Parsimony and Security
I have been thinking about security and parsimony lately. Security is not merely about confidentiality or even identity. It is about predictability and integrity. Challenges to predictability and integrity occur not only malefactors, but from those who develop, test, and maintain systems. Even interoperability is a part of security, introducing new sub-systems, or upgrading old ones, can introduce unanticipated interactions and failures.
I have been thinking about security and parsimony lately. Security is not merely about confidentiality or even identity. It is about predictability and integrity. Challenges to predictability and integrity occur not only malefactors, but from those who develop, test, and maintain systems. Even interoperability is a part of security, introducing new sub-systems, or upgrading old ones, can introduce unanticipated interactions and failures.
Introducing any interface not actually required introduces new attack vectors and increases the complexity of testing. An interface that is only used rarely is only tested rarely. Any non-essential interface is a site that will be delegated to the junior developer; primary interfaces will be tested fully while the non-essential interface becomes a back door.
DOS/Windows is the poster child for security and reliability problems. Upgrade problems and incompatibilities were legend. Many of these arose when little used and long deprecated interfaces were eliminated or changed. Some interfaces existed only to support development and testing, and were never even documented. As thousands of developers competed for advantage, these interfaces got used. In an ecosystem of systems with far more variety, we will be better served to never introduce these obscure interfaces.
The other challenge presented by DOS/Windows was the sheer number of interfaces. One bit of code might support a dozen interfaces. Code added to fix one problem would get replaced as code to address another security based on an earlier code fork would reintroduced the problem. Complex interfaces require complex maintenance.
An oft-heard and little understood truism is that security must be designed in. This can be interpreted to require planning for encryption and isolation at every interface. This task can be fiendishly complex and require that only the most sophisticated programmers work on each system. As we know that we cannot guarantee such attention, this is poor security design. Complex procedures embrace their own failure. Better security design offers fewer chances for missteps, and better chance for sustained success.
For the smart grid, this means fewer interfaces and simpler testing. The smart grid has defined inflection points, places where responsibility or ownership or business processes change. Such inflection points define business processes with specific requirements for shared identity and authority. These business interfaces define the risks and the costs of failure. They should be few, simple, and well-defined.
We may anticipate site-based generation is either PV or Wind. We could, in theory, include wind speed as a required part of the wind source interface for the grid. A house in a tidal swamp may have some sort of novel generation strategy that appears, in most respects, identical to energy generated by the morning and evening winds that characterize the weather between the California coast and desert. By excluding wind speed, in this example, the same interface would serve for the wind generation and the tidal swamp generation. Simpler, sparser interfaces are what enable diversity and innovation. Coming back to security, the unused wind speed interface in the Tidal generator, if mandatory, is the one that will be untested and eventually a security hole.
Anything we put on the smart grid will be there for some time. It will be upgraded numerous times and coexist with other version levels. The interfaces should be few, because they will be there for a long time, and implemented and patched by many programmers.
Cybersecurity for smart buildings and the smart grid
Building systems have until now been secured only for interaction between their parts. Schemes such as shared tokens used on open networks serve the purpose of isolating systems from interaction. They do not address the more intriguing security issues of interaction with non-system actors. These non-system actors may be agents from other systems, business process from other companies, or even direct consumer access.
Today’s shared token security schemes are only thinly deployed...
Building systems have until now been secured only for interaction between their parts. Schemes such as shared tokens used on open networks serve the purpose of isolating systems from interaction. They do not address the more intriguing security issues of interaction with non-system actors. These non-system actors may be agents from other systems, business process from other companies, or even direct consumer access.
Today’s shared token security schemes are only thinly deployed in buildings. They are an improvement on traditional building system security, which is largely non-existent.
What security there is today in control systems is most frequently controlled through some sort of head end system. Identity management for that system is entirely separate from that of the enterprise. This approach demonstrably reduces security. The most significant security breaches of SCADA systems appear to be by former employees, often months after they are no longer employed. The isolated systems that operate the engineered world are not tied directly enough to the business processes of Human Resources. A change in job status should cause instant changes in access rights; in the SCADA systems that control our utilities and our buildings, changes in access could take months.
We lack a commonly agreed upon common framework for defining access levels. At UNC, we defined a hierarchy of access rights that we could apply across many buildings of diverse technology. We defined configurers, system operators, system auditors, tenant operators, tenant auditors, and public. This framework allows us to define generic access and control rights across many buildings with diverse technology. Identity management, that is, recognizing who someone actually is, is always by reference to external enterprise systems. A security framework enablers easier adoption of the best practice of distributed authentication, local authorization.
