Managing Trust in Massive IIoT Systems | Episode 119

Smart meters, smart cities and the IIoT - when thousands of systems of millions of low-power devices need to talk to each other, and talk between systems, managing trust is hard. Dr. Chris Gorog of BlockFrame walks us through the problem and the work BlockFrame and the University of Colorado have been doing to solve the problem.
Waterfall team

“Everybody has the same problems and that’s the distribution of trust. How do you trust unmanned devices? Millions of them out in in operation? And how do you coordinate them?”

About Dr. Chris Gorog and BlockFrame

Christopher Gorog is the CEO/CTO of BlockFrame, Inc. He is the founder of Logic Central Online and the host of the New Cyber Frontier Podcast, a published author, co-founder of the Blockchain Development Community, a member of the Board of Directors at the Cyber Resilience Institute, blockchain SME to Colorado Legislator, and research partner at Arizona State University, the University of Colorado, and Colorado State University Pueblo. Christopher is a former Navy nuclear engineer and has 25+ years in engineering, including nuclear engineering, computer engineering, civil engineering, electronic design, critical infrastructure, computer science, information technology, and cyber security.

Transcript of this podcast episode #119: 
Managing trust in massive IIoT Systems

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you. Our guest today is Dr Christopher Gorog. He is the CEO at BlockFrame Inc, and he himself is the host of the New Cyber Frontier Podcast, and he’s talking to us today about establishing trust, distributing security credentials in large industrial operations.

Nathaniel Nelson
Then without further ado, here’s your conversation with Dr Gorog.

Andrew Ginter
Hello Chris, and welcome to the podcast. Before we get started, can I ask you maybe to, you know, give a few words of introduction about yourself and about the good work that you’re doing at BlockFrame.

Chris Gorog
Yeah, thanks a lot Andrew. My name is Christopher Gorog. I am a PhD in cybersecurity, just recently finished my degree, where I worked on distribution of trust by using, by all means of other things, blockchain, what we call distributed ledger. But my background has been in cyber security. I host the New Cyber Frontier Podcast, which we have over 400 episodes, been running 9 years, probably one of the largest followed out there. I chaired digital privacy for IEEE for a global initiative. Among many things, hold several patents, and my work with the University of Colorado and the state of Colorado to help support legislation in the area of privacy and security. So a lot of things we’ll get into as we unpack in today’s show.

Andrew Ginter
Great. Thanks for that. Our you know our topic today is trust distributing security credentials in in large industrial operations. Can you talk to me a bit about the problem. What is a large industrial operation. What does it mean to distribute security credentials. Why is this important?

Chris Gorog
Yeah, Andrew, so I mean that’s the ultimate, you know, question, the problem set that I’ve been solving or working on literally my entire career, because even in early stages of my career, working with many different vendors that are implementing security, everybody does it a little bit different. Everybody has the same problems, and that’s the distribution of trust. How do you trust unmanned devices, millions of them out in operation, and how do you coordinate them? How do you get them all working together, and then how do you secure them becomes a function of that trust once you can distribute it. We have several methods of distribution of trust using certificates and PKI, which the part that we have a problem with is the human part. The people that own the trust authorities, the certificate authorities, the people that we have to rely on. And they don’t trust each other. They don’t work together. They’re different governments or different companies and we have a disjointed, so looking at solving the problem industry-wide is what I’ve been approaching literally for, so you know, some of my work started in 2006-2007 working with SGIP and the Smart Grid Interoperability Panel, where you’ll find me on the cryptographic key management of the NISTIR 7628 as one of the initial authors, where we put together, you know, what is needed for cryptographic key management. Back then we didn’t have like

The global recognition of the tools that we know in Blockchain. So my work in my dissertation has been in trying to solve the problem of trust distribution by taking care of the human needed pieces using distributed ledger and making that work and that’s what. The the focus has been and I think we have some great solutions where we can show now. Feasible global attainable scalable problem solutions in that area.

Andrew Ginter
And you know to clarify you’ve said millions of devices I mean I understand cellphones I understand smart watches. Millions of these things in the industrial space. You know to me when we’re talking millions of devices. What leaps into mind is the smart grid. It is you know smart meters. It is. Advanced metering infrastructure. Whatever the buzzword of the day is is that what we’re talking about here are yeah, are there other applications?

