Spam & Smart Grid Operations, Privacy & Civil Rights
Spam has changed how we think about email, and automated monitoring and control needs to change how we think about privacy. If you make something very much easier and cheaper, it is no longer what it once was. Smart phones, smart buildings, and smart grids are now at the center of privacy law. Privacy is the ground upon which the battle for the preservation of the 4th amendment will be won or lost.
A serious of court decisions, each looking more to a desired end than to the constitution, are using technology to redefine what “reasonable” means in the 4th amendment to the US Constitution. If we are not careful, smart grids might destroy the last remaining realms...
Spam has changed how we think about email, and automated monitoring and control needs to change how we think about privacy. If you make something very much easier and cheaper, it is no longer what it once was. Smart phones, smart buildings, and smart grids are now at the center of privacy law. Privacy is the ground upon which the battle for the preservation of the 4th amendment will be won or lost.
A serious of court decisions, each looking more to a desired end than to the constitution, are using technology to redefine what “reasonable” means in the 4th amendment to the US Constitution. If we are not careful, smart grids might destroy the last remaining realms of privacy, that is, our privileges to be free from interference in our lives. Soon, the 4th amendment and its protections may mean nothing at all.
English common law declared the home inviolate even from the King and the King’s men at least as early as 1300. In 1760, William Pitt famously stated the right: "The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail, its roof may shake, the wind may blow through it. The rain may enter. The storms may enter. But the king of England may not enter. All his forces dare not cross the threshold of the ruined tenement."
The fourth amendment has its roots in a growing violation of this right using the general warrant as a tool. A general warrant is an arrest warrant that does not name or describe the person to be arrested, or a search warrant that does not specify the premises to be searched or the property sought. Such warrants were outlawed in England in the middle ages. In the 18th century, their use was revived with through the writ of assistance. Then as now, the regulation of commerce was used to erode liberty, and writs were issued to in the form of general warrants to assist in enforcing trade and navigation laws. These writs authorized customhouse officers to search any house for smuggled goods without specifying either the house or the goods.
The resentment bred by these writs of assistance contributed strongly to revolutionary fervor. Still feeling the sting, the memory of these writs led to the adoption of the 4th Amendment to the US Constitution two decades later:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The language is clearly written; its meaning is clear to anyone whose understanding of English has not been clouded by the study of the law. No means No.
Technology and Commerce are the hammer and tongs on the privacy of the home. A walled garden or a large property are secure from prying eyes. Regulation of commerce says we must manage Cannabis. Planes change the definition of public view. Technology erodes the concept of privacy and chips away at the 4th amendment.
Ten years ago, a police department, suspicious about indoor plantations, scanned houses with an infrared scanner. They discovered a hot spot, and used it to get a warrant, and found grow lights in the attic. The owner, Kyllo, fought his conviction, fought it all the way to the Supreme Court, and won. The 4th amendment held against advancing technology. Unfortunately, that ruling held the seeds of the complete destruction of privacy and the 4th amendment. The ruling held that “when . . . the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a “search” and is presumptively unreasonable without a warrant.” Unraveling all the negatives, the ruling states that no warrant is required to authorize government use of any technology in general public use.
Today, such scanners are in common use. Many utilities offer to subsidize scans of your home. It appears that today, there would be no requirement of a specific warrant before scanning your home—or before scanning every home in your neighborhood.
The fourth amendment never protected against observation by government agents of public activity. There was always a practical limit on such monitoring because it had a real cost. It took as long to listen to a wire tap as it took to have the original conversation. Sending a squad car to tail a suspect cost the use of a squad car and the salary of a policeman for an entire day. Only an unashamedly corrupt society would assign the resources of a Stasi to watch all citizens.
Email has eliminated all cost barriers to sending unsolicited communications, and so created spam, hated for its use by legitimate and illegitimate organizations alike. Auto-dialers reduced the human time required to make unsolicited phone calls, creating a desire to regulate the free use of the phone system. In a similar way, automated monitoring and analysis has eliminated the practical barriers to pervasive monitoring of all citizens at all times. Just as spam storms required us to build policies to control unwanted messages, so the automation of monitoring requires us to expand our notions of privacy just to maintain the fourth amendment as it was.
