From a4813caa8dd1bbda7b6a3bcc72bd715c67aa54f9 Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 19 May 2020 19:32:33 +0200 Subject: MA: Add standardization themes blurb --- ma/safety_reset.bib | 39 +++++++++++++++ ma/safety_reset.tex | 142 +++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 147 insertions(+), 34 deletions(-) diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index 5d14c28..5e11a0e 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -1325,4 +1325,43 @@ urldate = {2020-05-18}, } +@Misc{abdallah01, + author = {Asmaa Abdallah}, + editor = {Xuemin Shen}, + title = {Security and Privacy in Smart Grid}, + url = {http://dx.doi.org/10.1007/978-3-319-93677-2}, + address = {Cham}, + isbn = {9783319936772}, + pagetotal = {1 Online-Ressource (XIV, 126 p. 30 illus., 23 illus. in color)}, + ppn_gvk = {1028034970}, + publisher = {Springer International Publishing}, + series = {SpringerBriefs in Electrical and Computer Engineering}, + year = {2018}, +} + +@InBook{kaplan01, + author = {Abraham Kaplan}, + booktitle = {The Conduct of Inquiry: Methodology for Behavioral Science}, + date = {1964}, + title = {The Law of the Instrument}, + isbn = {9781412836296}, + location = {San Francisco}, + pages = {28}, + publisher = {Chandler Publishing Co.}, + url = {https://books.google.com/books?id=OYe6fsXSP3IC&pg=PA28}, +} + +@Book{merz01, + author = {Hermann Merz and Thomas Hansemann and Christof Hübner}, + title = {Building automation}, + isbn = {9783540888284}, + pagetotal = {X, 282}, + publisher = {Springer}, + series = {Springer series on signals and communication technology}, + subtitle = {Communication systems with EIB/KNX, LON, and BACnet}, + address = {Berlin [u.a.]}, + ppn_gvk = {584030762}, + year = {2009}, +} + @Comment{jabref-meta: databaseType:biblatex;} diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 8aa31bf..a5e5b63 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex 
@@ -463,13 +463,23 @@ transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr % FIXME \section{Regulatory frameworks around the world} -% FIXME + +Smart metering regulation varies from country to country as it is tightly coupled to the overall regulation of the +electrical grid. The standardization of the physical form factor and metrological parameters of a meter is usually +separate from the standardization of its \emph{smart} functionality. Most countries base the standard for their meters' +outwards-facing communication interface on a family of standards unified under the IEC as DLMS/COSEM. Employing this +base protocol ountry-specific standardization only covers which precise variant of it is spoken and what features are +supported. \subsection{International standards} % FIXME \subsection{The regulatory situation in selected countries} -% FIXME + +In this section we will give an overview of the situation in a number of countries. This list of countries is not +representative and notably does not include any developing countries and is geographically biased. We selected these +countries for illustration only and based our selection in a large part on the availability of information in a language +we read. We will conclude this section with a summarization of common themes. \subsubsection{Germany} 
@@ -559,13 +569,75 @@ meters are round devices that plug into a wall-mounted socket while IEC devices directly to the mains wiring through large screw terminals\cite{ifixit01}. \subsection{Common themes} -% FIXME - - -% FIXME overall thing: here or somewhere else mention the ongoing confusion of smart metering and smart home, e.g. -% sato01 -\section{Security in smart grids} +Researching the current situation around the world for the above sections we were able to distill some common themes. +First, smart metering is slowly advancing on a global scale and despite significant reservations from privacy-conscious +people and consumer advocates it seems it is here to stay. There are some notable exceptions of countries that have +decided to scale-back an ongoing rollout effort after subsequent analysis showed economical or other +issues\footnote{cf.\ the Netherlands and Germany}. + +\subsubsection{The introduction of smart metering} + +The smart meter rollout is largely driven by utility companies. Utility companies field a variety of arguments for the +rollout. The most prominent argument is a general increase in energy-efficiency along with a reduction of emissions. +This argument is based on the estimation that smart metering will increase private customers' awareness of their own +consumption and this will lead them to reduce their consumption. The second highly popular argument for smart metering +is that it is necessary for the widespread adoption of renewable energies. This argument again builds on the trend +towards \emph{green} energy to rationalize smart metering. Often it is formulated as an \emph{inevitability} instead of +a choice. + +Academic reception of smart metering is dyed with an almost unanimous enthusiasm. In particular smart meter +communication infrastructure has received a large amount of research +attention\cite{dzung01,gungor01,kabalci01,lloret01,mahmood01,yan01,anderson01}. 
Outside of human-computer interaction +claims that smart meters will reduce customer energy consumption have often been uncritically accepted. + +\subsubsection{Standardization and reality of smart devices} + +Regulators, utilities and academics meet in their enthusiasm on the issue of smart home integration of smart metering. A +feature of many setups is that the meter acts as the centerpiece of a modern, fully integrated smart +home\cite{aubel01,geelen01,bsi-tr-03109-1,abdallah01}. The smart meter serves as a communication hub between a new class +of grid-aware loads and the utility company's control center. Large (usually thermal) loads such as dishwashers, +refrigerators and air conditioners are forecasted to intelligently adapt their heating/cooling cycles to better match +the grid's supply. A frequent scenario is that in which the meter bills the customer using near-real time pricing, and +supplies large loads in the customer's household with this pricing information. These loads then intelligently schedule +their operation to minimize cost\cite{sato01}. At the time in the mid-2000nds when smart metering proposals were first +advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01}. Back then outside of +specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the time may have +seemed the obvious choice for a smart home communications hub. + +From today's perspective, this idea is obviously outdated. Smart \emph{things} now have found their way into many homes. +Only these things are directly interconnected through the internet--foregoing the home-area network (HAN) technologies +anticipated by the smart metering pioneers. The simple reason for this is that nowadays anyone has Wifi, and Wifi +transceivers have become inexpensive enough to disappear in the bill of materials (BOM) cost of a large home device such +as a washing machine. 
Smart meters are usually situated in the basement--physically far away from most of one's devices. +This makes connecting them to said devices awkward and connecting them via the local Wifi lends the question why the +smart devices should not simply use the internet in the first place. + +Connecting things to a smart meter through a local bus is academically appealing. It promises cost-savings from a +simpler physical layer (such as ZigBee instead of Wifi) and it neatly separates concerns into \emph{home infrastructure} +and the regular internet. Communication between smart meter and devices never leaves the house. This gives potential +additional tolerance to utility backend systems breaking. It also physically keeps communication inside the house, +bypassing the utility's eyes improving both customer privacy and agency. The presently popular model of a device as +simple as a light switch proxying its every action through a manufacturer's servers somewhere on the public internet is +in stark contrast to this scenario. Alas, the reason that this model is as popular is that in most cases it simply +works. Device manufacturers simply integrate one of many off-the-shelf Wifi modules. The resulting device will work +anywhere on earth\footnote{For some places channel assignments may have to be updated. This is a configuration-level +change and in some devices is done by the end-user during provisioning.}. A HAN-connected device would have several +variants with different modems for different standards. Some might work across countries, but some might not. And in +some countriese there might not even be a standard for smart grid HANs. + +Looking at the situation like this begs the question why this realization has not yet found its way into mainstream +acceptance by smart metering implementors. The customer-facing functionality promised through smart meters would be +simple to implement as part of a now-standard \emph{internet of things} application. 
An in-home display that shows +real-time energy consumption and cost statistics would simply be an android tablet fetching summarized data from the +utility's billing backend. Demand-side response by large loads would be as simple as an HTTP request with a token +identifying the customer's contract that returns the electricity price the meter is currently charging along with a +recommendation to switch on or off. It seems the smart home has already arrived while smart metering standardization is +still getting off the starting blocks. +% TODO is this too critical? Is maybe the modern smart home compatible with smart meters? Is maybe the local-only path +% of data, avoiding utility clouds a design feature? (may be true in DE, NL, probably not anywhere else) + +\section{Security in smart distribution grids} The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that are part of a large control system. This implies that all the same security concerns that apply to embedded systems in 
@@ -577,37 +649,39 @@ systems, and as such inherently hard to update. Also, the smart grid and its con implement\cite{blaze01} and adding a host of distributed systems problems on top\cite{lamport01}. Given that the electrical grid is a major piece of essential infrastructure in modern civilization, these problems -amount to significant issues in practice. Attacks on the electrical grid may have grave consequences\cite{lee01} all the -while the long maintenance cycles of various components make the system slow to adapt. Thus, components for the smart -grid need to be built to a much higher standard of security than most consumer devices to ensure they live up to -well-funded attackers even decades down the road. This requirement intensifies the challenges of embedded security and -distributed systems security among others that are inherent in any modern complex technological system. - -A point we will not consider in much depth is theft of electricity. A large part of the motivation of the introduction -of smart meters seems to be % TODO weak statement -to reduce the level of fraud by consumers. Academic papers tend to either focus on other benefits such as generation -efficiency gains through better forecasting or try to rationalize the funamentally anti-consumer nature of smart -metering with strenuous claims of ``enormous social benefits''\cite{mcdaniel01}. We will entirely focus on grid -stability and discard electricity theft in the context of this paper for two reasons: One, billing inaccuracies of -electricity companies are of very low urgency compared to grid stability, and the one is a precondition for the other. -Two, utility companies can already put strong bounds on the amount of theft by simply cross-refrencing meter readings -against trusted readings from upstream sections of the grid. 
This capability works even without smart meters and only -gains speed from smart meters, just as the old exploit of bypassing the meter with a section of wire can't be prevented -like this. - -Due to these bounds on its volume, electricity theft using smart meter hacking would not scale. Hackers would simply be -rooted up one by one with no damage to consumers and very limmited damage to utility companies. Damage in these -scenarios would be a far cry from the efficiency of an exponentially growing botnet. +amount to significant issues in practice. Attacks on the electrical grid may have grave +consequences\cite{anderson01,lee01} all the while the long maintenance cycles of various components make the system slow +to adapt. Thus, components for the smart grid need to be built to a much higher standard of security than most consumer +devices to ensure they live up to well-funded attackers even decades down the road. This requirement intensifies the +challenges of embedded security and distributed systems security among others that are inherent in any modern complex +technological system. The safety-critical nature of modern smart metering ecosystems in particular was quickly +recognized by security experts\cite{anderson01}. + +A point we will not consider in much depth is theft of electricity. An incentive for the introduction of smart metering +that is frequently cited in utility industry publications outside of a general public's view is the reduction of +electricity theft. Academic papers tend to either focus on other benefits such as generation efficiency gains through +better forecasting or try to rationalize the funamentally anti-consumer nature of smart metering with strenuous claims +of ``enormous social benefits''\cite{mcdaniel01}. Academics rarely point out the large economical incentive such +\emph{revenue protection} mechanisms provide\cite{anderson01}. + +This thesis will entirely focus on grid stability and discard electricity theft. 
For the attack scenarios we lay out +billing inaccuracies of utility companies are of very low urgency compared to grid stability. In fact stability is a +precondition for billing to happen. Additionally utility companies can already limit the volume of theft by +cross-refrencing meter readings against trusted readings from upstream sections of the grid. This capability works even +without smart meters and only gains speed from smart meters. A smart meter cannot prevent the customer from bypassing it +with a section of wire. Due to the limit on its volume, electricity theft using smart meter hacking would not scale. +Hackers would quickly be triangulated with no damage to consumers and limited damage to utility companies. \subsection{Smart grid components as embedded devices} A fundamental challenge in smart grid implementations is the central role smart electricity meters play. Smart meters are used both for highly-granular load measurement and (in some countries) load switching\cite{zheng01}. -Smart electricity meters are effectively consumer devices. They are built down to a certain price point that is -measured by the burden it puts on consumers and that is generally fixed by regulatory authorities. % FIXME cite -This requirement precludes some hardware features such as the use of a standard hardened software environment on a -high-powerded embedded system (such as a hypervirtualized embedded linux setup) that would both increase resilience -against attacks and simplify updates. Combined with the small market sizes in smart grid deployments +Smart electricity meters are effectively consumer devices. They are built down to a certain price point that is measured +by the burden it puts on consumers. The cost of a smart meter is ultimately limited by it being a major factor in the +economies of a smart meter rollout\cite{bmwi03}. 
Cost requirements preclude some hardware features such as the use of a +standard hardened software environment on a high-powerded embedded system (such as a hypervirtualized embedded linux +setup) that would both increase resilience against attacks and simplify updates. Combined with the small market sizes in +smart grid deployments \footnote{ Most vendors of smart electricity meters only serve a handful of markets. For the most part, smart meter development cost lies in the meter's software % TODO cite? -- cgit
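Review bot: In the ma/safety_reset.bib hunk (@@ -1325), abdallah01 is typed @Misc although it carries publisher, isbn, series and pagetotal, which are book fields; typing it @Book like merz01 would be consistent with the data. The three new entries also mix field conventions: kaplan01 uses date and location while abdallah01 and merz01 use year and address. Since the file is marked databaseType:biblatex, settling on date/location for all three would keep the database uniform.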
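Review bot: In the first ma/safety_reset.tex hunk (@@ -463), the last sentence of the new "Regulatory frameworks" paragraph has a dropped letter and reads as a run-on: "Employing this base protocol ountry-specific standardization only covers ...". Suggest "country-specific" and a comma after "protocol". The paragraph also leans on DLMS/COSEM as the common base while \subsection{International standards} directly below it is still only a % FIXME, so the reader gets no reference for the protocol family at this point; a \cite here or a short forward pointer would close that gap.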
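Review bot: In the "Common themes" hunk (@@ -559), the closing paragraph describes demand-side response as "an HTTP request with a token identifying the customer's contract" that returns a price "along with a recommendation to switch on or off", and presents this as the simple option without saying anything about how that response is authenticated or what happens when the utility backend is unavailable or compromised. That response is a switching signal for large loads, and the section that follows treats attacks on the grid as having grave consequences, so the paragraph should at least name this trade-off; the earlier paragraph already credits the local-bus model with tolerance to backend failure and the TODO comment at the end of the hunk raises the same doubt. Smaller points in the same hunk: "mid-2000nds", "countriese", "lends the question" (probably "raises the question"), "android" uncapitalized, and the footnote "cf.\ the Netherlands and Germany" has no citation.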
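Review bot: In the "Security in smart distribution grids" hunk (@@ -577), the rewritten theft paragraph loses its thread at "Due to the limit on its volume": the limit meant is the cross-referencing against upstream readings, but the sentence about bypassing the meter with a section of wire now sits in between, so "its" is ambiguous and the wire bypass reads as if it were covered by the limit. Suggest moving the bypass sentence to the end of the paragraph or stating explicitly that it is outside what cross-referencing can prevent. "Hackers would quickly be triangulated" also claims more than the mechanism described supports; cross-referencing narrows theft down to a grid section, and "quickly" is not backed by a citation. Carried-over typos in the added lines: "funamentally", "cross-refrencing", "high-powerded". Finally, \cite{bmwi03} replaces the old "% FIXME cite" and anderson01 is cited several times, but the .bib hunk in this patch adds only abdallah01, kaplan01 and merz01, so please confirm those keys already exist in safety_reset.bib.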