We are building a new home and intend to install an extensive home automation and security network throughout the entire house (three levels). I have done a lot of research on network topology and home automation so feel very comfortable in the direction we are going. However, when it comes to home automation, I am not totally comfortable with the "security" aspects of the various end-use devices. While I plan to use products from established companies, I still have concerns with how secure their devices are from "hacking". I am a bit of a techie so am comfortable with some programming and integration of code developed by others to facilitate rules, etc. I am also relatively comfortable with networking technology in general and, therefore, managing the network once it is setup.
Following is my current thinking on the critical aspects/requirements:
I want to completely isolate my personal PC network from penetration via home automation devices. However, I want my personal PC to receive alerts, etc. when any rule is triggered. I also want to control devices and insert rules into the HE network as the need arises.
I intend to hardwire as many of the devices as possible using PoE or the electrical wiring network. I suspect there will be some devices that will need to be networked with our WiFi but plan to keep those as limited as possible.
I will be using a modem-to-router-to-switch network configuration with WiFi access.
My preferred providers -- for networking hardware is Cisco; for home automation is Lutron, Innoveli, GE/Jasco, Sengled and Amazon; for home automation network is Hubitat.
I realize that this effort is substantial and will take time to fully implement. During the building process, we will be installing cabling and devices (e.g. Lutron Caseta switches) throughout the house. Integration into the home automation process with rules etc. will come over time. So, initially, I expect to use the Lutron switched in a "manual" mode until I determine/implement the rules into HE.
Without making this a longer post than it already is, I would like some thoughts on the following questions.
Is it realistic for me to receive alert from devices/rules while, at the same time, insulating my personal PC network from hacking attempts that may emanate for a security weakness within a device?
Can I leverage the WiFi network to receive alerts but still manage the rules and other aspects that control the "system" through the PC network?
We plan to contract with a security monitoring service for those times when we are away from home. I suspect that may need to be separate/independent from everything else. What suggestions or recommendations do you have for integrating (if possible) security monitoring services?
I may not have covered everything so would appreciate any thoughts, suggestions, observations, or experiences that would help me further develop this plan. Thanks in advance ...
I am confused by what your goals are because the systems you have indicated (Lutron Caseta, GE/Jasco, Sengled, iNovelli) are not by themselves IP-exposed. The controllers they are paired to may be exposed - although you can firewall them away as well.
That being said I would recommend keeping your professionally monitored security system distinct from your home automation system.
While not perfect, Zwave and Zigbee devices are relatively safe from outside hacking, as long as your hub (Hubitat, Smartthings, etc) is not compromised. Just avoid the Wifi (or more accurately cloud based) crap unless it can be made to run locally in some form or another.
I would think that the Wifi network itself (the router) is more prone to being compromised than Zigbee or Zwave.
While I am not a security expert, I think that there are very few cases of home automation stuff being a security risk, unless you are a member of congress or someone on that level. In that case, a commercial hub is probably not the right solution for you.
You can do this if you only intend to receive alerts while on your local network. You might be annoyed with getting alerts when ANY app is triggered, but you can pare that down to certain alerts.
Yes. Keep it separate. I think there are ways to integrate some systems into Hubitat, but if security is truly your end goal, worry about the security system first, and if it integrates or is somehow able to be tied into Hubitat that would be a bonus.
With respect to the goals, that is the reason I selected the brands I did, including HE. However, I anticipate that I won't be able to adhere to that goal for every device AND I am not totally clear on the vulnerability of Z-wave/Zigbee devices. Admittedly I may be a bit paranoid on this point but I prefer not to take the risk if I can avoid it. As for the security monitoring service, that is where my current thinking is. Therefore, I have started to think about what devices I want to have monitored, e.g. perimeter devices (glass break, door open) and fire/head devices vs. those that I want to be informed of, e.g. motion and water leak sensors. Motion because that would mean a perimeter breach and water leak because they would automatically shutoff the water once a leak was detected.
Saw a very attractive offer for Wyze monitored security. For 59 bucks you get a hub, 2 contact sensors & a motion detector. 5 USD per month for monitoring. Doesn't integrate with HE, but is a genuine security system. Extra sensors are very cheap. The 59 includes hardware and 1st year of monitoring.
If you wire contact and motion sensors to an alarm panel, you can use Konnected to integrate those sensors with Hubitat.
Wired sensors have the advantage of no batteries to change, and avoids the pitfalls inherent to any wireless signal transmission. Though I agree with others the “security” benefit is probably minimal for the average homeowner, reliability of the wired vs. wireless signal transmission seems like a more realistic benefit.
I wouldn't be too too worried about Zwave/Zigbee security. (Unless maybe you live in the heart of silicon valley where all your neighbors work in tech?)
What networking hardware software do you plan on using? I'm not sure on your budget or if you own anything yet, but if security and customization are your goals you might want to ditch the ISP provided gateway router and check out Ubiquiti - Unifi. You could get something like a UDM-Pro, a couple APs, and a hard drive to use their proprietary cameras for local recording. Additionally their software is very good. Lots of resources on YouTube to help segregate your network using VLANS and firewall rules for your IoT devices. Check out Crosstalk Solutions.
