Cybersecurity of Power—Resources
As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource. A later article will discuss cybersecurity of the vector.
Distributed cybersecurity is a model that distributes responsibility across autonomous nodes or systems. These nodes may send or receive cybersecurity directives. They may request or share situation awareness. Each node is responsible for securing itself and reporting when it is under attack.
The developing OASIS OpenC2 (Open Command & Control) specification defines cybersecurity as a service. The sender of a command requests what it wants accomplished without using step-by-step instructions. If the receiver accepts the command it must determine and execute its own procedure to fulfill that request.
As a resource, a power system must defend certain characteristics. These characteristics include frequency, voltage, and the shape of the waveform itself. Cyberattacks on the power resource can interfere with proper system operation or they can escalate into direct cyberphysical effects. The well-known Aurora demonstration by DHS used repeated subtle waveform manipulation, to cause a large dynamo to rip itself out of its concrete moorings. Any cyberprocess that is able to manipulate the fundamental power signal can be an effective attack on the Internet of Things.
When a distributed cybersecurity language such as OpenC2 shares information about an attack through the power vector, it may act as a warning, or it may describe what the requestor wants reported back. Because Power is likely shared between many nodes on the same circuit, anything that has a strong effect on one node, perhaps low-value and poorly defended, can be a means to attack other nodes on the same circuit. I know of substations in the Midwest, supplying a limited number of industrial customers, wherein the operating margin is so small that activity in one factory can cause and has caused significant damage to equipment in another factory. Situation awareness coming back from one node may be useful to gain a broader understanding of attacks on other nodes.
Attacks on power through a nearby un-protected node can cause damage to all nodes on the same circuit. A large user can cause changes to voltage, to power factor, or to other power attributes even without the subtle wave harmonics demonstrated in Aurora. They may even cause delayed effects, as a sustained reduction in power factor may prevent power storage systems from re-charging properly over several days. As tomorrow’s grid incorporates a growing number of renewables, this offers a growing vulnerability.
Because they are working sharing a resource, a cyber-response may help defend nearby nodes. If a node is able to actively manage frequency or power factor, it may defend nearby resources.
I will write soon on Power Distribution as a Cybersecurity Vector.
Tighten Up Security Claims
Last month the focus of the issue was Cybersecurity. Cybersecurity is a complex issue with many facets, but it doesn’t need to be as hard as it is. A big problem is evaluating the tools, figuring out what they really do, and deciding what problems to solve.
Most security products promise the world, but it is hard to compare them, and to understand what problem they solve. Marketing language alone describes what each product does, and it often hard to compare the claims and evaluate the risks.
It’s time to tighten up the Cybersecurity language, to evaluate threats to buildings and what harme they may cause.
Formal cybersecurity defense rests on the tripod evaluation tripod: Capabilities, Threats, and Mission. Evaluation of the value of cybersecurity always depends on two of them. What will a Threat do to degrade a system Capability? How does each Capability support the organizational Mission? And so on. Looking at the risks of systems in a building in this light
Readers of this blog are well aware of System Capabilities. The Smart Building sales cycle attaches those capabilities to the Mission. Different organizations have different missions, so the capability provided by a given building-based system may support different missions in different ways.
The Threat is too often ill defined. What does an attack do, and what is supported by preventing each attack? How do we compare one security product to another? Evaluating vendor claims too often seem like flim-flam, with no clear means to evaluate risks. The automated building industry itself makes this worse, as poorly defined claims are made in language that prevents comparison or risk analysis.
In April, I met with proponents of the cyber security taxonomy developed by the US Department of Defense to defined and classify threats The DOD Cybersecurity Analysis and Review (DODCAR) defines a taxonomy of cybersecurity threats, creating a standard language to discuss security, Each threat is defined in terms of what it does and how it works.
Building System integrators can look to each of these threats, and consider how each might degrade the capabilities provided by their systems. By looking to the missions that they seel their systems into, they can evaluate the risks and costs of each vulnerability.
I recommend learning DODCAR, and using it to clean up product claims, and to evaluate imprecise security language, and to understand where to get the most benefits from improved cybersecurity.
Lifetime Learning for AI Everywhere
For decades, from even before we called everything the IoT (Internet of Things), maintenance has been the barrier to digital sensing and operating of the physical world. Wired sensors were reliable, but expensive to install, and often an esthetic nightmare once installed. With self-power, sensors became cheap enough to put everywhere, but faced a new challenge—maintenance.