Chris Gorog
Yeah, absolutely, we’re talking from the smallest sensors to even PCs and servers, so all across the board, and that’s one thing. For years I worked with a semiconductor manufacturer in replacing and putting cryptology into many different vendors’ devices, and you know, in that realm, there’s literally like 100, you know, 16 bit processors made for every 32 bit processor, and there’s like a thousand 8 bit processors made for every 16 bit processor. So the smaller the devices, actually the more of them there are out there, and that’s the problem. We have relatively efficient solutions for the computers that humans sit behind, but the millions and billions of devices that are unmanned on the grid that communicate as a mesh, that we might just read on off temperature, you know, power from a hundred times a day or even an hour, that’s really where the problem is, is in that mass amount of devices out there.

Andrew Ginter
So Nate, you know, I’m thinking back. I remember a few episodes ago there was a gentleman on talking about the CAN bus. I’m not sure I remember his name, but that’s the bus that’s in automobiles.

Nathaniel Nelson
I think this was Ken Tindell

Andrew Ginter
Yes, and you know his observation a truism in the space is that encryption is a tool for turning every problem into a key management problem and I think this is sort of another example of that that principle that that we’re seeing here. you know we’re talking about Blockchain. We’re talking about cryptography. We’re talking about authentication. So that devices can. Prove they are who they are and all of that involves managing keys it involves more generally managing trust and the application that springs to mind the first place I saw this in the industrial space. You know a decade ago. Was in the the context of smart meters power meters on every every consumer’s home or apartment. you know, billing appliances. and we’re talking big systems. We’re talking you know a distribution a power distribution system in a city with you know, 3000000 Smart Meters and you know as Christopher pointed out. there’s other really big systems out there. so you know what springs to mind is if you’re monitoring. Let’s say a water treatment system and you want to know what’s coming at you in the watershed you might have rain fall sensors. You might have you know? um. Water level sensors spread in thousands of locations throughout a massive. You know three hundred five hundred kilometer wide and long watershed you might have weather sensors throughout.

Andrew Ginter
You know, a whole country gathering data for weather prediction. You might have smart cities. You might have traffic sensors everywhere, and you know his point that yes, there are sort of big computers, 32 bit, 64 bit processors in these systems of, you know, thousands, tens of thousands, millions sometimes of devices. There’s very few of those sort of big conventional computers analyzing the data. Most of what we’re talking about here are very small. He’s talked about 8 bit and 16 bit, talking about compute capability. In a lot of these circumstances out in the middle of nowhere there is no electric power. You’re talking solar powered devices. You’re talking not just limited compute power but limited electrical power. This is sort of the big picture of the problem that Christopher is going to be talking about.

Nathaniel Nelson
And you know, when you put it like you just did, it occurs to me, you know, on this podcast we’re usually, not exclusively but usually, talking about, you know, manufacturing plants, refineries, hospitals. These are sites where you sort of have a boundary around them, for better or worse, and most of it is indoors. Maybe not entirely, it’s like a controlled space. But as you just mentioned, you know, when you’re talking about smart meters or traffic sensors or what have you, these are really widespread outdoor sort of everywhere situations. I would wonder how this affects the security problem, and I’m sure that you guys are going to get into that.

Andrew Ginter
And thanks for that. The, you know, the main, let’s call it the main problem I heard you describe here was key management, and you know, I’ve heard encryption described as a tool that turns every problem in the world into a key management problem. What is the key management problem when you’re talking about, I don’t know, traffic sensors or smart meters? Can you give me an example? What’s the problem? Why do we need a solution at all?

Chris Gorog
Yeah, so, you know, I said cryptographic key management. Some people might call it trust management, root of trust management. It’s the pieces in the center of your every device, and if you have an energy meter for example, and a company makes a model and then they mass produce 1000000 of them, the software is exactly the same. The only thing different is the serial number in there that tells it which one am I. But now in the age of virtualization, you can have a virtual machine running a simulated software meter, a real software meter, and if they’re all on the internet, you can’t tell the difference. So some people might say the root of trust is an identification problem, and each device being able to identify itself, but to also uniquely say that I can not only identify who I am but I can prove that I made this operation, I produced this data, I communicated with this other device, and the two devices can prove each other and say I’m actually talking to the device I’m supposed to be talking to and not a virtual device that’s mimicked of it, or some other device, or somebody is in between listening. All those pieces in security that make each device, and I know this gets kind of in the conceptual level, but we move it down to an energy meter.

Chris Gorog
Can all my energy meters on my grid verify that I’m talking to them from my reading station verify that when they’re talking to. They’re talking to each other when we’re collecting the data and that the the data is accurate and actually came from them so that we can then have. Valid information for billing or valid information for our control structure or for our demand response but all of the the information that comes to and from any embedded system that people might not touch for 10 years becomes questionable whether it’s authentic. Or whether it’s valid or whether we’re even talking to the device we are with the interconnected age that answered that question.

Andrew Ginter
So that helps but can you walk my walk me through a scenario. you know let’s say I mean what? what is the? yeah, what is the risk here. Let’s say that I have you know. Found on the internet someone has stolen a copy of the firmware for the smart meter that you know is in my home I put it up in a virtual machine and now I’m impersonating a smart meter I you know in principle can find the the serial number on my my device because it’s they’re attached to my home and I you know. Can can you know embed it in the virtual machine and now I can you know disable somehow put I don’t know tinfoil around the meter disabled communications between the meter and the grid and now I can impersonate the meter and say Andrew’s not using any power. Is that what we’re talking about is that the the attack scenario or you know is there something else. You’re thinking about.

Chris Gorog
So when you’re looking at a meter the attack. The attack scenario is the company protecting itself from the customer and I think that’s kind of what you are alluding to when we get into the the day and age that everybody’s a producer and a consumer. And micro-grids and powers coming onto and off the grid by different people at different times of the day different different providers. The meter becomes your proof of whether you took power or provided power to the grid and if you as a utility company have a whole bunch of. Customers out there that are telling you they’re providing power to your grid and you now are expected to pay them. How do you prove that they’re accurate is the question we’re answering here in that case, in the it’s not as important if all the meters are owned by the company. Other than to get an Overall we’re not getting falsified but when we get into that now renewable peer-to-peer energy ecosystem of Micro-grids. We can’t trust the people if we can’t trust the people providing the information from a Micro-grid. To make monetary transactions based off of we end up with anybody being able to scam the the system indefinitely because you can’t prove that they put power on other than their communication which of their communication is not provable mathematically cryptographically and that’s what.

Chris Gorog
This root of trust in the distributed devices gives you.

Andrew Ginter
You know to me clearly there’s a need. You’ve convinced me. There’s a need to identify these meters, especially if they’re putting power onto the grid I mean partly billing yes but. Partly if you’ve got enough of these things. There’s grid stability that might be at Risk. but is the solution. Not that when you know the technician shows up at my home to attach a meter to my house is the solution not that the technician writes down the serial number and you know. Presumably has there’s a database somewhere associating serial numbers with private keys that are you know built into the into the the device is that not the solution. Why do we need something more complex.

Chris Gorog
So the solution, you know, if you think about what you just said, where the private key of the device, and the solution set isn’t the private key in the device, it’s getting the private key to the device, and if that’s somebody doing it every time a vendor puts one on the grid, but there’s 50 different vendors that make products for it. Everybody does it differently and everybody has a different certificate authority if they’re using certificates, and the certificates can be changed. They can be stolen. They can be spoofed in a virtual machine. You can imitate another machine entirely. So if we scale back and step back and say yeah, the meter set is one problem in the consumer base, and we’re moving towards that distributed consumer producer environment, the bigger problem, at least the now problem, is in the control structure, the demand response and the infrastructure of control, and that they have equipment made by many different vendors that go into this and they have to have microsecond responses from trusted equipment, and the only way to do that is to keep it on a private grid, private network, and each utility company now wants to start interconnecting and working across utility companies. They have hundreds of thousands of devices that a human might not touch for five or ten years

Chris Gorog
And keep keeping and maintaining these those keys that you just talked about the private keys in every device is a human centric problem and that’s where we’re falling short what we’re talking about here is modularizing and you making that that. Human solution done uniformly to have their cryptographic keys managed so you can see them not just for a grid not just for a utility company. But for the industry many different companies many different vendors that all come in and put products in this kind of Frankenstein mesh and. All of them are different and all of them are done by different people who we might not know might not trust different levels of software different levels of of of responsible people even maybe something made in a supply chain where it was in another country and there’s purposeful, harmful information or. Malware injected into it so that mish mess of of unpredictableness is the problem that really is plaguing that whole industry we. We are all working in our own space without the ability to know that we. Who we’re talking to and what we’re putting on our networks and into our systems is actually authentic.

