SCADA Security, Building Systems, and First Response
The security of the "internet of Things" and the security of the wider internet are about to collide. The Systems that have been hidden or off line will be on-line. Embedded systems, building systems, power supply and distribution must all change their security model. Eggshell security, the hard shell on the outside and no internal security, will be torn apart not only by the Smart Grid, and all its participants and influencers, but by new models for energy interaction as microgrids, pocket generation, and on-site storage increase the number of participants.
It is hard enough to define security for systems that are always on, always connected, always in a web of trust. Federated Identity Management is difficult, but relatively well understood. Outsourcing of system operation, cannot outsource the location of these systems; cloud computing is still grounded in the physical locations of the systems in the building, and as part of the grid . Crises in power and building systems are often interrelated, and failure of one may cut off access to the federation of security providers.
In a system of systems, in which the systems are expected to respond best when the challenges are greatest and the actors are least known. The ventilation system for space holding hazardous materials must communicate its import and explain its mission precisely when the unknown fire fighter logs in and connections to other systems are lost. The microgrid generating enough power for net outflow must accept commands from a stranger precisely when and because the ice storm has ended outside network connectivity.
Take a theoretical mixed use neighborhood and its substation, filled with zero-net energy buildings (internal storage, generation, conversion of energy), its microgrid generation on the parking deck, its demand/response ready buildings, and its electric cars. Consider the linesman, properly, as yet another class of first responder. Is the power line up or down. Is the downstream connection hot or not? If my office is powering my house, who has the authority to interrupt the flow, and what is the liability for damage upstream? What does the firemen know about whether the self generating, power-storing building is on the grid or not?
We will need new architectures for building system security, ones that share information freely with emergency responders, but know which information is pertinent the enough SCADA, ones performant enough for power, but with federated security at each junction. We will need new definitions for security, ones that understand external identities and roles, but that also understand how to interact when the same event that compromised power integrity has cut off access to external identity and role providers.
We will need now architectures for SCADA, ones performant enough for power, but with federated security at each junction. We will need new definitions for security, ones that understand external identities and roles, but that also understand how to interact when the same event that compromised power integrity has cut off access to external identity and role providers.
We need ways to express the variety of security decisions that these interactions will require, ways that degrade gracefully with communications, and ways that can be pre-cached for almost-as-good decisions.
These security must be able to interact with local business systems. For the first responder, they must provide access to the right information and to the right control systems. They must have access to the local business agreements for the provision of power, and for the liabilities for non-performance. They must be able to distinguish between what is show by necessity, what can be shown for curiosity, and what will be shared only with a warrant.
Security is fundamentally a problem of situation awareness. The situation involve multiple systems and multiple contexts. It requires federated identity management across the multiple organizational participants that will fail gracefully to temporary local "good enough" security. It requires business policy aware forward-caching of decision making frameworks on a building by building basis.
Buildings, Emergency Response, and Situation Awareness
This week twenty of us met at NIST to discuss situation awareness during emergencies. The centerpiece of the conversation was the NG911 system, or Next Generation 911. NG911 supports better interaction between call centers, and uses policy-based security to let other local call centers, or even centers in other regions take calls as circumstances and policy require. Private call centers, run by alarm services, can be full peers if local policy allows. Even buildings, and building systems, might act as 911 operators. The conveners asked me to lead an effort to develop a security model for these systems.
Interoperability at this level requires standardization of security, of policy management, and even of building semantics. 911 centers will...
This week twenty of us met at NIST to discuss situation awareness during emergencies. The centerpiece of the conversation was the NG911 system, or Next Generation 911. NG911 supports better interaction between call centers, and uses policy-based security to let other local call centers, or even centers in other regions take calls as circumstances and policy require. Private call centers, run by alarm services, can be full peers if local policy allows. Even buildings, and building systems, might act as 911 operators. The conveners asked me to lead an effort to develop a security model for these systems.
Interoperability at this level requires standardization of security, of policy management, and even of building semantics. 911 centers will accept even the most basic calls, the narrative that includes the confused description of flames from a building from the confused homeless person without a proper address. Such calls require further guess work and human attention before they can be dispatched. Without standards, other calls are no better once they hit the system.
