Navigant Research Blog

High Stakes Blockchain Applications Are a New Frontier for Cybersecurity

— November 30, 2017

Blockchain-Based Systems Are Only as Strong as Their Weakest Link

On November 16, the US Patent and Trademark Office released a patent filed by Nasdaq that describes a blockchain-based architecture that could be used to track the ownership and transaction of stock market assets.

Nasdaq is part of a wave of big name organizations globally—including banks, utilities, and the Pentagon—that have announced plans to experiment with blockchain to determine whether it can help their organizations run more smoothly, efficiently, and securely.

As the hype train charges onward and expectations skyrocket, there is a real risk that in the rush to generate solutions to increasingly complex high stakes problems, adopters will forget that simply adding blockchain doesn’t make a system bulletproof. Before integrating blockchain into keystone systems like stock exchanges or electricity grid operations, it’s important to understand where blockchain brings security to a system, where it doesn’t, and how it interacts with other pieces of the puzzle.

Blockchains Are Built on Security and Cryptography Principles

Blockchain architectures are considered a robust and highly secure means of storing information for several reasons:

  • The blockchain is stored across a decentralized and distributed network of many computers, creating a redundant record with no single point of failure.
  • Network nodes use a resource-intensive cryptographic process to reach majority consensus on the chronology and validity of transactions between nodes.
  • The full record of information stored on the blockchain is auditable by any node in the network.

In combination, these properties make the blockchain ledger itself resilient to attacks. Indeed, despite soaring valuation that provides a $140 billion incentive for hackers, the underlying architecture of Bitcoin has never been broken.

Determined Hackers Will Work Around Unbreakable Cryptography

Rather than attacking the blockchain itself, hackers have repeatedly exploited weaknesses in the hardware and software components of the system—the personal computers and devices that make up the nodes of the network and the software applications that enable autonomous transfers and digital contracts. It’s the cryptographic analog of identity theft: a thief doesn’t need to smash their way into a bank vault if they can clone your credit card.

White hat hackers used exactly this principle to gain irreversible control of users’ Bitcoin wallets by exploiting a hole in cellular text messaging protocols. A hacker famously exploited errors in an Ethereum smart contract to steal $31 million from early backers of a startup. The blockchain preserves an immutable open record of the thefts for all to see, but it also makes them irreversible.

Planning Ahead

The electricity system is a frequent target of cyber attacks backed by powerful antagonists. To date, no blockchain architecture has yet been subjected to a stress test of the magnitude we might expect if it were supporting, say, the automated demand response capabilities of a microgrid in an urban financial district. Potential applications in these systems are among the most transformative opportunities for blockchain, but will also be among the most prone to cyber attack and the hardest to field test at scale.

Until a set of comprehensive security standards for blockchain-based systems is developed, Nasdaq and any organizations seeking to adopt blockchain-based solutions must recognize that blockchain does not inherently provide end-to-end security. For blockchain to be part of the solution requires thoughtful implementation and proactive design that maximizes security at the ends of the chain. Every link of the system must be evaluated for security and potential vulnerabilities, and adopters should be especially cautious about entrusting critical systems to the technology.

 

China Cements Its Role as the Undisputed AMI Leader

— November 30, 2017

In terms of volume, China continues to preserve its status as the undisputed global leader in advanced metering infrastructure (AMI). Since 2012, State Grid Corporation of China (SGCC) has been deploying smart meters to each of its customers at a feverish clip. SGCC has installed more than 400 million smart meters across China over the past 5 years as part of this unprecedented project.

While utilities in countries like Italy and Sweden have succeeded in converting all their electromechanical meters to smart devices, the scale and execution of China’s nationwide project are truly unmatched. It is worth noting some of the unique characteristics of SGCC’s project and what’s in store for the future of the overall Chinese smart meter market.

How Is This Possible?

When looking at the Chinese market for smart meters, it becomes clear that all meters are not created equal. More often than not, smart meters deployed across China lack the full capabilities of a basic smart meter common in Europe or North America, such as hourly interval measurements or reasonably symmetric two-way communications. Yet, the Chinese meters still provide significant capabilities beyond traditional automated meter reading systems, including very low speed or potential short-range communications.

These limited capabilities are one of the primary drivers behind the radically different price points of Chinese smart meters, which are typically around 50% less than typical US or European prices. In addition, the monopolistic nature of Chinese utilities leads to high volume purchase orders from domestic suppliers, further reducing average meter costs.

What Is Happening on the Ground?

Over the course of 2016, SGCC deployed 70 million new smart meters, with the installed base reaching approximately 400 million devices. SGCC expects full deployment by the end of 2017.

China Southern Power Grid, the country’s other state-owned electric utility, was primarily involved in pilot-scale projects prior to March 2016, at which point the utility began its large-scale commercial deployment. China Southern expects full deployment by 2020, which should account for more than 80 million meters.

