How do I secure my CPS Devices?

imageSecurity and CPS devices present an interesting problem. First because we are talking billions of devices. The three concerns that I detailed previously were data, power and access. Access being the broad swath that security lives in. We can also argue that security would be a bubble that fits behind the entire CPS world.

imageIf we explode the access piece we gain additional information about where we have to apply security. There is user level, data level, device level, transmission level and finally location level access that we need to consider. Device is the hardest in that many devices aren’t going to have security chips in them. Location is most interesting because it presents two problems. So let’s start with secure locations.

imageBy definition CPS devices are connected. That means me when when you consider their location you also have the issue of physical and cyber location. It is somewhat reasonable to secure a physical location. The catch-22 here is that you often rely on CPS devices to provide physical security. Now, you have a cyber available security system.

Many years ago when Active Directory first appeared there was an interesting concept of group policies. Where you could apply a set of rules to users, groups and domain joined machines. We tested and played with that at a number of larger customers and came to the realization that security was best applied tightly to machines and loosely to users. Users were more likely to wander to a kiosk and use it. Machines didn’t often wander the building. If they did they were likely terminators and well we were running for our lives and no longer worried about security.

The problem with applying the highest security on the CPS device itself is the resulting change to the device. Many CPS devices continue to shrink. They continue to become smaller and smaller so that their utility is greater. That means there just isn’t physical space for greater security. So instead with CPS we have to apply the greatest security on the user. Social Engineering becomes the hacking tool that violates your CPS system now.

We can argue that there are CPS devices that we don’t care if they get hacked or if their information is compromised. An outside weather station that broadcasts information is information we don’t need to secure. If however that weather station is tied to the HVAC system of a building, we can’t let the information be hacked or modified (air conditioning is wonderful in the summer, really uncomfortable in January when your office is 22 degrees F). So there are devices that we don’t care if their data is compromised. And devices that we do care.

Security and CPS is a very interesting problem. Where access is used to apply security and where other forms of security are used to protect access becomes the question. What once was simply applying physical security (a guard with a gun and a gate or the 3g’s) doesn’t work when the device that is producing the information is cyber connected as well.

more to come…


new rut CPS Security!

Stuck in the rut of who owns my image…

We are taught at a very young age to look both ways when crossing the street. When my kids were little I used to joke look left, look right and then look up for helicopters. It was a joke but now with the eye in the sky and underwater and well all around us maybe we should start teaching that. Look around you in every direction.

Who will watch the watchers? And what of all those images is the responsibility? If, I commit no crimes, should my image be released or erased? I know this is another one of my ruts. But it is one that continues to bug me. Do I own my image?

Photographers capture moments. They see something in the collection of air and water around them and capture it. It is a vision. But, in this vision there is a person. Their image now forever on my blog. Do they own that image? Or do I? The image means one thing, the text talks about something else.

The copyright of the text is mine. The copyright of someone’s image is owned by them or the photographer (if the person signed a release). All this is well and good. That is not a gray area it is very clearly a legal ownership.

I walk by a camera like this at someone’s home. It captures my image as I walk by. Should that image be stored? Most security cameras are linked to a DVR. They record motion based video. So as you walk by it activates the camera. These cameras by the way record at night as well as in the daytime. You can see the images in the darkness as if it were light outside.

I know I am trying to beat a fart out of a dead horse. But in the end that image is critical. The uniqueness that is you is something you own.


still wondering who owns the image that is me…

I keep asking do I own my image. I keep getting an answer I don’t like…

Songs that when they come on you always start singing even if you are stuck in traffic and everyone is looking at you. The Alan Parsons Project song “Eye in the Sky” is one of those songs for me. But now it means more than it did before. A drone violated the air space of the US Open Tennis tournament and got a person arrested.

There are eyes in the sky. Robert Heinlein, the science fiction writer wrote a great line. In English (its in Latin in the book) the line is basically who will guard the guardians. If you arm those that protect with powers that can be abused Shakespeare said power corrupts. So the reality if you listen to the entire song “Eye in the Sky” you begin to realize that while it is cool it is also a risk.

Today there are three issues that are of concern:

  • Someone crossing your stream (Ghostbusters reference) in particular someone on purpose or accidently interfering with your connection with your drone.
  • Your drone loses connection because of range and flies off
  • You fly your drone in the wrong place.

