Toby Considine Toby Considine

The Trader’s perspective on Transactive Energy

Transactive energy has been notoriously difficult to pull off. The few successful implementations were not interoperable. The people who knew markets did not understand electricity and its use. The people who knew the economic value and operation of building systems did not understand markets. The large regulated economic entities that today control the distribution of electric power see price as something determined by the utilities commission. The bulk power market operators, with the deepest understanding of power markets have been unable to shed their legacy of control.

The US National Institute of Standards & Technology (NIST) defines transactive energy (TE) as “a system of economic and control mechanisms that allows the dynamic balance of supply and demand across the entire electrical infrastructure using value as a key operational parameter.” TE essentially uses markets to create spontaneous order out of the chaos of free-agent users of energy using different control systems and technologies to live their own best lives. Markets are algorithms are cooperative algorithms that generate solutions to changing supply and demand without the imposition of central control.

More than a decade ago, NIST and the US Department of Energy sponsored the development of communication standards to enable deployment of TE. The result, OASIS Energy Interoperation, saw little adoption. It was too complex. Products developed by different people interoperated only with difficulty. The work of several brilliant economists to define markets in time (or time-of-use) inspired the original specification. But, as any student in business school knows, economics helps understand business, but is not assist market participants accomplish their goals by making daily buying and selling decisions.

Financial traders can use any market in the world; but must know the different rules that govern each market. There are rules for trading hours, for after-market trading, and for market characteristics. There are Order Book venues, which you may recognize if you have traded stocks. There are Auction venues in which everyone who is “in the money” gets the same price. There are Quote-driven venues in which individuals negotiate directly. Each of these rewards different trading strategies.

There are standard ways to interact in financial markets, ways to buy and sell, ways to negotiate directly, ways to express how each market works. The FIX Trading Community (FIX) Protocol Association is the premier developer of communication and business practice standards across financial exchange. The adoption of FIX standards and specifications drives greater transparency of financial markets around the world.

The committee working on CTS has been meeting with representatives of FIX for more than a year. The economists who drove Energy Interoperation posited the smart toaster, a shorthand for the least sophisticated device able to autonomously participate in a TE market. No one is going to program the smart toaster; it must be able to find local markets, discover the trading rules of each, and begin buying. More sophisticated systems can understand venue mechanisms develop strategies that support their more sophisticated strategies. For example, a battery both buys and sells over time. The battery owner can configure policies to support purposes not shared with the market. FIX has taught the committee how to define market descriptions and rules that enable a machine to self-configure for trading in the local markets.

CTS does not design or specify any TE market. FIX has helped CTS to describe any market in time. CTS will support both the toaster and the battery in understanding how each market works, that is, it will support the individual energy trader’s participation in any market based on time.

Read More
Toby Considine Toby Considine

Chatelaine Security for Smart Buildings and Cities.

 There is a growing recognition that traditional models of cybersecurity are inadequate to secure complex systems, and to detect security flaws in systems of systems. (Many definitions essentially declare complex systems and systems of systems to be equivalent terms.) Full-stack systems are too fragile and ponderous to readily address smart cities, or even smart buildings. The spatial web anticipates unbounded numbers of systems interacting, each with its own technology, and purpose, and even perhaps frame of spatial reference.

 I read this week of applying behavioral economics to cybersecurity and calling the result (and the new book) “Security Chaos Engineering”. It seems aligned with models for security in actor-based systems, which seem to me the only way to develop the IoT at true scale.

 Actors do not know what other actors do in a system. Actors receive messages from other actors in potentially massive concurrent computation systems. In response to a message it receives, an actor can: make local decisions, create more actors, send more messages, and determine how to respond to the next message received. Actors can only affect each other indirectly through messaging, and cannot know the state of other actors.

 You may recognize this as the fundamental model of cloud-native computing, whether the cloud is in a far away data center, or in many such data centers, or in an on-premises cloud, or in some hybrid of the above. Some name this approach microservices. What makes it work is well defined invariant interfaces, that is, fully defined messages between systems. Any system, then, no matter how large or complex can participate AS IF an actor so long as it limits a specific interaction to these commonly-defined messages.

 Transactive energy is essentially a means to replace an integrated control system with a system of systems, with each economic actor clearly a separate system.

