209 research outputs found

    kube-volttron: Rearchitecting the VOLTTRON Building Energy Management System for Cloud Native Deployment

    Managing the energy consumption of the built environment is an important source of flexible load and decarbonization, enabling building managers and utilities to schedule consumption to avoid costly demand charges and peak times when carbon emissions from grid generated electricity are highest. A key technology component in building energy management is the building energy management system. Eclipse VOLTTRON is a legacy software platform which enables building energy management. It was developed for the US Department of Energy (DOE) at Pacific Northwest National Labs (PNNL) written in Python and based on a monolithic build-configure-and-run-in-place system architecture that predates cloud native architectural concepts. Yet the software architecture is componentized in a way that anticipates modular containerized applications, with software agents handling functions like data storage, web access, and communication with IoT devices over specific IoT protocols such as BACnet and Modbus. The agents communicate among themselves over a message bus. This paper describes a proof-of-concept prototype to rearchitect VOLTTRON into a collection of microservices suitable for deployment on the Kubernetes cloud native container orchestration platform. The agents are packaged in redistributable containers that perform specific functions and which can be configured when they are deployed. The deployment architecture consists of a single Kubernetes cluster containing a central node, nominally in a cloud-based VM, where a microservice containing the database agent (called a "historian") and the web site agent for the service run, and gateway nodes running on sites in buildings where a microservice containing IoT protocol-specific agents handles control and data collection to and from devices, and communication back to the central node.

    Ubiquitous Computing and Ambient Intelligence—UCAmI

    The Ubiquitous Computing (UC) idea envisioned by Weiser in 1991 [1] has recently evolved to a more general paradigm known as Ambient Intelligence (AmI) that represents a new generation of user-centred computing environments and systems. These solutions aim to find new ways to better integrate information technology into everyday life devices and activities. AmI environments are integrated by several autonomous computational devices of modern life ranging from consumer electronics to mobile phones. Ideally, people in an AmI environment will not notice these devices, but will benefit from the services these solutions provide them. Such devices are aware of the people present in those environments by reacting to their gestures, actions, and context [2]. Recently the interest in AmI environments has grown considerably due to new challenges posed by society’s demand for highly innovative services, such as smart environments, Ambient Assisted Living (AAL), e-Health, Internet of Things, and intelligent systems, among others.

    Implementing DNSSEC soft delegation for microservices

    Securing DNS in Edge- and Fog computing, or other scenarios where microservices are offloaded, requires the provision of zone signing keys to the third parties who control the computing infrastructure. This fundamentally allows the infrastructure provider to create novel signatures at their discretion and even arbitrarily extend the certificate chain. Based on our proposal on soft delegation for DNSSEC, which curtails this vulnerability, we report on our proof-of-concept: a C-implementation of chameleon hashes in OpenSSL, a server-side implementation of the mechanism in the ldns server, and an offline client that validates the signed records, in this paper. We also discuss different approaches for generating DNSSEC RRSIG records, and the behavior of a resolver to verify the credentials and securely connect to an end point using TLS with SNI and DANE.

    Cyber Security and Critical Infrastructures

    This book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles: an editorial explaining current challenges, innovative solutions, real-world experiences including critical infrastructure, 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems, and a review of cloud, edge computing, and fog's security and privacy issues

    A highly-available and scalable microservice architecture for access management

    Access management is a key aspect of providing secure services and applications in information technology. Ensuring secure access is particularly challenging in a cloud environment wherein resources are scaled dynamically. In fact, keeping track of dynamic cloud instances and administering access to them requires careful coordination and mechanisms to ensure reliable operations. PrivX is a commercial offering from SSH Communications and Security Oyj that automatically scans and keeps track of the cloud instances and manages access to them. PrivX is currently built on the microservices approach, wherein the application is structured as a collection of loosely coupled services. However, PrivX requires external modules with specific capabilities to ensure high availability. Moreover, complex scripts are required to monitor the whole system. The goal of this thesis is to make PrivX highly available and scalable by using a container orchestration framework. To this end, we first conduct a detailed study of the most widely used container orchestration frameworks: Kubernetes, Docker Swarm and Nomad. We then select Kubernetes based on a feature evaluation relevant to the considered scenario. We package the individual components of PrivX, including its database, into Docker containers and deploy them on a Kubernetes cluster. We also build a prototype system to demonstrate how microservices can be managed on a Kubernetes cluster. Additionally, an auto scaling tool is created to scale specific services based on predefined rules. Finally, we evaluate the service recovery time for each of the services in PrivX, both in the RPM deployment model and the prototype Kubernetes deployment model. We find that there is no significant difference in service recovery time between the two models. However, Kubernetes ensured high availability of the services. We find that Kubernetes is the preferred mode for deploying PrivX and it makes PrivX highly available and scalable.

