Diffstat (limited to 'ma/safety_reset.tex')
-rw-r--r-- | ma/safety_reset.tex | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 0e6ed6e..35c7839 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex 
@@ -120,46 +120,46 @@ \chapter{Introduction} %FIXME: sprinkle this section with citations. -In the power grid as in other engineered systems we can observe an ongoing diffusion of information systems into -industrial control systems. Automation of these control systems has been practiced for the better part of a century -already. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in +In the power grid, as in many other engineered systems, we can observe an ongoing diffusion of information systems into +industrial control systems. Automation of these control systems has already been practiced for the better part of a +century. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in power stations are computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have shifted from pure operation to engineering, maintenance and surveillance. -With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation -built around massive large-scale fossil and nuclear power plants towards a more heterogenous model of smaller-scale -generators working together. In this new model large-scale fossil power plants still serve a major role but two new +With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation, +built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale +generators working together. In this new model large-scale fossil power plants still serve a major role, but two new factors come into play. One is the advance of renewable energies. 
The large-scale use of wind and solar power in particular from a current standpoint seems unavoidable for our continued existence on this planet. For the electrical grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they -introduce a large degree of uncertainty due to the unpredictable way of the forces of nature. +introduce a larger degree of uncertainty due to the unpredictability of the forces of nature. -Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation. +Along with this change in dynamic behavior, renewable energies have brought forth the advance of distributed generation. In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and shift from a purely passive role to being active participants of the electricity market\cite{crastan03}. To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has -had to adapt itself in major ways. One aspect of this adaption that is particularly visible to ordinary people is the +had to adapt itself in major ways. One aspect of this adaptation that is particularly visible to ordinary people is the computerization of end-user energy metering. Despite the widespread use of industrial control systems inside the electrical grid and the far-reaching diffusion of computers into people's everyday lives the energy meter has long been one of the last remnants of an offline, analog time. 
Until the 2010s many households were still served through electromechanical Ferraris-style meters that have their origin in the late 19th century\cite{borlase01,ukgov04,bnetza02}. Today under the umbrella term \emph{Smart Metering} the shift towards fully computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very -smooth overall with some countries severely lagging behind other countries. As a safety-critical technology smart -metering technology is usually standardized on a per-country basis. This leads to an inhomogenous landscape with in some -instances wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter for -each country. This complex standardization landscape and market situation has led to a proliferation of highly complex, -custom-coded microcontroller firmware. The complexity and scale of this often network-connected firmware makes for a -ripe substrate for bugs to surface. +smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology +is usually standardized on a per-country basis. This leads to an inhomogenous landscape with--in some instances--wildly +incompatible systems. Often vendors only serve a single country or have separate models of a meter for each country. +This complex standardization landscape and market situation has led to a proliferation of highly complex, custom-coded +microcontroller firmware. The complexity and scale of this--often network-connected--firmware makes for a ripe substrate +for bugs to surface. A remotely exploitable flaw inside a smart meter's firmware\footnote{ There are several smart metering architectures that ascribe different roles to the component called \emph{smart - meter}. Coarsely divided into two camps these are systems where all metering and communication functions resides + meter}. 
Coarsely divided into two camps these are systems where all metering and communication functions reside within one physical unit and systems where metering and communication functions are separated into two units called the \emph{smart meter} and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in the USA, an example of the latter is the setup in Germany. For clarity, in this introductory chapter we use 
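Review bot: the wording pass in this hunk leaves two misspellings untouched: `heterogenous` in "towards a more heterogenous model of smaller-scale" should be `heterogeneous`, and `inhomogenous` in "This leads to an inhomogenous landscape" should be `inhomogeneous`. The parenthetical dashes introduced here ("with--in some instances--wildly", "this--often network-connected--firmware") use `--`, which LaTeX typesets as an en-dash; for an unspaced parenthetical dash the conventional form is `---`, so either change these to `---` or use spaced ` -- ` consistently. The `%FIXME: sprinkle this section with citations.` marker above the hunk still applies after this change: the claims about the roll-out lagging in some countries and about per-country standardization remain uncited, so either add citations here or keep the FIXME until they are added.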
@@ -168,15 +168,15 @@ A remotely exploitable flaw inside a smart meter's firmware\footnote{ } could have consequences ranging from impaired billing functionality to an existential threat to grid stability\cite{anderson01,anderson02}. In a country where meters commonly include disconnect switches for purposes such as prepaid tariffs a coördinated attack could at worst cause widespread activation of grid safety systems by repeatedly -connecting and disconnecting Megawatts of load capacity in just the wrong moments\cite{wu01}. +connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}. Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization landscape makes a coördinated, comprehensive response unlikely. -In this thesis instead of focusing on the very hard task of improving firmware security we introduce a pragmatic -solution to the in our minds likely scenario of a large-scale compromise of smart meter firmware. In our proposal the -components of the smart meter that are threatened by remote compromise are equipped with a physically separate +In this thesis, instead of focusing on the very hard task of improving firmware security we introduce a pragmatic +solution to the--in our opinion likely--scenario of a large-scale compromise of smart meter firmware. In our proposal +the components of the smart meter that are threatened by remote compromise are equipped with a physically separate \emph{safety reset controller} that listens for a reset command transmitted through the electrical grid's frequency and on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a |
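Review bot: the comma added after "In this thesis," needs a matching comma after "improving firmware security" to close the interposed clause, otherwise the sentence reads as a run-on; suggested: "In this thesis, instead of focusing on the very hard task of improving firmware security, we introduce a pragmatic solution". The same `--` versus `---` point as in the previous hunk applies to "the--in our opinion likely--scenario". Lowercasing "Megawatts" to "megawatts" is correct for the spelled-out unit. One unchanged context line in this hunk still reads "a coördinated attack"; if the diaeresis spelling is intentional house style it should be used consistently throughout the file, otherwise it should be "coordinated" to match the later "a coördinated, comprehensive response" line once that is normalized as well.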