using passwords that you use for other accounts, such as your email account. If someone is able to compromise your email account, they would then be able to access your social networking account.
Password Sharing – The traditional recommendation not to share your password with other persons still applies, but you should also not share your other account passwords with the social networking site itself. For example, Facebook allows you to enter your email address and email account password so that it can automatically identify friends in your email account’s address book.
Security Questions – Apply the same password security controls to security questions. Some social networking sites use security questions, such as your mother’s maiden name or your favorite restaurant, to provide an additional layer of security or to reset a “forgotten” password. The problem is that this information can usually be obtained by reading your social networking profile. By choosing complex and unique answers (ones that are factually incorrect), you will prevent someone from intelligently guessing the answer.
Information Sharing Controls
Privacy – When you set up your Smart Grid device’s social networking profile, make sure that you set it to ‘private.’ This will prevent anyone from viewing your Smart Grid device’s information updates. Once you have configured the profile as ‘private,’ allow only the users (or accounts) you want to view your Smart Grid device’s information. For Facebook and Twitter, requests must be sent from the user account that would like to view the Smart Grid device’s updates.
Third-Party Application Sharing – Avoid using any unnecessary third-party applications. Social networking sites strongly encourage the development of application add-ons. When you use these add-ons, the applications will try to access the information in your profile, which may make your information accessible to the third party.
- Segmentation – When installing your Smart Grid device on your local area network, segment it from the rest of your home’s network devices. This can be done with firewall access control lists (ACLs), or with switch virtual local area networks (VLANs) combined with ACLs. Segmenting your Smart Grid device will help prevent unauthorized access to the rest of your devices if the Smart Grid device is compromised.
- Browsing – While you are logged into the social networking account, avoid browsing to other social networking profiles or websites. Additionally, explicitly log out and close the browser before browsing to other web pages. Restricting your browsing habits while logged in will help avoid cross-site request forgery attacks against your device’s social networking profile.