Diffstat (limited to 'paper')
 -rw-r--r--  paper/safety-reset-paper.tex | 179
 -rw-r--r--  paper/safety-reset.bib       | 106
 2 files changed, 144 insertions, 141 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index 2493aa4..367359c 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex @@ -21,6 +21,7 @@ \usepackage{subcaption} \usepackage{array} \usepackage{hyperref} +\usepackage{enumitem} \renewcommand{\floatpagefraction}{.8} \newcommand{\degree}{\ensuremath{^\circ}} @@ -32,7 +33,7 @@ \title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation} \titlerunning{Ripples in the Pond: Transmitting Information through Grid Frequency} \author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann} -\institute{HIIG\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}} +\institute{Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}} % FIXME keywords \maketitle \keywords{Security, privacy and resilience in critical infrastructures \and Security and privacy in ``internet of 
@@ -50,14 +51,14 @@ things'' \and Cyber-physical systems \and Hardware security \and Network Securit To yield a fully fail-safe design, our system does not rely on the internet or other conventional communication network to work. Instead, our system transmits error-corrected and cryptographically secured commands by modulating grid frequency using a single large consumer such as a large aluminium smelter. This approach differs from - traditional Powerline Communication (PLC) systems in that reaches every device within the same synchronous area as - the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly + traditional Powerline Communication (PLC) systems in that it reaches every device within the same synchronous area + as the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly attenuated across long distances. Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load would allow for the transmission - of a crytographically secured \emph{reset} signal within $15$ minutes. We have produced a proof-of-concept prototype - receiver that demonstrates the feasibility of decoding such signals even on resource-constrained microcontroller - hardware. + of a crytographically secured \emph{reset} signal within $15$ minutes. We have designed and constructed a + proof-of-concept prototype receiver that demonstrates the feasibility of decoding such signals even on + resource-constrained microcontroller hardware. \end{abstract} \section{Introduction} 
@@ -67,7 +68,7 @@ the domain of industrial control. Automation of these control systems has alread century. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in power stations are computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have -shifted from pure operation to engineering, maintenance and surveillance\cite{crastan03,anderson02}. +shifted from pure operation to engineering, maintenance and surveillance~\cite{crastan03,anderson02}. With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation, built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale 
@@ -77,12 +78,12 @@ particular seems unavoidable for continued human life on this planet. For the el grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they -introduce a larger degree of uncertainty due to the unpredictability of the forces of nature\cite{crastan03}. +introduce a larger degree of uncertainty due to the unpredictability of the forces of nature~\cite{crastan03}. Along with this change in dynamic behavior, renewable energies have brought forth the advance of distributed generation. -In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid +In distributed generation end customers that previously only consumed energy have started to feed energy into the grid from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and -shift from a purely passive role to being active participants of the electricity market\cite{crastan03}. +shift from a purely passive role to being active participants of the electricity market~\cite{crastan03}. % FIXME the following paragraph is weird. 
@@ -92,36 +93,36 @@ computerization of end-user energy metering. Despite the widespread use of indus electrical grid and the far-reaching diffusion of computers into people's everyday lives, the energy meter has long been one of the last remnants of an offline, analog time. Until the 2010s many households were still served through electromechanical Ferraris-style meters that have their origin in the late 19th -century\cite{borlase01,ukgov04,bnetza02}. Today, under the umbrella term \emph{Smart Metering}, the shift towards fully +century~\cite{borlase01,ukgov04,bnetza02}. Today, under the umbrella term \emph{Smart Metering}, the shift towards fully computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology -is usually standardized on a per-country basis. This leads to an inhomogenous landscape with--in some instances--wildly -incompatible systems. Often vendors only serve a single country or have separate models of a meter for each country. -This complex standardization landscape and market situation has led to a proliferation of highly complex, custom-coded -microcontroller firmware. The complexity and scale of this--often network-connected--firmware makes for a ripe substrate -for bugs to surface. +is usually standardized on a per-country basis. This leads to an inhomogenous landscape with---in some +instances---wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter +for each country. This complex standardization landscape and market situation has led to a proliferation of highly +complex, custom-coded microcontroller firmware. The complexity and scale of this---often network-connected---firmware +makes for a ripe substrate for bugs to surface. 
A remotely exploitable flaw inside the firmware of a component of a smart metering system could have consequences -ranging from impaired billing functionality to an existential threat to grid stability\cite{anderson01,anderson02}. In a +ranging from impaired billing functionality to an existential threat to grid stability~\cite{anderson01,anderson02}. In a country where meters commonly include disconnect switches for purposes such as prepaid tariffs, a coordinated attack could at worst cause widespread activation of grid safety systems through oscillations caused by repeated cycling of -megawatts of load capacity at just the wrong frequency\cite{wu01}. +megawatts of load capacity at just the wrong frequency~\cite{wu01}. Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous -complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization +complexity of smart meter firmware makes firmware security extremely labor intensive. The diverse standardization landscape makes a coordinated, comprehensive response unlikely. In this paper, instead of focusing on the very hard task of improving firmware security we introduce a pragmatic -solution to the--in our opinion likely--scenario of a large-scale compromise of smart meter firmware. In our concept +solution to the---in our opinion likely---scenario of a large-scale compromise of smart meter firmware. In our concept the components of the smart meter that are threatened by remote compromise are equipped with a physically separate \emph{safety reset controller} that listens for a ``reset'' command transmitted through the electrical grid's frequency and on reception forcibly resets the smart meter's entire firmware to a known-good state. 
Our safety reset controller receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium smelter. After forward error correction and cryptographic verification it -re-flashes the meter's main microcontroller over the standard JTAG interface. Note that our modulation technique is one -\emph{changing grid frequency itself}. This is fundamentally different in both generation and detection from systems -such as traditional PLC that superimpose a signal on grid voltage, but leave the underlying grid frequency itself -unaffected. +re-flashes the meter's main microcontroller over the standard JTAG interface. Note that our modulation technique is +\emph{changing the grid frequency itself}. This is fundamentally different in both generation and detection from +systems such as traditional PLC that superimpose a signal on grid voltage, but leave the underlying grid frequency +itself unaffected. Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world conditions. Based on these simulations we implemented an end-to-end prototype of our proposed safety reset controller as @@ -129,7 +130,7 @@ part of a realistic smart meter demonstrator. Finally, we experimentally validat an outline of further steps towards a practical implementation. This work contains the following contributions: -\begin{enumerate} +\begin{enumerate}[topsep=4pt] \item We introduce Grid Frequency Modulation (GFM) as a communication primitive. % FIXME done before in that one paper \item We elaborate the fundamental physics underlying GFM and theorize on the constrains of a practical implementation. 
@@ -147,45 +148,46 @@ This work contains the following contributions: The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that are part of a large control system. This implies that all the same security concerns that apply to embedded systems in general also apply to the components of a smart grid. Where programmers have been struggling for decades now with issues -such as input validation\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as -well\cite{mo01, lee01}. Only, in smart grid we have two complicating factors present: Many components are embedded +such as input validation~\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as +well~\cite{mo01, lee01}. Only, in smart grid we have two complicating factors present: many components are embedded systems, and as such inherently hard to update. Also, the smart grid and its control algorithms act as a large partially -distributed system making problems such as input validation or authentication harder\cite{blaze01} and adding a host of -distributed systems problems on top\cite{lamport01}. +distributed system making problems such as input validation or authentication harder~\cite{blaze01} and adding a host of +distributed systems problems on top~\cite{lamport01}. Given that the electrical grid is essential infrastructure in our modern civilization, these problems amount to -significant issues. Attacks on the electrical grid may have grave consequences\cite{anderson01,lee01} while the long +significant issues. Attacks on the electrical grid may have grave consequences~\cite{anderson01,lee01} while the long replacement cycles of various components make the system slow to adapt. Thus, components for the smart grid need to be built to a much higher standard of security than most consumer devices to ensure they live up to well-funded attackers even decades down the road. 
This requirement intensifies the challenges of embedded security and distributed systems security among others that are inherent in any modern complex technological system. The safety-critical nature of the -modern smart metering ecosystem in particular was quickly recognized\cite{anderson01}. +modern smart metering ecosystem in particular was quickly recognized~\cite{anderson01}. A point we will not consider in much depth in this work is theft of electricity. While in publications aimed towards the general public the introduction of smart metering is always motivated with potential cost savings and ecological benefits, in industry-internal publications the reduction of electricity theft is often cited as an -incentive\cite{czechowski01}. Likewise, academic publications tend to either focus on other benefits such as generation +incentive~\cite{czechowski01}. Likewise, academic publications tend to either focus on other benefits such as generation efficiency gains through better forecasting or rationalize the consumer-unfriendly aspects of smart metering with social -benefits\cite{mcdaniel01}. They do not usually point out revenue protection mechanisms as -incentives\cite{anderson01,anderson02}. +benefits~\cite{mcdaniel01}. They do not usually point out revenue protection mechanisms as +incentives~\cite{anderson01,anderson02}. A serious issue in smart metering setups is customer privacy. Even though the meter ``only'' collects aggregate energy -consumption of a whole household, this data is highly sensitive\cite{markham01}. This counterintuitive fact was -initially overlooked in smart meter deployments leading to outrage, delays and reduced features\cite{cuijpers01}. The -root cause of this problem is that given sufficient timing resolution these aggregate measurements contain ample +consumption of a whole household, this data is highly sensitive~\cite{markham01}. 
This counterintuitive fact was +initially overlooked in smart meter deployments leading to outrage, delays and reduced features~\cite{cuijpers01}. The +root cause of this problem is that given sufficient time resolution these aggregate measurements contain ample entropy. Through disaggregation algorithms, individual loads can be identified and through pattern matching even complex -usage patterns can be discerned with alarming accuracy\cite{greveler01} in the same way that similar privacy issues -arise in many other areas of modern life through other kinds of pervasive tracking and surveillance\cite{zuboff01}. +usage patterns can be discerned with alarming accuracy~\cite{greveler01} in the same way that similar privacy issues +arise in many other areas of modern life through other kinds of pervasive tracking and surveillance~\cite{zuboff01}. Another fundamental challenge in smart grid implementations is the central role of smart electricity meters in the smart grid ecosystem. Smart meters are used both for highly-granular load measurement and in some countries also for load -switching\cite{zheng01}. Smart electricity meters are effectively consumer devices. They are built down to a certain +switching~\cite{zheng01}. Smart electricity meters are effectively consumer devices. They are built down to a certain price point that is measured by the burden it puts on consumers and that is divided by the relatively small market served by a single smart meter implementation. Such cost requirements can preclude security features such as the use of a standard hardened software environment on a high powered embedded system. 
Landis+Gyr, a large manufacturer that makes -most of its revenue from utility meters in their 2019 annual report write that they \SI{36}{\percent} of their total -R\&D budget on embedded software while spending only \SI{24}{\percent} on hardware R\&D\cite{landisgyr01,landisgyr02}, -indicating a significant tension between firmware security and a smart meter vendor's bottom line. +most of its revenue from utility meters state in their 2019 annual report that they invested \SI{36}{\percent} of their +total R\&D budget on embedded software while spending only \SI{24}{\percent} on hardware +R\&D~\cite{landisgyr01,landisgyr02}, indicating a significant tension between firmware security and a smart meter +vendor's bottom line. \subsection{The state of the art in embedded security} 
@@ -195,20 +197,21 @@ is rarely updated. On the other hand, embedded devices often lack advanced secur units that are found in most higher-power devices. Even well-funded companies continue to have trouble securing their embedded systems. A spectacular example of this difficulty is the 2019 flaw in Apple's iPhone SoC first-stage ROM bootloader that allows for the full compromise of any iPhone before the iPhone X given physical access to the -device\cite{heise01}. iPhone 8, one of the affected models, was still being manufactured and sold by Apple until April -2020. In another instance in 2016, researchers found multiple flaws in the secure world firmware used by Samsung in -their mobile phone SoCs. The flaws they found were both severe architectural flaws such as secret user input being -passed through untrusted userspace processes without any protection as well as shocking cryptographic flaws such as -CVE-2016-1919\footnote{\url{http://cve.circl.lu/cve/CVE-2016-1919}}\cite{kanonov01}. And Samsung is not the only large -multinational corporation having trouble securing their secure world firmware implementation. In 2014 researchers found -an embarrassing integer overflow flaw in the low-level code handling untrusted input in Qualcomm's QSEE -firmware\cite{rosenberg01}. For an overview of ARM TrustZone including a survey of academic work and past security -vulnerabilities of TrustZone-based firmware see \cite{pinto01}. +device~\cite{heise01}. iPhone 8, one of the affected models, was still being manufactured and sold by Apple until April +2020. In another instance in 2016, researchers found multiple flaws in Samsung's implementation of ARM TrustZone +``secure world'' firmware that Samsung used for their own mobile phone SoCs. 
The flaws they found were both severe +architectural flaws such as secret user input being passed through untrusted userspace processes without any protection +as well as shocking cryptographic flaws such as +CVE-2016-1919\footnote{\url{http://cve.circl.lu/cve/CVE-2016-1919}}~\cite{kanonov01}. And Samsung is not the only large +multinational corporation having trouble securing their secure firmware implementation. In 2014 researchers found an +embarrassing integer overflow flaw in the low-level code handling untrusted input in Qualcomm's QSEE +firmware~\cite{rosenberg01}. For an overview of ARM TrustZone including a survey of academic work and past security +vulnerabilities of TrustZone-based firmware see~\cite{pinto01}. If even companies with R\&D budgets that rival some countries' national budgets at mass-market consumer devices have trouble securing their mass market secure embedded software stacks, what is a much smaller smart meter manufacturer to do? Especially if national standards mandate complex protocols such as TLS that are tricky to implement -correctly\cite{georgiev01}, this manufacturer will be short on options to secure their product. +correctly~\cite{georgiev01}, this manufacturer will be short on options to secure their product. \subsection{Attack surface in the smart grid} 
@@ -219,16 +222,16 @@ smart grid in the first place. These risks arise at three different infrastructu The first level is that of attacks on centralized control systems. This type of attack is often cited in popular discourse and to our knowledge is the only type of attack against an electric grid that has ever been carried out in -practice at scale\cite{lee01}. Despite their severity, these attacks do not pose a strictly \emph{scientific} challenge +practice at scale~\cite{lee01}. Despite their severity, these attacks do not pose a strictly \emph{scientific} challenge since they are generic to any industrial control system. Their causes and countermeasures are generally well-understood and the hardest challenge in their prevention is likely to be budgetary constraints. Beyond the centralized control systems, the next target for an attacker may be the communication links between those control systems and other smart grid components. While in some countries such as Italy special-purpose systems such as -PLC are common\cite{ec03}, overall, IP-based technologies have proliferated according to the larger trend in commputing -towards IP-based communications. This proliferation of IP-based communication links brings along the possibility for -the application of generic network security measures from the IP world to the smart grid domain. In this way, a -standardized, IP-based protocol stack unlocks decades of network security improvements at little cost. +PLC are common~\cite{ec03}, overall, IP-based technologies have proliferated according to the larger trend towards +IP-based communications. This proliferation of IP links brings along the possibility for the application of generic +network security measures from the IP world to the smart grid domain. In this way, a standardized, IP-based protocol +stack unlocks decades of network security improvements at little cost. 
Beyond these layers towards the core of the smart grid's control infrastructure, an attacker might also corrupt the network from the edges and target the endpoint devices itself. The large scale deployment of networked smart meters @@ -239,10 +242,10 @@ creates an environment that is favorable to such attacks. Assuming that an attacker has compromised devices on any of these levels of smart grid infrastructure, what could they do with their newly gained power? The obvious action would be to switch off everything. Of all scenarios, -this is both the most likely in practice---it is exactly what happened in the russian cyberattacks on the Ukranian -grid\cite{lee01}---but it is also the easiest to mitigate since the vulnerable components are few and centralized. -Mitigations include the installation of fail-safes as well as a defense in depth approach to hardening the grid's -cyber-infrastructure. +this is both the most likely in practice---it is exactly what happened in the Russian cyberattacks on the Ukranian +grid~\cite{lee01}---but it is also the easiest to mitigate since the vulnerable components are few and centralized. +Mitigations include the installation of fail safes as well as a defense in depth approach to hardening the grid's +cyber infrastructure. Another possible action for an attacker would be to forge energy measurements in an attempt to cause financial mayhem. Both individual consumers as well as the utility could be targeted by such an attack. While such an attack might have 
@@ -254,24 +257,24 @@ distribution grid. In some countries, smart meter functionality goes beyond mere monitoring devices and also includes remotely controlled switches. There are two types of these switches: Switches to support \emph{Demand-Side Management} (DMS) and cut off-switches that are used to punish defaulting customers. Demand Side Management is when a grid operator can remotely -control the timing of large, non-time-critical loads on the customer's premises\cite{dzung01}. A typical example of this +control the timing of large, non-time-critical loads on the customer's premises~\cite{dzung01}. A typical example of this is a customer using an electric water heater: The heater is outfitted with a large hot water storage tank and is connected hooked up to the utility's DSM system. The customer does not care when exactly their water is heated as long -as there is enough of it, and the utitliy offers them cheaper rates for the electricity used for heating in exchange for +as there is enough of it, and the utility offers them cheaper rates for the electricity used for heating in exchange for control over its precise timing. The utility uses this control to even out peaks in the consumption/production imbalance, remotely enabling DSM systems during off-peak times and disabling them during peak hours. In contrast to -DSM, cut-off switches are switches placed in-between the grid and the entire customer's household such that the utility +DSM, cut-off switches are switches placed in between the grid and the entire customer's household such that the utility can disconnect non-paying customers without incurring the expense of sending a technician to the customer's premises. -Unlike DSM systems, cut-off switches are not opt-in\cite{anderson01,temple01}. An attack that uses cut-off switches +Unlike DSM systems, cut-off switches are not opt-in~\cite{anderson01,temple01}. An attack that uses cut-off switches would obviously immediately cause severe mayhem. 
Attacks on DSM may have more limited immediate impact as affected consumers may not notice an interruption for several hours. Instead of switching off loads outright, an attack employing DSM switches (and potentially also cut-off switches) could choose to target the grid's stability. By synchronizing many compromised smart meters to switch on and off a large -amount of load capacity, an attacker might cause the entire electrical grid to oscillate\cite{kosut01,wu01,kim01}. As a -large system of coupled mechanical systems, the electrical grid exhibits a complex frequency-domain behavior. These -resonance effects, colloquially called ``modes'', are well-studied in power system -engineering\cite{rogers01,grebe01,entsoe01,crastan03}. As they can cause issues even under normal operating conditions, +load capacity, an attacker might cause the entire electrical grid to oscillate~\cite{kosut01,wu01,kim01}. As a large +system of coupled mechanical systems, the electrical grid exhibits a complex frequency-domain behavior. Resonance +effects, colloquially called ``modes'', are well-studied in power system +engineering~\cite{rogers01,grebe01,entsoe01,crastan03}. As they can cause issues even under normal operating conditions, a large effort is invested in dampening these resonances. Howewer, fully eliminating them under changing load conditions may not be achievable. 
@@ -279,9 +282,9 @@ may not be achievable. A core part of intervening with any such cyberattack is the ability to communicate remediary actions to the devices under attack. There is a number of well-established technologies for communication on or along power lines. We can -distinguish three basic system categories: Systems using separate wires (such as DSL over landline telephone wiring), +distinguish three basic system categories: systems using separate wires (such as DSL over landline telephone wiring), wireless radio systems (such as LTE) and \emph{Power Line Communication} (PLC) systems that reuse the existing mains -wiring and superimpose data transmissions onto the 50 Hz mains sine\cite{gungor01,kabalci01}. +wiring and superimpose data transmissions onto the 50 Hz mains sine~\cite{gungor01,kabalci01}. During a large-scale cyberattack, availability of internet and cellular connectivity cannot be relied upon. An attacker may already have disabled such systems in a separate attack, or they may go down along with parts of the electrical 
@@ -295,20 +298,20 @@ We propose to approach the problem of broadcasting an emergency signal to all sm using grid frequency as a communication channel. Despite the awesome complexity of large power grids, the physics underlying their response to changes in load and generation is surprisingly simple. Individual machines (loads and generators) can be approximated by a small number of differential equations and the entire grid can be modelled by -aggregating these approximations into a large system of nonu differential equations. As a consequence, small signal +aggregating these approximations into a large system of nonlinear differential equations. As a consequence, small signal changes in generation/consumption power balance cause an approximately proportional change in -frequency\cite{kundur01,crastan03,entsoe02,entsoe04}. This \emph{Power Frequency Charactersistic} is about +frequency~\cite{kundur01,crastan03,entsoe02,entsoe04}. This \emph{Power Frequency Charactersistic} is about \SI{25}{\giga\watt\per\hertz} for the continental European synchronous area according to European electricity grid authority ENTSO-E. If we modulate the power consumption of a large load such as a multi-megawatt aluminium smelter, this modulation will -result in a small change in frequency according to this characteristic. So long as we stay within the operational limits -set by ENTSO-E\cite{entsoe02,entsoe03}, this change will not degrade the operation of other parts of the grid. The +result in a small change in frequency according to this characteristic. As long as we stay within the operational limits +set by ENTSO-E~\cite{entsoe02,entsoe03}, this change will not degrade the operation of other parts of the grid. The advantages of grid frequency modulation are the fact that a single transmitter can cover an entire synchronous area as well as low receiver hardware complexity. 
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel -at very small scales in microgrids before\cite{urtasun01} and has not yet been considered for large-scale application. +at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application. \subsection{Characterizing Grid Frequency} 
@@ -317,15 +320,15 @@ measure grid frequency among other parameters. This task is much more complicat first glance since a PMU has to make extremely precise measurements, track fast changes in frequency and handle even distorted input signals. Detail on the inner workings of commercial phasor measurement units is scarce but there is a large amount of academic research on sophisticated phasor measurement -algorithms\cite{narduzzi01,derviskadic01,belega01}. +algorithms~\cite{narduzzi01,derviskadic01,belega01}. Since we do not need reference standard-grade accuracy for our application we chose to start with a very basic algorithm based on short-time fourier transform (STFT). Our system uses the universal frequency estimation approach of -experimental physicists Gasior and Gonzalez at CERN\cite{gasior01}. The Gasior and Gonzalez algorithm\cite{gasior01} +experimental physicists Gasior and Gonzalez at CERN~\cite{gasior01}. The Gasior and Gonzalez algorithm~\cite{gasior01} passes the windowed input signal through a DFT, then interpolates the signal's fundamental frequency by fitting a wavelet such as a Gaussian to the largest peak in the DFT results. The bias parameter of this curve fit is an accurate estimation of the signal's fundamental frequency. This algorithm is similar to the simpler interpolated DFT algorithm -used as a reference in much of the phasor measurement literature\cite{borkowski01}. +used as a reference in much of the phasor measurement literature~\cite{borkowski01}. To collect ground truth measurements for our analysis of grid frequency as a communication channel, we developed a device to safely record real mains voltage waveforms. Our system consists of an \texttt{STM32F030F4P6} ARM Cortex M0 
@@ -345,7 +348,7 @@ modulation would be a very large controllable load connected to the power grid a wire submerged in a body of cooling liquid such as a small lake along with a thyristor rectifier bank would likely suffice to perform this function during occasional cybersecurity incidents. We can however decrease hardware and maintenance investment even compared to this rather uncultivated solution by repurposing large industrial loads -as transmitters. Going through a list of energy-intensive industries in Europe\cite{ec01}, we found that an aluminium +as transmitters. Going through a list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is transformed, rectified and fed into about 100 series-connected electrolytic cells forming a \emph{potline}. Inside these pots alumina is dissolved in molten cryolite electrolyte at about \SI{1000}{\degreeCelsius} 
@@ -354,11 +357,11 @@ the bottom of the cell and is tapped off for further processing. Aluminium smelters are operated around the clock, and due to the high financial stakes their behavior under power outages has been carefully characterized by the industry. Power outages of tens of minutes up to two hours reportedly do -not cause problems in aluminium potlines\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation -without affecting cell lifetime or product quality have been devloped to take advantage of variable energy -prices.\cite{duessel01,eisma01}. An aluminium plant's power supply is controlled to constantly keep all smelter cells +not cause problems in aluminium potlines~\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation +without affecting cell lifetime or product quality have been developed to take advantage of variable energy +prices.~\cite{duessel01,eisma01}. An aluminium plant's power supply is controlled to constantly keep all smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to rectify -low-voltage AC to DC to be fed into the potline\cite{ayoub01}. Potline voltage is controlled through a combination of a +low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a combination of a tap changer and a transductor. Individual cell voltages are controlled by changing the physical distance between anode and cathode distance. In this setup, power can be modulated fully electronically. Since this system does not have any mechanical inertia, high modulation rates can reasonably be achieved. 
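Review bot: the added `+prices.~\cite{duessel01,eisma01}.` line keeps the stray full stop before the citation, so the sentence now ends in two periods; it should read `prices~\cite{duessel01,eisma01}.` with the non-breaking space directly before \cite, consistent with the other citation fixes in this commit. In the unchanged context two lines further down, "changing the physical distance between anode and cathode distance" repeats "distance"; drop the second occurrence.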
@@ -372,7 +375,7 @@ Under such conditions, the obvious choice for modulation are spread-spectrum tec using Direct Sequence Spread Spectrum for its simple implementation and good overall performance. DSSS chip timing should be as fast as the transmitter's physics allow to exploit the low-noise region between $\SI{0.2}{\hertz}$ to $\SI{2.0}{\hertz}$ in the frequency noise spectrum while avoiding any of the grid's oscillation modes. Going -past $\approx\SI{2}{\hertz}$ would put strain on the receiver's frequency measurement subsystem\cite{belega01}. Using a +past $\approx\SI{2}{\hertz}$ would put strain on the receiver's frequency measurement subsystem~\cite{belega01}. Using a spread-spectrum technique allows us to reduce the effect of interference by spurious tones. In addition, spreading our signal's energy over frequency also reduces the likelihood that we cause the grid to oscillate along any of its modes. @@ -416,7 +419,7 @@ to $\SI{2}{\hertz}$. Taking these modulation parameters as a starting point, we proceeded to create a proof-of-concept smart meter emergency reset system. On top of the modulation described in the previous paragraphs we layered simple Reed-Solomon error -correction\cite{mackay01} and some cryptography. The goal of our PoC cryptographic implementation was to allow the +correction~\cite{mackay01} and some cryptography. The goal of our PoC cryptographic implementation was to allow the sender of an emergency reset broadcast to authorize a reset command to all listening smart meters. An additional constraint of our setting is that due to the extremely slow communication channel all messages should be kept as short as possible. The solution we chose for our PoC is a simplistic hash chain using the approach from the Lamport and 
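Review bot: in the second hunk (`@@ -416,7 +419,7 @@`) the paragraph that introduces the hash chain should state what the scheme does and does not protect before the reader reaches the details of the construction: a receiver holding the chain's anchor can verify that a broadcast value hashes to it, which authenticates the reset command, but a hash chain provides no confidentiality, and each accepted value must replace the stored anchor so that a recorded broadcast cannot be replayed against a meter that has not yet advanced. That sentence belongs next to "The solution we chose for our PoC is a simplistic hash chain". In the first hunk, the context line "the obvious choice for modulation are spread-spectrum tec[hniques]" has a number disagreement; "choice ... is".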
@@ -498,7 +501,7 @@ Our initial assumption that a development kit would be easier to program than a true. Contrary to our expectations the commercial meter had JTAG enabled allowing us to easily read out its stock firmware without either reverse-engineering vendor firmware update files nor circumventing code protection measures. The fact that its firmware was only available in its compiled binary form was not much of a hindrance as it proved not -to be too complex and all we wanted to know we found out with just a few hours of digging in +to be too complex and all we wanted to know we found with just a few hours of digging in Ghidra\footnote{\url{https://ghidra-sre.org/}}. In the firmware development phase our approach of testing every module individually (e.g. DSSS demodulator, Reed-Solomon diff --git a/paper/safety-reset.bib b/paper/safety-reset.bib index d7b6fbd..1690e30 100644 --- a/paper/safety-reset.bib +++ b/paper/safety-reset.bib @@ -53,7 +53,7 @@ year = {2019},
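Review bot: in the `@@ -498,7 +501,7 @@` hunk the sentence around the changed line, "without either reverse-engineering vendor firmware update files nor circumventing code protection measures", mixes "either" with "nor"; use "without either reverse-engineering ... or circumventing ...". The wording change itself ("found out" to "found") is fine. Since an enabled JTAG port with readable flash on a commercial meter is a finding in its own right, the paragraph should name the readout-protection feature of the meter's MCU that was not enabled instead of the vague "code protection measures".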
}
-@Misc{bsi-tr-03109,
+@Unpublished{bsi-tr-03109,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {Technische Richtlinie BSI TR-03109},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
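Review bot: `@Unpublished` is the wrong entry type for the `-@Misc{bsi-tr-03109,` / `+@Unpublished{bsi-tr-03109,` change, and for the same change applied to every other entry in this file: BSI TR-03109 is a formally published technical guideline, while biblatex's unpublished type is meant for work that has not been published at all (classic BibTeX additionally requires a `note` field on it). The entries already carry `institution` (here `organization`), which is the field set of `@report`/`@techreport`; use that type, and drop `organization` where it merely repeats `author`.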
@@ -64,7 +64,7 @@ year = {2015},
}
-@Misc{bsi-tr-03109-1,
+@Unpublished{bsi-tr-03109-1,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1: Anforderungen an die Interoperabilit{\"a}t der Kommunikationseinheit eines intelligenten Messsystems},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -76,7 +76,7 @@ year = {2019},
}
-@Misc{bsi-tr-03109-6,
+@Unpublished{bsi-tr-03109-6,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-6: Smart Meter Gateway Administration},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -88,7 +88,7 @@ year = {2015},
}
-@Misc{bsi-tr-03109-4,
+@Unpublished{bsi-tr-03109-4,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-4: Public Key Infrastruktur f{\"u}r Smart Meter Gateways},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -100,7 +100,7 @@ year = {2017},
}
-@Misc{bsi-tr-03109-2,
+@Unpublished{bsi-tr-03109-2,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-2: Smart Meter Gateway - Anforderungen an die Funktionalit{\"a}t und Interoperabilit{\"a}t des Sicherheitsmoduls},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -112,7 +112,7 @@ year = {2014},
}
-@Misc{bsi-tr-03109-3,
+@Unpublished{bsi-tr-03109-3,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-3: Kryptographische Vorgaben f{\"u}r die Infrastruktur von intelligenten Messsystemen},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -123,7 +123,7 @@ year = {2014},
}
-@Misc{bsi-tr-03109-1-I,
+@Unpublished{bsi-tr-03109-1-I,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage I: CMS-Datenformat f{\"u}r die Inhaltsdatenverschl{\"u}sselung und -signatur},
organization = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
@@ -135,7 +135,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-II,
+@Unpublished{bsi-tr-03109-1-II,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage II: COSEM/HTTP Webservices},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -147,7 +147,7 @@ year = {2012},
}
-@Misc{bsi-tr-03109-1-IIIb,
+@Unpublished{bsi-tr-03109-1-IIIb,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage III: Feinspezifikation "Drahtlose LMN-Schnittstelle" Teil b: "OMS Technical Report Security"},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -159,7 +159,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-IIIa,
+@Unpublished{bsi-tr-03109-1-IIIa,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage III: Feinspezifikation "Drahtlose LMN-Schnittstelle" Teil a: "OMS Specification Volume 2, Primary Communication"},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -171,7 +171,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-IVa,
+@Unpublished{bsi-tr-03109-1-IVa,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage IV: Feinspezifikation "Drahtgebundene LMN-Schnittstelle" Teil a: "HDLC f{\"u}r LMN"},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -183,7 +183,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-IVb,
+@Unpublished{bsi-tr-03109-1-IVb,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage IV: Feinspezifikation "Drahtgebundene LMN-Schnittstelle" Teil b: "SML Smart Message Language"},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -195,7 +195,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-VI,
+@Unpublished{bsi-tr-03109-1-VI,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage VI: Betriebsprozesse},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -207,7 +207,7 @@ year = {2013},
}
-@Misc{bsi-tr-03109-1-VII,
+@Unpublished{bsi-tr-03109-1-VII,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-1 Anlage VII: Interoperabilit{\"a}tsmodell und Ger{\"a}teprofile f{\"u}r Smart-Meter- Gateways},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -219,7 +219,7 @@ year = {2019},
}
-@Misc{bsi-tr-03109-2-a,
+@Unpublished{bsi-tr-03109-2-a,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-2 Anhang A: Smart Meter Gateway Sicherheitsmodul Use Cases},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -231,7 +231,7 @@ year = {2014},
}
-@Misc{bsi-tr-03109-2-b,
+@Unpublished{bsi-tr-03109-2-b,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-2 Anhang B: Smart Meter Mini-HSM Anforderungen an die Funktionalit{\"a}t und Interoperabilit{\"a}t des Sicherheitsmoduls},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -243,7 +243,7 @@ year = {2017},
}
-@Misc{bsi-tr-03116-3,
+@Unpublished{bsi-tr-03116-3,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03116-3: Intelligente Messsysteme},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -254,7 +254,7 @@ year = {2019},
}
-@Misc{bsi-tr-03109-ts-1,
+@Unpublished{bsi-tr-03109-ts-1,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-03109-TS-1: Testkonzept zu BSI TR-03109-1},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -266,7 +266,7 @@ year = {2015},
}
-@Misc{bsi-tr-pruefstellen,
+@Unpublished{bsi-tr-pruefstellen,
author = {{Bundesamt f{\"u}r Sicherheit in der Informationstechnik}},
title = {TR-Pr{\"u}fstellen: Anforderungen an Antragsteller zur Anerkennung als Pr{\"u}fstelle im Bereich Technischer Richtlinien},
organization = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
@@ -470,7 +470,7 @@ year = {2016},
}
-@Misc{st-db3636,
+@Unpublished{st-db3636,
author = {{ST Microelectronics}},
title = {STSAFE-J100-BS Data brief},
organization = {ST Microelectronics},
@@ -512,7 +512,7 @@ year = {2018} } -@Misc{entsoe01,
+@Unpublished{entsoe01,
author = {{ENTSO-E System Protection Dynamics and WG}},
title = {Oscillation Event 03.12.2017},
url = {https://docstore.entsoe.eu/Documents/SOC%20documents/Regional_Groups_Continental_Europe/OSCILLATION_REPORT_SPD.pdf},
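Review bot: the `author` field of `entsoe01` has its words shuffled: "ENTSO-E System Protection Dynamics and WG" should be "ENTSO-E System Protection and Dynamics WG" (the working group the `_SPD` suffix in the URL refers to). With a `url` and no formal publisher, `@online` or `@report` with `institution = {ENTSO-E}` describes this oscillation report better than `@Unpublished`.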
@@ -581,7 +581,7 @@ year = {2013} } -@Misc{cenelec01,
+@Unpublished{cenelec01,
author = {{The CEN/CENELEC/ETSI Joint Working Group Standards Smart on for Grids}},
title = {Final report of the CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids},
organization = {CEN/CENELEC/ETSI},
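Review bot: the `author` field of `cenelec01`, "The CEN/CENELEC/ETSI Joint Working Group Standards Smart on for Grids", has its words out of order; the `title` on the next line gives the correct form, "CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids". A final report of a standards body is also not `@Unpublished`; `@report` with the existing `organization` value moved to `institution` fits.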
@@ -589,7 +589,7 @@ year = {2011},
}
-@Misc{pariente01,
+@Unpublished{pariente01,
author = {Dillon Pariente and Emmanuel Ledinot},
title = {Formal verification of industrial C code using Frama-C: a case study},
journal = {Formal Verification of Object-Oriented Software},
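Review bot: `pariente01` carries a `journal` field ("Formal Verification of Object-Oriented Software"), i.e. it is a published paper, so moving it from `@Misc` to `@Unpublished` goes in the wrong direction; it should be `@inproceedings` with that value in `booktitle`, since the paper appeared in the proceedings of that name.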
@@ -753,7 +753,7 @@ publisher = {Springer},
}
-@Misc{lamport02,
+@Unpublished{lamport02,
author = {Lamport, Leslie},
date = {19},
title = {Constructing digital signatures from a one-way function},
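Review bot: `date = {19}` in `lamport02` is truncated; Lamport's "Constructing digital signatures from a one-way function" is SRI International technical report CSL-98 of October 1979, so the field should read `date = {1979-10}` (or at least `1979`), and the entry is an `@report` with `institution = {SRI International}` and `number = {CSL-98}` rather than `@Unpublished`.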
@@ -794,7 +794,7 @@ year = {2005},
}
-@Misc{gasior01,
+@Unpublished{gasior01,
author = {Gasior, M and Gonzalez, JL},
title = {Improving FFT frequency measurement resolution by parabolic and gaussian interpolation},
institution = {CERN-AB-Note-2004-021},
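Review bot: `institution = {CERN-AB-Note-2004-021}` in `gasior01` puts the report number in the institution field; it should be `institution = {CERN}` with `number = {CERN-AB-Note-2004-021}`, which again makes this an `@report`, not `@Unpublished`. "gaussian" in the title should be capitalised.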
@@ -883,7 +883,7 @@ year = {2006},
}
-@Misc{entsoe02,
+@Unpublished{entsoe02,
author = {UCTE/ENTSO-E},
date = {2009},
title = {Operation Handbook},
@@ -892,14 +892,14 @@ year = {2009},
}
-@Misc{entsoe03,
+@Unpublished{entsoe03,
author = {{ENTSO-E Working Group Incident Classification Scale Under System Operations Committee}},
date = {2014},
title = {Incidents Classification Methodology},
institution = {ENTSO-E},
}
-@Misc{entsoe04,
+@Unpublished{entsoe04,
author = {UCTE/ENTSO-E},
date = {2004},
title = {Operation Handbook},
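Review bot: `entsoe04` attributes the 2004 Operation Handbook to "UCTE/ENTSO-E", but ENTSO-E was founded in 2008 and took over from UCTE in 2009; the 2004 edition is UCTE's alone, so `author = {UCTE}` for `entsoe04`, keeping the joint attribution only for the 2009 entry `entsoe02`. Both entries in this hunk should be `@report` with `institution` rather than `@Unpublished`.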
@@ -925,24 +925,24 @@ journaltitle = {Proceedings of the 36th International ICSOBA Conference},
}
-@Misc{ec01,
+@Unpublished{ec01,
author = {Christian Egenhofer and Felice Simonelli and Andrea Renda and Antonella Zarra and William Schmitt and Aurélie Faure and Eleaonor Drabik and Vasileios Rizos and Thomas Hähl and Michèle Koper and Angelica Afanador and Marian Bons},
date = {2018},
- title = {Composition and Drivers of Energy Prices and Costs: Case Studies in SelectedEnergy Intensive Industries – 2018},
+ title = {Composition and Drivers of Energy Prices and Costs: Case Studies in Selected Energy Intensive Industries – 2018},
doi = {10.2873/937326},
url = {https://op.europa.eu/en/publication-detail/-/publication/424dac0a-ec77-11e8-b690-01aa75ed71a1/language-en},
institution = {European Commission, Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs},
}
-@Misc{oye01,
+@Unpublished{oye01,
author = {Harald A. Øye},
date = {2012},
title = {Power Failure, Temporary Pot Shut-Down, Restart and Repair},
- eventtitle = {27thInternational Aluminium Conference Metal Bulletin Events},
+ eventtitle = {27th International Aluminium Conference Metal Bulletin Events},
institution = {27th International Aluminium Conference Metal Bulletin Events},
}
-@Misc{ayoub01,
+@Unpublished{ayoub01,
author = {Mohammed W. Ayoub and Francis V. P. Robinson},
date = {2013},
title = {A comparative study between diode and thyristor based AC to DC converters for aluminium smelting process},
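Review bot: `ec01` has a `doi` and an EU Publications Office `url`, i.e. it is a formally published Commission report, which contradicts `@Unpublished` more plainly than any other entry in this file; `@report` with the existing `institution` is the right type (the "Selected Energy" spacing fix is correct). In `oye01`, the `institution` field only repeats `eventtitle`; a conference presentation has a venue, not an institution, so drop it.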
@@ -951,7 +951,7 @@ institution = {{Dubai Aluminium}},
}
-@Misc{wright01,
+@Unpublished{wright01,
author = {Paul S. Wright},
date = {2019},
title = {Library of ROCOF Test Waveforms – Pseudo Code, V1.0, May 2019.},
@@ -959,7 +959,7 @@ institution = {UK National Physical Laboratory},
}
-@Misc{hp01,
+@Unpublished{hp01,
date = {1997},
title = {Application Note 200-2: Fundamentals of Quartz Oscillators},
institution = {Hewlett Packard},
@@ -988,13 +988,13 @@ institution = {Bundesministeriums f{\"u}r Wirtschaft und Energie},
}
-@Misc{easymeter01,
+@Unpublished{easymeter01,
author = {{EasyMeter GmbH}},
date = {2020},
title = {Datenblatt Moderne Messeinrichtung Q3A Drehstromzähler},
}
-@Misc{honeywell01,
+@Unpublished{honeywell01,
author = {{Honeywell Smart Energy}},
date = {2017},
title = {Datasheet Honeywell REX2 smart meter},
@@ -1010,7 +1010,7 @@ urldate = {2020-05-06},
}
-@Misc{ec02,
+@Unpublished{ec02,
author = {Frédéric Tounquet and Clément Alaton},
date = {2019},
title = {Benchmarking smart meteringdeployment in the EU-28},
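Review bot: the context line `title = {Benchmarking smart meteringdeployment in the EU-28}` in `ec02` is missing the space in "metering deployment", the same class of typo this commit fixes in `ec01` and `oye01`; fix it here as well.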
@@ -1051,7 +1051,7 @@ isbn = {978-3-642-20099-1},
}
-@Misc{simon01,
+@Unpublished{simon01,
editor = {Liviu Constantinescu-Simon},
date = {1997},
title = {Handbuch Elektrische Energietechnik},
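Review bot: `simon01` has an `editor` field and is a printed handbook ("Handbuch Elektrische Energietechnik"), so `@Unpublished` is wrong; it should be `@book` or `@collection`, with a `publisher` field added.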
@@ -1082,7 +1082,7 @@ urldate = {2020-05-11},
}
-@Misc{vseaes01,
+@Unpublished{vseaes01,
date = {2010},
title = {Branchenempfehlung Strommarkt Schweiz Handbuch Smart Metering CH},
url = {https://web.archive.org/web/20130418034458if_/http://www.strom.ch:80/uploads/media/HBSM-CH_1018d_2010.pdf},
@@ -1193,7 +1193,7 @@ year = {2014},
}
-@Misc{semerow01,
+@Unpublished{semerow01,
author = {Anatoli Semerow and Sebastian Hohn and Matthias Luther and Walter Sattinger and Hans Abildgaard and Agustin Diaz Garcia and Giorgio Giannuzzi},
date = {2015},
title = {Dynamic Study Model for the interconnected power system of Continental Europe in different simulation tools},
@@ -1239,7 +1239,7 @@ subtitle = {Specifications, Requirements and Technologies},
}
-@Misc{ec03,
+@Unpublished{ec03,
date = {2014},
title = {Single Market Progress Report: Country Profiles – Italy},
type = {resreport},
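Review bot: `ec03` already has `type = {resreport}` and `institution = {European Commission}` (visible in the following context), which are the report-subtype keyword and field biblatex defines for `@report`; switching the entry to `@Unpublished` strands `type = {resreport}`. Use `@report`.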
@@ -1248,7 +1248,7 @@ institution = {European Commission},
}
-@Misc{usitc01,
+@Unpublished{usitc01,
author = {Lisa Alejandro and Caitlin Blair and Laura Bloodgood and Mahnaz Khan and Martha Lawless and Daniel Meehan and Patrick Schneider and Karl Tsuji},
date = {2014},
title = {Global Market for Smart Electricity Meters},
@@ -1259,7 +1259,7 @@ institution = {U.S. International Trade Commission},
}
-@Misc{toshiba01,
+@Unpublished{toshiba01,
author = {Mitsuhide Ishima and Kiyoyuki Terai and Yoshihiro Ogita},
date = {2018},
title = {Construction and Operation of Communication System for Smart Meter System of TEPCO Power Grid, Inc.},
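Review bot: `toshiba01` has `volume = {73}` in the following context, which marks it as a journal article, so `@Unpublished` is the wrong type; use `@article` with a `journaltitle` field.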
@@ -1272,7 +1272,7 @@ volume = {73},
}
-@Misc{ukgov01,
+@Unpublished{ukgov01,
author = {{UK Department for Business, Energy and Industrial Strategy}},
date = {2018},
title = {Smart Metering Implementation Programme Progress Report for 2018},
@@ -1281,7 +1281,7 @@ institution = {UK Department for Business, Energy and Industrial Strategy},
}
-@Misc{ukgov02,
+@Unpublished{ukgov02,
author = {{UK Department of Energy and Climate Change}},
date = {2014},
title = {Smart Metering Implementation Programme: Smart Metering Equipment Technical Specifications},
@@ -1290,7 +1290,7 @@ version = {1.58},
}
-@Misc{ukgov03,
+@Unpublished{ukgov03,
author = {{UK Department for Business, Energy and Industrial Strategy}},
date = {2016},
title = {Smart Meter Rollout Cost-Benefit Analysis Part I},
@@ -1344,7 +1344,7 @@ volume = {109},
}
-@Misc{dsmrp3,
+@Unpublished{dsmrp3,
date = {2014},
title = {Dutch Smart Meter Requirements P3 Companion Standard},
url = {https://www.netbeheernederland.nl/_upload/Files/Slimme_meter_15_1f3c5c9b2c.pdf},
@@ -1353,7 +1353,7 @@ institution = {Netbeheer Nederland WG DSMR},
}
-@Misc{dsmrp1,
+@Unpublished{dsmrp1,
date = {2016},
title = {Dutch Smart Meter Requirements P1 Companion Standard},
url = {https://smarty.creos.net/wp-content/uploads/DutchSmartMeterRequirements.pdf},
@@ -1554,7 +1554,7 @@ year = {1996},
}
-@Misc{ukgov04,
+@Unpublished{ukgov04,
author = {{UK Department for Business Energy and Industrial Strategy}},
date = {2019},
title = {Smart Meter Statistics Quarterly Report to end March 2019},
@@ -1562,7 +1562,7 @@ url = {https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/804767/2019_Q1_Smart_Meters_Report.pdf},
}
-@Misc{bnetza02,
+@Unpublished{bnetza02,
author = {{German Government Bundesnetzagentur}},
date = {2018},
title = {Monitoring Report 2018},
@@ -1714,7 +1714,7 @@ urldate = {2020-06-08},
}
-@Misc{landisgyr01,
+@Unpublished{landisgyr01,
author = {{Landis+Gyr Group AG}},
date = {2020-05-28},
title = {Landis+Gyr Annual Report 2019},
@@ -1722,7 +1722,7 @@ urldate = {2020-06-29},
}
-@Misc{landisgyr02,
+@Unpublished{landisgyr02,
author = {{Landis+Gyr Group AG}},
date = {2020-05-06},
title = {Landis+Gyr Financial Report 2019},