Andrew Ginter
Okay, so you know that kind of frames the problem for me, We’re talking millions of devices on the grid. Some of them are measuring power consumption. Some of them are measuring power production. Some of them are measuring other things. There’s a lot to measure when we’re when we’re talking about that level of Granularity. Um. And yeah, you know while I take your point that that you know there can be manual intervention in the course of deploying the equipment. It could be from lots of different vendors and if it’s going to sit there for 5 or 10 or 15 years the way this stuff often does I mean you know when was the last time you updated the firmware in your refrigerator. if it’s going to sit there for a long time. these keys age. Best practices that especially on the internet. You don’t leave the the key in there Forever. There’s got to be a way to update these and you know coordinate the updates across you know, producers and consumers of the information then it all makes sense that this is a problem. you’ve got a technology. Can you talk about the technology What what kind of technology are you proposing as the solution to this problem.

Chris Gorog
Yeah, so from an industry level, working with many different vendors, and literally fifteen years, twenty years of my career has been working to solve this problem, is identifying what are all the things that they have been doing, and the first part was to create a modular piece that could go into any device that would handle all the things that everybody is using for security and simplifying it. The interesting thing is we overcomplicate what is being done and we make a thousand different applications, but security is kind of like an art form as much as it is a technology, where in artwork we only have nine components that make up paintings and pictures and sculptures, and artists learn these in college, and once you can master each one of the 9 components, like line, form, volume, shape, parallax, and there’s 9 of them. Cyber security similarly, there’s only 7 things we do, and people might challenge this, but we identify data, we authenticate users and systems, we establish connections, we hide data or encrypt it, we log operations and verify the data in the operations, and we distribute trust. I think that was 7. So if we make a way to unify the ability to do all those, we can put that modular approach into every system, every vendor, every product.

Chris Gorog
And then the second thing is to make a way to change that out, because we know that we can’t keep the same security forever. So the second part of what we do is a method using distributed ledger, known as blockchain, to be able to change out those credentials, the human piece that we usually do with a guy running in the truck to it, and be able to do that and prove that it was done globally, so everybody sees it, so we can prove who basically is responsible for that provisioning, it’s called, of those cryptographic components, and it doesn’t have to be somebody that you don’t trust. It’s open, and this is where we kind of borrowed that distribution of trust using blockchain, what we know from like cryptocurrency, but using it in a totally different way to actually distribute the root of trust, the cryptographic keys, which are all standard cryptography, just doing the human aspect, but proving that and proving the provenance of it, the attestation of how that happened over your whole grid, over every product or over your supply chain throughout the lifecycle of the product, and maintaining that over time and over distributed area and over geographic and over logistics of networks and even the people aspect of it, connecting your workforce and maintenance. So.

Chris Gorog
So the the problem there was a whole was.

Nathaniel Nelson
Andrew we’ve done somewhere north of a hundred episodes of this podcast at this point are there really only 7 steps to industrial security here.

Andrew Ginter
Um, I should have asked. I was kind of wondering that myself. I did Google afterwards, I haven’t seen where the 7 steps come from. But you know, if you ask me, those are 7 steps that are integral to communications security, and you know, yeah, we’ve been doing 100 episodes. We’re talking about the big picture, it is more than communications. It has to do with physical security. It has to do with, you know, people, process, technology, has to do with, you know, a lot of host-based stuff, you know, as well. You know, concrete example, if, you know, I’ve got a host, I’ve got, you know, it’s a, I don’t know, Windows box, a Linux box, a server, 64 bits, big operating system, and it turns out that my crypto library has a vulnerability in it, and that vulnerability can be exploited simply by sending a message across the internet into the machine, into the host, into the server, and that compromises the library, it makes it, you know, I don’t know, buffer overflow, it makes it do bad things. You know, no amount of key management is going to solve that vulnerability problem. That’s a patch problem. So if we’re talking about pushing data across the wire, if the receiver, the server, is asking the question can I trust the data, well then the 7 things that Christopher is talking about here, these are all steps that we do have to have in place, but the bigger picture is

Andrew Ginter
There’s a little bit more to it possible.

Andrew Ginter
So that makes sense I mean we need to change these keys from time to time we got lots of different vendors and you know power utilities and others involved. when we make a change to the key somewhere we have to. Publish that that publication mechanism has to be standard so that everybody can consume the knowledge that we’ve just changed the key. Everyone has to communicate with this device. We have to make sure that that process is authentic that it can’t be spoofed by someone trying to you know steal power or you know do other malicious things.

And the solution that you’re proposing is blockchain. So can we talk about the solution in a bit more detail? I mean, Bitcoin is power hungry. Bitcoin, you know, there’s farms of servers involved. It’s not going to work with an 8 bit CPU. What does your solution really look like?