 This last week found me discussing the implications of these approaches for cybersecurity standards. Traditional cybersecurity doctrine, including for cyberphysical systems, assume to much homogeneity of systems, in internal design and in purpose, and thus make assumptions of cybersecurity agent omniscience that is unachievable. In complex systems, it is far easier to influence the system your system relies on than to ever touch your system. Even within a single system, a man-in-the-middle exploit on sensors can more easily be replaced with some chewing gum on the sensor, or with a light tap of a mallet on the sensor, or even remote infrasonic attacks on a sensor array.

 What one can do is monitor the patterns of interactions (messages) between distributed actors, likely with ML (machine learning), and notice that one of the systems is acting less and less as expected. This can work even in a zero-trust environment, in which all the actual messages are encrypted. One still cannot know automatically whether the changes of behavior are due to enemy action, or merely change in programmed motivation.

 Maggie had the misfortune of being on a four-and-a-half-hour drive with me last week, and so endured a long description of this approach and of the week’s conversations. She promptly declared this to be a chatelaine model. Hmmm.

 A chatelaine is the mistress of a large estate (chateau) who may not know everything that is going on, but has all the keys, and notices patterns. There is no butter in the in the bin – is the milk-maid on vacation—did she get married—was she fired—did the cow run dry—do we need a new cow? The chatelaine can notify the owner, and she can invent a plan of action and investigation. I liked it. It is a much more approachable, easier to understand, term than “chaos security engineering”.

 I want a chatelaine in the message fabric.

Read More
Toby Considine Toby Considine

Cyberphysical Security using Digital Twin Actors.

There are several popular definitions for digital twins. Mine is that a digital twin is a low-resolution model of a remote system, usually of a single aspect or dimension of that system. This model relies on an abstraction as the basis for understanding what the remote system is doing, and for predicting what it might do. Because the twin is abstract, it requires neither the computing power of the original nor does it require the user of the twin to understand systems that he does not. A twin is simpler if the twinned system is simpler.

There are several popular definitions for digital twins. Mine is that a digital twin is a low-resolution model of a remote system, usually of a single aspect or dimension of that system. This model relies on an abstraction as the basis for understanding what the remote system is doing, and for predicting what it might do. Because the twin is abstract, it requires neither the computing power of the original nor does it require the user of the twin to understand systems that he does not. A twin is simpler if the twinned system is simpler.

The industries that manage energy and control buildings remain enmired in the model of monolithic big programs. Some innovators have embraced the actor model, small programs that interact with each other through formal messages. An actor should encapsulate technical volatility, that is, keep the other actors unaware of changes in technology or controls. This model is ideal for edge-based computing, which should ideally follow cloud-native principles.

As actors are decomposed into a single source of volatility, say a physical process, or a single interaction, the actors get smaller and more numerous. As the actors get smaller, it is easier to twin them. When actors and their twins are small enough, they simplify predicting failures and improving cybersecurity.

I have written before that software architectures for complex physical systems should move toward a cloud-native architecture. Cloud-native does not mean hosted in a far-off big-tech cloud; but rather that systems should be written AS IF they are hosted in such clouds. (See the Cloud Native Computing Foundation (https://www.cncf.io/) for a fuller discussion). The CNCF is a top-level project of the Linux Foundation. Cloud-native actors encapsulate volatility (things that change) and communicate with each other through messages sent to well-defined interfaces.

Connections, as defined in the CNS/CP specification, define an open registry of interface definitions. Each Connection Profile describes the interface of a supplier and for a consumer. Systems that operate complementary interfaces can communicate.

When you twin a simple actor, you decide which behaviors are important. Even complex systems can be factored to expose one or more simple Connection Profiles. One Connection Profile may be for energy use, another for vibration analysis. As a twin listens to the connection, it learns patterns of behavior. Eventually, those patterns will become predictable, the basis for a model, and then a model-actor. This should be part of commissioning.

Once you have a model actor, you have a tool for theory-free management of IoT and you have a model for cyber-physical security.

Many approaches to integrating things into systems of systems bring compounding complexity into those systems. In a complex system of systems, it is unlikely that the developer has the expertise in each system as does the original developer of each system. In the unlikely circumstance that the developer possesses such detailed knowledge of each system, nobody but the original integrator will be able to maintain the system of systems. The system of systems will not last, will not support growth to include additional systems, and will lose value over time.

