authorjaseg <git@jaseg.de>2022-04-07 11:14:00 +0200
committerjaseg <git@jaseg.de>2022-04-07 11:14:00 +0200
commit1dfe76a4cec1f6d38ccbd432eb81993b38f80f53 (patch)
tree4cdc4a7b2e51840f9815825ef782619c51b2fafe
parentcbc736534592128777362413e066d5a048122508 (diff)
Paper WIP
-rw-r--r--paper/safety-reset-paper.tex117
1 files changed, 91 insertions, 26 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex
index f89aeae..fc62bc8 100644
--- a/paper/safety-reset-paper.tex
+++ b/paper/safety-reset-paper.tex
@@ -35,38 +35,82 @@
\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
\titlerunning{Ripples in the Pond: Transmitting Information through Grid Frequency}
\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
-\institute{Alexander von Humboldt Institut for Internet and Society Berlin (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
-% FIXME keywords
+\institute{TU Darmstadt\\ Communication Networks Lab\\ \email{safetyreset@jaseg.de}
+\and Tel Aviv University\\ Faculty of Engineering\\ \email{lirankat@tau.ac.il}
+\and TU Darmstadt\\ Communication Networks Lab\\ \email{scheuermann@informatik.hu-berlin.de}}
\maketitle
\keywords{Security, privacy and resilience in critical infrastructures \and Security and privacy in ``internet of
things'' \and Cyber-physical systems \and Hardware security \and Network Security \and Energy systems \and Signal theory}
\begin{abstract}
- The smart grid is a large, complex and interconnected technological system. With remotely controllable load switches
- having been rolled out at scale in some countries, a tiny flaw inside the firmware of one of these embedded devices
- may enable attacks to remotely trigger large-scale disruption with potentially catastrophic results. Attaining
- perfect security against such cyberphysical attacks is a monumental embedded engineering task---and observations do
- not indicate that current efforts meet the requirements of this task.%FIXME cite recent RECESSIM work
-
- In this paper, we approach the smart grid safety issue by introducing a new, resilient broadcast communication
- channel based on modulating grid frequency that can be used as a last resort during large-scale cyberattacks. To
- demonstrate this channel, we have implementing an emergency override that can be used to reset potentially
- compromised smart meters to a known-good state and preempt subsequent compromise by cutting communication links.
- Our system transmits error-corrected and cryptographically secured commands by modulating grid frequency using a
- single large consumer such as a large aluminium smelter. This approach differs from traditional Powerline
- Communication (PLC) systems in that it reaches every device within the same synchronous area as the signal is
- embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly attenuated across
- long distances. The system only requires a single transmitting station anywhere on the grid and as such can operate
- fully independent of public telecommunication infrastructure.
-
- Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load would allow for the transmission
- of a crytographically secured \emph{reset} signal within $15$ minutes. We have designed and constructed a
- proof-of-concept prototype receiver that demonstrates the feasibility of decoding such signals even on
- resource-constrained microcontroller hardware.
+ With the rollout of the smart grid, the IT security of electrical infrastructure has attracted increased attention
+ in the last years. Smart Grid IT security has two major components: The security of central SCADA systems, and
+ the security of equipment at the consumer premises such as smart meters and IoT devices. While there is previous
+ work on both sides, their interactions have not yet received much attention.
+
+ In this paper, we consider the previously proposed scenario where a large number of compromised consumer devices is
+ used alone or in conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly
+ modulating the total connected load. Such attacks might include IoT devices, but they might also target Smart
+ Meters, which in many parts of the world now contain remote-controlled disconnect switches. Such attacks are hard to
+ mitigate, and existing literature focuses on hardening device firmware to prevent compromise. Although perfect
+ firmware security is not practically achievable, there is little research on \emph{post-compromise} mitigation
+ approaches. A core issue of any post-attack mitigation is that the devices normal network connection may not work
+ due to the attack and as such an out-of-band communication channel is necessary.
+
+ We propose a \emph{safety reset} controller that is controlled through a novel, resilient, grid-wide powerline
+ communication technique. Our safety reset controller can be fitted into any Smart Meter or IoT device. Its purpose
+ is to await an out-of-band command to put the device into a safe state (e.g. \emphp{relay on} or \emph{light on})
+ that interrupts attacker control over the device. The safety reset controller is separated from the system's main
+ application controller and does not have any conventional network connections to reduce attack surface and cost.
+
+ Our proposed resilient communication channel is a grid-wide broadcast channel based on modulating grid frequency. It
+ can be operated by transmission system operators (TSOs) even during black-start recovery procedures and in this
+ situation bridges the gap between the TSO's private network and the consumer devices. To demonstrate our proposed
+ channel, we have implemented a system that transmits error-corrected and cryptographically secured commands.
+
+ Our approach differs from traditional Powerline Communication (PLC) systems in that it reaches every device within
+ the same synchronous area as the signal is embedded into the fundamental grid frequency. Traditional PLC uses a
+ superimposed voltage, which is quickly attenuated across long distances.
+
+ Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load such as a large aluminium smelter,
+ load bank or photovoltaic farm would allow for the transmission of a crytographically secured \emph{reset} signal
+ within $15$ minutes. We have designed and constructed a proof-of-concept prototype receiver that demonstrates the
+ feasibility of decoding such signals on a resource-constrained microcontroller.
\end{abstract}
\section{Introduction}
+% FIXME This is meh.
+% Maybe *start* with "the recovery from a blackout bla bla..."?
+The power grids of the world are some of the most complex man-made technological systems. Their operation is essential
+for modern human life and with the proliferation of ransomware and state-sponsored attacks their IT security has come
+under close scrutiny. To grid operators, there are two main challenges that complicate IT security efforts. First, all
+parts of the electrical grid are physically coupled and faults can have consequences far from their source. Second, many
+of the networked devices used in grid applications are special-purpose devices built in low volumes, which limits the
+amount of engineering effort that could have been spent on their firmware security.
+
+We expect that a serious compromise can never fully be ruled out since the combined attack surface of a large number of
+diverse devices is too large to effectively secure, and perimeter security measures are only effective to a point when
+devices are spread out across a vast geographical area. Thus, in this paper we focus not on the prevention of an attack,
+but on the recovery from one.
+%The IT security of the power grid is a complicated issue. Transmission system operators are faced with multiple
+%challenges.
+
+%First, the grid is composed of myriad different devices that are interconnected on a contintental scale. Since all these
+%devices are physically coupled, faults in one system can have ripple effects far away. In other critical infrastructure
+%such as the water supply, transportation or the public health system, a number of fundamentally independent sub-systems
+%are only linked at an organizational level, which means faults due to either natural disasters or hacking attacks are
+%likely to be localized. In contrast, a transmission system operator has to make sure no faults happen anywhere in the
+%system for the system to be stable. Ensuring faultless operation across thousands of devices is hard.
+
+%Like any other complex technological system, the components that make up the power grid are increasingly being outfitted
+%with networked computer systems for monitoring and control.
+%They have to secure a large and diverse fleet of networked systems, many of which are special-purpose devices customized
+%for this particular application. Small production quantities
+%mean that the limit of economically achievable security is already low. Coupled with the high complexity of each of
+%these devices, this results in
+
+\subsection{The digitalization of the grid}
In the power grid, as in many other engineered systems, we can observe an ongoing diffusion of information systems into
the domain of industrial control. Automation of these control systems has already been practiced for the better part of a
century. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in
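Review bot: the `\emphp{relay on}` at the "(e.g. \emphp{relay on} or \emph{light on})" line in the new abstract is an undefined macro and will stop the LaTeX build; it should be `\emph{relay on}`. In the same hunk, "crytographically secured \emph{reset} signal" should read "cryptographically", and "the devices normal network connection" needs a possessive ("the device's"). The new `\institute` block lists TU Darmstadt for the third author while keeping the `scheuermann@informatik.hu-berlin.de` address; worth confirming that affiliation and e-mail are meant to disagree. The two `% FIXME` comments introduced above `\section{Introduction}` and the commented-out paragraphs after the new introductory text are fine for a WIP commit but should be resolved or dropped before submission.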
@@ -77,8 +121,8 @@ shifted from pure operation to engineering, maintenance and surveillance~\cite{c
With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation,
built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale
generators working together. In this new model large-scale fossil power plants still serve a major role, but new
-factors come into play. One such factor is the advance of renewable energies. The large-scale use of wind and solar power in
-particular seems unavoidable for continued human life on this planet. For the electrical
+factors come into play. One such factor is the advance of renewable energies. The large-scale use of wind and solar
+power in particular seems unavoidable for continued human life on this planet. For the electrical
grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and
quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the
grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they
@@ -100,7 +144,11 @@ electromechanical Ferraris-style meters that have their origin in the late 19th
century~\cite{borlase01,ukgov04,bnetza02}. Today, under the umbrella term \emph{Smart Metering}, the shift towards fully
computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very
smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology
-is usually standardized on a per-country basis. This leads to an inhomogenous landscape with---in some
+is usually standardized on a per-country basis.
+
+\subsection{Perfect firmware security}
+% FIXME join these paragraphs
+This leads to an inhomogenous landscape with---in some
instances---wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter
for each country. This complex standardization landscape and market situation has led to a proliferation of highly
complex, custom-coded microcontroller firmware. The complexity and scale of this---often network-connected---firmware
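Review bot: the new `\subsection{Perfect firmware security}` heading is inserted in the middle of a paragraph, so the section now opens with "This leads to an inhomogenous landscape" whose antecedent (per-country standardization) sits in the previous section; the `% FIXME join these paragraphs` comment acknowledges this, and the sentence should be rewritten to stand on its own (e.g. "Per-country standardization leads to an inhomogeneous landscape ...") when the paragraphs are merged. "inhomogenous" should be "inhomogeneous".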
@@ -174,6 +222,23 @@ This work contains the following contributions:
\item We carry out extensive simulations of our systems to determine its performance characteristics.
\end{enumerate}
+\section{Notation}
+
+To a computer scientist there is one confusing aspect to the theory of grid frequency modulation. GFM can be seen as a
+frequency modulation (FM) with a baseband signal in the band below approximately $f_m = \SI{5}{\hertz}$ that is
+modulated on top of a carrier signal at $f_c = \SI{50}{\hertz}$ in case of the European electrical grid. The frequency
+deviation $f_\Delta$ that the modulated carrier deviates from its nominal value of $f_m$ is very small at only a few
+milli-Hertz.
+
+When grid frequency is measured by first digitizing the mains voltage waveform, then de-modulating digitally, the FM's
+SNR is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise sources such as
+resistive droop due to large inrush current of nearby machines.
+
+Note that both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz. To disambiguate
+them, in this paper we will use \textbf{bold} letters to refer to the carrier waveform $\mathbf{U}$ or frequency
+$\mathbf{f_c}$ as well as its deviation $\mathbf{f_\Delta}$, and we will use normal weight for the actual modulation
+signal and its properties such as $f_m$.
+
\section{Related work}
\label{sec_related_work}
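Review bot: in the new Notation section the sentence "The frequency deviation $f_\Delta$ that the modulated carrier deviates from its nominal value of $f_m$" names the wrong symbol: the carrier's nominal value is $f_c = \SI{50}{\hertz}$, and $f_m$ was just defined as the baseband bandwidth, so this should read "its nominal value of $f_c$" (or, following the bold convention introduced two paragraphs later, $\mathbf{f_c}$). Also, "both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz" doubles "both"; "de-modulating" should be "demodulating"; and "GFM" is used without expansion in the paragraph where it first appears, so "grid frequency modulation (GFM)" would help readers who skip the abstract. Since the section defines a bold/normal-weight convention, the earlier uses of $f_\Delta$ and $f_c$ in the same section should be made bold for consistency with that convention.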