Chatelaine Security for Smart Buildings and Cities.

 There is a growing recognition that traditional models of cybersecurity are inadequate to secure complex systems, and to detect security flaws in systems of systems. (Many definitions essentially declare complex systems and systems of systems to be equivalent terms.) Full-stack systems are too fragile and ponderous to readily address smart cities, or even smart buildings. The spatial web anticipates unbounded numbers of systems interacting, each with its own technology, and purpose, and even perhaps frame of spatial reference.

 I read this week of applying behavioral economics to cybersecurity and calling the result (and the new book) “Security Chaos Engineering”. It seems aligned with models for security in actor-based systems, which seem to me the only way to develop the IoT at true scale.

 Actors do not know what other actors do in a system. Actors receive messages from other actors in potentially massive concurrent computation systems. In response to a message it receives, an actor can: make local decisions, create more actors, send more messages, and determine how to respond to the next message received. Actors can only affect each other indirectly through messaging, and cannot know the state of other actors.

 You may recognize this as the fundamental model of cloud-native computing, whether the cloud is in a far away data center, or in many such data centers, or in an on-premises cloud, or in some hybrid of the above. Some name this approach microservices. What makes it work is well defined invariant interfaces, that is, fully defined messages between systems. Any system, then, no matter how large or complex can participate AS IF an actor so long as it limits a specific interaction to these commonly-defined messages.

 Transactive energy is essentially a means to replace an integrated control system with a system of systems, with each economic actor clearly a separate system.

 This last week found me discussing the implications of these approaches for cybersecurity standards. Traditional cybersecurity doctrine, including for cyberphysical systems, assume to much homogeneity of systems, in internal design and in purpose, and thus make assumptions of cybersecurity agent omniscience that is unachievable. In complex systems, it is far easier to influence the system your system relies on than to ever touch your system. Even within a single system, a man-in-the-middle exploit on sensors can more easily be replaced with some chewing gum on the sensor, or with a light tap of a mallet on the sensor, or even remote infrasonic attacks on a sensor array.

 What one can do is monitor the patterns of interactions (messages) between distributed actors, likely with ML (machine learning), and notice that one of the systems is acting less and less as expected. This can work even in a zero-trust environment, in which all the actual messages are encrypted. One still cannot know automatically whether the changes of behavior are due to enemy action, or merely change in programmed motivation.

 Maggie had the misfortune of being on a four-and-a-half-hour drive with me last week, and so endured a long description of this approach and of the week’s conversations. She promptly declared this to be a chatelaine model. Hmmm.

 A chatelaine is the mistress of a large estate (chateau) who may not know everything that is going on, but has all the keys, and notices patterns. There is no butter in the in the bin – is the milk-maid on vacation—did she get married—was she fired—did the cow run dry—do we need a new cow? The chatelaine can notify the owner, and she can invent a plan of action and investigation. I liked it. It is a much more approachable, easier to understand, term than “chaos security engineering”.

 I want a chatelaine in the message fabric.

Cyberphysical Security using Digital Twin Actors.

There are several popular definitions for digital twins. Mine is that a digital twin is a low-resolution model of a remote system, usually of a single aspect or dimension of that system. This model relies on an abstraction as the basis for understanding what the remote system is doing, and for predicting what it might do. Because the twin is abstract, it requires neither the computing power of the original nor does it require the user of the twin to understand systems that he does not. A twin is simpler if the twinned system is simpler.

Read More

Today's Power Markets are Too Big

The span of power markets today is too big. Market participation by net metering applying tariffs across a whole region makes no sense if power from the seller cannot physically get to the would-be buyer. Power markets are intrinsically local. Atop this, one must factor in the line loss transforming up from the local small-scale prosumer

For such local markets, there needs to be some equivalence of market participant scale…

Read More

Actors for Buildings & Energy

Fifty-five years ago, we chose the wrong path. Small code that could run on small CPUs was recognized as a better path than large, probably single-threaded code. These elements of small code could be proven to be correct, unlike the large code programs that characterized mainframe-era programs. The software industry took a fork in the road, and led by the siren song of Intel CPUs, took the fork in the road of keeping the mainframe model of programming.

Nowhere was software hurt more by this than in building systems and IoT. These systems have a natural cadence based around independent actors for each mechanical subsystem, communicating in a service mesh. The lure of the large program you wrote last year being twice as fast next year due to Moore’s law, even without re-writing, was too enticing.

Read More