Chris Gorog
So that’s, there’s a lot behind that simple question, and it comes, you know, in 2 parts. One, the part that we’re provisioning is very tiny, and literally the cryptographic keys and the continued operation only takes up 64 K of memory in a small sensor device. So now we look at that’s what goes out and that’s the key distribution. That’s what goes on your device. It doesn’t take much size. Now the distribution of blockchain was a whole nother problem set. This actually spent the last six years, my PhD dissertation, in solving the problem of scaling blockchain, and we actually threw out traditional blockchain. That’s why I always try to say we have a distributed ledger. We now are going to the third generation. The first generation was cryptocurrency. The second generation was smart contracts and your Ethereum, your Hyperledger Fabric. And now we have a third generation that doesn’t use the mining, a different algorithm that turns around the work to be your time spent participating, storing data over time, is how you gain your incentive, versus a wasted energy upfront, and we’re actually running two peer ledger, distributed ledger nodes on a Raspberry Pi. That’s how small they can run on, and then it’s designed modularly so it can expand indefinitely, where we have a consortium that’s similar to your DNS on the internet that manages who’s out there and the governance of it.

And then each individual peer that can scale horizontally like your routers on the internet, and we’re turning into this new animal of no mining and indefinite scalability. I think, you know, I’m excited about it. But it’s been my six, seven years of work, and yeah, I’d love to help anybody understand more about it, bring in, ask questions as much as you want. My dissertation is out, published. You can find it under Sustainable Framework for Distributed Ledgers, the title of it, on ProQuest, and it’s open for anybody to view. So.

Andrew Ginter
Cool, let me dig just a little detail deeper. You know, you talked about the memory footprint in the device. You talked about the, you know, the Raspberry Pi is managing the ledger. Something you didn’t mention is the size of the ledger. I mean, in my understanding the Bitcoin ledger is now, I don’t know, like a dozen terabytes or something like that, and that’s, you know, that’s money changing hands. If we have, you know, millions of devices coming out of each of dozens of vendors going into, you know,

Hundreds of power utilities all over the world most of which are connected to at least 1 other power utility. There’s there’s very few power utilities that operate in complete isolation. It seems to me that you know is is it the case, let me ask you is it the case that you have to be able to share. All of this key information for every device on the planet with every possible consumer on the planet and if so is that going to scale sort of storage-wise.

Chris Gorog
And that was actually the problem we set out to solve, because whenever we came up with the modular approach to distributing cryptographic keys, we actually tried it on some second generation blockchains and used Hyperledger Fabric, Sawtooth Lake, and Ethereum, and it brought it to its knees. There’s no way any of them could scale. So the whole design of a scalable blockchain was based on being able to hit the mark of the needs for cryptographic key management and how big that would get, and basically we came up with a loosely coupled chain of chains, so side chains that operate independently, and that’s what I said, like a router, like a set of routers you plug in and they all work together, but not everybody has to have everybody’s data. There’s sub-segments and it makes it scalable. But yet it’s the same forensic mapping to prove everybody’s transactions and timestamp them globally, and it’s a unique consensus approach called an asynchronous trust consensus model, where it adds a couple of major things. One, that we’d no longer have to keep data all the way back to the genesis block. The data is kept as long as it has value to the operator and until you get your incentive, which is set for the longest time at about 14 years, but only in subsets of data as well. So not everybody has everybody’s data.

And the consortium servers keep the validation data of all the individual groups of ledgers that can now scale indefinitely across the the globe my testing and you can read it in my dissertation where we so I scaled this up to 52000000 ledgers which is currently the size of the number of routers on the internet to see if if it would if it would still be feasible and operational and the scalability models predicted that we could do this and that the growth in size and even the the data we’re going to persist over time is manageable. Because we can phase it out over time and basically have a window moving forward. and that that management of data and the ability to to meet this mark is and has been that that primary focus so kind of excited like once again, open to talk more about this and you’ll hear me. Speaking all over the place on it. but it is really a very involved topic.

We’ve had over four hundred people in the state of Colorado involved, and over 85 people turn code on community source projects, and this has been funded by the state of Colorado under legislation written in 2018 through the University of Colorado, Colorado State University, a couple others, and that’s why it’s so big and exciting, because we’ve had so many people work on it and getting excited about it, that this is actually something that we can see scaling to that next generation for solving those problems you brought up in your question.

Andrew Ginter
So real quick just a clarifying question. you know you suggested 52000000 routers you said 52000000 ledgers does that mean that each ledger could it in turn. Manage thousands or I don’t know a million devices and so that’s the you know the 52000000 times a thousand or a million that we’re talking about or is there a ledger per device.