I won’t argue that the data collected by a drone flying overhead capturing images may or may not be violating my rights. The argument over who owns an image is one that hasn’t been fought yet. (Do I own my images. According to the law you have to have my permission, but there are loopholes. One of the biggest is the reality of social media and pictures that are freely shared).

You don’t want a predator drone staring you down. But you also don’t want your neighbors drone taking pictures of you. In the age of social media how far does personal privacy extend?

Do I own my image?

I have asked that question for many years now. The answer is a gray area at best. In fact it is fairly far into the gray scale. Within limits I own my image. I can refuse to have my image in a publication or on the news, unless I am in a crowd that is panned by a news or event camera. When handing a ticket taker a ticket I do implicitly grant the owner of the event the right to promote that I was there. Ergo they can capture my image because I completed the de facto contract of handing a purchased event ticket to the ticket taker.

The loopholes are many. The eyes are in the sky. Where can I draw the personal privacy line?


PII and me….

Someone is watching you. So the question is do you still own the image that is you?

In the John Mellencamp song “Small town” there is a great line. Talking about growing up in a small town and not caring about the big city but still saying “look who is in the big city.” It’s the mix of what we see and understand and in the end what we value. But there is another part of that and it is really is where CPS is going to live in the future.

Do you see the sensors around you? Video probably as you wander past a video camera. Or you stop at a certain stoplight because there is a red light camera. And its hard to argue right turn on read because you have to appear in court. No matter what you still have to come to a full stop, even if turn on red is legal. The only time you don’t have to slow down is when there is a green arrow. So you stop because of red light sensors.

The rise of the senor isn’t just that they (sensors) are watching us. It is that they are everywhere. Crossing the corner you may see several video cameras pointing at various places.

Homes have them, video cameras that survey the world around us. Recording motion and watching as people sleep. Their unblinking eyes don’t miss events. But those are the sensors we see. There are many more. Motion sensitive, pressure sensitive sensors that watch and see everything. Did you know that someone can hack into your phone and track the sound and motion your phone experiences. Accelerometers and microphones offer a myriad of information and we don’t even know that someone has hacked our phone.

IMG_1152 [1449611]

The nanny cam can be a teddy bear or a camera in an alarm clock. The sensor can be like this, the BUBL camera. It looks like a ball. But it sees all around. 360 degrees of vision resulting in a view of everything.

(by the way if you ever wanted a 360 degree camera for well anything including attaching it to the bottom of a drone get the bubl it rocks)

I’ve talked about continuation and the concept of a modular drone. The thing I guess that today is about is remembering that the sensors are there. Not that people are sitting at desks watching you. They may be. But that they could be watching you.

I asked once as a joke. Then I asked again because I got a lot of interesting responses. Who owns my image when it comes to the world of CPS. If, I am out walking, do I own my image. Because the route I take every afternoon (early evening) has 4 cameras on it. Do I own the image captured by those cameras? Do I own the image captured of my car by a traffic camera when I do not violate the law? I understand the legal concept of if you break the law you have less ownership rights. But do I own my image when I don’t break the law?


CPS state of mind…

Technology is moving past acceptance into expected…

Yesterday was Scott Geek day. I got to hang out in the Apple Store, wander by the Microsoft Store (and see the new Surface Book – I am impressed)! and finally sit in a Tesla. The last one was probably the highlight of the evening. I’ve seen them (Tesla’s) but have never had the chance to sit in one.

It is interesting to me first off as a social experience how much being a geek has moved into the mainstream. What once was a fringe activity is now installed in the mall. The Microsoft Store and the Apple Store were packed. There were 20 people wandering through the Tesla store. Where once those stores existed at the end of a strip mall and only 2 or 3 people were in them at a time were all packed.

First of all it is because there is much more technology in our world today than there was as recently as 10 years ago. The ubiquitous cellular phone and the explosion of capabilities in that device has changed the view of technology. Its cool now to have technology bling. I still haven’t seen my “sarcastically” predicted blinking LED’s as personal decorations but the reality is the cellular phone is a personal device the vast majority of people have and use.

Adoption moves to acceptance and acceptance moves to expected. When is the last time you were expecting a package that you didn’t track it? When is it arriving? You get emails now from UPS or FedEx (or DHL etc.) telling you to expect a package on Monday. They email you when the package is left on your door step. That by the way is beyond acceptance that is expected.

An example that I’ve used very recently of moving from acceptance to expected is the power in your house. Many years ago companies would build their own power plants. Then the power companies came and began building centralized generation and distribution models. Now we flip the switch and we expect power.