During a major disaster, the local 911 center may be swamped, or even destroyed. The communication lines to the 911 center may be cut off. When NG911 is deployed, calls to 911 can be automatically re-routed to nearby call centers, which will be able to dispatch calls to first responders just as does the local center. If the operator captures all information accurately, and the local policy permits, the NG911 can dispatch the call irrespective of the originating operator's location. Key elements include the type of emergency, the full address of the emergency, and the geo-location of the emergency.
Private alarm monitoring companies originate many 911 calls. Alarms go off, monitoring systems are checked, owners and tenants are contacted, and, if appropriate, 911 is called. If local policy allows it, this call can go directly from the Private alarm monitoring company's dispatch system into the NG911 network, perhaps even into automatic dispatch; no critical time would be lost in re-entering data. With proper standards, this extra information can be shared through the NG911 system.
Intelligent buildings, in concept, can initiate their own 911 calls. They have the advantage over the indigent of knowing their own address and geo-location. They may know what type of emergency is underway, and where in the building the problem occurred. With standards, they can supply the supporting detail very well; they may have to strain to provide the basic narrative.
911 centers want to be able to call back the initiator, to get more detail. Buildings do not always answer the phone. Call operators could access the building systems directly, but only if the information is made more useful and accessible than we find in the typical building control system. The requirements for creating those semantic standards are similar to those needed for transactive energy management. These standards will rely on descriptive information found in building information models (BIMs) such as NBIMS and buildingSmart.
We want standards for whoever comes to the site wants the same sort of access. This access may be a simple as floor plans or intimate as access to video surveillance. The responder may want to understand what the building systems are telling him and use them to clear smoke from the 4th floor or to shut off additional air. The responder may want to find where hazardous material is stored, or even the last known location of building occupants. Making this information and control simple and easy to access, no matter what brand of system in the building, will require abstraction, standards, and service oriented architectures in the building.
These interactions require careful service definitions, security interactions, and policy. In normal times, the building owner cannot accept passers-by able to see and interact within the building. Access to the video surveillance network for the third floor during an incident does not warrant access on other floors or to archives from the day before.
Good security is always about situation awareness. In an emergency, the situation awareness of the emergency includes awareness of its context within the building, and awareness of the informational context of the building. Awareness of the person accessing these systems will include federated identity management, as it might include the 911 operator, the local police, and even the fire department from the next town over.
I am heading up a group tasked by NIST with defining a security framework for this context in January. We have a good group working on this, but this type of work needs many different perspectives. Drop me a line, or comment here, and let me know what you think.
The New Privacy Advocates
My sample of two (my daughters 13 and nearly 16) have a very different point of view. . . . They are big Facebook and MySpace fans. They say It’s a trade off worth the giving up privacy to keep up with their friends. . . .they are much more aware of it than most kids (or adults for that matter). They don't care. Their only concern is really keeping info from Mom and Dad :).
Last week, I wrote of a new concern with privacy arising and data archiving that young adults now have in “she never wants an electric car”. Regular commenter Michaela notes
My sample of two (my daughters 13 and nearly 16) have a very different point of view. . . . They are big Facebook and MySpace fans. They say It’s a trade off worth the giving up privacy to keep up with their friends. . . .they are much more aware of it than most kids (or adults for that matter). They don't care. Their only concern is really keeping info from Mom and Dad :).
Michaela is certainly aware of the issues, and has explained things to her daughters. This also described my daughters at that age—but things change a lot. Soon they will get burned by more than Mom, and they will have a keen understanding and awareness of privacy.
Living in a college town, one can see this new progression. The freshman come in as digital libertines, sharing their information with everyone. In the next few years, they will hear through the grapevine of friends who missed out on an internship because of Facebook. Scholarship athletes have been tossed off the team because the coach saw the tagged pictures from the big party. Even getting up early to de-tag pictures may not be enough – coach may have reviewed his team even earlier. Some of the best parties are no declared “cell-free zones”, but to little avail.