Chris Gorog
So when I’m talking 52000000 ledgers I’m talking the number of ledgers that can store an indefinite amount of blocks as many as they can handle on the blockchain. So the amount of data transactions is astronomically larger than that. So.

Nathaniel Nelson
Admittedly, Andrew, whenever this kind of subject comes up I become a little bit suspicious. If I had a nickel for every time somebody sold me on a scalable blockchain, I probably wouldn’t have to do podcasts anymore. So the question that I suppose I would ask Dr Gorog, which may well be answered in his dissertation or later in your interview here, is whether this kind of blockchain solution that he is describing, while scalable and fast and whatever useful as you need, offers the same kinds of security protections, or doesn’t compromise too much on them, compared with the other blockchains that we’re using as comparisons, you know, Bitcoin, Ethereum, the ones that are slow and unscalable for reasons that aren’t trivial.

Andrew Ginter
Um, good question. I did not ask that question. I do know that, you know, one difference between the system that Dr Gorog is talking about and the traditional sort of Bitcoin blockchain is power usage. I mean the Bitcoin

blockchain already uses a measurable fraction of all of the world’s power, and we’re talking about, you know, a tiny, tiny fraction of all the world’s computers involved in that blockchain, whereas, you know, here we’re talking about 8 and 16 bit devices, millions of them in every city, involved in this ledger. The second sort of thing is, I don’t even know if this is the right question to be asking. You know, the Bitcoin blockchain models the movement of money, whereas here this blockchain models trust. It models, you know, the degree to which we can trust different devices within an organization, across organizations. I don’t even know if these are the same questions. I mean, when we’re talking about trusting things, the thing that springs to mind, the system that springs to mind, is Active Directory. It’s the classic system that’s used for managing users. Not even devices, Active Directory doesn’t manage devices to my knowledge, it manages users, and we’re talking about, you know, a system that could in principle scale to all of the devices on the planet being interconnected to some degree. And I don’t know how big Active Directory really scales, but I’ll be deeply surprised if it scales to all the users on the planet, much less the hundred devices per user that we’re expecting to see deployed in the next century. So, um.

Short answer is I don’t know. The longer answer is I think it has to do with power usage, with scalability to, you know, sort of ridiculous scales, is my understanding.

Andrew Ginter
So, you know, you folks, you personally have been involved in this for a long time; BlockFrame as a company has been involved in it for a long time. Um. Can you talk about BlockFrame a little bit more? What have you got in this space? You know, if a vendor called up and said, hey, you know, I want to do this, you’ve convinced me, do you have technology? What are you offering in the space?

Chris Gorog
Yeah, so we, right? BlockFrame has been around for 7 years. The technology from my dissertation is wrapped into BlockFrame. We have literally patented the consensus model, where we’ll be the only ones globally able to implement this, as well as opened up a community project where a lot of this work was done for the state of Colorado, funded under many different sources, and a big piece of it is open source interfaces that anybody can develop on top of to make your community, your project, for your application: write your own smart contract, do your own embedded application that implements on top of the distributed ledgers for the blockchain side. Or we also, and BlockFrame offers the modular ability, whether a hardware insert, a physical device that goes on your IoT device that holds your cryptographic keys, or a modular, we even have a software approach. The hardware is always going to be more secure. We can implement, work with vendors right now to implement this and get into your design for your next release, or work on getting it into patches that could go out into legacy systems. So we can, and we were offering for one cost through the release of your product to get you onboard, get you all your tokenization on the blockchain, all your embedded design set up, support with getting your product to market, and we

offer that all to any vendor who wants to be an early adopter on this, if you’re looking at, hey, I want to be on the next generation of security that’s not only modular but peer-to-peer based. Now every device can go unique, one to each other, which opens up that thing that we’ve been looking for and why people got into blockchain so heavily, because it opens up that peer-to-peer. It takes out the middleman. It makes it so now every one of our devices are individualized and can have a verification of each other, zero trust between any 2 devices, because they can identify each other on the blockchain before they communicate or commit to any operations, and then do trusted, so proof of origin, signed data between the 2 of them. So the level of security is something we haven’t seen in our day and age. Where we’re looking at, you know, to date, we’ve collectivized data. All data is held by a company, an organization. We’re looking at this migration to end node, to the edge, to peer-to-peer, and it’s just a new paradigm in how we will look at security in the future.