So as more and more technology moves to expected what does that do? It brings more and more technology into play. The ubiquitous cellular device has a world of technology behind it. A world that isn’t shown or seen but its there.

We no longer think about the impact of a cellular device. We simply have it on. I know personally that I often find myself absorbed into the tiny world of my phone. A friend passed me on the road the other day on the way home. She said she tried to get my attention but I was focused on the traffic ahead of me (DC it wasn’t moving) and talking on a conference call. My world shrank to just what was in front of me.

I posted a joke blog about the devolution of humans. Hunching over our cellular devices. It was meant as a joke but one of the things I have noticed is that people don’t act the same socially now that they did when I was little. It is acceptable to text and communicate via electronic communication. People actually call less and less now because you can text or IM.

Still to end with my point. So much of technology is moving past acceptance and into expected. That pulls a great mass of possible along with it.


Looking to a bright tomorrow (hunched over my cellular phone)

Heading down the path of designing Smart Devices….

A single smart device. First off you have to ask what makes the device smart? Is it the information you have on the device, or the information you can get? Because in that case the user is smart, not the device. Is it that the device can learn? The new Apple Maps using analytics to track your commute. When I get to my car (about the same time every day) Apple Maps tells me its 85 minutes to Maryland. Now that 85 minutes isn’t always true (mostly its more) but you get the idea. It is the result of collecting data (my GPS tracks) and analyzing that to produce a consistent trend (where do I go and how long will it take).

The mix of analysis and data is of course the great reality of what has been called “Big Data” the past few years. The implementation of data analysis provides an interesting reality. First off today we are talking about 110 zB of data (Zeta Bytes) produced by the IoT/CPS devices of the world.

See the thing is there is that much data produced, its really not the internet of things. Its why Cyber Physical Systems represent a much better overall name. CPS allows for the automation and collection of data that comes from IoT devices. Resulting in the broader internet of data. You see the data is the real value of CPS devices. There are 10 billion or so devices deployed today. They produce 110 zB of data. It’s the data that people are chasing.

This brings me to my actual topic for today the presentation of that data. Data analytics are awesome. It is something that will become, frankly already is a game changer. Its depressing knowing its 88 minutes to my house. Its more depressing to have no traffic at all and suddenly be in the world’s fifth largest parking lot for 144 minutes. I would rather know my fate than come upon it unaware.

So the data produced is massive. If you do the math it is nearly a zB of data produced every month. No one person could go through all that information. But more importantly the value of the information is two fold.

  • How is the collection of data managed
  • How is the data presented to the actual consumer

The first one is all about Cyber Resilience. Creating an infrastructure and application layer that are designed to fail. Creating a multi-zone cloud implementation that allows for the entire system to fail and remain active.

In the second bullet there are two themes of mine that have been on this blog before. The bandwidth of the device the user is using to access the information and the screen the information is presented on.

I have formula for the screen and data combination. The density of data is proportional to the size of the presentation screen. In the old days we used to talk about 3 tier applications. User layer, business process layer and finally the data layer. If we maintain that view of modern applications but instead do the following:

  • Presentation layer (the direct interaction with the user and how do we provide secure access at the device level)
  • Transportation layer (how does the data get there and how is it secured while it is moving)
  • Storage and compute layer (where the data exists, where most analytics are preformed and where we provide both the presentation layer and storage layer security).

The architectural diagram for this lies over the N-Tier application. For the last bullet we create a security map. Where is the data at any point in the process and what security principles are applied at any particular point.

Our transportation layer looks at the total available bandwidth for the user. Cramming a zB down a 14..4kbs pipe does no one any good. Plus the user will be downloading that data for the foreseeable future and I doubt they have a zB of available local storage.

Finally formatting and screen presentation. I have talked about bandwidth and the reality of what is coming there. The screen is the next big hurdle. Moving to the broad concept of the screen as a service makes this whole thing work. It has to be secure but we have to have a flexible screen.

Your smart device should, along with telling you its 88 minutes to your house say “please find a larger screen for this data. There are 8 screens near you to use. One of them is secure shall I push your information to the secure screen?

The smart device offers options. Automated structured options that help you consume the data you need to consume and act on the data you need to act on.


Smart Device Dreamer….

Information only works when it isn’t a day late and a dollar short…

Transactive Energy in action – this is a link to my report from the solar system for yesterday. I think the link will work for anyone but we will find out!