Current case law and judicial rulings are pushing in the opposite direction, toward the negation of the 4th amendment.
Law enforcement in the US is arguing that there is no privacy protection for any information routinely collected. This is particularly troubling as with the other hand, government is mandating that information be routinely tracked. Some years ago, government mandates (“to support E911”) required that all cell phones be trackable with high precision, higher than the cell companies required for their own business. Last week, the Justice department argued that as this information was routinely gathered, there was no expectation of privacy surrounding such information. This month, our government has argued that it should be able to track the whereabouts of any and all of us today and for the previous 120 days, without warrant, without explanation, and without judicial review.
Smart grids demand that smart buildings respond to changes in the availability of electricity in the grid. The largest utilities, particularly the California utilities, are advocating business models of direct load control, tracking the use of all devices in a home. A decade ago, engineers found they could track the use of all systems in a house from the meter; they could even distinguish from the signature of the heater whether a waterbed was occupied or unoccupied, or whether the occupants of that bed were active or sleeping. Complete access to building operational data is a loss of privacy more profound than a search, because it continues over time.
One of the key deliverables named in the UCAIug’s OpenADE requirements for tracking energy usage is the “Law Enforcement Interface.” The only good thing I can say about that is they decided to leave it out of version 1.
This last election cycle saw state employees abusing their authority to harass and discredit a private citizen who discomfited their favored candidate. One political team claimed that the previous administration can and would do anything, abuse any right to have its way. The other team has expressed horror at a rank intimidation of political discourse found in the current administration collecting emails of dissenters. How can those on either side honestly accept the 4th amendment suffering a death of a thousand cuts through the acceptance that technology erodes privacy?
The complete loss of privacy *is* the complete negation of the 4th amendment. Exposing operational data to the power of data mining *is* the complete loss of privacy.
The founders were literate, and they would have read Milton, who in Paradise Lost wrote:
And with necessity,
The tyrant's, plea, excus'd his devilish deeds.
As C.S. Lewis updated the formulation, "'Useful,' and 'necessity' was always 'the tyrant's plea'." There is nothing so useful or necessary that we allow untrammeled collection of such information by smart grids. There are business and technical models that avoid such collection. We should choose them.
Parsimony and Security
I have been thinking about security and parsimony lately. Security is not merely about confidentiality or even identity. It is about predictability and integrity. Challenges to predictability and integrity occur not only malefactors, but from those who develop, test, and maintain systems. Even interoperability is a part of security, introducing new sub-systems, or upgrading old ones, can introduce unanticipated interactions and failures.
I have been thinking about security and parsimony lately. Security is not merely about confidentiality or even identity. It is about predictability and integrity. Challenges to predictability and integrity occur not only malefactors, but from those who develop, test, and maintain systems. Even interoperability is a part of security, introducing new sub-systems, or upgrading old ones, can introduce unanticipated interactions and failures.
Introducing any interface not actually required introduces new attack vectors and increases the complexity of testing. An interface that is only used rarely is only tested rarely. Any non-essential interface is a site that will be delegated to the junior developer; primary interfaces will be tested fully while the non-essential interface becomes a back door.
DOS/Windows is the poster child for security and reliability problems. Upgrade problems and incompatibilities were legend. Many of these arose when little used and long deprecated interfaces were eliminated or changed. Some interfaces existed only to support development and testing, and were never even documented. As thousands of developers competed for advantage, these interfaces got used. In an ecosystem of systems with far more variety, we will be better served to never introduce these obscure interfaces.
The other challenge presented by DOS/Windows was the sheer number of interfaces. One bit of code might support a dozen interfaces. Code added to fix one problem would get replaced as code to address another security based on an earlier code fork would reintroduced the problem. Complex interfaces require complex maintenance.
An oft-heard and little understood truism is that security must be designed in. This can be interpreted to require planning for encryption and isolation at every interface. This task can be fiendishly complex and require that only the most sophisticated programmers work on each system. As we know that we cannot guarantee such attention, this is poor security design. Complex procedures embrace their own failure. Better security design offers fewer chances for missteps, and better chance for sustained success.
For the smart grid, this means fewer interfaces and simpler testing. The smart grid has defined inflection points, places where responsibility or ownership or business processes change. Such inflection points define business processes with specific requirements for shared identity and authority. These business interfaces define the risks and the costs of failure. They should be few, simple, and well-defined.
We may anticipate site-based generation is either PV or Wind. We could, in theory, include wind speed as a required part of the wind source interface for the grid. A house in a tidal swamp may have some sort of novel generation strategy that appears, in most respects, identical to energy generated by the morning and evening winds that characterize the weather between the California coast and desert. By excluding wind speed, in this example, the same interface would serve for the wind generation and the tidal swamp generation. Simpler, sparser interfaces are what enable diversity and innovation. Coming back to security, the unused wind speed interface in the Tidal generator, if mandatory, is the one that will be untested and eventually a security hole.
Anything we put on the smart grid will be there for some time. It will be upgraded numerous times and coexist with other version levels. The interfaces should be few, because they will be there for a long time, and implemented and patched by many programmers.
Cybersecurity for smart buildings and the smart grid
Building systems have until now been secured only for interaction between their parts. Schemes such as shared tokens used on open networks serve the purpose of isolating systems from interaction. They do not address the more intriguing security issues of interaction with non-system actors. These non-system actors may be agents from other systems, business process from other companies, or even direct consumer access.
Today’s shared token security schemes are only thinly deployed...
Building systems have until now been secured only for interaction between their parts. Schemes such as shared tokens used on open networks serve the purpose of isolating systems from interaction. They do not address the more intriguing security issues of interaction with non-system actors. These non-system actors may be agents from other systems, business process from other companies, or even direct consumer access.
Today’s shared token security schemes are only thinly deployed in buildings. They are an improvement on traditional building system security, which is largely non-existent.
What security there is today in control systems is most frequently controlled through some sort of head end system. Identity management for that system is entirely separate from that of the enterprise. This approach demonstrably reduces security. The most significant security breaches of SCADA systems appear to be by former employees, often months after they are no longer employed. The isolated systems that operate the engineered world are not tied directly enough to the business processes of Human Resources. A change in job status should cause instant changes in access rights; in the SCADA systems that control our utilities and our buildings, changes in access could take months.
We lack a commonly agreed upon common framework for defining access levels. At UNC, we defined a hierarchy of access rights that we could apply across many buildings of diverse technology. We defined configurers, system operators, system auditors, tenant operators, tenant auditors, and public. This framework allows us to define generic access and control rights across many buildings with diverse technology. Identity management, that is, recognizing who someone actually is, is always by reference to external enterprise systems. A security framework enablers easier adoption of the best practice of distributed authentication, local authorization.
For the smart grid and enterprise responsive buildings to develop together, we need easier adoption of best practices in security. Distributed generation and distributed energy storage introduce new inter-business interactions and new enterprises into the grid. As third party energy management and demand response aggregation merge, more enterprises will interact within the building. These are opportunities best met using federated identity management.
The smart grid and smart buildings will need to understand delegation. Delegation maintains control of information and services when they are provided by others interacting with third parties. To understand delegation, consider what you would want for secure management of on-line interactions with the IRS. You would like to keep all such communications private, and to prevent anyone from making decisions on your behalf. You would want to be able delegate this access to an identified professional such as your accountant. This assignment of rights might be for a limited term or it might be indefinite. You would want to be able to revoke that assignment at any time. You may grant your accountant the right to delegate once; he may need to delegate this access to his clerk, again able to revoke this delegation at any time. The delegation may be complete or partial, it may include all your business, or just managing your payroll. This model of delegation while managing control is well understood by enterprise architects.
Delegation, especially when combined with federated identity management, will be core to distributed operation of the open interoperable systems of the smart grid and smart buildings. Delegation will authorize your home or office energy management service (EMS) to share direct operation with your utility, your contracted demand aggregator, or with a maintenance analytics provider. Revocable delegation will authorize your utility to share your meter data with Google Energy or with others simply and quickly.
There are of course many other enterprise security concepts and approaches that we will need in enterprise buildings and the smart grid. Preparing for these three will introduce many more.