I agree that if you do decide to keep the professional security monitoring service, keep it separate. If you really want notifications or rules triggered based on something like your front door opening, you could throw in a zigbee or zwave door sensor but you might be duplicating efforts depending on the security company.
I wouldn't worry about this. At best, someone could hack into your zwave/zigbee network and annoy you by turning lights on and off, but who would bother? I imagine it wouldn't be an easy thing to do, and there's really nothing for an attacker to gain.
Don't put security or property monitoring devices like water sensors on your HA system. These things belong on a UL-certified alarm system, with a professional monitoring service, in my opinion.
A proper alarm system will pretty much work without issue 24/7 with full battery backup. Your HE will never give you the same kind of reliability.
Also the motion sensors that are used in these systems (eg Bosch Tritechs) have significantly better discrimination/coverage/range than any you'll find for HA so minimal false alarms (correct me on this one if I'm mistaken but I doubt it).
And most importantly, I'd be surprised if in the US your insurance company will accept HE as being a 'proper' alarm system for ratings purposes.
Also keep in mind Lutron bridge communicates to 3rd party systems using telnet.. not exactly a secure encrypted channel. Now not sure what you could actually do with that but it's worth mentioning I think.
I could see a case for redundancy here. I have rules set up that it shuts off the water main and sends me a message if there is water sensed. But having a dedicated alarm system with monitoring would be a great addition to this automation.
Turn off your lights? But really, that is a pretty low risk. And you can basically isolate the Lutron and Hubitat to a secure network IF you are really that concerned.
Yeah you are right of course - I did say not sure what you could do with that - however it IS a potential attack vector and the OP seems very interested in securing things.
Not to pick on OP, and this isn't directed at him or anyone in particular. But there are probably far worse things in your home than a Hubitat or Lutron hub.
Most everything Google and Android is pretty awful, for example. Yet people willingly connect their phone/tablet to their home network, and have apps for ALL their devices. They are all sending data to the cloud.
People don't think one second about their smart TV phoning off to parts unknown either. My Android TV was one of the worst things in the house for sending stuff to China until I sideloaded a blocking app. It isn't perfect because it sometimes messes with the smart apps and casting on the TV, but I try to use other ways to connect to media (computer and HDMI).
Same with all the smart appliances. The TIVO, Roku, Chromecast, Youtube, and everything else you use daily. It is all tracking you, and building a file on you. But nobody blinks an eye at any of that.
It will be really hard to completely block all this stuff from the net.
My alarm system has the ability to shut the water off, if I connect a compatible zwave valve. Haven't done it yet, because my water line comes in underground and up through the slab and there's no place to mount the valve without rerouting some pipes. I do intend to do it though. But at least if water is detected, the monitoring station will do everything they can to contact me or my wife.
I wouldn't trust that sort of thing to HE, or any other HA system. Too many things can go wrong.
How does your alarm system exercise the decision to turn off the water main once a leak is detected?
Not exactly sure what you're asking.
If a leak is detected, the water valve would be turned off automatically (in addition to the monitoring company being notified, and a notification from the alarm app on our phones).
If you're asking how it knows there's a leak: PowerG Wireless Flood Detector | DSC Security Systems Security Products | DSC
Thanks to all for the advice & suggestions. I'm rethinking some of the home security monitoring devices (e.g. I did not realize the difference for motion detectors) so may be expanding that service AND keeping it totally separate from the "hub".
Given the advice here, I will focus a bit more on securing the hub. Also, I did not think about the false positives. We currently have a few Nest cameras and a significant majority of the alerts are false positives. I will have to be judicious in selecting what alerts I want to receive in our new home.
One additional question ... What are your thoughts on remote access via a smartphone or tablet? We use our Nest cameras quite often when we are on vacation and have some Sengled bulbs that we can turn on if needed. While the security monitoring service will handle the primary need, I am thinking we might want to turn on some lights or adjust the HVAC as we are approaching home after vacation travel. Turning off the irrigation system if weather conditions change would be another application. Note: we have a rain gauge on our current irrigation system but it does not always work properly.
Again, thanks in advance for any thoughts/comments ...
Also, I have been doing further research on Ubiquiti products. Their products and controller configuration are very intriguing. Can you use their controller & software interface with other hardware, e.g. Cisco switches, OR is it specific to their own products?
You can mix and match configurations BUT you will lose some centralized control. I have an OpnSense firewall running on a pc but have a cloud key and some gen 2 non-pro POE switches and some access points - UAC Pro & Flex.
I had considered going with a Dream Machine Pro but was sort of talked out of it by some folks here in the community at least for the short term. I think OpnSense allows me more security options but I lose integration with the rest of the stuff.
The user interface and control of the switches/access points via the cloud key are fantastic. Have not had any trouble so far and when I switched out my Orbi for the Flex & UAC Pro have not heard one complaint about access from the family. Also extremely easy to monitor whats going on. Highly recommend if you can afford it.