For the smart grid and enterprise responsive buildings to develop together, we need easier adoption of best practices in security. Distributed generation and distributed energy storage introduce new inter-business interactions and new enterprises into the grid. As third party energy management and demand response aggregation merge, more enterprises will interact within the building. These are opportunities best met using federated identity management.
The smart grid and smart buildings will need to understand delegation. Delegation maintains control of information and services when they are provided by others interacting with third parties. To understand delegation, consider what you would want for secure management of on-line interactions with the IRS. You would like to keep all such communications private, and to prevent anyone from making decisions on your behalf. You would want to be able delegate this access to an identified professional such as your accountant. This assignment of rights might be for a limited term or it might be indefinite. You would want to be able to revoke that assignment at any time. You may grant your accountant the right to delegate once; he may need to delegate this access to his clerk, again able to revoke this delegation at any time. The delegation may be complete or partial, it may include all your business, or just managing your payroll. This model of delegation while managing control is well understood by enterprise architects.
Delegation, especially when combined with federated identity management, will be core to distributed operation of the open interoperable systems of the smart grid and smart buildings. Delegation will authorize your home or office energy management service (EMS) to share direct operation with your utility, your contracted demand aggregator, or with a maintenance analytics provider. Revocable delegation will authorize your utility to share your meter data with Google Energy or with others simply and quickly.
There are of course many other enterprise security concepts and approaches that we will need in enterprise buildings and the smart grid. Preparing for these three will introduce many more.
Collaborative Energy—the Smart Grid and the End Node
A significant goal of the smart grid is to encourage rapid innovation in the end nodes, that is in the commercial buildings, homes, and industrial sites that consume most of the electricity produced. Today’s North American power grid is probably the supreme engineering feat of the twentieth century; it has made possible the greatest life style ever lived. Its reliability, though, is insufficient for the digital world. Every system margin has been pushed too thin. The introduction of any significant portion of intermittent source energy, such as wind and solar, will make things much worse.
It is time to engage the end nodes in supporting system reliability. Today’s buildings have higher requirements for reliability and quality than the grid was ever designed for. Site-based generation and site based storage are part of the solution, but they could make the system even less reliable. It is time to begin the move to collaborative energy...
A significant goal of the smart grid is to encourage rapid innovation in the end nodes, that is in the commercial buildings, homes, and industrial sites that consume most of the electricity produced. Today’s North American power grid is probably the supreme engineering feat of the twentieth century; it has made possible the greatest life style ever lived. Its reliability, though, is insufficient for the digital world. Every system margin has been pushed too thin. The introduction of any significant portion of intermittent source energy, such as wind and solar, will make things much worse.
It is time to engage the end nodes in supporting system reliability. Today’s buildings have higher requirements for reliability and quality than the grid was ever designed for. Site-based generation and site based storage are part of the solution, but they could make the system even less reliable. It is time to begin the move to collaborative energy.
The Smart Grid Interim Roadmap highlights the Energy Management Service (EMS) as the sole service in the end node (Industry, Commercial Building, and Home) that communicates with the grid for purposes of load shaping and load curtailment. Over time, the load shaping signal will become primarily economic. Load curtailment, the mandatory response to critical issues on the grid, may not ever be adequately handled by economic signals. Load shaping and load curtailment comprise the function referred to by the utilities as Demand Response. The external signals to the EMS are being defined in the OASIS Energy Interoperability TC, building upon the work of OpenADR.
The EMS marshals the energy response from the building. This may range from the simple "shut off, turn on" to a nuanced response to enterprise and occupant driven priorities. While those priorities and their management are left, as they should be, to the market, we need stadata models to free the appliance, building system, and consumer electronics manufacturers to innovate. These standards go under the currently imprecise name "energy profiles".
Energy profiles will define the interaction patterns of the smaller systems. How much energy is it using? Can it respond to a price signal? How much can it respond to a price signal? How long will it take to respond? Will it use more before it uses less? The answers to these questions must be aggregated by the EMS and offered up to respond to OpenADR signals. The EMS should be able to access the meter to verify its own operations.
This model should support multiple levels, as several building systems may present one face to the EMS, or several EMS’s in a campus may present one face to the grid. The model does not include detailed operations of the EMS, nor does it define EMS user interfaces. These areas are best left to the creativity of the market.
A key function of the EMS is to support remote operations. Third parties will use the EMS to offer remote energy management services. Today, many utilities see themselves as the sole provider of these services. Increasingly, companies such as Enernoc and Constellation Energy are challenging that assumption. With proper standards, energy managers will flood the market, driving prices down. Those left standing will compete on higher level services.
There is still time to join the OASIS Energy Interoperability Technical Committee—drop me a line and I will tell you how to join.