Andrew Ginter
One other thing that struck me in your description of the solution: you know, there’s technology involved, there’s, you know, sort of a communications infrastructure, the distributed ledger, involved. Um. You mentioned that there’s patents involved. How interoperable is this? If, you know, a group of vendors on the other side of the planet wanted to do this stuff, I don’t know, on their own, could they, you know? Is there, or, you know, is there a sort of a standard of standards where these many different kinds of ledgers can interoperate? How, I guess, how universal, you know, how universally available is the data here?

Chris Gorog
Yeah, and so we actually, like I said, we designed this for standardization, for modularization. So every single cryptographic root of trust in all the devices is a modular block. Now, what is in those is entirely different for each one, and your vendor, your product owner for all their products, decides on certain pieces of it. The industry utility registrar, which is kind of like a DNS server, that programs, that provisions a set of products out there, is able to then uniquely identify each one, and we are licensing those registrars for different companies to use, for different industries to use. So not only is the individual pieces of it modular, though; the blockchain, for the Wayback machine, you can revert back to, like, an earlier stage that you did trust the device, if it becomes compromised, and reprovision from that. But now we have the ability for multiple different people, multiple different product owners, to take charge of their segment of the market, and we have, we actually did a decentralized autonomous organization that owns the rights to run and manage the public distributed ledger, and the state of Colorado, through the University of Colorado, is a part owner in that because many people provided that effort. So.

The whole thing is designed around these modular pieces that are developed for anybody to build on top of, and then even the smart contracts then become ownership of the person that wrote them, and they can sublet or sell their smart contract for other people to use for whatever price they want. And you have all these modular constructs within the overall system of systems that makes everybody in the marketplace be able to run their own business and be individual. The control structures that we put together is just to make sure that we don’t have competing standardization pieces, and that’s why we decided to go with the patent route, so we didn’t have somebody competing against, releasing the same thing on the other side of the world, that we can then say from the first couple phases we get it very standard before we start that kind of push and release structure.

Nathaniel Nelson
Andrew, we are really getting in the weeds of blockchain stuff, and I’m only faintly remembering that we are talking about smart meters here. Can you help me with the connection?

Andrew Ginter
Yeah, so sure. You know, it’s not, it’s more than smart meters. It’s devices all over the place that need to talk to sort of control systems, SCADA systems, sort of, you know, high-end analytical systems all over the place. The example in the power grid is, yes, smart meters is 1 piece of it. It’s really, but we’re talking about gathering information from many, many devices, and we’re talking about sharing information and sometimes even sharing devices between organizations. So it’s not just the meters. It’s also the devices that are connected to, you know, millions of rooftops, solar that is sometimes producing power and sending it into the grid, and, you know, the household is sometimes consuming power from the grid. And, you know, these organ, who wants to talk to these devices? Well, yeah, the grid wants to talk to the devices, the local utility, but sometimes there’s other aggregators, like, you know, I think Google has a system now where they can talk to your rooftop solar and aggregate your rooftop solar so that they can, you know, interact sort of more aggressively, more personally, you know, with human oversight into power pricing to maximize the price that householders get for the power they give back into the grid. And of course Google takes a cut of all that money. But

you know, there we’ve got an example of a couple of organizations talking to the same rooftop solar. You’ve got synchrophasors all over the grid which are talking about, you know, measuring, in a sense, the health of the grid. You know, I won’t go into phase measurement, but it’s a technical thing that’s done, and these synchrophasor measurements make sense to share across the many utilities that are cooperating in the grid. There’s load shedding devices that have the ability to shed load, that need, you know, instruction from outfits like Google that are maximizing what you get paid for shedding the load. They need to be, you know, connected and report to the local utility and possibly other utilities. You know, you’ve got high voltage charging stations coming online everywhere that are pulling a lot of power from the grid, that need to interact with the local utility and possibly bigger utilities. You know, in traffic, you’ve got different cities that are, you know, coming up against each other, different jurisdictions. They might not want to know what’s coming their way. The simplest way of doing that might just be, you know, connect to some of the other city’s traffic sensors. But now you’ve got multiple organizations, multiple cities, talking to the same sensor. You know, it’s all about devices that need to talk to each other, that need to talk to a central analytical station, and where you’ve got multiple jurisdictions that need to trust, you know, that might need to interact most profitably with individual devices. So it’s ah.

You know, it’s all about sort of the big picture and interoperability.