Why in the end am I spending so my time on TE and Bandwidth. Because beyond the initial three areas of concern (Data, Access and Power) that I’ve talking about there is a quiet revolution happening. Today Washington State gets more than 70% of its consumed power from renewable sources. The country Germany, is moving towards 50% of its energy coming from installed home based solar panels.

TE and CPS however are linked. The reason? Simply put I included a link to a report that I can pull every day. It is a CPS sensor that connects to the digital electric meter of my house to tell me actual power consumption and to my solar system to tell me actual production.

Now for me today this is not critical information. If there was someone in my house that health issues that required energy to support their medical care it would be critical information. But for now its kind of nice to know.

The peaks and valleys of power use in your house remain intriguing. Over time of course you are going to want to change habits and consider becoming even more green. It’s nice to consider the easy ways to help the world around you.

(if you are interested in a solar system and want a referral directly to a sales person that won’t BS you, let me know via email and I will get you to the right person)

I talked about this briefly before and today again loosely. The concept of data that is critical versus data that is nice to know. Both types of data are presented to you. Both have a time to live. The relevance of information is bound to the nature of the information and the timeliness of the presentation.

How many times have you gotten an answer to a problem, a week after you solved the problem. Yes nice to know you did it the right way but in the end too late. So considering that information has a TTL (Time to Live) and also has delivery limit its important that we are able to automate emergency information. There is a great comic I’ve seen in the past about a manhole cover and a person walking with their cell phone. Heads down and not paying attention the person walks into the manhole cover. Given that information existed that could have warned the person, texting them in the hospital after falling doesn’t help them. Flashing on their screen three or four steps before they fall is life changing.

That’s where bandwidth comes to play. The more you have, the more critical information you can get. The less you have the more you need to prioritize your critical information list. This has to be automatic.

A significant component of smart devices will be the understanding of the limits of the bandwidth the user is getting and the priority of the information you need to get to that user.



Rules for smart devices and further discussion of the upcoming problems….

The three components of CPS futures. Not three ghosts visiting you in a single evening. Rather the three pieces of a increasing complex puzzle. Data, Access and Power.

110 zB or Zeta bytes of information currently produced by CPS sensors and devices every year. Based on an installed base of 10 – 14 billion CPS devices. A number that increases every year and is projected by 2020 to be near 46 billion deployed devices or if you are doing the math – 4 times what we have deployed today. We can assume with smart devices we won’t have a linear increase in data produced but you can safely assume that there will be between 200-300 zB of information produced by CPS devices.

Smart Device Rule: Only report when there is a change outside of your known good range. (easy one – if you are a river level monitor and the river changes 1 inch don’t report it. If the river changes to near flood stage report it).

So that CPS device has to have some level of security. There needs to be a level of security on the device. Personally I think of the show “Person of Interest” as an example of why there needs to be cloud, transport and device level security. It shouldn’t be that easy to tap into the video feeds of New York City. So Access to what and how becomes important. Who grants access and who revokes access to a CPS implementation. Where possible access and revocation should be automated.

Smart Device Rule 2: Be aware of how much data you are moving and the amount of bandwidth you have available.

The last piece of my puzzle is power. Every year in the fall I change the batteries in the smoke detectors in my house. They are now NEST connected so they are CPS devices. They have rechargeable batteries so I don’t have to change them weekly but you do have to change them from time to time. Easier just to do it once a year.

Smart Device Rule 3: Buy power on the sport market – use power intelligently. When possible balance battery versus charging.

Reality is there is a fourth problem (Bandwidth). I’ve been trying to beat a fart out of that dead horse for a long time. Today most homes will have bandwidth problems very soon. Cable companies advertise that they provide the fastest in home Wi-Fi connections. They may, but that router only has one cache and your CPS devices are chewing up that bandwidth and cache by the second. The risk of CPS devices in the home is who can touch them, see them and use them. The value is that you can access them and use them. But if your router is overloaded you won’t be able.

Smart Device Rule 4: Understand who should use your data. Report violations of data integrity and device access.



The evolution of the smart device.

The smartest device is one that adapts quickly to new requirements. The innovations and the smart devices however don’t always come from traditional sources. I think that is the big evolution of the past five years.

