How do I secure my CPS Devices?

imageSecurity and CPS devices present an interesting problem. First because we are talking billions of devices. The three concerns that I detailed previously were data, power and access. Access being the broad swath that security lives in. We can also argue that security would be a bubble that fits behind the entire CPS world.

imageIf we explode the access piece we gain additional information about where we have to apply security. There is user level, data level, device level, transmission level and finally location level access that we need to consider. Device is the hardest in that many devices aren’t going to have security chips in them. Location is most interesting because it presents two problems. So let’s start with secure locations.

imageBy definition CPS devices are connected. That means me when when you consider their location you also have the issue of physical and cyber location. It is somewhat reasonable to secure a physical location. The catch-22 here is that you often rely on CPS devices to provide physical security. Now, you have a cyber available security system.

Many years ago when Active Directory first appeared there was an interesting concept of group policies. Where you could apply a set of rules to users, groups and domain joined machines. We tested and played with that at a number of larger customers and came to the realization that security was best applied tightly to machines and loosely to users. Users were more likely to wander to a kiosk and use it. Machines didn’t often wander the building. If they did they were likely terminators and well we were running for our lives and no longer worried about security.

The problem with applying the highest security on the CPS device itself is the resulting change to the device. Many CPS devices continue to shrink. They continue to become smaller and smaller so that their utility is greater. That means there just isn’t physical space for greater security. So instead with CPS we have to apply the greatest security on the user. Social Engineering becomes the hacking tool that violates your CPS system now.

We can argue that there are CPS devices that we don’t care if they get hacked or if their information is compromised. An outside weather station that broadcasts information is information we don’t need to secure. If however that weather station is tied to the HVAC system of a building, we can’t let the information be hacked or modified (air conditioning is wonderful in the summer, really uncomfortable in January when your office is 22 degrees F). So there are devices that we don’t care if their data is compromised. And devices that we do care.

Security and CPS is a very interesting problem. Where access is used to apply security and where other forms of security are used to protect access becomes the question. What once was simply applying physical security (a guard with a gun and a gate or the 3g’s) doesn’t work when the device that is producing the information is cyber connected as well.

more to come…

.doc

new rut CPS Security!

Stuck in the rut of who owns my image…

We are taught at a very young age to look both ways when crossing the street. When my kids were little I used to joke look left, look right and then look up for helicopters. It was a joke but now with the eye in the sky and underwater and well all around us maybe we should start teaching that. Look around you in every direction.

Who will watch the watchers? And what of all those images is the responsibility? If, I commit no crimes, should my image be released or erased? I know this is another one of my ruts. But it is one that continues to bug me. Do I own my image?

Photographers capture moments. They see something in the collection of air and water around them and capture it. It is a vision. But, in this vision there is a person. Their image now forever on my blog. Do they own that image? Or do I? The image means one thing, the text talks about something else.

The copyright of the text is mine. The copyright of someone’s image is owned by them or the photographer (if the person signed a release). All this is well and good. That is not a gray area it is very clearly a legal ownership.

I walk by a camera like this at someone’s home. It captures my image as I walk by. Should that image be stored? Most security cameras are linked to a DVR. They record motion based video. So as you walk by it activates the camera. These cameras by the way record at night as well as in the daytime. You can see the images in the darkness as if it were light outside.

I know I am trying to beat a fart out of a dead horse. But in the end that image is critical. The uniqueness that is you is something you own.

.doc

still wondering who owns the image that is me…

I keep asking do I own my image. I keep getting an answer I don’t like…

Songs that when they come on you always start singing even if you are stuck in traffic and everyone is looking at you. The Alan Parsons Project song “Eye in the Sky” is one of those songs for me. But now it means more than it did before. A drone violated the air space of the US Open Tennis tournament and got a person arrested.

There are eyes in the sky. Robert Heinlein, the science fiction writer wrote a great line. In English (its in Latin in the book) the line is basically who will guard the guardians. If you arm those that protect with powers that can be abused Shakespeare said power corrupts. So the reality if you listen to the entire song “Eye in the Sky” you begin to realize that while it is cool it is also a risk.

Today there are three issues that are of concern:

  • Someone crossing your stream (Ghostbusters reference) in particular someone on purpose or accidently interfering with your connection with your drone.
  • Your drone loses connection because of range and flies off
  • You fly your drone in the wrong place.

I won’t argue that the data collected by a drone flying overhead capturing images may or may not be violating my rights. The argument over who owns an image is one that hasn’t been fought yet. (Do I own my images. According to the law you have to have my permission, but there are loopholes. One of the biggest is the reality of social media and pictures that are freely shared).

You don’t want a predator drone staring you down. But you also don’t want your neighbors drone taking pictures of you. In the age of social media how far does personal privacy extend?

Do I own my image?

I have asked that question for many years now. The answer is a gray area at best. In fact it is fairly far into the gray scale. Within limits I own my image. I can refuse to have my image in a publication or on the news, unless I am in a crowd that is panned by a news or event camera. When handing a ticket taker a ticket I do implicitly grant the owner of the event the right to promote that I was there. Ergo they can capture my image because I completed the de facto contract of handing a purchased event ticket to the ticket taker.

