Diffstat (limited to 'ma')
-rw-r--r-- | ma/safety_reset.bib | 61 | ||||
-rw-r--r-- | ma/safety_reset.tex | 81 |
2 files changed, 88 insertions, 54 deletions
diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib
index fdf40ef..c6e085f 100644
--- a/ma/safety_reset.bib
+++ b/ma/safety_reset.bib
@@ -33,15 +33,15 @@ booktitle={Black Hat conference}, year={2014} }
-
-@online{bnetza1,
- author = {Bundesnetzagentur},
- publisher = {Bundesnetzagentur},
- title = {Smart Meter},
- url = {https://web.archive.org/web/20190919100204/https://www.bundesnetzagentur.de/DE/Sachgebiete/ElektrizitaetundGas/Verbraucher/NetzanschlussUndMessung/SmartMetering/SmartMeter_node.html},
- urldate = {2019-09-19},
- year = {2019}
-}
+
+@Online{bnetza1,
+ author = {{German Government Bundesnetzagentur}},
+ title = {Smart Meter},
+ url = {https://web.archive.org/web/20190919100204/https://www.bundesnetzagentur.de/DE/Sachgebiete/ElektrizitaetundGas/Verbraucher/NetzanschlussUndMessung/SmartMetering/SmartMeter_node.html},
+ urldate = {2019-09-19},
+ publisher = {Bundesnetzagentur},
+ year = {2019},
+}
@Online{bmwi1,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik} and {Bundesministerium f{\"u}r Wirtschaft und Energie}},
@@ -1273,6 +1273,7 @@ }
@Misc{ukgov01,
+ author = {{UK Department for Business, Energy and Industrial Strategy}},
date = {2018},
title = {Smart Metering Implementation Programme Progress Report for 2018},
url = {https://www.gov.uk/government/publications/smart-metering-implementation-programme-progress-report-2018},
@@ -1281,15 +1282,16 @@ }
@Misc{ukgov02,
- date = {2014},
- title = {Smart Metering Implementation Programme: Smart Metering Equipment Technical Specifications},
- url = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/381535/SMIP_E2E_SMETS2.pdf},
- urldate = {2020-05-18},
- version = {1.58},
- institution = {UK Department of Energy and Climate Change},
+ author = {{UK Department of Energy and Climate Change}},
+ date = {2014},
+ title = {Smart Metering Implementation Programme: Smart Metering Equipment Technical Specifications},
+ url = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/381535/SMIP_E2E_SMETS2.pdf},
+ urldate = {2020-05-18},
+ version = {1.58},
}
@Misc{ukgov03,
+ author = {{UK Department for Business, Energy and Industrial Strategy}},
date = {2016},
title = {Smart Meter Rollout Cost-Benefit Analysis Part I},
url = {https://ec.europa.eu/growth/tools-databases/tris/cs/index.cfm/search/?trisaction=search.detail&year=2017&num=350&iLang=EN},
@@ -1552,4 +1554,33 @@ year = {1996},
}
+@Misc{ukgov04,
+ author = {{UK Department for Business Energy and Industrial Strategy}},
+ date = {2019},
+ title = {Smart Meter Statistics Quarterly Report to end March 2019},
+ urldate = {2020-05-26},
+ url = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/804767/2019_Q1_Smart_Meters_Report.pdf},
+}
+
+@Misc{bnetza02,
+ author = {{German Government Bundesnetzagentur}},
+ date = {2018},
+ title = {Monitoring Report 2018},
+ urldate = {2020-05-26},
+ url = {https://www.bundesnetzagentur.de/SharedDocs/Downloads/EN/BNetzA/PressSection/ReportsPublications/2019/MonitoringReport2019.pdf},
+}
+
+@Article{borkar01,
+ author = {Borkar, Shekhar},
+ date = {2005},
+ journaltitle = {IEEE Micro},
+ title = {Designing reliable systems from unreliable components: the challenges of transistor variability and degradation},
+ number = {6},
+ pages = {10--16},
+ volume = {25},
+ journal = {Ieee Micro},
+ publisher = {IEEE},
+ year = {2005},
+}
+
@Comment{jabref-meta: databaseType:biblatex;}
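Review bot: The new `bnetza02` entry is titled `Monitoring Report 2018` with `date = {2018}`, but its `url` ends in `ReportsPublications/2019/MonitoringReport2019.pdf`, so the entry appears to describe one edition and link to another; title, date and URL should agree on whichever report the text relies on. In the same hunk `borkar01` sets both `date` and `year` and both `journaltitle` and `journal` (the latter as `Ieee Micro`); since the database is marked `databaseType:biblatex`, the legacy `journal` and `year` fields look redundant and could be dropped. `ukgov04` writes the author as `UK Department for Business Energy and Industrial Strategy`, without the comma used in `ukgov01` and `ukgov03`, which will probably make it sort and print as a different author.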
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 3ac83e2..fbe4615 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -95,6 +95,7 @@ \chapter{Introduction} +%FIXME: sprinkle this section with citations. Like in all fields of engineering there is an ongoing diffusion of information systems into industrial control systems in the power grid. Automation of these control systems has been practised for the better part of a century already. Until recently this automation was mostly limited to core components of the grid. Generators in power stations are @@ -121,8 +122,9 @@ To match this new landscape of decentralized generation and unpredictable renewa had to adapt itself in major ways. One aspect of this adaption that is particularly visible to ordinary people is the computerization of end-user energy metering. Despite the widespread use of industrial control systems inside the electrical grid and the far-reaching diffusion of computers into people's everyday lifes the energy meter has long been -one of the last remnants of an offline, analog time. Until the 2010s many of the world's households were still served -through electromechanical Ferraris-style meters that have their origin in the late 19th century. % FIXME citation. +one of the last remnants of an offline, analog time. Until the 2010s many households were still served through +electromechanical Ferraris-style meters that have their origin in the late 19th +century\cite{borlase01,ukgov04,bnetza02}. Today under the umbrella term \emph{Smart Grid} the shift towards fully computerized, often networked meters has been partially accomplished. The roll out of these \emph{Smart Meters} has not been very smooth overall with some countries 
@@ -141,9 +143,9 @@ A remotely exploitable flaw inside a smart meter's firmware\footnote{ one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the entire system at the customer premises including both the meter and a potential gateway. } could have consequences ranging from impaired billing -functionality to an existential threat to grid stability. A coördinated attack on meters in a country where load -switches are common could at worst cause widespread activation of grid safety systems by repeatedly connecting and -disconnecting megawatts of load capacity in just the wrong moments. +functionality to an existential threat to grid stability\cite{anderson01,anderson02}. A coördinated attack on meters in +a country where load switches are common could at worst cause widespread activation of grid safety systems by repeatedly +connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}. Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization 
@@ -392,16 +394,17 @@ customers in situations where that was not previously economically possible\foot To the customer the utility of a smart meter is largely limited to the convenience of being able to read it without going to the basement. In the long term it is said that there will be second-order savings to the customer since electricity prices adapting to the market situation along with this convenience will lead them to consume less -electricity and to consume it in a way that is more amenable to utilities, both leading to reduced cost. % FIXME citation +electricity and to consume it in a way that is more amenable to utilities, both leading to reduced +cost\cite{borlase01,bmwi03,anderson02}. Traditional Ferraris counters with their distinctive rotating aluminium disc are simple electromechanical devices. Since it does not include any failure-prone semiconductors or other high technology a cheap Ferraris-style meter can easily last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to develop in the first place since they require the development and integration of large amounts of complex, custom firwmare. Once deployed, their lifetime is severely limited by this very complexity. Complex semiconductor devices tend to fail, and -firmware that needs to communicate with the outside world tends to not age well. % FIXME citation +firmware that needs to communicate with the outside world tends to not age well\cite{borkar01}. This combination of higher unit cost and lower expected lifetime leads to grossly increased costs per household. This -cost is usually shared between utility and customer. % FIXME citation +cost is usually shared between utility and customer. As part of its smart metering rollout the German government in 2013 had a study conducted on the economies of smart meter installations. This study came to the conclusion that for the majority of households computerizing an existing 
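Review bot: `\cite{borkar01}` is attached to the clause about firmware not aging well, but the entry added for it in this commit is titled as a paper on transistor variability and degradation, so judging by the title it supports the preceding clause about semiconductor failure rather than the firmware claim. Moving it, as in `Complex semiconductor devices tend to fail\cite{borkar01}, and firmware that needs to communicate ...`, and finding a separate source for firmware aging would keep each claim tied to its evidence. The same hunk removes the `% FIXME citation` after `This cost is usually shared between utility and customer.` without adding a reference, so that sentence is now both unsourced and unmarked; keeping the FIXME until a source is found would avoid losing track of it.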
@@ -463,19 +466,18 @@ the MCU's time base as a reference. Whereas legacy electromechanical energy meters only provided a display of aggregate energy use through a decimal counter as well as an indirect indication of power through a rotating wheel one of the selling points of smart meters is their ability to calculate advanced statistics on energy use. These statistics are supposed to help customers better target -energy conservation measures though evidence of this happening is scarce. % FIXME strong citation here plz! - -In addition to the pure measurement and data aggregation functions in many deployments % FIXME citation. EU white paper? -smart meters perform two additional functions. One is to serve as a gateway between the utility company's control -systems and large controllable loads in the consumer's household for Demand-Side Management (DSM). % FIXME citation -In DSM the utility company can control when exactly a high-power device such as a water storage heater is turned on. To -the customer the precise timing does not matter since the storage heater is set so that it has enough hot water in its -reservoir at all times. The utility company however can use this degree of control to reduce load variations during -temporary imbalances such as peaks. The efficiency gains realized with this system translate into lower electricity -prices for DSM-enabled loads for the customer. Traditionally DSM was realized on a local level using ripple control -systems. In ripple control control data is coded by modulating a carrier at a low frequency such as \SI{400}{\hertz} on -top of the regular mains voltage. These systems require high-power transmitters at tens of kilowatts and still can only -bridge regional distances\cite{dzung01}. +energy conservation measures\cite{bmwi03}. + +In addition to the pure measurement and data aggregation functions smart meters can perform additional functions. 
One is +to serve as a gateway between the utility company's control systems and large controllable loads in the consumer's +household for Demand-Side Management (DSM)\cite{borlase01}. In DSM the utility company can control when exactly a +high-power device such as a water storage heater is turned on. To the customer the precise timing does not matter since +the storage heater is set so that it has enough hot water in its reservoir at all times. The utility company however can +use this degree of control to reduce load variations during temporary imbalances such as peaks. The efficiency gains +realized with this system translate into lower electricity prices for DSM-enabled loads for the customer. Traditionally +DSM was realized on a local level using ripple control systems. In ripple control control data is coded by modulating a +carrier at a low frequency such as \SI{400}{\hertz} on top of the regular mains voltage. These systems require +high-power transmitters at tens of kilowatts and still can only bridge regional distances\cite{dzung01}. Another important additional function is that in some countries some smart meters can be used to remotely disconnect consumer households with outstanding bills. Using euphemisms such as \emph{utility revenue protection}\cite{kamstrup01} 
@@ -500,11 +502,13 @@ Compared to high-risk devices such as card payment processing terminals or ATMs is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding front and back plastic shells together or the use of security seals on the lid covering the input/output screw terminals. Low-tech attacks using magnets to saturate the current transformer's ferrite cores are detected using hall -sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. - -German smart metering standards are unique in that they specify the use of a smartcard-like security module to provide -transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}. -% FIXME compare to other places where things are not as nice +sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. German smart metering standards specify the use of a +smartcard-like security module to provide transport encryption and other cryptographic +services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}. During our literature review we did not find many references to similar +requirements in other national standards, though this does not mean that individual manufacturers do not use smartcards +for engineering reasons or due to pressure from utilities. The limited documentation on meter internals that we did find +such as \cite{ifixit01} suggests where no such regulation exists manufacturers and utilities likely choose to forego +such advanced measures and instead settle on simple software implementations. \subsection{Physical structure and installation} 
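Review bot: The last added sentence concludes from the one source named, `\cite{ifixit01}`, that manufacturers and utilities "likely choose to forego" a hardware security module wherever no regulation requires one, which is a broad security claim to rest on limited documentation of meter internals. It would be safer to state what the cited source shows for the device it covers and to mark the generalization explicitly as an assumption. The sentence also uses the citation as a noun and lacks `that` after `suggests`; `The limited documentation on meter internals that we did find\cite{ifixit01} suggests that, where no such regulation exists, ...` reads more clearly.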
@@ -675,8 +679,8 @@ a choice. Academic reception of smart metering is dyed with an almost unanimous enthusiasm. In particular smart meter communication infrastructure has received a large amount of research -attention\cite{dzung01,gungor01,kabalci01,lloret01,mahmood01,yan01,anderson01}. Outside of human-computer interaction -claims that smart meters will reduce customer energy consumption have often been uncritically accepted. +attention\cite{dzung01,gungor01,kabalci01,lloret01,mahmood01,yan01,anderson01,anderson02}. Outside of human-computer +interaction claims that smart meters will reduce customer energy consumption have often been uncritically accepted. \subsubsection{Standardization and reality of smart devices} 
@@ -688,9 +692,9 @@ refrigerators and air conditioners are forecasted to intelligently adapt their h the grid's supply. A frequent scenario is that in which the meter bills the customer using near-real time pricing, and supplies large loads in the customer's household with this pricing information. These loads then intelligently schedule their operation to minimize cost\cite{sato01}. At the time in the mid-2000nds when smart metering proposals were first -advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01}. Back then outside of -specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the time may have -seemed the obvious choice for a smart home communications hub. +advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01,anderson02}. Back then +outside of specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the time +may have seemed the obvious choice for a smart home communications hub. From today's perspective, this idea is obviously outdated. Smart \emph{things} now have found their way into many homes. Only these things are directly interconnected through the internet--foregoing the home-area network (HAN) technologies 
@@ -720,7 +724,7 @@ real-time energy consumption and cost statistics would simply be an android tabl utility's billing backend. Demand-side response by large loads would be as simple as an HTTP request with a token identifying the customer's contract that returns the electricity price the meter is currently charging along with a recommendation to switch on or off. It seems the smart home has already arrived while smart metering standardization is -still getting off the starting blocks. +still getting off the starting blocks\cite{anderson02}. % TODO is this too critical? Is maybe the modern smart home compatible with smart meters? Is maybe the local-only path % of data, avoiding utility clouds a design feature? (may be true in DE, NL, probably not anywhere else) 
@@ -959,12 +963,11 @@ exceedingly unlikely at this point. A general observation with smart grid systems of any kind is that they comprise a departure from the decentralized control structure of yesterday's dumb grid and the advent of centralization at an enormous scale. This modern, -centralized infrastructure has been carefully designed to defend against malicious actors%FIXME cite -and all involved parties have an interest in keeping it secure. Still, like in any other system this centralization also -makes for a very attractive target to attackers. An attacker can employ this centralized control to their advantage. -Decentralized systems tend to make attacks more costly while centralized systems aid their efficiency. From this -perspective the centralization of smart metering control sytems--sometimes at a national level\cite{anderson01}--poses a -security risk. +centralized infrastructure has been carefully designed to defend against malicious actors and all involved parties have +an interest in keeping it secure. In decentralized systems scaling attacks is inherently harder than in centralized +systems\cite{anderson02}. Centralization makes for an attractive attack target. An attacker can employ this centralized +control to their advantage. From this perspective the centralization of smart metering control sytems--sometimes at a +national level\cite{anderson01,anderson02}--poses a security risk. \chapter{Restoring endpoint safety in an age of smart devices} 
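Review bot: The rewritten paragraph still asserts that the centralized infrastructure "has been carefully designed to defend against malicious actors", but it drops the `%FIXME cite` marker without adding a reference, so the strongest security claim in the paragraph is now unsourced and no longer flagged. Either cite the standard or specification that backs it, or soften the wording. Removing `Still,` also loses the contrast with the following sentences about centralization being an attractive target, so the paragraph now reads as unconnected statements; opening the next sentence with `However, in decentralized systems ...` would restore it. The typo `sytems` is carried over onto the new line.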
@@ -1689,6 +1692,7 @@ transmitter key management is shown in Figure \ref{fig:tx_scope_key_illu}. This our prototype in Section \ref{sec-prototype} and may even be useful in a practical implementation. During standardization of a safety reset system the key management system would most likely have to be customized to the particular application's requirements. Developing an universal solution is outside the scope of this work. +% FIXME revisit this section - 2020-05-26 \begin{figure} \centering \begin{minipage}[c]{0.5\textwidth} @@ -2039,7 +2043,6 @@ implementation in python. Implementing all components in a high-level language b while taking away much of the implementation complexity. For our demonstrator we will not be able to use python since our target platform is a cheap low-end microcontroller. Our demonstrator firmware will have to be written in a low-level language such as C or rust. For prototyping these languages lack flexibility compared to python. -% FIXME introduce project outline, specs -> proto -> demo above! To validate our modulation scheme we first performed a series of simulations on our python demodulator prototype implementation. To simulate a modulated grid frequency signal we added noise to a synthetic modulation signal. For most |