Democratizing Authority in the Built Environment MICHAEL P. ANDERSEN, JOHN KOLB, KAIFEI CHEN, GABE FIERRO, DAVID E. CULLER, and RANDY KATZ, University of California, Berkeley 17 Operating systems and applications in the built environment have relied upon central authorization and management mechanisms that restrict their scalability, especially with respect to administrative overhead. We propose a new set of primitives encompassing syndication, security, and service execution that unifies the management of applications and services across the built environment, while enabling participants to individually delegate privilege across multiple administrative domains with no loss of security or manage- ability. We show how to leverage a decentralized authorization syndication platform to extend the design of building operating systems beyond the single administrative domain of a building. The authorization sys- tem leveraged is based on blockchain smart contracts to permit decentralized and democratized delegation of authorization without central trust. Upon this, a publish/subscribe syndication tier and a containerized service execution environment are constructed. Combined, these mechanisms solve problems of delegation, federation, device protection and service execution that arise throughout the built environment. We leverage a high-fidelity city-scale emulation to verify the scalability of the authorization tier, and briefly describea prototypical democratized operating system for the built environment using this foundation. This is an extension of work presented in Ref. [3]. CCS Concepts: • Security and privacy → Access control; Authorization; Authentication;•Computer systems organization → Embedded and cyber-physical systems; Additional Key Words and Phrases: Built environment, syndication, microservices, federation ACM Reference format: Michael P. Andersen, John Kolb, Kaifei Chen, Gabe Fierro, David E. Culler, and Randy Katz. 2018. Democ- ratizing Authority in the Built Environment. ACM Trans. Sen. Netw. 14, 3–4, Article 17 (December 2018), 26 pages. https://doi.org/10.1145/3199665 1 INTRODUCTION Over the past several years, building operating systems (BOS) have been developed to provide an execution environment for applications that operate safely on the physical plant of a building, transforming it into a rich cyberphysical system (e.g., BAS [25], sMAP [16], BuildingDepot [1], BOSS [17], Mortar.io [26], BEMOSS [27], Niagara [23], VOLTTRON [2]). While this work has made great strides in supporting energy efficiency, human comfort, and grid integration of buildings, three themes emerge that are both outstanding shortcomings of BOS and This work is sponsored in part by the California Energy Commission, Department of Energy grant DE-EE0007685, the Fulbright Scholarship Program, and National Science Foundation grant CPS-1239552. Authors’ addresses: M. P. Andersen, J. Kolb, K. Chen, G. Fierro, D. E. Culler, and R. Katz, University of California, Berkeley, Soda Hall, Berkeley, CA 94720; emails: {m.andersen, jkolb, kaifei, gtfierro, culler, randy}@cs.berkeley.edu. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. © 2018 Association for Computing Machinery. 1550-4859/2018/12-ART17 $15.00 https://doi.org/10.1145/3199665 ACM Transactions on Sensor Networks, Vol. 14, No. 3–4, Article 17. Publication date: December 2018. 17:2 M. P. Andersen et al. critical to extending from buildings (or campuses of buildings) to the broader built environment—(i) natural delegation of authority and its enforcement, (ii) federation, and (iii) protection. Further- more, each of these are present not just for individuals, but for persistent computational processes and devices operating on their behalf. Delegation: Within the building context, organizationally, the campus facility manager dele- gates certain authority to building managers, each of whom may delegate (logically) the control of certain regions of a building to its tenant organizations, who may further delegate to individual office occupants. However, little of this delegation is actually supported by building management systems. Often the individual does not even have a way to set desired temperature; she instead makes a request up the chain of authority. The building manager may be authorized on a central server to adjust zone setpoints and schedules, but she must issue requests to facilities managers to make deeper adjustments like supply air temperature. In a more modern BOS, the occupant may be able to open a webpage or app to adjust the temperature schedule for their particular of- fice, but authorization to do so is based on verifying the identity of the individual (or possiblythe identity of a device, e.g., a touchpad, in the room) used in accordance with an access control list (ACL). If the occupant loans the office to a visitor, there may be no way to also “loan” the author- ity to adjust its temperature or lighting schedule other than getting the visitor inserted and later removed from the directory. The delegation problem is amplified as we consider the lifecycle of the building, operations performed on common spaces, temporary authorizations for events, etc. These issues are further amplified across the built environment. The individual is delegated differ- ent access in their apartment, work setting, gym, and public space, for example. Furthermore, as we move to intelligent environments, the individual may want to delegate a portion of her authority in each of these places to her computational agents, so out-of-band human communication is not sufficient. Federation: Even within a building, its subsystems (HVAC, lighting, electrical monitoring, secu- rity) have typically been disconnected, managed by different control systems. Most BOS integrate these and many will integrate the resulting systems over multiple buildings in a common admin- istrative domain, say a campus or a property management company. The challenge is integration across distinct administrative domains. This arises in settings as simple as demand response, where the issuer of the critical event (e.g., the independent system operator) is distinct from the building owner, its occupants, the utility, or the energy services aggregator. As electric vehicle charging is incorporated, the set of stakeholders increases, as with the incorporation of municipal and indus- trial processes, especially in conjunction with fluctuating renewable supplies. The mechanisms to allow agents in one administrative domain to take particular limited actions in another, say ad- justing a temperature or lighting set-point, is quite ad hoc. We cannot expect all of these to refer their authorizations to a common central authority, nor can we expect to deal with many disparate authorizing entities. Certainly, the vendors of each of the different devices cannot be the autho- rizing entity (as we see today with Nest, Amazon Echo, and Google Home). Nor can we expect all the parties to be on-line and participating whenever a delegation is performed. Protection: As more of the built environment is connected and intelligent, the danger arises that more attack surfaces and threats are presented. Embedded devices tend to be particularly sen- sitive to DOS attacks because of limited processing power, often limited connection bandwidth, and largely unattended operation. Several examples in the literature [15, 28] show current vul- nerabilities to these threats and modern BOS have not fundamentally changed the picture. They typically apply modern network security, sit behind firewalls, avoid open ports, and may use Vir- tual Private Network (VPN) to cross Local Area Network (LAN). Execution containers: Lying beneath these issues is the simple fact that the building blocks of cyberphysical systems are numerous persistent computational processes—drivers, gateways, ACM Transactions on Sensor Networks, Vol. 14, No. 3–4, Article 17. Publication date: December 2018. Democratizing Authority in the Built Environment 17:3 controllers, and so on. Each of these resides in some execution container and needs to be managed (initiated, monitored, controlled, restarted, etc.), as does the container itself. In building a foundation for delegation, protection, and federation in higher level services, these principles can be utilized internally in the support for these services. To address these issues in the expansion from intelligent buildings to intelligence throughout the built environment, we explore incorporating delegation, protection, and federation into the communication substrate of the syndication layer. The idea is that in any attempt to publish to a resource, the entity making the attempt must present a proof of authorization (over multiple levels of delegation, across administrative domains) that can be easily verified by the router form- ing the syndication layer and by the recipient subscribers. Entities can delegate rights to access resources to other entities without engaging any central authority, in fact, without any communi- cation