-rw-r--r-- | ma/safety_reset.tex | 51 |
1 files changed, 42 insertions, 9 deletions
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 7f4bed0..289d91e 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -115,7 +115,7 @@ unpredictable way of the forces of nature. Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation. In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and -shift from a purely passive role to being active participants of the electricity market. +shift from a purely passive role to being active participants of the electricity market\cite{crastan03}. To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has had to adapt itself in major ways. One aspect of this adaption that is particularly visible to ordinary people is the 
@@ -124,11 +124,44 @@ electrical grid and the far-reaching diffusion of computers into people's everyd one of the last remnants of an offline, analog time. Until the 2010s many of the world's households were still served through electromechanical Ferraris-style meters that have their origin in the late 19th century. % FIXME citation. -Today, under the terms \emph{Smart Grid} and \emph{Smart metering} the shift towards fully computerized, often networked -meters has been largely accomplished. -% FIXME continue here. - -\cite{crastan03} +Today under the umbrella term \emph{Smart Grid} the shift towards fully computerized, often networked meters has been +partially accomplished. The roll out of these \emph{Smart Meters} has not been very smooth overall with some countries +severely lagging behind other countries. As a safety-critical technology smart meter technology is usually standardized +on a per-country basis. This leads to an inhomogenous landscape with in some instances wildly incompatible systems. +Often vendors only serve a single country or have a separate model of their meter for each country. This complex +standardization landscape and market situation has led to a proliferation of highly complex, custom-coded +microcontroller firwmare. The complexity and scale of this often network-connected firmware makes for a ripe substrate +for bugs to surface. + +A remotely exploitable flaw inside a smart meter's firmware\footnote{ + There are several smart metering architectures that ascribe different roles to the component called \emph{smart + meter}. Coarsely divided into two camps these are systems where all metering and communication code resides within + one physical unit and systems where metering and communication are separated into two units, the \emph{smart meter} + and the \emph{smart meter gateway}. An example for the former are setups in the USA, an example of the latter is the + one in Germany. 
For clarity in this introductory chapter we use \emph{smart meter} to describe the entire system at + the customer premises including both the meter and a potential gateway. +} could have consequences ranging from impaired billing +functionality to an existential threat to grid stability. A coördinated attack on meters in a country where load +switches are common could at worst cause widespread activation of grid safety systems by repeatedly connecting and +disconnecting megawatts of load capacity in just the wrong moments. + +Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous +complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization +landscape makes a coördinated, comprehensive response unlikely. + +In this thesis instead of lamenting the state of firmware security we introduce a pragmatic solution to the in our minds +likely scenario of a large-scale compromise of smart meter firmware. In our proposal the components of the smart meter +that are threatened by remote compromise are equipped with a physically separate \emph{safety reset controller} that +listens for a reset command transmitted through the electrical grid itself and on reception forcibly resets the smart +meter's entire firmware to a known-good state. Our safety reset controller receives commands through Direct Sequence +Spread Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium +smelter. After forward error correction and cryptographic verification it re-flashes the target application +microcontroller over the standard JTAG interface. + +In this thesis starting from a high-level architecture we have carried out extensive simulations of our proposal's +performance under real-world conditions. 
Based on these simulations we implemented an end-to-end prototype of our +proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validate our +results and give an outline of further steps towards practical implementation. \section{Structure and operation of the electrical grid} @@ -1707,7 +1740,7 @@ data. Re-using segements of this data as background noise in multiple simulation simulation results depending on individual features of this particular capture that would be common between all runs. To estimate the impact of this problem we re-ran some of our simulations with artificial random noise synthesized with a power spectral density matching that of our capture. To do this, we first measured our capture's PSD, then fitted a -low-resolution spline to the PSD curve in log-log coordinates. We then generated white noise, multiplied the resampled +low-resolution spline to the PSD curve in log-log coördinates. We then generated white noise, multiplied the resampled spline with the DFT of the synthetic noise and performed an iDFT on the result. The resulting time-domain signal is our synthetic grid frequency data. Figure \ref{freq_meas_spectrum} shows the PSD of our measured grid frequency signal. The red line indicates the low-resolution log-log spline interpolation used for shaping our artificial noise. Figure 
@@ -2199,7 +2232,7 @@ over long periods of time at cost of a slight increase in system complexity. The description of a safety reset system provided in this work could be translated into a formalized technical standard with relatively low effort. Our system is very simple compared to e.g. a full smart meter communication standard and thus can conceivably be described in a single, concise document. The much more complicated side of standardization would -be the standardization of the backend operation including key management, coordination and command authorization. +be the standardization of the backend operation including key management, coördination and command authorization. \section{Regulatory adoption} @@ -2254,7 +2287,7 @@ TrustZone is a virtualization technology that provides a hardware-assisted privi of the microcontrollers cores. In traditional virtualization setups a privileged hypervisor is managing several unprivileged applications sharing resources between them. Separation between applications in this setup is longitudinal between adjacent virtual machines. Two applications would both be running in unprivileged mode sharing the same cpu and -the hypervisor would merely schedule them, configure hardware resource access and coordinate communication. This +the hypervisor would merely schedule them, configure hardware resource access and coördinate communication. This longitudinal virtualization simplifies application development since from the application's perspective the virtual machine looks very similar to a physical one. In addition, in general this setup reciprocally isolates two applications with neither one being able to gain control over the other. |
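Review bot: in the first hunk (@@ -115), `market\cite{crastan03}.` lets LaTeX break the line between the word and the citation bracket; the usual form is `market~\cite{crastan03}.` with a non-breaking space.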
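Review bot: the new introduction in the @@ -124 hunk has two spelling slips, "inhomogenous" (inhomogeneous) and "firwmare" (firmware), and "roll out" as a noun is normally "rollout". More substantively, the paragraph describing the safety reset controller says a received command undergoes "forward error correction and cryptographic verification" before the JTAG re-flash, but does not say what is verified or against which key; since that check is the only thing standing between an attacker who can modulate grid frequency and a forced re-flash of every meter, one clause naming the mechanism (for example, a signature over the command checked against a backend public key held by the reset controller) belongs here rather than only in the later key-management section touched by the @@ -2199 hunk. Also the `% FIXME citation` on the Ferraris-meter sentence survives unchanged in the new context, so that item is still open.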
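Review bot: the @@ -1707 hunk only changes "coordinates" to "coördinates" for consistency with the other hunks; if the file is not compiled with a UTF-8 input encoding, the literal ö should be written as `co\"ordinates` instead. The unchanged context line in the same hunk still reads "segements" (segments), which could be fixed in the same pass.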
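Review bot: in the @@ -2254 hunk the context lines around the changed "coördinate" still contain "the microcontrollers cores" (missing possessive, "the microcontroller's cores") and lowercase "cpu" (CPU); worth fixing alongside the spelling change.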