The loopholes are many. The eyes are in the sky. Where can I draw the personal privacy line?

.doc

PII and me….

Someone is watching you. So the question is do you still own the image that is you?

In the John Mellencamp song “Small town” there is a great line. Talking about growing up in a small town and not caring about the big city but still saying “look who is in the big city.” It’s the mix of what we see and understand and in the end what we value. But there is another part of that and it is really is where CPS is going to live in the future.

Do you see the sensors around you? Video probably as you wander past a video camera. Or you stop at a certain stoplight because there is a red light camera. And its hard to argue right turn on read because you have to appear in court. No matter what you still have to come to a full stop, even if turn on red is legal. The only time you don’t have to slow down is when there is a green arrow. So you stop because of red light sensors.

The rise of the senor isn’t just that they (sensors) are watching us. It is that they are everywhere. Crossing the corner you may see several video cameras pointing at various places.

Homes have them, video cameras that survey the world around us. Recording motion and watching as people sleep. Their unblinking eyes don’t miss events. But those are the sensors we see. There are many more. Motion sensitive, pressure sensitive sensors that watch and see everything. Did you know that someone can hack into your phone and track the sound and motion your phone experiences. Accelerometers and microphones offer a myriad of information and we don’t even know that someone has hacked our phone.

IMG_1152 [1449611]

The nanny cam can be a teddy bear or a camera in an alarm clock. The sensor can be like this, the BUBL camera. It looks like a ball. But it sees all around. 360 degrees of vision resulting in a view of everything.

(by the way if you ever wanted a 360 degree camera for well anything including attaching it to the bottom of a drone get the bubl it rocks)

I’ve talked about continuation and the concept of a modular drone. The thing I guess that today is about is remembering that the sensors are there. Not that people are sitting at desks watching you. They may be. But that they could be watching you.

I asked once as a joke. Then I asked again because I got a lot of interesting responses. Who owns my image when it comes to the world of CPS. If, I am out walking, do I own my image. Because the route I take every afternoon (early evening) has 4 cameras on it. Do I own the image captured by those cameras? Do I own the image captured of my car by a traffic camera when I do not violate the law? I understand the legal concept of if you break the law you have less ownership rights. But do I own my image when I don’t break the law?

.doc

CPS state of mind…

Technology is moving past acceptance into expected…

Yesterday was Scott Geek day. I got to hang out in the Apple Store, wander by the Microsoft Store (and see the new Surface Book – I am impressed)! and finally sit in a Tesla. The last one was probably the highlight of the evening. I’ve seen them (Tesla’s) but have never had the chance to sit in one.

It is interesting to me first off as a social experience how much being a geek has moved into the mainstream. What once was a fringe activity is now installed in the mall. The Microsoft Store and the Apple Store were packed. There were 20 people wandering through the Tesla store. Where once those stores existed at the end of a strip mall and only 2 or 3 people were in them at a time were all packed.

First of all it is because there is much more technology in our world today than there was as recently as 10 years ago. The ubiquitous cellular phone and the explosion of capabilities in that device has changed the view of technology. Its cool now to have technology bling. I still haven’t seen my “sarcastically” predicted blinking LED’s as personal decorations but the reality is the cellular phone is a personal device the vast majority of people have and use.

Adoption moves to acceptance and acceptance moves to expected. When is the last time you were expecting a package that you didn’t track it? When is it arriving? You get emails now from UPS or FedEx (or DHL etc.) telling you to expect a package on Monday. They email you when the package is left on your door step. That by the way is beyond acceptance that is expected.

An example that I’ve used very recently of moving from acceptance to expected is the power in your house. Many years ago companies would build their own power plants. Then the power companies came and began building centralized generation and distribution models. Now we flip the switch and we expect power.

So as more and more technology moves to expected what does that do? It brings more and more technology into play. The ubiquitous cellular device has a world of technology behind it. A world that isn’t shown or seen but its there.

We no longer think about the impact of a cellular device. We simply have it on. I know personally that I often find myself absorbed into the tiny world of my phone. A friend passed me on the road the other day on the way home. She said she tried to get my attention but I was focused on the traffic ahead of me (DC it wasn’t moving) and talking on a conference call. My world shrank to just what was in front of me.

I posted a joke blog about the devolution of humans. Hunching over our cellular devices. It was meant as a joke but one of the things I have noticed is that people don’t act the same socially now that they did when I was little. It is acceptable to text and communicate via electronic communication. People actually call less and less now because you can text or IM.

Still to end with my point. So much of technology is moving past acceptance and into expected. That pulls a great mass of possible along with it.

.doc

Looking to a bright tomorrow (hunched over my cellular phone)

Heading down the path of designing Smart Devices….

A single smart device. First off you have to ask what makes the device smart? Is it the information you have on the device, or the information you can get? Because in that case the user is smart, not the device. Is it that the device can learn? The new Apple Maps using analytics to track your commute. When I get to my car (about the same time every day) Apple Maps tells me its 85 minutes to Maryland. Now that 85 minutes isn’t always true (mostly its more) but you get the idea. It is the result of collecting data (my GPS tracks) and analyzing that to produce a consistent trend (where do I go and how long will it take).

