The Internet of Things (IoT), a term used to denote the digital infrastructure where any digitalised asset, no matter how small, can connect to an invisible mesh of other assets through the internet, has recently become synonymous with security breaches and exploitation. This is true not just in a domestic setting, where flaws in Samsung’s ‘Smart Home’ let hackers unlock doors and set off fire alarms, but also in industrial IoT systems, where hackers were able to change the levels of chemicals being used to treat tap water. While security breaches in websites are common, with credit card details frequently stolen, breaches to industrial systems connected to the internet are fewer and more recent, as such systems were previously isolated from public networks.
In the world of Demand Side Response (DSR), security is one of the priorities of most asset owners. DSR assets have a core purpose other than helping to balance the energy system, so a DSR provider must be able to demonstrate that they will never prevent the safe and correct operation of the asset, be that treating wastewater in a sewage treatment facility or refrigerating food in a supermarket. This condition must hold even in the presence of bugs in the DSR provider’s software, and even if their own systems are penetrated by hackers. The usual practices of data encryption, strong access controls and network segregation only provide part of the answer, as they still don’t guarantee safe operation under all possible failure modes.
This condition may seem unreasonable, but in critical systems development it is crucial. A nuclear facility operating normally is run through a software system, but all safety-critical checks are duplicated in hardware interlocks that take over should the software fail in any way. These interlocks are immutable and thus immune to hacking or software bugs. In space missions, NASA has since the Challenger and Columbia incidents started to use consensus of multiple software systems developed by several independent teams to control rocket operation to eliminate the possibility that a single bug could affect the mission.
As the DSR industry progresses towards standardisation and common best practice guidelines, a key safety requirement must be safe operation of the asset under any failure mode. Open Energi on-site controllers are always supplemented by independent hardware or software interlocks that cannot be modified by us, creating an orthogonal layer of control required to operate critical assets. For example, on asphalt sites, we supplement our own controls with hardware interlocks to disable our control should the temperature of the tank increase beyond a safe limit. On water sites, we augment our controls with independently developed PLC code that checks that the asset is still within its control parameters and disables our control immediately if not. This dual layer of security means that even if our systems are compromised by an attacker, the DSR assets will continue to operate safely.
Michael Bironneau is Technical Director at Open Energi.
 Wired Magazine. May 2016. ‘Flaws in Samsung Smart home let hackers unlock doors and set off fire alarms’. https://www.wired.com/2016/05/flaws-samsungs-smart-home-let-hackers-unlock-doors-set-off-fire-alarms/
 The Register. March 2016. ‘Water treatment plant hacked, chemical mix changed for tap supplies’. http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
 L.J. Jardine and M.M. Moshkov. Nuclear Materials Safety Management, Vol 2. 1998. See eg. p.151.
 Organizational Learning at NASA: The Challenger and Columbia Incidents. 1989. J. Mahler. See eg. p.63.