Cybersecurity researchers from the Pacific Northwest National Laboratory (PNNL) have recently published a Threat Profile of ACE IoT Solutions’ commercial deployment of the Eclipse VOLTTRON platform. The Threat Profile, published by PNNL’s Secure Software Central (SSC) Team, provides ACE IoT and our customers with a clear understanding of potential threats against ACE IoT’s Cloud Platform and an independent assessment of ACE IoT’s approaches to mitigating security threats.
What is a Threat Profile and Why is it Valuable?
Leading organizations have started to move away from cybersecurity approaches that focus on vulnerabilities in favor of approaches that assess threats. A 2019 blog post by researchers at Lockheed Martin makes the case for a threat-centric approach to cybersecurity. In the post, authors Muckin and Fitch identify several deficiencies inherent to an approach to cybersecurity that is centered on system vulnerabilities, noting that such approaches:
Create a highly reactive operational environment,
Drive overreactions and improper resource allocations as vulnerabilities and incidents are prioritized in lieu of larger-scale threat scenarios and patterns, and
Identify only known vulnerabilities; unknown vulnerabilities or systemic design flaws are neglected.
In contrast to a vulnerabilities-centric approach, a threat-centric approach to cybersecurity helps ensure that organizations allocate a commensurate level of resources to defend their assets and plan for current and future threats. A Threat Profile is a foundational assessment designed to guide an organization’s efforts related to the planning, design and deployment of critical systems.
The growing Eclipse VOLTTRON community stands to benefit from the open and transparent cybersecurity assessment of ACE IoT’s Eclipse VOLTTRON deployment. Indeed, since our deployment of Eclipse VOLTTRON is representative of a typical open network deployment, the published Threat Profile will have value to developers for, and end-users of, the Eclipse VOLTTRON platform. We are grateful to the Department of Energy for funding the SSC Team’s important work.
An Illustration of ACE IoT’s Commitment to Effective Cybersecurity
For ACE IoT, the published Threat Profile serves as an illustration of our commitment to an open pursuit of a mature and effective cybersecurity posture. Given the sensitivity of control technologies that enable Distributed Energy Resources (DERs) deployments and Grid Interactive Efficient Buildings (GEBs), we favor “defense in depth strategies” to help prevent inevitable Common Vulnerabilities and Exposures (CVEs) from compromising our system. Rather than make claims of ineffable security, we prefer to demonstrate the thoroughness of our approach and our willingness to seek out independent expertise to respond and improve in the face of changing threats.
Vendors often make claims of “absolute” cybersecurity and require that their potential customers take their word about the veracity of these claims. We are pleased that the Threat Profile published by PNNL provides evidence that our deployment of the Eclipse VOLTTRON platform is designed to secure against the current threat models and incorporates a posture that will allow an effective response to future threats. To speak with ACE IoT about how our Infrastructure as a Service solution can help your organization acquire and trend IoT data to the cloud securely and cost-effectively, please contact email@example.com.