A model actor is built not by replicating the a 4D model of an entire complex system, but instead by specifying the outwardly observable behaviors of a complex system. If I send the system and its model actor a message, they should each in turn respond by sending similar messages to other systems. This can enable the integration of systems of systems using the model actors as components, free from the risks of manipulating a system that operates a physical process—risks that may be dangerous or expensive.

Cybersecurity for physical systems is potentially much more complicated than cybersecurity for pure software systems. A may hack a system by feeding it poor or incorrect sensor data or physically damaging a component that will cause the system to misbehave. If that system is part of a system of systems, a single physical system may then misinform other systems, causing them to fail in ways that appear identical to proper operation. A physical system operated outside its proper bounds may harm that system in undefined ways

A model actor enables a system of systems to detect when a whole system is behaving badly. If a model-actor has a history of predicting the responses of the modeled system, then that is evidence of damage or harm or degradation of the modeled system. In effect, the model-actor becomes part of continuous unit testing of a complex system. Systems connected by CNS/CP do not require that integrators have a deep understanding of the remote system; instead, they define the limited interactions two such systems will have. If a system is an actor that can communicate as described by a connection profile, then the model-actor can learn to interact in the same way.

A continuing problem of complex systems of systems is that they often respond in unanticipated and undesirable ways. Energy storage systems frequently discharge completely long before the moment a smart grid needs it most. Environmental controls may respond to new energy-saving policies at a pace that reduces the utility of the space managed. If we name the internal processes of such systems as controls, we can name the abstract management of these systems as policies. The bad outcomes named in this paragraph are examples of policy failures in systems of systems.

If I can run each new policy through the model actors before I use it in my actual integration, then I can try out each policy in advance, watching the simulation of the model-actor responding to live behavior with the other systems under the new policies. By keeping the interactions and behaviors local, one can run and test policy changes in systems of systems without losing privacy or security, or resilience by bringing all interoperations up into the cloud.

Standard connections for integrating systems of systems will be demonstrated at this year’s AHR show. These will naturally focus on using connection profiles where they can demonstrate quick benefits for systems of systems. The real value is in cybersecurity: they define limited interactions, they create system groups that can be twinned, and they enable service-based security monitoring.

Read More

Today's Power Markets are Too Big

The span of power markets today is too big. Market participation by net metering applying tariffs across a whole region makes no sense if power from the seller cannot physically get to the would-be buyer. Power markets are intrinsically local. Atop this, one must factor in the line loss transforming up from the local small-scale prosumer

For such local markets, there needs to be some equivalence of market participant scale…

The span of power markets today is too big. Market participation by net metering applying tariffs across a whole region makes no sense if power from the seller cannot physically get to the would-be buyer. Power markets are intrinsically local. (This is net of transmission/distribution line capacity and topology, whether or not particular transformers can “run backward”, etc.). Atop this, one must factor in the line loss transforming up from the local small-scale prosumer

For such local markets, there needs to be some equivalence of market participant scale. A large factory does not order wholesale supplies from the corner store in any non-power market. A bidder who works at an order of magnitude larger scale than anyone else deforms the local market. A local market may reach aggregate scale large enough to participate with bigger players.

Once one breaks the market down into the local smaller markets, storage can easily participate, either as part of portfolio management within a prosumer, or independently as a merchant battery within the local market. Local markets open the way to replace central battery control with autonomous power storage systems.

Different storage systems have different participation characteristics; fast or slow charge, fast or slow discharge, switching from charge to discharge, etc. Running a specific storage technology into the wrong participation scenario can degrade the system, or even result in “rapid unplanned energy discharge” (fire and explosions). We need the room to experiment with different strategies for market participation for different storage technologies, or even hybrid storage systems wherein several technologies are working together as a single participant. This experimentation will not happen in a centrally owned, operated, and regulated environment.

Large central markets may try to emulate this by targeting specific prices at specific devices or groups of devices. This attempt at direct control by proxy across neighborhood and region will not work much better than direct control does.

Read More

New Daedalus

Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.

It is only recently that we have begun to leave the methods of Daedalus behind.

Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.


What would the concerns of a New Daedalus be, in our world, with our tools, and facing our challenges?