From c4420f81ef8c12783a41d0be3563af5ce51f187b Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 2 Jun 2020 12:06:06 +0200 Subject: ma: first batch of corrections --- ma/safety_reset.tex | 624 ++++++++++++++++++++++++++-------------------------- 1 file changed, 309 insertions(+), 315 deletions(-) diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 63edbac..7d99b2d 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -1,7 +1,7 @@ \documentclass[12pt,a4paper,notitlepage]{report} \usepackage[ngerman, english]{babel} \usepackage[utf8]{inputenc} -\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry} +\usepackage[a4paper, top=2cm, bottom=3.5cm, left=3cm, right=4cm]{geometry} \usepackage[T1]{fontenc} \usepackage[ backend=biber, 
@@ -118,22 +118,22 @@ \chapter{Introduction} %FIXME: sprinkle this section with citations. -Like in all fields of engineering there is an ongoing diffusion of information systems into industrial control systems -in the power grid. Automation of these control systems has been practised for the better part of a century already. -Until recently this automation was mostly limited to core components of the grid. Generators in power stations are -computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow -for fast failure recovery. Humans are still vital to these systems, but their tasks have shifted from pure operation to -engineering, maintenance and surveillance. - -A large-scale trend in power systems is the move from a model of centralized generation built around massive large-scale -fossil and nuclear power plants towards a more heterogenous model. In this new model large-scale fossil power plants -still serve a major role but two new factors come into play. One is the advance of renewable energies. The large-scale -use of wind and solar power in particular from a current standpoint seems unavoidable for our continued existence on -this planet. For the electrical grid however, these systems constitute a significant challenge. Fossil-fueled power -plants can be precisely controlled to match the expected energy consumption at any point in time. This tracking of -production and consumption is vital to the stability of the grid. Renewable energies such as wind and solar power do not -provide the same degree of controllability, and they introduce a large degree of uncertainty due to the -unpredictable way of the forces of nature. +In the power grid as in other engineered systems we can observe an ongoing diffusion of information systems into +industrial control systems. Automation of these control systems has been practised for the better part of a century +already. 
Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in +power stations are computer-controlled according to electromechanical and economic models. Switching in substations is +automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have +shifted from pure operation to engineering, maintenance and surveillance. + +With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation +built around massive large-scale fossil and nuclear power plants towards a more heterogenous model of smaller-scale +generators working together. In this new model large-scale fossil power plants still serve a major role but two new +factors come into play. One is the advance of renewable energies. The large-scale use of wind and solar power in +particular from a current standpoint seems unavoidable for our continued existence on this planet. For the electrical +grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and +quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the +grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they +introduce a large degree of uncertainty due to the unpredictable way of the forces of nature. Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation. In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid 
@@ -146,52 +146,51 @@ computerization of end-user energy metering. Despite the widespread use of indus electrical grid and the far-reaching diffusion of computers into people's everyday lifes the energy meter has long been one of the last remnants of an offline, analog time. Until the 2010s many households were still served through electromechanical Ferraris-style meters that have their origin in the late 19th -century\cite{borlase01,ukgov04,bnetza02}. - -Today under the umbrella term \emph{Smart Grid} the shift towards fully computerized, often networked meters has been -partially accomplished. The roll out of these \emph{Smart Meters} has not been very smooth overall with some countries -severely lagging behind other countries. As a safety-critical technology smart meter technology is usually standardized -on a per-country basis. This leads to an inhomogenous landscape with in some instances wildly incompatible systems. -Often vendors only serve a single country or have a separate model of their meter for each country. This complex -standardization landscape and market situation has led to a proliferation of highly complex, custom-coded -microcontroller firwmare. The complexity and scale of this often network-connected firmware makes for a ripe substrate -for bugs to surface. +century\cite{borlase01,ukgov04,bnetza02}. Today under the umbrella term \emph{Smart Metering} the shift towards fully +computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very +smooth overall with some countries severely lagging behind other countries. As a safety-critical technology smart +metering technology is usually standardized on a per-country basis. This leads to an inhomogenous landscape with in some +instances wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter for +each country. 
This complex standardization landscape and market situation has led to a proliferation of highly complex, +custom-coded microcontroller firwmare. The complexity and scale of this often network-connected firmware makes for a +ripe substrate for bugs to surface. A remotely exploitable flaw inside a smart meter's firmware\footnote{ There are several smart metering architectures that ascribe different roles to the component called \emph{smart - meter}. Coarsely divided into two camps these are systems where all metering and communication code resides within - one physical unit and systems where metering and communication are separated into two units, the \emph{smart meter} - and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in the USA, an example of - the latter is the one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the - entire system at the customer premises including both the meter and a potential gateway. -} could have consequences ranging from impaired billing -functionality to an existential threat to grid stability\cite{anderson01,anderson02}. A coördinated attack on meters in -a country where load switches are common could at worst cause widespread activation of grid safety systems by repeatedly -connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}. + meter}. Coarsely divided into two camps these are systems where all metering and communication functions resides + within one physical unit and systems where metering and communication functions are separated into two units called + the \emph{smart meter} and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in + the USA, an example of the latter is the setup in Germany. For clarity, in this introductory chapter we use + \emph{smart meter} to describe the entire system at the customer premises including both the meter and a potential + gateway. 