I know the graphic on the left is funny. I choose it on purpose. The first big feature added to smart devices was GPS. I remember the addition of GPS quite vividly. Back in the day I traveled a lot. I used to have to get my laptop out and connect my GPS connector to the USB board and load Co-Pilot. Landing in a new city virtually every day made it easy to get lost. The first PPC phone with GPS installed was the HP. Now I just take my cellular device out of my pocket, I still load Co-Pilot but now my laptop stays in my bag.

That initial evolution of smart devices made a huge difference. But it was only the tip of the spear. Much was to come that was even more innovative.

Now you can simply plug a weather station right into the audio in port of your cellular device. You will know very quickly what the weather is where you are. Barometric pressure and current temperature as well as the moisture in the air. Everything at your fingertips and you don’t have to install a huge weather station.

But that is child’s play. Now there are new devices appearing that make the weather station and GPS seem like tiny evolutions. They aren’t mind you, they are huge but these new things are making huge evolutionary leaps forward.

First of all – drinking and driving just isn’t smart. But now you can connect a breathalyzer to your cellular device. You can check your BAC before you get into the car. It isn’t as accurate as the one held by the officer in the picture but it will tell you close enough that you shouldn’t be driving.

Thermal imaging cameras, laser measurement, 3d scanners, 3d cameras all now available and simply running on the software on your smart phone.

  • Spike from Ike: Awesome laser measurement device and software.
  • Structure: 3d scanner that fits snugly on your iPad or Android Tablet.
  • Breathometer: breathalyzer attached to your cellular phone
  • Seek: Thermal imaging camera
  • Sleipnir: Wind speed and wind directional meter attached to your cellular device
  • Bubl Camera: 3d camera you connect to your smart phone via software
  • Deeper: Sonar that connects to your smart phone

All of these things are available now, on the market and have stable software. The smart device is evolving around us. Now the question is how fast and how far. I used to carry a pocket pc and two sleeves to do what my iPhone can do out of the box. I can add software that makes what my pocket pc did for me then obsolete. And I don’t have to carry a bunch of sleeves and cards with me.


Smart Device dreamer

I will gladly trade you a KW today for two tonight…

Some of my readers get frustrated when I get stuck in a blog rut. Blog rut by the way is not my term it was shared with me by one of my oldest readers to describe a long series of blogs on a single topic about 4 years ago.

My current rut is IoT/CPS, Transactive Energy and the reality of smart devices. I do in fact realize I’ve posted a lot about the topic in the past couple of months. I am wandering through my thinking trying to decide what my concerns are for a number of these technology solutions and implementations.

On a side note: I used to drive in rural southern Indiana. We used to measure ruts by how many cars could fit across the rut. There were a lot of places where off road really meant off road. There were a lot of places where it was critical to avoid the two ruts that were deep and full of mud. If you hit the rut you got stuck for a long time. Which I think is why my long time reader calls it my rut. Once you hit the rut you are stuck in it for a long time.

This one has a few more bumps to go so hang on. I think the ride is going to go on for a bit. At the very least there is today’s post and a few others. The concept of intelligent or smart devices is intriguing to me. First off because it is a combination of a number of other solutions that I am interested in. I can see where the reality of CPS, Cloud Broker and Continuation come together as we go forward. An apex of technology intersection to quote a dear friend of mine.

So this new world order that will be created presents some very interesting concepts for consideration. The first concept is how will we going forward secure these new solutions. It’s one thing to secure a billion objects. It is quite another thing to secure 50 billion objects.

I haven’t even gotten into the TE argument of centralized versus decentralized control. Today the power companies have for the most part centralized control that goes from the production system to the consumer. In the future that is going to change as the consumer may also be the producer.

Power storage becomes a very interesting problem at that point. As cloud storage was about 5 years ago power storage will become a commodity. How much though and where you store your “extra” generated power and how much that will cost will become interesting. The storage power that is trickled back to your house at night when your solar system is less effective has to be cheaper than the power provided by your backup system (current power utility). But power storage isn’t cheap.

You have to consider the following.

1. It needs to be pretty close. We are not talking massive amounts of energy and the cost has to be maintained. Currently you can get a battery system for your solar implementation but the cost can be as much as 20% of the overall cost of the system.

2. You will have to rent power lines from the Utility company. In order to move energy in and out of the neighborhood (out during the day in at night). This requires a different relationship with the power company.

3. The batteries will need to be protected from extreme heat and cold. They do produce a lot of heat also, so you need to be able to cool them effectively.

Oh to live in power production times.


Wondering about the future of the future…