Search Archives
Why New Daedalus?

Daedalus was the mythical great architect and artificer of the classical world. Today, embedded intelligence is enabling the most profound changes in the way we create and use buildings since his day.

Building Intelligence meets the Intelligent Building. The Intelligent Building negotiates with the Intelligent Grid. How will this transform how we interact with the physical world?

More on the Web
Login
Powered by Squarespace
« Virginia Tech, Emergency Communications, and Academic Sheep | Collaborative Energy—the Smart Grid and the End Node »
Tuesday
Jun232009

Cybersecurity for smart buildings and the smart grid

Building systems have until now been secured only for interaction between their parts. Schemes such as shared tokens used on open networks serve the purpose of isolating systems from interaction. They do not address the more intriguing security issues of interaction with non-system actors. These non-system actors may be agents from other systems, business process from other companies, or even direct consumer access.

Today’s shared token security schemes are only thinly deployed in buildings. They are an improvement on traditional building system security, which is largely non-existent.

What security there is today in control systems is most frequently controlled through some sort of head end system. Identity management for that system is entirely separate from that of the enterprise. This approach demonstrably reduces security. The most significant security breaches of SCADA systems appear to be by former employees, often months after they are no longer employed. The isolated systems that operate the engineered world are not tied directly enough to the business processes of Human Resources. A change in job status should cause instant changes in access rights; in the SCADA systems that control our utilities and our buildings, changes in access could take months.

We lack a commonly agreed upon common framework for defining access levels. At UNC, we defined a hierarchy of access rights that we could apply across many buildings of diverse technology. We defined configurers, system operators, system auditors, tenant operators, tenant auditors, and public. This framework allows us to define generic access and control rights across many buildings with diverse technology. Identity management, that is, recognizing who someone actually is, is always by reference to external enterprise systems. A security framework enablers easier adoption of the best practice of distributed authentication, local authorization.

For the smart grid and enterprise responsive buildings to develop together, we need easier adoption of best practices in security. Distributed generation and distributed energy storage introduce new inter-business interactions and new enterprises into the grid. As third party energy management and demand response aggregation merge, more enterprises will interact within the building. These are opportunities best met using federated identity management.

The smart grid and smart buildings will need to understand delegation. Delegation maintains control of information and services when they are provided by others interacting with third parties. To understand delegation, consider what you would want for secure management of on-line interactions with the IRS. You would like to keep all such communications private, and to prevent anyone from making decisions on your behalf. You would want to be able delegate this access to an identified professional such as your accountant. This assignment of rights might be for a limited term or it might be indefinite. You would want to be able to revoke that assignment at any time. You may grant your accountant the right to delegate once; he may need to delegate this access to his clerk, again able to revoke this delegation at any time. The delegation may be complete or partial, it may include all your business, or just managing your payroll. This model of delegation while managing control is well understood by enterprise architects.

Delegation, especially when combined with federated identity management, will be core to distributed operation of the open interoperable systems of the smart grid and smart buildings. Delegation will authorize your home or office energy management service (EMS) to share direct operation with your utility, your contracted demand aggregator, or with a maintenance analytics provider. Revocable delegation will authorize your utility to share your meter data with Google Energy or with others simply and quickly.

There are of course many other enterprise security concepts and approaches that we will need in enterprise buildings and the smart grid. Preparing for these three will introduce many more.

PrintView Printer Friendly Version

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>