Pioneering Grid-Edge Security: Lessons from the Digicert Digital Trust Summit

Visual interpretation of a quantum computer

If you’ve attended one of my talks recently, or have been following this blog, you will have noticed an emphasis on security at the edge of the grid. It’s becoming more and more a ‘hot topic’ as the number of grid-edge devices, controlling things like premises-scale batteries and critical loads, increases.

In my talk at Energy Next last year I mentioned the Security of Critical Infrastructure Act, which directly applies to the energy sector. And while the implementation of the Act is still early days, and grid-edge mechanisms are not front-and-centre as yet, the lens is sure to focus on them in the not-too-distant future.

As we started designing and developing our new 6MW-CER device and the systems that support it, increased security has been a focal point. A key determining factor in our choice of main compute processor was the security features it provided and enabled. And we have built a number of features in our production processes and firmware to take advantage of these capabilities.

If we’re successful, however, a lot of this work will go unnoticed to our customers. That is, if we get it right, they won’t notice it’s there. (And conversely, they’ll definitely notice it if we get it wrong!!)

So it was lovely to have the opportunity to present in Melbourne last week, at the Digicert Digital Trust Summit Roadshow. It was a rare chance to highlight some of the behind-the-scenes work the Wattwatchers team have been doing over the past two years, to put the 6MW-CER at the forefront of grid-edge IoT security for devices in its class.

In my talk, I highlighted three main focal points of our work:

  1. Security of communications, including individual device certificates
  2. Cryptographic signing of firmware
  3. Encrypted data at rest (on-device)

Our approach was heavily informed by Amazon Web Services’ best practice guidelines. After speaking to a number of the leading providers of security products (this is a few years back, now), we chose to work with Digicert’s Software Trust and Device Trust products to provide the critical certificate and signing infrastructure we need.

We wanted an ‘API first’ approach to managing all this, to automate and ingrain security into our production processes. The Digicert One API has been terrific to work with—it is well designed to support our real-world requirements. Digicert went above and beyond to co-develop a PKS11 signing system with our chip manufacturer so that we could do all this with maximum security of our signing keys, all through our continuous integration system. We are proud to be one of the first organisations to utilise this system. The Digicert One API also enables our devices to be completely responsible for their own certification management, from provisioning through in-field deployment; another best practice.

Behind the scenes we have received confirmation of our approach from a number of folks doing due diligence for major projects, with anecdotal feedback that we have one of the best systems around. But again, that’s usually ‘off the record’ so we don’t get to share it.

Therefore, it was wonderful to have this work recognised by an industry leader such as Digicert, with our invitation to speak. It was a delight to share some of our experience, and publicly thank the Digicert team for their efforts in making our life easier! As I said on the day, a non-commercial benefit of working with Digicert is I sleep better at night 😉.

In addition to being able to showcase our work, one of the highlights on the day, for me at least, was Avesta’s session on Post-Quantum Cryptography. This has been a topic on my mind for a little while now. Cryptography is one of the areas where quantum computing holds particular relevance. Avesta highlighted that we need to be working now to be prepared for what is, in fact, not that far away. He demonstrated that a number of great minds across the industry have been ‘on the job’ for over 8 years, developing new algorithms and standards to meet this challenge. There’s a lot to take in, so I appreciated how Avesta explained things in ways that made sense to me, as a mere mortal! It was an insightful session, and a clear indication that we have more work to do, over time.

Oh, and I have to make a special shout-out to the guest appearance by KITT (if you’re old enough, you know) in Anthony Ricci’s talk. A very clever way to perk things up in the middle of a day of sessions… 😏🤓

All in all it was a wonderful day for me personally. I was so glad to hear that the Digicert team received positive feedback about my session, and the day overall.

We got a sneak peek at the new Device Trust Manager system, that the Digicert team launched in Barcelona a few days before the Summit. It’s another example of a well-considered system that responds to the needs of practitioners. It very closely reflects the deployment and management systems we have implemented over the years, built upon hard-won experience about what works (and what doesn’t). The keen interest Rahul Pathak (the Product Owner of Device Trust Manager), and Avesta, showed in my feedback to their hands-on demo at the event is testament to the user-centred ethos that seems well entrenched at Digicert. It shows in the end result…

I’m looking forward to continuing our work with the team at Digicert, and to continue our security improvement journey.