For a long time, deployments were limited by battery life. Many initiatives were short lived, running until the batteries wore out. Changing the batteries was expensive, sometime more than the initial installation. Committed organizations developed scheduled battery changes to control costs, just as they had done before for re-lamping projects.
We solved that problem by making sensors so cheap we could just leave them and install replacements. Or we (notably members of the EnOcean Alliance) tuned communications to be so light-weight that in situ energy harvesting could keep systems working.
Now we face yet another maintenance challenge, that of intelligence management.
Today’s sensors have become smarter, sometimes referred to by the indeterminate name “edge devices”. Sensors and Edge Devices likely transmitted more than 20 zettabytes of data for central storage last year, although there are no firm estimates on 2017 data gathering. With that much data being stored, the communications requirement was easily in yottabytes.
This much data creates a new challenge. The IoT not only requires that we get actionable information that matters, but that we get it before it is too late to matter. There is too much data and too many situations to rely on timely central decisions.
The enable drinking this firehose of data, we are starting to rely on sips at the edge. Edge Devices are making the initial decisions as to what data means, and what data needs to be brought into the middle. Local decisions are made faster, without interference from temporary high priorities elsewhere in the IoT. For all but the simplest scenarios, this model requires learning at the edges. There are large open source libraries now of Artificial Intelligence (AI) code for Raspberry Pi and Arduino.
This presents a new maintenance problem, managing and updating AI routines and algorithms.
The big software companies are preparing the tools we will need. Thousands of AI systems in each building will require tools to manage the rapid evolution algorithms. New algorithms will require managed roll-outs Rapid evolution forces diversity of algorithm and information as systems will change far faster than their installed life. Oracle is pushing GraphPipe, an open source software project for efficiently deploying and managing AI models at scale. Microsoft is right there with them, with large platform management announcements expected this Fall.
The problem of managing intelligence in millions of devices is solved already, before most people know they have the problem.
In the last year Pi architecture devices have blown right past the $40 and even $20 price points, with full systems expected for $7 and perhaps $4. Arduino platforms not only run open source Linux and Android, but with open source hardware offer potential easy integration directly onto integrated specialty hardware components.
The barriers to fully intelligent small systems across every aspect of buildings are falling even faster than pioneers such as Alper Üzmezler and the Project Sandstar for smart controls have publicly projected. It is my personal belief that while full platforms such as the Pi have higher initial costs, in part because they include a GPU not needed to manage a display, that this means they are pre-adapted for high speed signal processing. This will not play out slowly.
Choosing a Light or a Dark Mirror
“If it has to do with heating, lighting, or mobility for human beings on this planet, we’re interested in it”
- Darryl Willis, Google
Last month, in the July issue of Automated Buildings, Ken Sinclair called for smart buildings to spearhead an improved relationship between the physical, the virtual and the emotional world. Relationships go two ways. When we consider how buildings can manipulate our emotions, we also are considering how our emotions can manipulate buildings,
The sci-fi anthology series Black Mirror explores a near-future where humanity's greatest innovations and dark side collide. Last week, Daikin and NEC announced that they have developed a system that monitors the movement of the employee's eyelids and hits dozing workeers with a blast of cold air. More are growing aware that traditional cloud practices have a dark side in the erosion of privacy and often misuses of personal data. Will Ken’s call lead to better buildings or to their dark mirror?
Crude interactions will predominate at first because buildings have no way to empathize with their occupants. The early phases of emotional relationships with buildings will be based on specific purpose driven metrics developed by building engineers responding to occupant middle management—two groups that may not be the most empathic themselves.
More subtly, Daikin / NEC collaboration begins lowering the ambient temperature when it detects people getting sleepier.
Today, IT throws up artificial intelligence (AI) as the answer to every new problem. In the Internet of Things (IoT), this usually means combining several variants of regression analysis based on concrete models of mechanical systems. This model will not take us far down the road to Artificial Emotional Intelligence (AEI)
Humans can respond to mutual emotions because they are able to share them. In some theories, this is based on our mirror neurons. A mirror neuron fires both when we act and when we see someone else performing the same action. As we subtly shift our posture and our face to match that of those around us, we learn how they feel by feeling how we feel. Buildings can’t do this. Yet.
