From a1e6a1115df44ce1fbb197aab458a6850f364ff2 Mon Sep 17 00:00:00 2001
From: jaseg
Date: Thu, 28 May 2020 11:16:27 +0200
Subject: ma: add conclusion, add some polish, add version numbering
---
ma/Makefile | 5 ++-
ma/safety_reset.tex | 119 ++++++++++++++++++++++++++++++++--------------------
2 files changed, 78 insertions(+), 46 deletions(-)
diff --git a/ma/Makefile b/ma/Makefile
index 4458082..bc552a2 100644
--- a/ma/Makefile
+++ b/ma/Makefile
@@ -15,11 +15,14 @@ safety_reset.pdf: resources/gps_clock_jitter_analysis.pdf
safety_reset.pdf: resources/dsss_experiments-ber.pdf
safety_reset.pdf: resources/freq_meas_validation_rocof_testsuite.pdf
-%.pdf: %.tex %.bib
+%.pdf: %.tex %.bib version.tex
pdflatex -shell-escape $<
biber $*
pdflatex -shell-escape $<
+version.tex: safety_reset.tex safety_reset.bib
+ git describe --tags --long --dirty > $@
+
resources/%.pdf: $(LAB_PATH)/%.ipynb
jupyter-nbconvert --to=pdf --output-dir=resources --output=$* --LatexExporter.template_file=resources/nbexport.tplx $^
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex
index fbe4615..179fcca 100644
--- a/ma/safety_reset.tex
+++ b/ma/safety_reset.tex
@@ -41,6 +41,7 @@
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
+\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
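Review bot: The `version.tex` rule added on the `+version.tex:` line depends only on `safety_reset.tex` and `safety_reset.bib`, so the recorded version goes stale whenever the repository state changes without touching those two files — a new tag, a commit to the Makefile or to resources, or a `--dirty` state caused by some other file — and a PDF built from a modified tree can still claim to be clean. When `git describe` fails (no reachable tag, shallow clone) the redirect has already created an empty `version.tex` that make treats as up to date on the next run, so the failure is silently persisted into the document. A `FORCE` prerequisite with a compare-before-replace step regenerates the string on every build while keeping the PDF rebuild incremental, `--always` supplies a commit-hash fallback, and going through a temporary file avoids leaving a truncated target behind.

```make
.PHONY: FORCE
FORCE:

version.tex: FORCE
	git describe --tags --long --dirty --always > $@.tmp || { rm -f $@.tmp; exit 1; }
	cmp -s $@.tmp $@ || mv $@.tmp $@
	rm -f $@.tmp
```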
@@ -87,6 +88,22 @@ \mitverteidigung % entfernen, falls keine Verteidigung erfolgt %FIXME \makeTitel \selbstaendigkeitserklaerung{31.03.2020} +\vfill +\begin{minipage}[t][10cm][b]{\textwidth} +\center{\ccbysa} + +\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The full +text of the license can be found at:} + +\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} + +\center{For alternative licensing options, source files, questions or comments please contact the author at +\texttt{masterarbeit@jaseg.de}}. + +\center{This is version \texttt{\input{version.tex}\unskip}. The git repository can be found at:} + +\center{\url{https://git.jaseg.de/master-thesis.git}} +\end{minipage} \newpage % Hier folgt die eigentliche Arbeit (bei doppelseitigem Druck auf einem neuen Blatt): 
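Review bot: `\texttt{\input{version.tex}\unskip}` on the added `This is version` line inserts the raw `git describe` output into the document, so a tag name containing a LaTeX-active character (`_`, `#`, `%`, `&`) either breaks the build or renders incorrectly; only the commit hash and the `-dirty` suffix are guaranteed to be safe. Escaping where the string is generated, e.g. `git describe --tags --long --dirty | sed 's/[_#%&]/\\&/g' > $@` in the Makefile rule, keeps the document independent of the tagging convention. On the `\center{For alternative licensing options ...}}.` line the full stop follows the closing brace and so ends up outside the centered block. `\center{...}` is the environment-opening command used as if it took an argument; `\centering` at the top of the minipage, or `\begin{center}...\end{center}` around each paragraph, is the conventional form.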
@@ -139,9 +156,9 @@ A remotely exploitable flaw inside a smart meter's firmware\footnote{ There are several smart metering architectures that ascribe different roles to the component called \emph{smart meter}. Coarsely divided into two camps these are systems where all metering and communication code resides within one physical unit and systems where metering and communication are separated into two units, the \emph{smart meter} - and the \emph{smart meter gateway}. An example for the former are setups in the USA, an example of the latter is the - one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the entire system at - the customer premises including both the meter and a potential gateway. + and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in the USA, an example of + the latter is the one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the + entire system at the customer premises including both the meter and a potential gateway. } could have consequences ranging from impaired billing functionality to an existential threat to grid stability\cite{anderson01,anderson02}. A coördinated attack on meters in a country where load switches are common could at worst cause widespread activation of grid safety systems by repeatedly 
@@ -382,7 +399,7 @@ customers in situations where that was not previously economically possible\foot introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some time after publication, but the internet archive has a copy. -}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household. +}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household\cite{stuber01}. \begin{figure} \centering @@ -1288,7 +1305,7 @@ P}{\Delta f}$, called \emph{Overall Network Power Frequency Characteristic} by E \SI{25}{\giga\watt\per\hertz}. We can derive general design parameter for any system utilizing grid frequency as a communications channel from the -policies of ENTSO-E\cite{entsoe02,entsoe03}. Probably any such system should stay below a modulation amplitude of +policies of ENTSO-E\cite{entsoe02,entsoe03}. Any such system should stay below a modulation amplitude of \SI{100}{\milli\hertz} which is the threshold defined in the ENTSO-E incidents classification scale for a Scale 0-1 (from "Anomaly" to "Noteworthy Incident" scale) frequency degradation incident\cite{entsoe03} in the continental europe synchronous area. 
@@ -1297,10 +1314,9 @@ synchronous area. The ENTSO-E Operations Handbook Policy 1 chapter defines the activation threshold of primary control to be \SI{20}{\milli\hertz}. Ideally a modulation system would stay well below this threshold to avoid fighting the primary -control reserve. Modulation line rate should probably be on the order of a few hundred millibaud. -% TODO is using "probably" here and in the previous paragraph ok? -Modulation at such high rates would outpace primary control action which is specified by ENTSO-E as acting within -between ``a few seconds'' and \SI{15}{\second}. +control reserve. Modulation line rate should likely be on the order of at most a few hundred millibaud. Modulation at +such high rates would outpace primary control action which is specified by ENTSO-E as acting within between ``a few +seconds'' and \SI{15}{\second}. The effective \emph{Network Power Frequency Characteristic} of primary control in the european grid is reported by ENTSO-E at around \SI{20}{\giga\watt\per\hertz}. Keeping modulation amplitude below this threshold would help to avoid 
@@ -1452,10 +1468,10 @@ excitation will cause a proportional change in the receiver's measurement. Using we get a real-valued signed quantity. In this way grid frequency modulation is similar to a channel using coherent modulation. We can transmit not only signal strength, but polarity too. -For our purposes we can discount both Time and Frequency Hopping Spread Spectrum techniques. Time -hopping aids to reduce interference between multiple transmitters but does not help with SNR any more than Direct -Sequence does. % FIXME verify this. -Our system is strictly limited to a single transmitter so we do not gain anything through Time Hopping. +For our purposes we can discount both Time and Frequency Hopping Spread Spectrum techniques. Time hopping aids to reduce +interference between multiple transmitters but does not help with SNR any more than Direct Sequence does since all it +does is allowing other transmitters to transmit. Our system is strictly limited to a single transmitter so we do not +gain anything through Time Hopping. Frequency Hopping Spread Spectrum techniques require a carrier. Grid frequency modulation itself is very limited in peak frequency deviation $\Delta f$. Frequency hopping could only be implemented as a second modulation on top of GFM, 
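Review bot: The `% FIXME verify this` marker on the SNR claim is removed and replaced by the justification `since all it does is allowing other transmitters to transmit`, but no reference is added, so the statement that time hopping gives no processing gain beyond direct sequence is still unsupported in the text; a spread-spectrum reference at that sentence would close the FIXME properly. The phrase also reads more naturally as `since all it does is allow other transmitters to transmit`.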
@@ -2619,11 +2635,24 @@ microcontroller providing this type of virtualization on the one hand and the co
virtualization on the other hand. Virtualization systems such as TrustZone are still orders of magnitude more complex to
correctly configure than it is to simply use separate hardware and secure the interfaces in between.
-\chapter{Alternative uses of grid frequency modulation}
-% FIXME random beacons? funky consensus protocols? proof of knowledge/cryptographic notary service?
-
\chapter{Conclusion}
- %FIXME
+
+In this thesis we have developed an end-to-end design of a reset system to restore smart meters to a safe operating
+state during an ongoing large-scale cyberattack. We have laid out the fundamentals of smart metering infrastructure and
+elaborated the need for an out-of-band method to reset device firmware due to the large attack surface of this complex
+firmware. To allow our system to be triggered even in the middle of a cyberattack we have developed a broadcast data
+transmission system based on intentional modulation of global grid frequency. We have developed the theoretical
+foundations of the process based on an established model of inertial grid frequency response to load variations and
+shown the veracity of our end-to-end design through extensive simulations. To properly base these simulations we have
+developed a grid frequency measurement methodology comprising of a custom-designed hardware device for electrically safe
+data capture and a set of software tools to archive and process captured data. Our simulations show good behavior of our
+broadcast communication system and give an indication that coöperating with a large consumer such as an aluminium
+smelter would be a feasible way to set up a transmitter at very low hardware overhead. 
Based on our broadcast primitive
+we have developed a cryptographic protocol ready for embedded implementation in resource-constrained systems that allows
+quick (response time less than 30 minutes) triggering of all or a selected subset of devices. Finally, we have
+experimentally validated our system using simulated grid frequency data in a demonstrator setup based on a commercial
+microcontroller as our safety reset controller and an off-the-shelf smart meter. We have laid out a path for further
+research and standardization related to our system.
\newpage
@@ -2632,12 +2661,12 @@ correctly configure than it is to simply use separate hardware and secure the in
\newpage
\appendix
-\chapter{Transcripts of Jupyter notebooks used in this thesis}
+%\chapter{Transcripts of Jupyter notebooks used in this thesis}
-\includenotebook{Grid frequency estimation}{grid_freq_estimation}
-\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
-\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
-\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
+%\includenotebook{Grid frequency estimation}{grid_freq_estimation}
+%\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
+%\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
+%\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
\chapter{Frequency sensor schematics}
\fancyhead[C]{Frequency sensor schematics (1/3)}
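Review bot: The added conclusion paragraph states evaluated results as bare claims — `quick (response time less than 30 minutes) triggering` and `shown the veracity of our end-to-end design through extensive simulations` — without pointing the reader to where they are established; a `\ref{}` to the protocol timing analysis and to the simulation results (using whatever labels those sections already carry) would make the summary checkable. `comprising of a custom-designed hardware device` should read `comprising a custom-designed hardware device`. The paragraph begins on the previous physical line of this patch, which is cut mid-sentence between `overhead.` and `Based on our broadcast primitive`.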
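Review bot: The notebook appendix is disabled by commenting out `\chapter{Transcripts of Jupyter notebooks used in this thesis}` and the four `\includenotebook` lines rather than deleting them, and the next hunk does the same for twenty-five lines of firmware excerpts starting at `%\chapter{Firmware source code excerpts}`; git history already preserves the removed text, so deleting the lines, or wrapping them once in `\iffalse ... \fi` with a comment saying why, keeps the source readable. The Makefile hunk still lists `resources/gps_clock_jitter_analysis.pdf`, `resources/dsss_experiments-ber.pdf` and `resources/freq_meas_validation_rocof_testsuite.pdf` as prerequisites of `safety_reset.pdf`, which appear to be consumed only by the now-disabled `\includenotebook` calls, so a build still needs the nbconvert toolchain for output that is never used; if the appendix is meant to stay out, those prerequisites can go as well.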
@@ -2650,29 +2679,29 @@ correctly configure than it is to simply use separate hardware and secure the in
\includepdf[fitpaper,landscape,pagecommand={\thispagestyle{fancy}}]{resources/platform-export-pg3.pdf}
\fancyfoot[C]{\thepage}
-\chapter{Firmware source code excerpts}
-\section{DMA-backed ADC capture (adc.c)}
-\inputminted[fontsize=\footnotesize,linenos,firstline=18,lastline=115,breaklines]{C}{../gm_platform/fw/adc.c}
-
-\section{Frequency sensor packetized serial interface}
-\subsection{serial.c}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/serial.c}
-\subsection{packet\_interface.c}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/packet_interface.c}
-\subsection{cobs.c}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/cobs.c}
-\subsection{Host data logging utility (tw\_test.py)}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{python}{../gm_platform/fw/tw_test.py}
-
-\section{Frequency estimation (freq\_meas.c)}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/freq_meas.c}
-\section{DSSS demodulation (dsss\_demod.c)}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/dsss_demod.c}
-\section{Cryptographic protocol handling}
-\subsection{protocol.c}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/protocol.c}
-\subsection{crypto.c}
-\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/crypto.c}
+%\chapter{Firmware source code excerpts}
+%\section{DMA-backed ADC capture (adc.c)}
+%\inputminted[fontsize=\footnotesize,linenos,firstline=18,lastline=115,breaklines]{C}{../gm_platform/fw/adc.c}
+%
+%\section{Frequency sensor packetized serial interface}
+%\subsection{serial.c}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/serial.c}
+%\subsection{packet\_interface.c}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/packet_interface.c}
+%\subsection{cobs.c}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/cobs.c}
+%\subsection{Host data logging utility (tw\_test.py)}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{python}{../gm_platform/fw/tw_test.py}
+%
+%\section{Frequency estimation (freq\_meas.c)}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/freq_meas.c}
+%\section{DSSS demodulation (dsss\_demod.c)}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/dsss_demod.c}
+%\section{Cryptographic protocol handling}
+%\subsection{protocol.c}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/protocol.c}
+%\subsection{crypto.c}
+%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/crypto.c}
\chapter{Demonstrator firmware symbol size map}
-- cgit
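Review bot: With every `\inputminted` line in this hunk commented out, the only visible reason for the `pdflatex -shell-escape` invocation kept in the Makefile's `%.pdf` recipe is gone; `-shell-escape` lets the TeX source run arbitrary shell commands during a build, so if no other minted input remains in the document the flag (and `\usepackage{minted}`) should be dropped rather than left enabled for a document whose sources are published for others to build. Whether minted is still used elsewhere is not visible in this patch, so this needs checking against the full preamble before the flag is removed.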