Cybersecurity of Power—Resources

As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource.

As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource. A later article will discuss cybersecurity of the vector.

Distributed cybersecurity is a model that distributes responsibility across autonomous nodes or systems. These nodes may send or receive cybersecurity directives. They may request or share situation awareness. Each node is responsible for securing itself and reporting when it is under attack.

The developing OASIS OpenC2 (Open Command & Control) specification defines cybersecurity as a service. The sender of a command requests what it wants accomplished without using step-by-step instructions. If the receiver accepts the command it must determine and execute its own procedure to fulfill that request.

As a resource, a power system must defend certain characteristics. These characteristics include frequency, voltage, and the shape of the waveform itself. Cyberattacks on the power resource can interfere with proper system operation or they can escalate into direct cyberphysical effects. The well-known Aurora demonstration by DHS used repeated subtle waveform manipulation, to cause a large dynamo to rip itself out of its concrete moorings. Any cyberprocess that is able to manipulate the fundamental power signal can be an effective attack on the Internet of Things.

When a distributed cybersecurity language such as OpenC2 shares information about an attack through the power vector, it may act as a warning, or it may describe what the requestor wants reported back. Because Power is likely shared between many nodes on the same circuit, anything that has a strong effect on one node, perhaps low-value and poorly defended, can be a means to attack other nodes on the same circuit. I know of substations in the Midwest, supplying a limited number of industrial customers, wherein the operating margin is so small that activity in one factory can cause and has caused significant damage to equipment in another factory. Situation awareness coming back from one node may be useful to gain a broader understanding of attacks on other nodes.

Attacks on power through a nearby un-protected node can cause damage to all nodes on the same circuit. A large user can cause changes to voltage, to power factor, or to other power attributes even without the subtle wave harmonics demonstrated in Aurora. They may even cause delayed effects, as a sustained reduction in power factor may prevent power storage systems from re-charging properly over several days. As tomorrow’s grid incorporates a growing number of renewables, this offers a growing vulnerability.

Because they are working sharing a resource, a cyber-response may help defend nearby nodes. If a node is able to actively manage frequency or power factor, it may defend nearby resources.

I will write soon on Power Distribution as a Cybersecurity Vector.

Read More

ESIF and Security at the Edge of Smart Grids

I attended the NREL ESIF Cybersecurity Workshop last month. ESIF names the Energy Systems Integration Facility. The workshop demonstrated both what should be done to secure future energy systems, and how difficult, labor intensive, and non-scalable this is using standard practice.

The first morning showed off the ESIF’s model of how to secure the un-securable.

I attended the NREL ESIF Cybersecurity Workshop last month. ESIF names the Energy Systems Integration Facility. The workshop demonstrated both what should be done to secure future energy systems, and how difficult, labor intensive, and non-scalable this is using standard practice.

The first morning showed off the ESIF’s model of how to secure the un-securable. Using a rat’s nest of proprietary products, all communications to and from every sensor were firewalled and only specific interactions enabled. No messages were encrypted so every message could be inspected for appropriateness. The security infrastructure was itself secured and logged.

The rest of the conference aimed at specific interoperable approaches to accomplish the goals of securing Operational Technology or OT.

Part of the problem with securing OT is a fundamentally outmoded approach to operation. At a time when computing was expensive, phone lines cheap, and data logging infrequent, a model developed of putting every sensor and every actuator directly connected to a single computer. This model has long been named SCADA (Supervisory Control and Data Acquisition).

Two things happened to break the SCADA model. Phone companies moved out of the business of providing actual wires to connect sites, and moved toward shared networks. SCADA systems have never been fully secure in shared networks. Systems became more complex, and required faster response. In power distribution, this is due to a combination smaller operating margins (excess power available at every moment), more systems to control, including smart meters, and the arrival of distributed energy resources (DER).

As we move further into DER, we will see more diversity in ownership and in technology.

An owner of an expensive power production or storage system in a microgrid will want to operate it for their own benefit. As sophisticated owners add their own local monitoring and control software, they will begin to see how often remote operators mis-operate the locally-owned equipment, increasing maintenance requirements while shortening its life.

Distributed ownership and operation will also move toward diverse technology. A local owner will make his own investment decisions, and a remote operator such as a distribution utility may not know how to operate it. From the earliest efforts by utilities to tell owners operate buildings, following the energy price shocks of 1973, we have seen smart people forget that the primary purpose of a building system is not to provide managed load. (Consider the role of energy “efficiency” recommendations that did not consider health implications of short cycling HVAC in a Philadelphia Hotel in 1976).

The future of smart grids is on the edge, in autonomous systems that are built around a deep understanding of each buildings role and services. Edge based-operation offers both challenges and benefits to security. Incorporating systems with different ownership, and operated for different purposes makes security more complex. For now, regulatory mandates require that utilities still maintain detailed situation awareness into edge-based microgrids. Abstract interactions, including those based on the common transactive services, simplify security while reducing the attack surface. We will be rebalancing this border continually over the next decade.

