Entries in Security (5)
Soft and Gooey won’t Hold Back the Night
A cyber attack has already caused a multi-city power outage, according to a report delivered by Tom Donahue, a CIA analyst speaking at an energy security conference in New Orleans last week. I just hope that people thinking about this are doing a better job thinking about real security than are those in building controls or those I have talked to at energy conferences.
Most control systems engineers seem drawn to what are called egg security strategies. An egg has a nice, crisp, esthetically pleasing security system called a shell securing a soft gooey inside with no barriers whatsoever. When this security system is subjected to the planned security stress, being sat upon in the nest, it holds up perfectly. When subjected to unexpected stresses, it fails completely and badly. Even the smallest breach of the shell will introduce infection that will fester and rot the internal systems.
Many banks used to think a hardened shell was fine to protect systems. Because all in-bank systems were inside their firewall, they performed few audits. They “knew” that all systems inside the perimeter were trustworthy. Secure in this knowledge, many ATMs based on Windows NT 4 (or worse) were rolled out. No patches were ever needed.
One day some of these banks decided to issue laptops to loan officers. Perhaps they were styled as personal bankers, and expected to make sales calls on businesses in the evening. Perhaps they were supposed to take their work home. Inevitably, someone, sooner or later, went to some place they ought not have on the internet. Or perhaps their son used it for an evening of gaming. In any case, an infected PC arriving on a completely unsecured, un-patched, un-defended homogeneous network created many a memorable moment for bank IT staff. No money was stolen, but a lot of ATMs were off-line.
A better approach to security is situational awareness, not just a locked door. If what you want is a locked door, it will be far cheaper to not cut a door, but leave the wall intact. Of course, this may limit functionality. Far better, like the high-end hotel, to have a doorman always on duty, who recognizes who is staying in the hotel, and even holds the door open when they arrive. The doorman has an unpredictable variety of responses to a security incident. He may knock the intruder down. He may sound an alarm. He may merely bar the door.
Perhaps you are sure that no one will sniff your BACnet or LON off a network hub to get to your building systems. Perhaps you know of no way to use the open Zigbee you use for automated meter reading to get to your controls. Perhaps all your technicians always treat their diagnostic laptop in a secure manner, and so you can rely on everyone with physical access always using a secured computer.
Building and grid operators may get away with this for a while. But when someone does get in with malice on their mind, the results will not be a minor annoyance. And it may well include a loss of light.
Bouncer or Prison Guard?
Today’s Chapel Hill Herald has a front page on the value that bouncers provide to the town’s economy. It’s an amusing article written for a weekend when the Football team has a bye. It also set me to musing on security, and how building systems never seem to get it right.
Let’s contrast two beefy guys, each working in security. One works at the worst prison in the poorest state. One is a bouncer at an upscale night club.
The article discussed the many roles that bouncers around town play. Sure, they stop fights; the better bouncers notice them before they happen and have a quiet word with someone's friend before they get out of hand. They check ages on the students who want to enter the bar. They spend some time just being highly visible. They prevent those already drunk from entering the bar and they escort those who, even if non-violent, have had too many out. They call cabs. In other words, they add value to the bar and restaurant experience for everyone but the troublemakers, and keep the troublemakers from getting into trouble.
When I was in college, it was popular to go clubbing in New York City (still scary in those days). The better discos would always have a line. How did we know they were better? Because of the large bouncers keeping people out. Beautiful people and celebrities would go right in; others would wait in lines that never moved. Even the people who waited in line somehow enjoyed the wait more, because they could watch the A-List go in, and returned to Jersey or Peoria with a story to tell.
If we wore tuxes and evening gowns, and arrived as a group with a good balance of men and women, we always got in. It was important, though, to swarm en masse out of the cab or cabs, arms linked and laughing. Somehow, the same effort that got us by the bouncer meant that we were already poised to have a good time, and to enhance the good time of others in the Club. This meant that we always had a better time when we stayed in our college town, and went out scruffy and alone to see who was in a club.
The ignored bouncer enhanced the value of the experience for everyone who entered the club. He did this by being aware of the situation and aware of the business goals of the establishment. He understands that he provides a service that enhances and enables the other services of the establishment.
Contrast this with the prison guard in the lowest penitentiary. He enforces a consistent experience on the inmates. He may prevent that prison from being an absolute hell. He does not have permission to make many choices. No one will claim that the guard enhances their time in prison. If he does not protect the inner sections of the prison, as well as the perimeter, things can get very bad in a hurry. He is a hygiene factor, necessary but not desirable.
Every time I talk security with building systems guys (or with power grid guys), they tell me “Sure we have security.” They use HTTPS so no one can read our messages. They require long complex passwords so no one can get in. They never talk about enhancing the services offered by the building. They never talk about letting the right people do the right things easily.
Embedded system security sounds just like that prison guard. The problem is, we need that situation-aware, service-oriented bouncer.
Secure this Building!
There’s an old story told in military circles that illustrates the problems of discussing security. Each of the three forces was told to secure a building. The Army arranged for a platoon to set up a perimeter guard around the building. Troops surrounded the building, and let no one out. The Navy sent in the Marines, who took possession of the building, searched it room by room, and set up a guard at all of the entrances so no one could come in. The Air Force contacted a procurement officer, who negotiated a three-year lease on the building.
That’s the problem with security. Everyone knows what they mean when they say it, and no one asks what anyone else means.
Proper security is an absolute requirement for modern building control systems. Modern systems have added IP communications, the standard protocol of the internet, and sit on the corporate network. If we are going to allow enterprise programmers, and even tenants, to interact with embedded control systems, security is the key. Security is specified as a requirement in every new construction job.
When I ask for security, though, I never know what I am going to get. I am also pretty sure that I will never be asked. Will I get the Army, the Navy, or the Air Force?
Straining the analogy, I can pretty much assume I will get the Army version. Building systems put in perimeter security; nothing gets in or out. To my mind, perimeter security is the most expensive kind.
Perimeter security is too expensive. The control system costs what it costs. I get some minimum value for that cost. Perimeter security means that I will never get more than that minimal value because I cannot get to the systems and their information. Perimeter security is too expensive because it is the hard way to accomplish results; if I want the system to talk to no one, it is far cheaper and more secure not to cut a door into a wall than it is to lock that door carefully. Perimeter security is insecure because it is not as secure as no access at all.
Until building systems define higher-level functions for network access, any security beyond perimeter security is indefinable. What does secure access to a temperature setting mean? How do I define the proper access for a C-level executive, for her administrative assistant, and for a building tenant, if all I have is tags and sensor readings, never defined? If those tag readings turn into the lobby thermostat, or the building security schedule, then perhaps we have some way to talk about security.
I want better security. I want to have serious discussions about what better security means. But first, we need to define what is being secured.
Security: the path to service
Security is a business service. Security is not about keeping people out. If keeping people out was all you wanted, it is far easier to let no one in than to guard a door. Security is about providing the right services to the right person at the right time. Security enhances every business service you offer.
Security needs to be aware of the situation, it needs to be aware of identity, and it needs to be aware of role. That is, a secure system always needs to be aware of what is going on, who is trying to do things, and what their role is. A great system should consider delegation as well, i.e., if this person doesn’t have rights, did someone else who does lend them to him?
When each function that can be invoked in a system is aware of these things, then the enterprise is able to offer more services than it could before. A secure organization can extract more value from each of its services and processes. Things cost what they cost, but their value is in how many different ways you can use them. This is particularly true for embedded systems.
Imagine the naturist family living in the city. They can barely open the door; the city offers them no value. Now add clothes to that family. They can go out into the town. They can invite others into their home. Their enjoyment of others is increased. If they want to assert their naturism, they can do it with friends, who have already passed the security checks. Life has improved. Security has enhanced amenity.
To harvest the maximum value from its existing procedures, technologies, and information, an enterprise needs to be secure in everything it does. This is what we call pervasive security. But as I illustrated in an earlier post on pervasive time, security that is everywhere is nowhere in particular.
When you have pervasive security across your systems, each one can be exposed to more people. What value would you find in the following systems if you could somehow share them with others:
- Security Enhanced Building Systems
- Third Party Energy Managers
- Discoverable interfaces to home systems
- Grid Operations
Great security will enable you to provide better service. This service will enable you to charge a premium over those who do not. It has little to do, however, with trivial techniques, such as merely using HTTPS for your Web Service. Encryption can be a part of security, but it is not security.
Security is an approach to every aspect of system design that must be built into the architecture, and into each service in that architecture.
Time for Pervasive Security?
Pervasive Security was a new track at Connectivity Week. Pervasive security occurs when every transaction is aware of the identity, location, context, and role of the requestor, wherein identity might be determined by some identity source external to the organization, role might be determined by an external business process, location might distinguish, say, between access internal or external to a firewall, and context is the business situation surrounding the interaction.
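The per-transaction check defined here, together with the delegation question raised in "Security: the path to service", shown as an added example that is not from the original posts. The identities, role names, function names and policy table are constructed for illustration, borrowing the lobby thermostat and building security schedule from "Secure this Building!".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    identity: str                 # who is asking
    role: str                     # role asserted for this identity
    location: str                 # "internal" or "external" to the firewall
    context: str                  # business situation: "occupied", "after_hours"
    function: str                 # named building function, not a raw tag
    on_behalf_of: Optional[str] = None  # identity that lent its rights, if any

# Constructed policy: function -> role -> (allowed locations, allowed contexts)
POLICY = {
    "lobby_thermostat.set": {
        "executive": ({"internal", "external"}, {"occupied", "after_hours"}),
        "tenant": ({"internal"}, {"occupied"}),
    },
    "security_schedule.edit": {
        "executive": ({"internal"}, {"occupied"}),
    },
}
ROLES = {"ann": "executive", "bob": "assistant", "tina": "tenant"}  # constructed
# (delegator, delegate) -> functions the delegator has lent
DELEGATIONS = {("ann", "bob"): {"lobby_thermostat.set"}}

def decide(req: Request) -> tuple:
    """Return (allowed, reason) for one invocation; anything unlisted is denied."""
    rules = POLICY.get(req.function)
    if rules is None:
        return False, "unknown function"
    if ROLES.get(req.identity) != req.role:
        return False, "role not held by identity"
    role = req.role
    if role not in rules and req.on_behalf_of:
        lent = DELEGATIONS.get((req.on_behalf_of, req.identity), set())
        if req.function not in lent:
            return False, "no delegation for this function"
        role = ROLES.get(req.on_behalf_of, "")
    if role not in rules:
        return False, "role has no rights"
    locations, contexts = rules[role]
    # Delegation lends the role only; location and context are still checked
    # against the request actually being made.
    if req.location not in locations:
        return False, "location not permitted"
    if req.context not in contexts:
        return False, "context not permitted"
    return True, "allowed as " + role
```
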
I am not going to discuss Pervasive Security yet. By way of illustration, however, I will discuss pervasive time.
Jeff Stern, of KoolSpan, gave an excellent talk during the session. He illustrated pervasive security by recalling the development of Pervasive Time.
Time started as a city-wide, and then a town-wide phenomenon, with a clock in the central cathedral or courthouse. The entire town could look up to the single instance of time.
Later, the well-to-do could acquire time, in the form of large grandfather clocks. In time these expanded into mantel clocks affordable for the middle classes. The model now is one clock per house.
The next development was personal time, as watches came to the fore. Everyone wore a watch, everyone had personal time.
Today, we have pervasive time. Incredibly accurate time is the underpinning of all internet activity. Each device in the house seems to have its own clock, ready to flash 12:00 angrily at us if power flickers.
And most people? Well, they no longer buy mantel clocks. Or even watches. All but one in the room had no watch, but instead reached for their cell phone, its time perpetually updated over the ether.
Time is now everywhere, and nowhere. Time is pervasive. Security is next.

