Search Archives
Why New Daedalus?

Daedalus was the mythical great architect and artificer of the classical world. Today, embedded intelligence is enabling the most profound changes in the way we create and use buildings since his day.

Building Intelligence meets the Intelligent Building. The Intelligent Building negotiates with the Intelligent Grid. How will this transform how we interact with the physical world?

More on the Web
Login
Powered by Squarespace

Entries by Toby Considine (446)

Saturday
Aug242019

Secure Remote Access to Insecure Systems

p>I have written for years here that control systems are not designed for security, and that one needs to create a security architecture as part of connecting building systems to networks. Recently, I had to design a security architecture to allow remote access to several systems with no security built in. An example of such an architecture is below.

Click to read more ...

Sunday
Jul282019

Cybersecurity of Power and the Signals of Time

I was writing about about Power Cybersecurity and the information transmitted over the power signal, when I got distracted by an old family story. The story made that post too long. This post Recalls Power as a Time Signal.

Today, power is usually turned to DC before it is used, and doing so removed its periodicity as a signal. It wasn’t always so. The frequency of power used to be the heartbeat of time.

Click to read more ...

Saturday
Jul132019

Spontaneous Order on a Continental Scale

A recent conversation about European power markets and some “glitches” in early June shown a light on profound issues in cybersecurity, in system architectures for big infrastructure, and to an extent the scalability problems with many of the hottest applications for the Internet of Things (IOT). The specific observations was a plea for direct central control, even as it used an example that showed the shortcoming of infrastructure architecture based on assumptions of central control. It then learned the wrong lesson, that spontaneous order is too “risky” at large scale.

Click to read more ...

Thursday
Jun272019

Cybersecurity of Power—Resources

As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource.

Click to read more ...

Tuesday
Apr302019

Tighten Up Security Claims

Last month the focus of the issue was Cybersecurity. Cybersecurity is a complex issue with many facets, but it doesn’t need to be as hard as it is. A big problem is evaluating the tools, figuring out what they really do, and deciding what problems to solve.

Most security products promise the world, but it is hard to compare them, and to understand what problem they solve. Marketing language alone describes what each product does, and it often hard to compare the claims and evaluate the risks.

It’s time to tighten up the Cybersecurity language, to evaluate threats to buildings and what harme they may cause.

Formal cybersecurity defense rests on the tripod evaluation tripod: Capabilities, Threats, and Mission. Evaluation of the value of cybersecurity always depends on two of them. What will a Threat do to degrade a system Capability? How does each Capability support the organizational Mission? And so on. Looking at the risks of systems in a building in this light

Readers of this blog are well aware of System Capabilities. The Smart Building sales cycle attaches those capabilities to the Mission. Different organizations have different missions, so the capability provided by a given building-based system may support different missions in different ways.

The Threat is too often ill defined. What does an attack do, and what is supported by preventing each attack? How do we compare one security product to another? Evaluating vendor claims too often seem like flim-flam, with no clear means to evaluate risks. The automated building industry itself makes this worse, as poorly defined claims are made in language that prevents comparison or risk analysis.

In April, I met with proponents of the cyber security taxonomy developed by the US Department of Defense to defined and classify threats The DOD Cybersecurity Analysis and Review (DODCAR) defines a taxonomy of cybersecurity threats, creating a standard language to discuss security, Each threat is defined in terms of what it does and how it works.

Building System integrators can look to each of these threats, and consider how each might degrade the capabilities provided by their systems. By looking to the missions that they seel their systems into, they can evaluate the risks and costs of each vulnerability.

I recommend learning DODCAR, and using it to clean up product claims, and to evaluate imprecise security language, and to understand where to get the most benefits from improved cybersecurity.

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf