Diffstat (limited to 'paper/safety-reset-paper.tex')
-rw-r--r-- | paper/safety-reset-paper.tex | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex new file mode 100644 index 0000000..d7be50c --- /dev/null +++ b/paper/safety-reset-paper.tex 
@@ -0,0 +1,140 @@ +\documentclass[nohyperref]{iacrtrans} +\usepackage[T1]{fontenc} +\usepackage[ + backend=biber, + style=numeric, + natbib=true, + url=false, + doi=true, + eprint=false + ]{biblatex} +\addbibresource{safety-reset.bib} +\usepackage{amssymb,amsmath} +\usepackage{eurosym} +\usepackage{wasysym} +\usepackage{amsthm} + +\usepackage[binary-units]{siunitx} +\DeclareSIUnit{\baud}{Bd} +\DeclareSIUnit{\year}{a} +\usepackage{commath} +\usepackage{graphicx,color} +\usepackage{subcaption} +\usepackage{array} +\usepackage{hyperref} + +\renewcommand{\floatpagefraction}{.8} +\newcommand{\degree}{\ensuremath{^\circ}} +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} +\newcommand{\partnum}[1]{\texttt{#1}} + +\begin{document} + +\title[Ripples in a Pond]{Transmitting Information through Grid Frequency Modulation} +\author{Jan Sebastian Götte \and Björn Scheuermann} +\institute{HIIG\\ \email{safetyreset@jaseg.de} \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}} +% FIXME keywords +\keywords{hardware security \and energy systems \and signal theory} +\maketitle + +\begin{abstract} +\end{abstract} + +\section{Introduction} + +In the power grid, as in many other engineered systems, we can observe an ongoing diffusion of information systems into +industrial control systems. Automation of these control systems has already been practiced for the better part of a +century. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in +power stations are computer-controlled according to electromechanical and economic models. Switching in substations is +automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have +shifted from pure operation to engineering, maintenance and surveillance\cite{crastan03,anderson02}. 
+ +With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation, +built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale +generators working together. In this new model large-scale fossil power plants still serve a major role, but two new +factors come into play. One is the advance of renewable energies. The large-scale use of wind and solar power in +particular from a current standpoint seems unavoidable for our continued existence on this planet. For the electrical +grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and +quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the +grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they +introduce a larger degree of uncertainty due to the unpredictability of the forces of nature\cite{crastan03}. + +Along with this change in dynamic behavior, renewable energies have brought forth the advance of distributed generation. +In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid +from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and +shift from a purely passive role to being active participants of the electricity market\cite{crastan03}. + +To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has +had to adapt itself in major ways. One aspect of this adaptation that is particularly visible to ordinary people is the +computerization of end-user energy metering. 
Despite the widespread use of industrial control systems inside the +electrical grid and the far-reaching diffusion of computers into people's everyday lives the energy meter has long been +one of the last remnants of an offline, analog time. Until the 2010s many households were still served through +electromechanical Ferraris-style meters that have their origin in the late 19th +century\cite{borlase01,ukgov04,bnetza02}. Today under the umbrella term \emph{Smart Metering} the shift towards fully +computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very +smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology +is usually standardized on a per-country basis. This leads to an inhomogenous landscape with--in some instances--wildly +incompatible systems. Often vendors only serve a single country or have separate models of a meter for each country. +This complex standardization landscape and market situation has led to a proliferation of highly complex, custom-coded +microcontroller firmware. The complexity and scale of this--often network-connected--firmware makes for a ripe substrate +for bugs to surface. + +A remotely exploitable flaw inside a smart meter's firmware\footnote{ + There are several smart metering architectures that ascribe different roles to the component called \emph{smart + meter}. Not all systems are susceptible to attacks to the same degree, with the German implementation being almost + immune as far as energy availability is concerned. For clarity, we use \emph{smart meter} to describe the entire + system at the customer premises including both the meter and if present a gateway. +} could have consequences ranging from impaired billing functionality to an existential threat to grid +stability\cite{anderson01,anderson02}. 
In a country where meters commonly include disconnect switches for purposes such +as prepaid tariffs a coördinated attack could at worst cause widespread activation of grid safety systems by repeatedly +connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}. + +Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous +complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization +landscape makes a coördinated, comprehensive response unlikely. + +In this paper, instead of focusing on the very hard task of improving firmware security we introduce a pragmatic +solution to the--in our opinion likely--scenario of a large-scale compromise of smart meter firmware. In our proposal +the components of the smart meter that are threatened by remote compromise are equipped with a physically separate +\emph{safety reset controller} that listens for a reset command transmitted through the electrical grid's frequency and +on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller +receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a +large controllable load such as an aluminum smelter. After forward error correction and cryptographic verification it +re-flashes the meter's main microcontroller over the standard JTAG interface. Note that our modulation technique is one +\emph{changing grid frequency itself}. This is fundamentally different in both generation and detection from systems +such as traditional PLC that superimpose a signal on grid voltage, but leave grid frequency itself unaffected. + +In this thesis, starting from a high level architecture we have carried out extensive simulations of our proposal's +performance under real-world conditions. 
Based on these simulations we implemented an end-to-end prototype of our +proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validated +our results and we will conclude with an outline of further steps towards a practical implementation. + +This work contains the following contributions: +\begin{enumerate} + \item We introduce Grid Frequency Modulation (GFM) as a communication primitive. % FIXME done before in that one paper + \item We elaborate the fundamental physics underlying GFM and theorize on the constrains of a practical + implementation. + \item We design a communication system based on GFM. + \item We carry out extensive simulations of our systems to determine its performance characteristics. + \item We show the simple grid voltage recorder design we used to capture data for our simulations. + \item We introduce a new, simplified method to determine grid frequency from a capture of the grid voltage waveform + that is simple to implement on constrained embedded devices. +\end{enumerate} + +\section{Related work} +\label{sec_related_work} + +\section{Conclusion} +\label{sec_conclusion} + +\printbibliography[heading=bibintoc] + +%%% FIXME remove appendix and work into text. + +\center{ + \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository + can be found at:} + + \center{\url{https://git.jaseg.de/safety-reset.git}} +} +\end{document} |