Pervasive Security and Control Systems
With cybersecurity so much in the news, I found myself in a heated discussion the other day about whether IT should take over SCADA, and in particular SCADA security, or whether it should not. SCADA (System Control And Data Acquisition) refers to the technologies that run large processes. In common use, it refers primarily to the large distribution systems, such as those for electricity, water, and gas. SCADA systems were usually designed to operate with the extreme resource constraints of last generation technology. SCADA systems have traditionally been secured primarily through isolation. Any signal that breached the outer shell was considered trusted.
It is an interesting characteristic of technology that when it is everywhere, it is no longer anywhere. Take timekeeping, one of the oldest automated technologies. Modern time technology sprang from the monastic orders of the middle ages, wherein it was important to track the time for prayer and the ordered life. As time tracking technology improved, it was moved into the clock tower or cathedral in the center of town, and used to order the economic life of the townsfolk.
Time was later brought into the homes of the wealthy, and then adopted, in the form of mantle clocks by the middle classes as a luxury. This was followed by personal time, as pocket watches which were a sign of wealth or awarded, at retirement, as thanks for long service. Time kept growing cheaper until digital time arrived in accurate wrist watches at disposable prices. Today, time is everywhere, in ovens and in coffee-makers. Time is more important than ever, as very precise time-keeping is at the heart of telecommunications and the internet. Precise centrally managed is in every cell phone—yet time is nowhere, and watches and mantle clocks are becoming scarce.
There is a common meme in management circles that IT is becoming pervasive, and therefore beginning to fade as a separate department within companies. We have central management of network communications as a critical facility. There may even be central operating system and hardware management within a data center; that data center may instead be outsourced and no longer part of the corporate skill-set. In the service oriented world, there is central technology governance to describe how technology from each division fits together. Subject to that guidance, the divisions and department are free to manage their own development, and their own decisions.
At the beginning of the 20th century, it was not uncommon for manufacturing corporations to have people with titles like Vice President of Electricity. The person who held this title had all sorts of strategic responsibilities. As electricity became pervasive, this role became less important. As everyone grew to understand, more or less, how to use electricity (Use the plug. Don’t drop a paperclip on the leads), the need for specialists at every step of the process became less. I have seen hotel wiring for lights installed by Edison own hand; none of us can imagine the CEO of a large research and engineering doing that contract today.
Today, electricity is everywhere and it is nowhere. Outside of those businesses that are directly involved with the production and distribution, the strategic use of electricity has vanished. Oh, you still need an electrician or two on the maintenance staff; he may also be a plumber. Electrical engineers are needed to design systems for factories or buildings. Electricity as a profession in each organization is gone. Plug in your own lamp and computer!
In a similar way, IT is becoming everywhere and nowhere. I have a computer far more powerful than any available in 1970, and with more networking bandwidth than any in 1990 sitting in pocket. It is also able to create and process video and has a display capability greater than any but the highest end computers of two decades ago. I carry it everywhere, it may be company issued, but it is never touched by company IT. Sometimes I make phone calls with it.
A decade ago, every resume claimed some experience as a webmaster. Now very few do, although they have Facebook pages and a facile familiarity with HTML. Every salesman and every factory quality team performs computerized statistical analysis as part of their work, although none of them claim to work in IT. The specialized staff who install the physical infrastructure of networking have fused with those doing analog telephony.
Much of IT is gone. Security policy staff are rising in visibility, but growing fewer in number as they use policy based tools. Software installation staff, necessary as policy locks out most users from modifying system configurations, grow closer to electricians in education and in perspective. The CIO becomes a specialized sort of efficiency expert. From this perspective, either control systems staff and the accounting staff are both IT, or are both “not IT”.
IT security offers a set of disciplines and mind-sets useful to those building their current systems with today’s tools. Knowing IT Security assists the control system engineer in the same way that knowing accounting is the path to advancement for the accounting clerk. Knowledge of auditing principles makes a better manager just as other IT-security skills make a better SCADA system architect.
I think most organizations will not have IT functions per se in the future, unless they are designing electronics, or creating new graphics systems. I think SCADA and control systems will not be run by IT, but will be perfused by the pervasive IT all around. System design, and system architecture will still matter. IT Security, with the newly popular moniker cybersecurity, will be everywhere. But IT will be gone.
New Daedalus
Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.
It is only recently that we have begun to leave the methods of Daedalus behind.
Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.