Last weekend, I read of someone, now nearly 30, whose high school buddies emptied their photo collections onto Facebook. These pictures of long ago parties now show up first for when potential employers search for her. She now begins each week search and de-tagging pictures of her long ago self from the net.
Like the former libertine who turns socially conservative, these formerly promiscuous with personal information become some of the most protective as they gain experience. Unlike the privacy advocates of old, they really understand how long a digital shadow they cast, and become fanatical about protecting their digital image and owning their own digital footprint.
They will not tolerate the so-called privacy of, for example, today’s Automated Metering. In many areas, the utility shares usage data with no one, including with the tenant except in ways that the utility controls. This is claimed to be in support of privacy. The new data-mining savvy consumer will demand direct control of this data themselves, and want to decide how and when it is data mined. They will trust neither the utility or the government to make these decisions for them.
Secondary school is a time of pushing many limits. It is at an age where Mom and Dad know little, about privacy or about dress. At as Mark Twain is said to have observed: “When I was fourteen, my father was so ignorant I could hardly stand to have him around. When I got to be twenty-one, I was astonished at how much he had learned in seven years.”
Some of this generation will be remain digital libertines—but not many. Most will want their own data, will expect to control their own data, and their metadata as well. When in control, they will share it as they please.
Note: It was very tempting to use an extended analogy about tight clothes in middle school and knowledge about exactly where and when to flash a little lace at 30, but I controlled the impulse…
She never wants an Electric Car
My daughter explained to me yesterday why she never wants an electric car. She has been reading about Shai Agassi’s and Idan Ofer’s efforts to build an electric car while building up an electric car infrastructure. She resents the “Gillette” (or Polaroid) model: sell them the handle cheap and sell them blades forever. She does not want to be even more dependent upon the power grid. She also mistrusts giving a single player access to her driving information.
Many of today’s twenty-somethings have deep doubts about our information society and its long-term stability. Cultural messengers from Al Gore to Rap to Ron Paul communicate a society whose wheels are ready to fly off. The local food movement is at least as concerned with relying on fragile connections to far away locations as it is with transport costs and produce freshness.
My daughter likes the idea of being able to pay cash for fuel and leave no records. Her generation has few illusions about privacy and a reflexive understanding of her exposure to data mining. She is refusing to use Chrome because of the ever intensifying record keeping it manifests.
Her generation sees the amorality of large institutions in part through the lens of the collapse of the intellectual property deal. The deal has been that by revealing secrets and participating in trade, individuals would get short term government enforced exclusivity. The deal was that to encourage creative works, the author would get a brief exclusive use of the work. That deal has been broken by patent trolls who never develop products, but merely wait to hold for ransom those who do. That deal was broken when Congress, corrupted by liberal application of corporate money, retroactively extended copyright on old works.
Once the deal was broken, the new one-sided deal has been enforced by data mining for IP addresses and enforced by technically illiterate courts. Even when the data mining is done incorrectly, the courts have allowed the RIAA to assert points of law and points of fact by raw assertion, turning personally identifiable information into vulnerability to a shake-down. And so this generation mistrusts data-miners even when their motto is “Do No Evil”.
Power companies are proposing models of central control and data tracking to manage the smart grid. Smart car models are developed around automatic tracking, for billing purposes. Regulations stipulate that privacy concerns are paramount; those privacy rules are used to prohibit homes and businesses from seeing their own data, their own energy use.
Current practice has taught the college age generation about privacy as well. Privacy is an inviolable contract, one that prevents parents paying the bill from even finding out what classes are being taken, yet privacy concerns are tossed out when corporate interests are involved. This year’s Congress proposes that unless campuses track data to support the RIAA, that all federal funding be denied. No student today believes in the enforcement of privacy laws.
She does likes the idea of fuel stills, so she can be self reliant. She would welcome the self charging electric car, on that would let her go off grid and off the records. She mistrusts a rigid reliance on our infrastructure; while happy to use it, she does not want to have to rely on it.
This is the citizen of the future. This is the middle aged consumer of the 2030 challenge. If we want to define successful new energy markets, we had better keep her in mind.
New Daedalus
Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.
It is only recently that we have begun to leave the methods of Daedalus behind.
Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.