Intelligent Buildings talk to Smart Energy
Intelligent buildings filled with clever devices and intelligent systems will negotiate with the grid and with their occupants to provide new models for reliable power. The benefits to the grid will come from coordinating supply and demand using economic signals. The benefits to the buildings will be increased value by providing higher levels of amenities to their tenants and inhabitants for lower cost. The benefits to the tenants and occupants will be better services at the same or lower costs and more autonomy as they separate from grid dependency. The benefit to the clever devices will be longer life and more reliable operations from eliminating the power shocks that assail them now.
As I write this, the Interim Roadmap for the Smart Grid has not been published. THis is a personal, un-endorsed view of how this area will develop.
Intelligent buildings filled with clever devices and intelligent systems will negotiate with the grid and with their occupants to provide new models for reliable power. The benefits to the grid will come from coordinating supply and demand using economic signals. The benefits to the buildings will be increased value by providing higher levels of amenities to their tenants and inhabitants for lower cost. The benefits to the tenants and occupants will be better services at the same or lower costs and more autonomy as they separate from grid dependency. The benefit to the clever devices will be longer life and more reliable operations from eliminating the power shocks that assail them now.
The benefits to building owners will be economic models that offer incentives to pay for improved equipment. The benefit to building integrators will be national markets based on common signals from the grid, allowing them to provide more services to those owners for less. The benefit to ventures and technology development will be the entry of all those building owners into the markets for generation and storage; those owners will offer a shorter sales cycle and more openness to innovation than ever will the utilities.
This requires a small simple model for interactions. To create this model, we must think clearly about the business process of each of these participants. Today, we have the virtual company in every niche of our economy. UPS and FedEx offer logistics services that are part of the internal processes of thousands of companies. Tomorrow we will have virtual energy services companies as well, assembled from the services offered by a community more numerous and diverse than today.
Each building will communicate with the grid by two services: the metering service and the energy management services (EMS).
The metering service (which does not necessarily mean the meter) will provide live and interval measurement of energy flows into and out of the building. This service will be symmetrical, meaning both the supplier and the consumer will be able to see the same information at the same time. The meter service will also be the end point of the energy distribution control system, providing telemetry to enhance customer service and downtime recognition.
The EMS will be the focus of business interactions. On the outside, the EMS it will manage the business negotiations for each building. On the outside of the building, the EMS will be the locus of energy market operations. Buying, selling, and price decisions will flow to and from the outside of the EMS.
On the inside of the EMS, developers and integrators will build applications to manage moment by moment energy use. The energy management applications will respond to the needs of the Industry, Office, or Home. The EMS will inform them of market negotiations on the outside. They will catalogue the devices and systems inside the building. They will marshal potential responses the smart grid market signals. They will share these responses with the EMS agent to inform its negotiations in energy markets.
A key service offered by the EMS will be to relay energy management services to external parties. Many businesses and homes will want to out-source their energy management; the EMS will support this. Some utilities will want to offer this outsource energy management to their customers. Some utilities will mandate, as they do today, that they accepting their energy management services is a condition of participating in certain programs.
I have written before on this blog, when discussing plug-in electric vehicles (PEVs), that eliminating regulatory barriers to retail re-sale of energy will help achieve some benefits of the smart grid. At the EMS, this means that sometimes there will be additional EMS systems below the EMS that talks to the smart grid. The educational campus, office park, and military base may have many buildings, each with their own EMS. Even office buildings may have an EMS in front of each tenant. Between the EMS at the edge of the grid, and each EMS below, there can be a whole new energy market.
Distributed generation and distributed storage are important aspects of the smart grid. The EMS must be able to marshal and generation and storage the building side to respond to market signals from the grid. If these resources are inside a building, then there can be a micro-market inside that building. On the base or campus microgrid, these resources may be directly attached, external to the buildings. In either case, the messages and market operations on the client side of the EMS should be the same as those on the outside.
The smart grid roadmap cites loose coupling, layered architectures, composition, and symmetry as critical design values. The EMS as defined above uses loose coupling and avoids direct control. Symmetry enables us to define the same services on either side of the EMS, and for the meters to report net use and net supply identically. Layering lets the conversation above proceed without ever mentioning data paths or transport protocols; it works the same whether the EMS is separately attached to the internet, or bound to the meter and communicating over utility infrastructure. Composition lets price and supply and value flow through multiple domains.
Smart Building professionals should watch the development of the EMS, and consider what new value we can deliver once we define the interfaces. If you want to participate in developing the interface, write me about the Technical Committees defining Energy Interoperability and Energy Market Information Exchange.
New Daedalus
Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.
It is only recently that we have begun to leave the methods of Daedalus behind.
Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.