The mix of analysis and data is of course the great reality of what has been called “Big Data” the past few years. The implementation of data analysis provides an interesting reality. First off today we are talking about 110 zB of data (Zeta Bytes) produced by the IoT/CPS devices of the world.

See the thing is there is that much data produced, its really not the internet of things. Its why Cyber Physical Systems represent a much better overall name. CPS allows for the automation and collection of data that comes from IoT devices. Resulting in the broader internet of data. You see the data is the real value of CPS devices. There are 10 billion or so devices deployed today. They produce 110 zB of data. It’s the data that people are chasing.

This brings me to my actual topic for today the presentation of that data. Data analytics are awesome. It is something that will become, frankly already is a game changer. Its depressing knowing its 88 minutes to my house. Its more depressing to have no traffic at all and suddenly be in the world’s fifth largest parking lot for 144 minutes. I would rather know my fate than come upon it unaware.

So the data produced is massive. If you do the math it is nearly a zB of data produced every month. No one person could go through all that information. But more importantly the value of the information is two fold.

  • How is the collection of data managed
  • How is the data presented to the actual consumer

The first one is all about Cyber Resilience. Creating an infrastructure and application layer that are designed to fail. Creating a multi-zone cloud implementation that allows for the entire system to fail and remain active.

In the second bullet there are two themes of mine that have been on this blog before. The bandwidth of the device the user is using to access the information and the screen the information is presented on.

I have formula for the screen and data combination. The density of data is proportional to the size of the presentation screen. In the old days we used to talk about 3 tier applications. User layer, business process layer and finally the data layer. If we maintain that view of modern applications but instead do the following:

  • Presentation layer (the direct interaction with the user and how do we provide secure access at the device level)
  • Transportation layer (how does the data get there and how is it secured while it is moving)
  • Storage and compute layer (where the data exists, where most analytics are preformed and where we provide both the presentation layer and storage layer security).

The architectural diagram for this lies over the N-Tier application. For the last bullet we create a security map. Where is the data at any point in the process and what security principles are applied at any particular point.

Our transportation layer looks at the total available bandwidth for the user. Cramming a zB down a 14..4kbs pipe does no one any good. Plus the user will be downloading that data for the foreseeable future and I doubt they have a zB of available local storage.

Finally formatting and screen presentation. I have talked about bandwidth and the reality of what is coming there. The screen is the next big hurdle. Moving to the broad concept of the screen as a service makes this whole thing work. It has to be secure but we have to have a flexible screen.

Your smart device should, along with telling you its 88 minutes to your house say “please find a larger screen for this data. There are 8 screens near you to use. One of them is secure shall I push your information to the secure screen?

The smart device offers options. Automated structured options that help you consume the data you need to consume and act on the data you need to act on.

.doc

Smart Device Dreamer….

Information only works when it isn’t a day late and a dollar short…

Transactive Energy in action – this is a link to my report from the solar system for yesterday. I think the link will work for anyone but we will find out!

Why in the end am I spending so my time on TE and Bandwidth. Because beyond the initial three areas of concern (Data, Access and Power) that I’ve talking about there is a quiet revolution happening. Today Washington State gets more than 70% of its consumed power from renewable sources. The country Germany, is moving towards 50% of its energy coming from installed home based solar panels.

TE and CPS however are linked. The reason? Simply put I included a link to a report that I can pull every day. It is a CPS sensor that connects to the digital electric meter of my house to tell me actual power consumption and to my solar system to tell me actual production.

Now for me today this is not critical information. If there was someone in my house that health issues that required energy to support their medical care it would be critical information. But for now its kind of nice to know.

The peaks and valleys of power use in your house remain intriguing. Over time of course you are going to want to change habits and consider becoming even more green. It’s nice to consider the easy ways to help the world around you.

(if you are interested in a solar system and want a referral directly to a sales person that won’t BS you, let me know via email and I will get you to the right person)

I talked about this briefly before and today again loosely. The concept of data that is critical versus data that is nice to know. Both types of data are presented to you. Both have a time to live. The relevance of information is bound to the nature of the information and the timeliness of the presentation.

How many times have you gotten an answer to a problem, a week after you solved the problem. Yes nice to know you did it the right way but in the end too late. So considering that information has a TTL (Time to Live) and also has delivery limit its important that we are able to automate emergency information. There is a great comic I’ve seen in the past about a manhole cover and a person walking with their cell phone. Heads down and not paying attention the person walks into the manhole cover. Given that information existed that could have warned the person, texting them in the hospital after falling doesn’t help them. Flashing on their screen three or four steps before they fall is life changing.

That’s where bandwidth comes to play. The more you have, the more critical information you can get. The less you have the more you need to prioritize your critical information list. This has to be automatic.

A significant component of smart devices will be the understanding of the limits of the bandwidth the user is getting and the priority of the information you need to get to that user.

.doc

CPS SMe