AEI will rely on highly abstract models of human actions and interactions. Humans are too complex to collect and transmit all data to a remote cloud, or even to the building-based cloud if there are more than a few people being tracked. Simple systems will transform data into these abstract models at the edge, and only the abstractions will be sent to the cloud. Where desirable, this enables anonymous and privatized data to be processed alongside personalized data.
These abstract models will become the “mirror neurons” of the building-based systems. Building-based systems will respond not by trying to mimic humans, but by comparing edge-based abstraction of human behavior to the abstract human models they have internally. Potential responses will then be filtered to the IoT by a repeated de-abstraction (“make alert” to “more cooling” or “more ventilation” or “more light”) to potential specific concrete choices. The final choices will be made by traditional engineered systems, based on economic outcomes (such as energy use) and engineered choices such as ASHRAE considerations (air turns, humidity control, etc.). Edge processing will the send the abstracted effects of these choices back into the regression models.
The Classification of Everyday Life (COEL) is a recently completed specification. COEL is an OASIS specification, just as are OBIX, SAML, and the specifications for Transactive Energy. COEL is already an international ecosystem with multiple implementations based around Coelition. COEL was designed from the ground up to support modern privacy law, necessary for products to reach to international markets. COEL defines creating, transmitting, and storing the behavioral abstractions needed to create the “mirror neurons” for AEI.
This can be hard to map one’s head around. I’ll start with my own child-like understanding and description of some early COEL apps.
The hottest topics in health care are Evidence Based Medicine and Standards of Care. Evidence Based Medicine aims to optimize decision-making by emphasizing well-designed and well-conducted research to build strong recommendations meta-analyses, systematic reviews, and randomized controlled trials. Standards of Care refers to detailed sequences of medicine that may continue over years, and may include, in the most difficult processes, hundreds of clinical events. A Standard of Care for orthopedic surgery may start with pre-surgery “pre-hab” (getting strong enough to benefit from the surgery), to a couple weeks of pre-surgery preparation, to the all the events the day of and the day after the surgery, to programs for rehabilitation after the surgery.
Zooming in, without evidence of pre-hab fitness, it may be worthless or even dangerous to proceed to surgery. The best post-surgery outcomes involve both sending the patient home quickly and making sure the patient is returning to level of exercise and activity. For the single patient, this requires tracking and analysis of what the patient is doing outside the hospital. For Evidence-based Medicine, this requires factoring the patient response and activity back into to the meta-analyses and systematic reviews.
But what is the patient doing at home? Medical decisions during pre-hab and re-hab may be based on levels of physical activity. Counting trips to the gym or physical therapist is at best inadequate and at worst misleading. One patient may go to the gym and stand around watching CNN. Another patient may not go to the gym often, but might use the stairs at home and at work. Coelition member Activinsights already makes Android apps that can analyze the individual from a wearable device, abstract the data into COEL-based information, and present privacy-protecting, and pseudo-anonymized COEL Atoms to support clinical and research decisions.
While developed to support clinical work, these Apps can make personally useful predictions. Active Insights apps can predict when each person is most likely to be alert, and able to make good decisions. Simple environmental monitoring can bring a feedback loop into building operations. It is easy to imagine apps that also COEL abstractions for physical activity into personal recommendations for alertness and for re-setting the body after jet-lag.
But this is a building-based audience. It is not hard to imagine a critical meeting with attendees from many geographic locations. Personal but fully anonymized COEL biorhythm data is submitted to the building for each participant. The building then solves final schedule, ventilation, temperature, lighting level, and perhaps even lighting color to create the best chance for the best work from each participant. A conference center that can reliably do this makes a good case for a premium price. When many knowledge worker work from home or coffee shop, COEL-submissions to the scheduling server might determine the time and location of even in-town events.
It has been said that the essence of marketing is to build a relationship and engagement. Engagement can be measured as demonstrating to an individual that you know them. In smart health care, patient engagement is best when the patient can recognize themselves in the data. Building-based AEI enables a building to show its occupants a mirror to show them that it knows them. That mirror will be a Black Mirror unless it knows this in a way that protects privacy and anonymity.
New Daedalus
Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.
It is only recently that we have begun to leave the methods of Daedalus behind.
Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.