The solution is abstract interactions between autonomous systems that can be locally operated and maintained. In power markets, this means that systems can negotiate whether to provide power or not, or to purchase power or not, while the inner workings of each system remain private. The interaction between the grid and a wind farm that occasionally sells power to the grid and a district associate that never buys power but occasionally sells it should be identical. Large system integration relies on integration using abstract communications, that is, the exchange of information that does not change often. Fragile or concrete information, such as the specific internal operations that are directly affected by changes in technology or equipment, are kept internal to the systems. This approach to integration is characterized as an “anti-fragile pattern”.

Until we reduce the attack surface, how will we increase security while increasing interaction? The ESIF security model requires too much hand-work, and does not support multiple ownership.

The Security Fabric Alliance has spent four years defining a more forward looking approach within the Object Management Group (OMG). OMG specifications are cookbooks for interoperable implementations of complex combinations of specifications by multiple vendors. The OMG Security Fabric, due out in February in 2018, incorporates best practices in military telemetry with directory-enabled security. Any communications must mutually authenticate before exchanging information. Despite this requirement, the Security Fabric has already been demonstrated in synchrophasor telemetry, a high volume, high frequency application. I look to the Fabric appearing in microgrids at the edge soon after its initial release.

Other efforts incorporate technologies to reduce wide area communications requirements and the effort to require detailed point-to-point security. Blockchain-style distributed immutable databases will replaces some requirements for remote data harvesting, and perhaps move into directory services to support security and policy. Edge-based Artificial Intelligence (AI) will reduce the manual set-up required for point-to-point and message-content based rules. I hope to write about these approaches later.

Read More

Architectural Principals of Transactive Energy

Transactive energy describes a pattern of integration where parties exchange the value or a commodity resource [power] over time and make forward commitments to sell or purchase that commodity. The Common Transactive Services (CTS) can be used in central auction-type systems, where a single entity announces or broadcasts prices or in markets were two or more parties come to a mutual agreement on price and delivery.

All forward transactions are committed, that is one party commits...

This post is part of the continuing Paths to Transactive Energy series. You can find them all listed by clicking on the matching metatag at the bottom of each post.

Transactive energy describes a pattern of integration where parties exchange the value or a commodity resource [power] over time and make forward commitments to sell or purchase that commodity. The Common Transactive Services (CTS) can be used in central auction-type systems, where a single entity announces or broadcasts prices or in markets were two or more parties come to a mutual agreement on price and delivery.

All forward transactions are committed, that is one party commits to delivering the service or commodity, one commits to buying it. If a provider wishes not to deliver, or if a purchaser wishes not to take delivery, they can participate in a separate negotiation, with a separate price, that can be netted against the original committed transaction. Such a buy-back resembles today’s Demand Response.

If one purchaser wishes to acquire more power at the last minute, and one wishes to acquire less, they can negotiate an exchange on the spot market. Different market structures and market rules will change the format, but not the substance of this transaction.

The CTS are essentially identical for any commodity resource or service. CTS works for transmission rights and ancillary services, as well as for other resource markets such as transactive water or transactive thermal markets. In each case, the product is delivery of the commodity at the designated time at the designated rate.

The CTS can work in many market structures. CTS can be used with a single (for the microgrid / micromarket) brokered trading floor or with peer-to-peer transactions. Compound transactions can link multiple simple transactions, such as paired transmission and delivery. Different circumstances will work best with different market structures, but in all cases, the communications can use the CTS.

  1. Each party represents a node that acts in its own interests to support its own purposes.
  2. The internal mechanisms and systems of a node are not communicated as part of the CTS.
  3. The system of systems that make up a node may choose to organize some or part of their internal operations using transactive energy / transactive agents.
  4. Actors inside a node interact with the internal market, not the external; there is no direct market interaction with things / markets / prices external to the node.
  5. The purpose of an transactive node is to support the purposes of its owners and occupants, and not to support the things outside the node.
  6. Economic signals or availability from outside the node might influence the market, if any, inside the node, but only as the market interface on the node relays that information. This may include markups, smoothing, discounts or any other means or mechanism that the owner of the node chooses to use (or that the maker of the system that operates the node chooses to use so that the owner of the node box will choose that system).
  7. Parties external to the node should not use the possible existence of an economic entity inside the box as an excuse to penetrate the veil of the black box.

     

Read More

Eight Agents for Energy

The Energy Mashup Lab (The Lab) is developing open source software for agents that will enable systems that use, produce, or store energy to self-assemble into microgrids. These microgrids can be standalone or grid-attached. If grid-attached, they present a single market or OpenADR interface to the grid, and that interface reveals only the net market position of the microgrid.

