Diffstat (limited to 'paper')
-rw-r--r-- | paper/safety-reset-paper.tex | 57 |
1 files changed, 32 insertions, 25 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index ece7d57..e3c3a41 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex 
@@ -57,31 +57,34 @@ the last years. Smart Grid security has two major components: The security of ce of equipment at the consumer premises such as smart meters and IoT devices. While there is previous work on both sides, their interactions have not yet received much attention. -In this paper, we consider the previously proposed scenario where a large number of compromised consumer devices is used -alone or in conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly modulating -the total connected load~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. Several devices have been identified as likely -targets for such an attack including smart meters with integrated remote disconnect switches~\cite{ctap+11,anderson01}, -large IoT-connected appliances~\cite{smp18,hcb19,chl20,olkd20} and electric vehicle -chargers~\cite{kgma21,zlmz+21,olkd20}. Such attacks are hard to mitigate, and existing literature focuses on hardening -grid control systems~\cite{kgma21,lzlw+20,lam21,zlmz+21} and device firmware\cite{mpdm+10,smp18,zb20,yomu+20} to prevent -compromise. Despite the infeasibility of perfect firmware security, there is little research on \emph{post-compromise} -mitigation approaches. A core issue with post-attack mitigation is that network connections such as internet and -cellular networks between the utility and devices on consumer premises may not work due to the attack. Thus, mitigation -strategies that involve devices on the consumer premises will need an out-of-band communication channel. - -We propose a \emph{safety reset} controller that is controlled through a novel, resilient, grid-wide powerline -communication technique. Our safety reset controller can be fitted into any Smart Meter or IoT device. Its purpose is to -await an out-of-band command to put the device into a safe state (e.g. \emph{relay on} or \emph{light on}) that -interrupts attacker control over the device. 
The safety reset controller is separated from the system's main application -controller and does not have any conventional network connections to reduce attack surface and cost. - -To facilitate resilient communication between the grid operator and the safety reset controller, we propose a grid-wide -broadcast channel based on grid frequency modulation (GFM). This channel can be operated by transmission system -operators (TSOs) even during black-start recovery procedures and it bridges the gap between the TSO's private control -network and consumer devices that can not economically be equipped with other resilient communication techniques such as -satellite transceivers. To demonstrate our proposed channel, we have implemented a system that transmits error-corrected -and cryptographically secured commands through an emulated grid frequency-modulated voltage waveform to an off-the-shelf -smart meter equipped with a prototype safety reset controller based on a small off-the-shelf microcontroller. +We consider the previously proposed scenario where a large number of compromised consumer devices is used alone or in +conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly modulating the total +connected load~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. Several devices have been identified as likely targets +for such an attack including smart meters with integrated remote disconnect switches~\cite{ctap+11,anderson01}, large +IoT-connected appliances~\cite{smp18,hcb19,chl20,olkd20} and electric vehicle chargers~\cite{kgma21,zlmz+21,olkd20}. +Such attacks are hard to mitigate, and existing literature focuses on hardening grid control +systems~\cite{kgma21,lzlw+20,lam21,zlmz+21} and device firmware\cite{mpdm+10,smp18,zb20,yomu+20} to prevent compromise. +Despite the infeasibility of perfect firmware security, there is little research on \emph{post-compromise} mitigation +approaches. 
A core issue with post-attack mitigation is that network connections such as internet and cellular networks +between the utility and devices on consumer premises may not work due to the attack. Thus, mitigation strategies that +involve devices on the consumer premises will need an out-of-band communication channel. + +In this paper, we propose a novel, resilient, grid-wide communication technique based on \empH{grid frequency +modulation} (GFM) that can be used to broadcast short messages to all devices connected to the electrical grid. The grid +frequency modulation channel is robust and can be used even during an ongoing attack. Based on our channel we propose +the \emph{safety reset} controller, an attack mitigation technique that is compatible with most smart meter and IoT +device designs. A safety reset controller is a separate controller integrated to the device that awaits an out-of-band +reset command transmitted through GFM. Upon reception of the reset command, it puts the device into a safe state (e.g. +\emph{relay on} or \emph{light on}) that interrupts attacker control over the device. The safety reset controller is +separated from the system's main application controller and itself does not have any conventional network connections to +reduce attack surface and cost. + +The grid frequency modulation channel can be operated by transmission system operators (TSOs) even during black-start +recovery procedures and it bridges the gap between the TSO's private control network and consumer devices that can not +economically be equipped with other resilient communication techniques such as satellite transceivers. To demonstrate +our proposed channel, we have implemented a system that transmits error-corrected and cryptographically secured commands +through an emulated grid frequency-modulated voltage waveform to an off-the-shelf smart meter equipped with a prototype +safety reset controller based on a small off-the-shelf microcontroller. 
The frequency behavior of the electrical grid can be analyzed by examining the grid as a large collection of mechanical oscillators coupled through the grid via the electromotive force~\cite{rogers01,wcje+12}. The generators and motors that @@ -720,6 +723,10 @@ commercially viable. Source code and EDA designs are available at the public repository listed at the end of this document. +\begin{acks} + This work has been co-funded by the LOEWE initiative (Hesse, Germany) within the emergenCITY center. +\end{acks} + \bibliographystyle{plain} \bibliography{\jobname} |
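Review bot: In the first hunk (the rewritten introduction at `@@ -57,31 +57,34 @@`), the added line `In this paper, we propose a novel, resilient, grid-wide communication technique based on \empH{grid frequency` uses `\empH`, which is not a LaTeX macro; this will fail with "Undefined control sequence" and should be `\emph{grid frequency modulation}` as on the surrounding lines. Two smaller points in the same hunk: `device firmware\cite{mpdm+10,smp18,zb20,yomu+20}` lacks the non-breaking `~` that every other citation in this paragraph uses, so the citation can be orphaned at a line break, and "a separate controller integrated to the device" reads better as "integrated into the device".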
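Review bot: In the second hunk (`@@ -720,6 +723,10 @@`), the new `\begin{acks} ... \end{acks}` environment is provided by the ACM `acmart` class, yet the unchanged context line `\bibliographystyle{plain}` suggests this document may not be built with acmart's standard bibliography setup; please confirm the document class actually defines `acks`, otherwise the build breaks at this point and a `\section*{Acknowledgments}` (or a local `\newenvironment{acks}` fallback) is needed instead.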