Improving Technology Shows Promise for the Market

While initial indications would suggest a significant market downturn in 2017 and 2020 given the rollout conclusions, the emerging second-generation smart meter market should help placate any potential concerns. According to China’s national regulations, meters must be replaced every 5 to 8 years. With the lifespan of SGCC’s deployed meters running between 1 and 5 years, the mega-utility will now begin looking into second-generation upgrade meters, which often carry a higher cost along with increased capabilities.

This emerging second-generation market is expected to help sustain the strong revenue and growth profiles that have characterized the Chinese market for years. As other major markets like Brazil, Egypt, India, and Turkey begin their forays into large-scale smart meter projects, lessons can be learned from the impressive scale and execution of China’s rollouts.

 

Interoperability Is an Issue Both between and within Companies

— June 14, 2017

Interoperability is a major barrier for smart home companies. Mainstream adoption of smart home devices largely depends on the experience and ease of use for consumers. And consumers don’t want to install an ecosystem of devices that can’t communicate and require multiple apps to operate. But when issues around interoperability are raised, it is usually in reference to companies with different devices that can’t work together. For example, the somewhat newly released Google Home still does not work with rival thermostat product ecobee. Google already has integrations with a subsidiary consumer products company, its Nest Learning Thermostat. However, one issue that is not always apparent is the interoperability of devices from within the same company or product line.

This issue hit close to home for me during a recent holiday. While celebrating with friends, the group decided to play music using Bluetooth-enabled UE Boom speakers. We wanted to connect each of our individual speakers so we could play the same music from all three speakers in sync. UE Boom’s app guides users through a step-by-step FAQ on how to PartyUp, or how to connect multiple speakers through one smart phone app. But we could not seem to get all three of our speakers to connect. The closest we came to troubleshooting this problem was discovering that we could connect two speakers to each other by connecting one speaker through the app and manually connecting the other to the already connected speaker via Bluetooth. However, the third speaker wouldn’t connect to either of the other two and could only play music on its own. After much frustration and Googling, we determined that the third speaker was an older generation than the other two. This means that even though the speakers were all from the same company and product line, the firmware in the third speaker was too old to enable us to connect all three speakers.

Big Picture Implications

As somebody active and engaged in the smart home industry, it is concerning that I was unable to connect these speakers; if I’m an early adopter and I can’t do it, then how can the average consumer? Though this was a small technology glitch, it has much larger implications for the smart home and its role in the energy cloud. How will the smart home manifest when it depends on an ecosystem of various connected devices and there are currently issues connecting a few devices? How will the smart home play a role in the energy cloud as a dynamic grid asset when there are still issues at the device level?

Not only do participants in the smart home space need to work together to fix interoperability issues between third-party devices, but companies themselves need to ensure products within their own lines work together—otherwise the smart home industry will never succeed or play a role in the larger energy industry.

 

Cybersecurity Pros Are Hiding the Breaches: This Must Stop

— May 31, 2017

Even the security good guys are failing us. That’s the upshot from the new survey of cybersecurity experts conducted by Bromium, a cybersecurity firm based in Cupertino, California.

The company surveyed attendees at the RSA Conference 2017 and others as part of a combined extended study and found startling results:

  • On average, 10% of security professionals said they had paid a ransom or hid a breach without telling their team members (5% at RSA, 15% in the extended study). Note: some 638 million ransomware attacks took place in 2016, which implies that tens of millions of such attacks are likely going unreported.
  • On average, 35% of security professionals said they went around, turned off, or bypassed their own corporate security settings (38% at RSA, 32% in extended study of United States and United Kingdom security professionals).

The folks at Bromium said the results “kind of blew their minds.” No kidding. This level of failure to act is shocking. But on further analysis, perhaps understandable. The bad guys have both the incentives and easy access to the tools needed to break into servers and cause havoc.

For grid operators, this is not good news. An updated U.S. News & World Report article last year noted it took hackers just 22 minutes to get employees at an electric facility north of Seattle to bite on phishing emails. It was only an exercise, but proved the point that the grid is vulnerable and that humans are often the weakest link.

Security Fatigue

One of the root causes among cybersecurity professionals for this lack of diligence is security fatigue, as pointed out in a TechRepublic story. The National Institute of Standards and Technology (NIST) defines this fatigue as “weariness or reluctance to deal with computer security.” The author recommends that companies reduce such fatigue by boosting the relevance and importance of security alerts to an IT team and emphasizing the need for constant security vigilance.

It is hard to argue with that recommendation. However, I would take things a step further: institute regular focused training on how to combat threats combined with controlled drills or testing, like the one at the plant near Seattle. It is unacceptable that people we need to trust have such careless attitudes and avoid actions in the face of threats. It is hard to admit, but we are in far deeper trouble on this front than imagined. We must do better.

 
