The Unmeasurable Benefit of a Home Lab
I’m always trying to think of relatable ways to describe the challenges of industrial control system (ICS) cybersecurity. Whether you are a critical infrastructure operator, a cybersecurity consultant, or a vendor, it is important to recognize and understand the nuances of design, equipment selection, deployment, and maintenance as they relate to cybersecurity. My advice to students, practitioners, and researchers would be to build and maintain a home lab. The extra challenge would be to treat this lab like a critical infrastructure system and realize how important every step of the process is.
I’ll give a brief overview of my home lab to help connect the dots to the real-world implications. The exact design of my home lab isn’t important for this discussion; however, for context just know that I have a next-generation firewall, a wireless access point, an Ethernet switch, and a Z-Wave hub that connects all of my equipment. The network includes approximately 30 devices, such as wireless cameras, door sensors, smart plugs, energy sensors, smart thermostats, Raspberry Pi devices, a Linux server, and family media devices. Most of the network has an aspect of plug-and-play capability; however, remember we are pretending that this is an ICS network (not too far of a stretch with emerging technologies).
Here is the part where things get tricky if we are aiming for safety, reliability, and economics of the system. The challenges are endless. For example:
- The microwave interferes with 2.4 GHz Wi-Fi, and the 5 GHz signal cannot reach everywhere.
- The Z-Wave USB stick could only be mapped to my ZwaveJS2MQTT Docker container by rebuilding the configuration.
- The Wi-Fi cameras had to be flashed with custom firmware to support the Real-Time Streaming Protocol (RTSP).
- The economics of monitoring the fridge doors couldn’t be justified in balance with our responsibility to watch the kids.
- The screen on my laptop is broken, so SSH and RDP are my only access options.
- The concept of “no firmware Fridays” applied to internet disruptions before bedtime.
- My Raspberry Pi that acts as my DNS server corrupted the microSD card, which couldn’t be repaired. Chaos was avoided by having a backup DNS address programmed into the router.
The stories of the growth and struggles associated with my home lab are also the source of my expanded knowledge of the capabilities of virtualization, how to navigate different operating systems, the importance of documentation by others and myself, and how to troubleshoot problems. I’ve made mistakes while designing my system, such as purchasing a Z-Wave hub that doesn’t support the Zigbee protocol, which would have only cost $5 (USD) more. I’ve also recognized how easy it is to misconfigure a firewall, have issues with intrusion prevention system tuning, and set up certificates and multifactor authentication for remote access.
Especially during the pandemic, my kids would have been unhappy customers if there had been a network failure. Like many real-world customers, I am limited in time, skills, and funding to perfect my home lab. I depend on the support of the community, and the cybersecurity risks scare me at times…
- Visitors want access to my Wi-Fi.
- Almost none of my devices automatically update themselves or notify me in a convenient way when security updates are available.
- My doorbell camera sends my credentials unencrypted to the cloud.
- I had to take down my website because it was almost always vulnerable.
- I haven’t automated disaster recovery backups.
- Devices such as my Raspberry Pi wireless train controller are unsupported projects that no longer receive security updates.
- My thermostat has a microphone, but no voice controls.
- My son says the computer password out loud every time he logs in like it’s two-factor voice controlled.
The journey is continuous, the learning possibilities are endless, and the fun never stops!
Contributor
Will Edwards, CISSP, PE
Senior Engineering Manager, Infrastructure Defense
will_edwards@selinc.com