    IT infrastructure & microservices authentication

    Mestrado IPB-ESTG. BIOma - Integrated solutions in BIOeconomy for the Mobilization of the Agrifood chain project is structured in 6 PPS (Products, Processes, and Services) out of which, a part of PPS2 is covered in this work. This work resulted in the second deliverable of PPS2 which is defined as PPS2.A1.E2 - IT infrastructure design and graphical interface conceptual design. BIOma project is in the early stage and this deliverable is a design task of the project. For defining the system architecture, requirements, UML diagrams, physical architecture, and logical architecture have been proposed. The system architecture is based on microservices due to its advantages like scalability and maintainability for bigger projects like BIOma where several sensors are used for big data analysis. Special attention has been devoted to the research and study for the authentication and authorization of users and devices in a microservices architecture. The proposed authentication solution is a result of research made for microservices authentication where it was concluded that using a separate microservice for user authentication is the best solution. FIWARE is an open-source initiative defining a universal set of standards for context data management that facilitates the development of Smart solutions for different domains like Smart Cities, Smart Industry, Smart Agrifood, and Smart Energy. FIWARE’s PEP (Policy Enforcement Point) proxy solution has been proposed in this work for the better management of user’s identities, and client-side certificates have been proposed for authentication of IoT (Internet of Things) devices. The communication between microservices is done through AMQP (Advanced Message Queuing Protocol), and between IoT devices and microservices is done through MQTT (Message Queuing Telemetry Transport) protocol.

    SoK: An Analysis of Protocol Design: Avoiding Traps for Implementation and Deployment

    Today's Internet utilizes a multitude of different protocols. While some of these protocols were first implemented and used and later documented, others were first specified and then implemented. Regardless of how protocols came to be, their definitions can contain traps that lead to insecure implementations or deployments. A classical example is insufficiently strict authentication requirements in a protocol specification. The resulting misconfigurations, i.e., not enabling strong authentication, are common root causes for Internet security incidents. Indeed, Internet protocols have been commonly designed without security in mind, which leads to a multitude of misconfiguration traps. While this is slowly changing, too strict security considerations can have a similarly bad effect. Due to complex implementations and insufficient documentation, security features may remain unused, leaving deployments vulnerable. In this paper we provide a systematization of the security traps found in common Internet protocols. By separating protocols in four classes we identify major factors that lead to common security traps. These insights together with observations about end-user centric usability and security by default are then used to derive recommendations for improving existing and designing new protocols, without such security-sensitive traps for operators, implementors and users.

    Hybrid clouds for data-Intensive, 5G-Enabled IoT applications: an overview, key issues and relevant architecture

    Hybrid cloud multi-access edge computing (MEC) deployments have been proposed as efficient means to support Internet of Things (IoT) applications, relying on a plethora of nodes and data. In this paper, an overview on the area of hybrid clouds considering relevant research areas is given, providing technologies and mechanisms for the formation of such MEC deployments, as well as emphasizing several key issues that should be tackled by novel approaches, especially under the 5G paradigm. Furthermore, a decentralized hybrid cloud MEC architecture, resulting in a Platform-as-a-Service (PaaS) is proposed and its main building blocks and layers are thoroughly described. Aiming to offer a broad perspective on the business potential of such a platform, the stakeholder ecosystem is also analyzed. Finally, two use cases in the context of smart cities and mobile health are presented, aimed at showing how the proposed PaaS enables the development of respective IoT applications. Peer Reviewed. Postprint (published version).

    Fotovoltaic excess management and visualization system

    The project's main objective is the development of a working prototype for a photovoltaic excess management and visualization system based on the integration of already existing technologies. In more concrete terms, this means the implementation of a software-based solution capable of managing excess power from a smart home or similar installation (tracking use of imported/exported power, deciding when and how to use excess power, etc.), as well as visualizing it (consumption of different devices, computation of power costs/benefits, hardware resources, etc.).