The microgrid is operated by a micromarket, trading in availability over time. The Lab uses ...

The Energy Mashup Lab (The Lab) is developing open source software for agents that will enable systems that use, produce, or store energy to self-assemble into microgrids. These microgrids can be standalone or grid-attached. If grid-attached, they present a single market or OpenADR interface to the grid, and that interface reveals only the net market position of the microgrid.

The microgrid is operated by a micromarket, trading in availability over time. The Lab uses open standards to transact between agents. Each system or group of systems being represented by an autonomous merchant agent that buys or sells Power for those systems. The software for this agent is Open Source and can be freely downloaded for use in products.

While there is a simplicity in a single Agent, we think there are benefits to creating more than one type of agent. While a single agent running a single set of code could encompass all behaviors could be created, agents that are optimized for specific types of market behavior can be smaller and more secure. Naming similar market behaviors across systems makes it easier for the integrator to understand how introducing an additional system will affect an existing micromarket/microgrid. We name these the Agent Personalities.

The descriptions below refer to electric power for clarity and brevity. The agent behaviors apply to any resource micromarket.

The Simple Agent Personalities

Each Agent Personality denotes a common set of market behaviors.

Homeostasis Agent

A homeostasis agent represents a system that consumes power episodically to support it’s a purpose external to the resource market. A homeostatic agent schedules power purchases to support providing a service external to the grid.

Two examples of systems that would use a Homeostatic Agent are an air conditioning system and a refrigerator. Each of them buys power to support processes that support a service external to the grid. Neither wants to run unless it is able to buy the entire power curve it needs for its next cycle. Each could advance or delay its purchases to some, or even skip a cycle, without harming the service it provides.

Preconsumption Agent

A pre-consumption agent is similar to the homeostatic agent, but it provides an asynchronous server and therefore has a bias to buying only when the price is low. The system is able to increase consumption in the short term to enhance its ability to provide service at a future time. If the refrigerator is a homeostatic agent, the ice-maker may be a pre-consumption agent. There may be overrides to the behavior, i.e., fill up before the party, or high priority when less than a quarter full.

Base Consumer

Base Consumer uses power continuously when the system it represents is providing a service. An example is a light which is either lit and consuming power, or is unlit and not consuming power. An agent representing one or many lightbulbs on a circuit changes in scale only. A base consumer is almost always a high-priority purchaser in the market.

Tiered Consumer

A Tiered Consumer differs from a Base Consumer in that it may be able to reduce power consumption by providing a lower level of services. An example is a dimmable light. More power might provide a better service, or a different service. Using for example the dimmable light again, a low level of light might support movement, a high level of light support reading, and a higher level of light support personal grooming.

Base Supplier

A Base Supplier supplies power continuously. A Base Supplier might include any controllable generator with a long cycle time. Long cycle time is situationally defined.

Market-Driven Supplier

A Market Driven Supplier supplies power intermittently, based on interactions within the microgrid.

Intermittent Supplier

An Intermittent Market Supplier supplies power intermittently, based upon inputs external to the microgrid. An example is a photovoltaic system, which generates power when the sun shines.

Storage Agent

A Storage Agent is able to consume resources later supply the same resource. It stores power. This is similar to a system able to pre-consume, but it is able to bring some portion of its pre-consumption back to the market at a later time.

The Platform Agents

Any of the Agents Personalities named above can in principal interact with any other agent through bilateral transactions. Some markets might be set up with all tenders going to a single entity who manages all transactions.

Broker

The Broker acts as an agent by executing public orders. It may operate a double auction. The Broker does not itself have a position in any trade. (Transactions to power the broker are an exception). In the home, a home router may act as a broker.

Market Maker

A Market Maker acts as a Broker by executing public orders left. It Market Maker further maintains an orderly resource market with a responsibility to buy for its own account in the absence of public buy orders, and sell from its own account in the absence of public sell orders. The market Maker personality may be associated with Storage or with external market sales and purchases. External market sales and purchases are not part of the internal maker that operates the microgrid.

How to use the Agents

Each of the simple agent personalities could characterize a single node or a collection of nodes. Microgrids can be characterized just as nodes are characterized. This point is fundamental to considering interactions within aggregations of microgrids, as to considering the dis-aggregation if a node into smaller component systems.

A system or device developer will be able to select the personality that he desires to represent his technology, and download it.

A set of agents sufficient to support systems with each of these characteristics is able to support all systems potentially within a microgrid. Such a set does not rule out potential hybrid systems, in which two or more of these characteristics coexist within a single system—such a system is a natural outcome of a microgrid at one level being a node at a higher level.

Read More

New Daedalus

Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.

It is only recently that we have begun to leave the methods of Daedalus behind.

Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.


What would the concerns of a New Daedalus be, in our world, with our tools, and facing our challenges?