What We Do About
Data Security
(And Why You Should Care)

When you think thermostats, do you think data security? Probably not, but perhaps you should. Today’s intelligent thermostats are part of much wider systems involving data transport between various endpoints, and this entails risk of hacking and malicious interference that reaches far beyond the individual device: If the hackers are in your thermostat, they are in your home. And under recent data protection legislation, a breach in your system may make you liable to pay very extensive damages. Fortunately, steps can be taken to counteract cyberattacks.

In this article, Product Manager Morten Zimmer shares some of the steps OJ Electronics takes to ensure data privacy and prevent hacking, enabling clients to meet present and future requirements within this complex area.

What’s the Problem?

Smart homes and the Internet of Things are bringing many benefits in terms of greater comfort, more energy-efficient consumption patterns and just plain fun! But IoT devices also involve new exposures to risk.  

“IoT devices are always part of a much wider network than many think of. When we talk intelligent thermostat security with people, they often smile a bit and say: What are the hackers going to do? Turn up the heat? – but of course the potential risks go much further than that. The thermostats are part of a wider system inside the building – one that also connects to a far vaster remote control system outside the home. These systems involve direct protocols, cloud protocols, APIs and more. So as we always say: If the hackers are in one of your devices, they are in your home.”

Morten Zimmer, Product Manager, OJ Electronics

OJ Electronics ensures data protection and prevents hacking

Cybercrime and Cyberattacks On the Rise

The risk is real. In the US, the monetary damage caused by reported cybercrime is rising rapidly: according to Statista, the figure was 4,200 million dollars in 2020. In 2022, the figure had risen to a staggering 10,300 million dollars, and the trend is growing.

Interestingly, the FBI’s 2022 internet crime report has the same figures for losses, but the number of complaints made in 2020 and 2022 are not that different: 791,790 complaints in 2020 and 800,944 in 2022. This suggests that those who are hit by attacks are hit worse.

Some of these attacks are made for direct financial gain, others simply to cause disruption and havoc. In a climate of growing international unrest and concerns, taking precautions makes good sense.

Programs and Legislation to Counteract Cyberattacks

Recognizing this, governments worldwide are taking steps to counteract the mounting risks. In the US, the Cyber Trust Mark is the most recent major initiative. Introduced in the summer of 2023, this voluntary cybersecurity certification and labeling program seeks to promote greater cybersecurity across connected devices in the United States. The aim is to establish an IoT device cybersecurity baseline, strengthen security of smart devices, and protect user privacy. Says Morten Zimmer: “We are keeping, as ever, an eye on all official labeling programs that are relevant to us – including upcoming ones. The topic has attention from all major authorities, so clearly it has ours too!”

In the EU, the so-called RED directive has been amended to promote greater cyber resilience. Essentially, the new legislation requires wireless devices connected to the internet to comply with relevant articles of the Radio Equipment Directive (RED) – and it applies to all products placed in the EU market from August 2025. The amended act introduces new legal requirements for cybersecurity safeguards that manufacturers must heed when designing and making products. It also helps protect user privacy and personal data, prevent the risks of monetary fraud and promote the resilience of our communication networks. If you are interested in what this mandatory legislation means for products designed in Europe, you can read more here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_5634


Why This Matters to You

Cyberattacks are clearly a real and growing risk, and failing to take precautions can have dire consequences. An attack can affect you financially – very much so. And it can have potentially devastating impact on your brand. In worst-case scenarios, malicious hacking can ruin a company through a combination of direct costs – including fines, which can be very large in some states, compensation to affected clients – and the loss of turnover due to a damaged reputation, says Morten Zimmer, adding that of course, this is not the most likely scenario. But with industries and their products becoming increasingly entangled, taking precautions also becomes a way of taking care of each other. By making sure that you and your suppliers meet the current legislation at any given time and stay ahead of the data security curve, you protect your business against losses, fines and legal action.

The Steps We Take

Fortunately, much can be done to prevent, counteract and mitigate cyberattacks. Here at OJ Electronics, we take many different steps to ensure that our devices are cyber resilient and meet today’s standards. And firm security measures are part of the newest platform we use to create our thermostats (read more about our R&D platform here). For example, we subject our own company to rigorous testing by external security partners, and we have many procedures in place to maximize security. These include hosting policies, in-house processes, and the protocols used in our devices.

We share what we do with you now because our approach covers many general topics that will be relevant to many businesses.

Hosting

Because of the entangled nature of the Internet of Things, it is well worth taking a look at the foundations for each individual company’s cloud offerings – after all, no-one starts from scratch. Says Morten Zimmer: To begin with the basis for the solutions we use, we should first take a look at the services we use as the basis for our own. Our solutions are mostly based on the Microsoft Azure cloud computing platform: using a major provider that sets the standard on the market has several benefits, including frequent security updates.


Data Centers in North America

Another aspect concerns the data centers we use. We operate on a global level, and we keep things contained within separate geographical areas. So the centers that serve our North American clients are located in North America; they won’t be affected by any disruptions in Europe. Our own databases are safeguarded in many ways, including geo-redundancy.


Working with a Security Partner

A key feature of OJ Electronics’ security strategy is working with an external security partner that subjects the company to rigorous real-life testing. We collaborate with an award-winning, certified security partner that is widely recognized as a leading authority within the industry. They check us and our products very carefully. They come in for every major release – or once a certain interval has gone by, whichever comes first – to carry out penetration tests. These ‘pen-tests’ are also known as ‘ethical hacking’, and it’s exactly what it sounds like: they try to get into our devices and systems any way they can, exposing potential risks before a real attacker does.

Testing According to Strict Security Standards

Throughout the process, the external company adheres to strict security standards: PTES, OWASP, OSSTMM. Very briefly, this means:

  • PTES is short for Penetration Testing Execution Standard. It comprises seven main sections: the pre-engagement phase, which establishes the scope of and reasons for the pen-test; intelligence gathering and threat modeling, where testers work behind the scenes to build an understanding of the organization being tested; vulnerability analysis, exploitation and post-exploitation, where they probe our systems for weaknesses and for what those weaknesses would give an attacker access to; and a final reporting phase.
  • OWASP is short for Open Web Application Security Project, an industry initiative best known for the OWASP Top 10, its list of the ten most critical security risks to web applications. It has also established the Application Security Verification Standard (ASVS), which helps identify threats and provides a basis for testing technical security controls.
  • Finally, our partner also works according to the Open Source Security Testing Methodology Manual (OSSTMM), which is peer-reviewed and maintained by the Institute for Security and Open Methodologies (ISECOM). The manual offers a security auditing methodology that considers regulatory and industry requirements, ensuring that all required regulations and frameworks are taken into account.

Says Morten Zimmer: “In these processes, we obviously receive documentation reports and recommendations. But even when we have responded to those recommendations, matters do not end there: we continue to keep an eye on things. We maintain a process of continuous review, re-investigating and acting where required. And we can heartily recommend that approach.”

Authorization Protocol Security

Speaking of what OJ Electronics specifically does to ensure state of the art security, the company uses the OAuth 2 authorization protocol. Short for “Open Authorization”, it is a standard which lets a given application access resources hosted by other web apps on behalf of a user. “Really, it’s the industry standard for online authorization,” says Morten Zimmer. “It’s used by the largest players in the industry, including Google and Amazon, and we use it to handle delegated access in connection with our mobile apps, all APIs and supporter websites.”

Transport Security: Using the Future-Proof TLS 1.3 Protocol

Transport security is a key issue when discussing cyber security. “The risk is always greatest when you move data,” says Morten Zimmer. That’s when intruders can wedge their way in between the endpoints. One of the key ways we counteract this is by using the state-of-the-art transport protocol, TLS 1.3. While TLS 1.2 is still widespread, it is no longer state of the art – hardly surprising given that it dates from the year after Apple launched their first iPhone! The TLS 1.0 and 1.1 protocols have been phased out by now, and there can be no doubt that within this natural lifecycle, TLS 1.3 is poised to take over. That’s why we use it on all our new smart thermostats for the North American markets. It’s all about looking ahead to future demands.

In-house Company Routines

The way you conduct your everyday business in-house can also benefit from being scrutinized for potential security pitfalls and breaches. We constantly streamline our in-house procedures and routines, removing potential leaks. We make sure to limit what is accessible to individual members of staff, and access is only allowed to selected groups and roles.

Of course, our employees are extremely trustworthy, but security measures are there to protect against all eventualities. Our managed company identity set-up ensures that only employees and trusted partners can access our cloud solutions, and if you change jobs or leave the company, your access disappears immediately. What is more, our own users can only access resources within well-defined OJ networking boundaries. Even then, you need more than just a password: we insist on multi-factor authentication. These are all strong steps towards preventing unwanted access.

Systems Closely Monitored

The OJ Electronics systems are automatically monitored 24/7: We keep a close eye on everything that goes on. System uptime is constantly monitored, and we use multiple automated monitoring systems. If anything seems amiss, our engineering staff are alerted immediately so that timely action can be taken.


Databases Protected by Firewalls, Geo-redundancy and Backup Routines

Good database protection and backup routines are a key aspect of data security, and our databases are protected with great rigor: we have strict firewall rules, and our firewalls are regularly updated, upgraded and maintained. This happens automatically, ensuring that no time is lost when an upgrade is released.

We’ve touched upon the theme of geo-redundancy in connection with data centers, and we apply the same principles to our databases: all data is replicated across several different sites, and it is well protected against threats that include fires, earthquakes and even nuclear attacks. Backups are taken as a matter of course, according to the grandfather-father-son rotation principle, and we also take automated snapshots. It’s all part of our overall endeavor to maintain top-notch data security.
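The grandfather-father-son principle mentioned above decides which backups survive each rotation. As an added illustration (not OJ Electronics’ code), this Go function selects, from a set of backup timestamps, the newest daily backups (sons), the newest backup of each recent ISO week (fathers) and of each recent month (grandfathers), so that an older restore point is always available even after many daily backups have been rotated out. The tier counts and the backup timestamps are assumed inputs.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// bucket maps a backup to its retention bucket for one tier: calendar day, ISO week or month.
func bucket(tier string, t time.Time) string {
	switch tier {
	case "week":
		y, w := t.ISOWeek()
		return fmt.Sprintf("%d-W%02d", y, w)
	case "month":
		return t.Format("2006-01")
	default:
		return t.Format("2006-01-02")
	}
}

// GFSRetain returns, oldest first, the backups a grandfather-father-son rotation keeps:
// the newest backup in each of the last `sons` days, `fathers` ISO weeks and `grandfathers`
// months. A backup may qualify for several tiers, so the tiers overlap rather than add up.
func GFSRetain(backups []time.Time, sons, fathers, grandfathers int) []time.Time {
	sorted := append([]time.Time(nil), backups...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].After(sorted[j]) }) // newest first
	keep := map[int64]time.Time{}
	for tier, n := range map[string]int{"day": sons, "week": fathers, "month": grandfathers} {
		seen := map[string]bool{}
		for _, t := range sorted {
			b := bucket(tier, t)
			if seen[b] {
				continue // an older backup in a bucket whose newest member is already kept
			}
			if len(seen) == n {
				break // this tier's quota of buckets is full
			}
			seen[b] = true
			keep[t.Unix()] = t
		}
	}
	out := make([]time.Time, 0, len(keep))
	for _, t := range keep {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Before(out[j]) })
	return out
}
```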

Data Protection

Data protection and privacy regulations have very much been shaped by the European Union’s General Data Protection Regulation (GDPR). While it was developed and adopted in Europe, the GDPR imposes obligations on any organization anywhere in the world that targets or collects data pertaining to EU citizens. As Morten Zimmer says: “The regulation imposes harsh fines against those who violate its strict privacy and security standards, and it has formed the basis for American rules and regulations within the field. In fact, many US states now apply even stricter requirements. For example, some states will impose fines of up to 10,000 dollars per connected device in cases of breach – which can run to millions. So it’s well worth your effort to comply with all rules. The systems we use at OJ Electronics are easy to maintain to cover any upcoming changes, and they are set up to handle all legislative demands so that you need not worry about setting them up. Basically, we make sure that you can comply with all regulations and responsibilities simply and easily.”

“As we have highlighted, data security and protection involve many risk factors and many steps that can – and should – be taken. We have shared some of our own approaches, deliberations and procedures. While we work specifically with thermostats, many of these issues are relevant whenever you select suppliers on the IoT market: Do they have the right kind of hosting sorted? Do they subject themselves to rigorous independent testing on a regular basis? Do they use the future-ready TLS 1.3 protocol?

All these questions are well worth asking. And if you have any questions about what you have just read, do ask us.”

Morten Zimmer, Product Manager, OJ Electronics

Curious to know more, or do you have a question regarding the article? Please don’t hesitate to contact

Morten Zimmer, Product Manager

+45 73 12 13 53 [email protected]