Andrew Ginter
Um, so let me ask you, on the internet. I mean, you know, a lot of our episodes on the podcast here are focused on, you know, programmable logic controllers deep into heavily protected networks that nobody on the internet has any hope of having a look at. If we’re out on the internet, if we’re reporting power usage, you know, when we’re out on the internet privacy is often a much bigger factor than it is deep into a heavily protected power plant network. You know, and so I’ve been asking you sort of questions from the perspective of the industrial security aspect. But, you know, if my power usage is on the internet, I do care about, you know, who can see that. Have you got privacy stuff built into this as well?

Chris Gorog
And that’s a great question, because one of the first things, I started out looking at security, and cryptographic key management’s all about security, is what I thought. And then when we started working with the state of Colorado and looking at several different programs they had, over 71 programs last I heard, a list of them that were candidates for these types of technologies, each one had different requirements, and I started asking, well, who makes a decision on them? And nobody raised their hand. There’s nobody making a decision. When we started analyzing those, their privacy questions there: where is it held versus where is it stored, what parts of it are private, what parts are public, who has opt in, is it opt out, who’s allowed to have access, who’s allowed to audit versus who is allowed to see it, are you allowed to audit without seeing it, or do they have to get to know that they audit it? And there’s so many legal and privacy questions, and that actually drove me to start asking these questions. We ran a campaign called Privacy for the People literally like four or five years ago; we got some international kind of attention, and now I chair the Digital Privacy Initiative for IEEE, where we’re looking at an international level to set up a lot of the boundaries to answer those questions. But things that we had to develop in the technology from the ground up is like every operation, every transaction has a public and a private categorization, and you tag the data whether it goes on the chain or whether it has to be held privately offline, and then what to do with it becomes the question after that, or as different parts of that, and what’s

Chris Gorog
required. We went through the pandemic learning that certain things are, socially, we overpower and override and you have to have these things public so that we can all find out who has a disease and the numbers and everything. But what are your rights in that balance? And those are kind of the privacy questions, and led to a whole governance architecture with 42 dimensions of governance that you can find in my dissertation if you pull that up, but this will be applied many places because it really mimics the real world, how we manage our governments, as addressed into technology applications and putting it into operation. So, also a very exciting piece of what I’ve done, and I think more of what I will give to the world is along those lines than even the technology piece, because that’s where really I think we’re making a difference in giving people those rights in the digital era.

Andrew Ginter
Well, this has been great. Thank you for these insights. It’s a more complicated space than I realized. Before we let you go, can you sum up for us: what should we take away from here? What should we be thinking about?

Chris Gorog
So it’s time to get involved. Right now we’re in the process of tokenization, doing an initial token offering for the distributed ledger. Look for it, come in. It’s not an investment, it’s a utility token, sorry, forgot. Um. But it is a way to get in early, and we’re offering some discount rates as well on the cryptographic key management. Talk to, reach out to blockframetech.com, and we’re bringing in vendors right now to integrate it into their product to design this next generation security today and have it in your next product release. So, and it comes down the road. It’s like I keep saying, I’m excited about it and I think we’re changing the world, but I’ll let you make that decision. But come talk to us.

Nathaniel Nelson
Andrew, that concludes your interview with Dr Gorog. Do you have any final summary about what we talked about here to lead us off?

Andrew Ginter
Yeah, I mean, you know, to me it’s all about device networks. You know, backing away just a moment: the biggest denial-of-service attack in history, if you recall, what, a year ago or so, two years ago, was because internet-connected household cameras had defects that were exploited, and all of them attacked, you know, 1 or 2 sites on the internet at the same time. Not an example of trust; that’s an example of just scale. The scale we’re talking about is, you know, the number of these devices out in the world are just getting more and more, and a lot of them are internet connected. You know, and when we connect an incredible number of devices across the internet, there’s privacy issues. There’s, you know, there’s verification issues: are these power readings that I’m getting from rooftop solar producers in my geography, are these, you know, readings real? Should I really pay these people? Are these traffic sensors from the neighboring city that say I’ve got a problem coming my way, there’s a traffic jam coming my way, you know, take corrective action, are these real? You know, we’re talking about trust, we’re talking about scale, you know, the unprecedented scale. We’re talking about interoperability between vendors, between vendors and utilities, between utilities and other utilities, you know, probably even other applications that I just don’t get yet. So yeah, it’s ah.

Andrew Ginter
It looks like a kind of technology that we’re going to see more and more of on the internet, and, you know, with industrial and other kinds of applications going forward. So it’s a space that I’ve tried to ignore, and I don’t know that I can’t anymore.

Nathaniel Nelson
Well, thank you to Dr Christopher Gorog for speaking with you, Andrew, and Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.