+} could have consequences ranging from impaired billing functionality to an existential threat to grid +stability\cite{anderson01,anderson02}. In a country where meters commonly include disconnect switches for purposes such +as prepaid tariffs a coördinated attack could at worst cause widespread activation of grid safety systems by repeatedly +connecting and disconnecting Megawatts of load capacity in just the wrong moments\cite{wu01}. Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization landscape makes a coördinated, comprehensive response unlikely. -In this thesis instead of lamenting the state of firmware security we introduce a pragmatic solution to the in our minds -likely scenario of a large-scale compromise of smart meter firmware. In our proposal the components of the smart meter -that are threatened by remote compromise are equipped with a physically separate \emph{safety reset controller} that -listens for a reset command transmitted through the electrical grid itself and on reception forcibly resets the smart -meter's entire firmware to a known-good state. Our safety reset controller receives commands through Direct Sequence -Spread Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium -smelter. After forward error correction and cryptographic verification it re-flashes the target application -microcontroller over the standard JTAG interface. +In this thesis instead of focusing on the very hard task of improving firmware security we introduce a pragmatic +solution to the in our minds likely scenario of a large-scale compromise of smart meter firmware. 
In our proposal the +components of the smart meter that are threatened by remote compromise are equipped with a physically separate +\emph{safety reset controller} that listens for a reset command transmitted through the electrical grid's frequency and +on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller +receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a +large controllable load such as an aluminium smelter. After forward error correction and cryptographic verification it +re-flashes the meter's main microcontroller over the standard JTAG interface. -In this thesis starting from a high-level architecture we have carried out extensive simulations of our proposal's +In this thesis, starting from a high-level architecture we have carried out extensive simulations of our proposal's performance under real-world conditions. Based on these simulations we implemented an end-to-end prototype of our -proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validate our -results and give an outline of further steps towards practical implementation. +proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validated +our results and we will conclude with an outline of further steps towards a practical implementation. \chapter{Fundamentals} \section{Structure and operation of the electrical grid} -Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic aspects of +Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic concepts of modern power grids. \subsection{Structure of the electrical grid} 
@@ -202,9 +201,9 @@ interconnected by long transmission lines. Mostly due to ohmic losses\footnote{ U_\text{drop} \cdot I = I^2 \cdot R$. Fixing power $P_\text{transmitted} [W] = U_\text{line} \cdot I$ this yields a dependency on line voltage $U_\text{line} [V]$ of $P_\text{loss} = \left(\frac{P_\text{transmitted}}{U_\text{line}}\right)^2 \cdot R$. Thus, ignoring other losses a $2\times$ increase - in transmission voltage halves current and cuts ohmic losses to a quarter. In practice the economics of this are - much more complicated due to the cost of better isolation for higher-voltage parts and the added factor of power - factor compensation. } + in transmission voltage halves current and cuts ohmic losses to a quarter. In practice the economics are much more + complicated due to the cost of better insulation for higher-voltage parts and the cost of power factor compensation. +} the efficiency of transmission of electricity through long transmission lines increases with the square of voltage\cite{crastan01,simon01}. % simon01: p. 425, 9.4.1.1, crastan p.55, 3.1 In practice economic considerations take into account a reduction of the considerable transmission losses (about 
@@ -213,8 +212,8 @@ and the cost increase for the increased volatage rating of components such as tr considerations have led to a hierarchical structure where large amounts of energy are transmitted over very long distances (up to thousands of kilometers) at very high voltages (upwards of \SI{200}{\kilo\volt}) and voltages get lower the closer one gets to end-customer premises. In Germany at the local level a substation will distribute -\SIrange{10}{30}{\kilo\volt} to large industrial consumers and streets with small transformer substations converting -this to the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}. +\SIrange{10}{30}{\kilo\volt} to large industrial consumers and small transformer substations which converting this to +the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}. \subsubsection{Transmission lines, bus bars and tie lines} 
@@ -223,61 +222,63 @@ parts of a substation are called \emph{bus bars}. Transmission lines that couple called \emph{tie lines}. A tie line often connects grid segments operated by two different operators e.g.\ across a country border. -\emph{Short} transmission lines can be approximated as a simple lumped-component -RLC\footnote{resistor-inductor-capacitor} circuit. In this case the effect of wave propagation along the line does not -have to be taken into consideration. In this lumped model the transmission line is represented by a circuit of one or -two inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long} +In mathematical analysis \emph{short} transmission lines can be approximated as a simple lumped-component +RLC\footnote{Resistor-inductor-capacitor.} circuit. In longer lines the effect of wave propagation along the line has to +be taken into consideration. In the lumped model the transmission line is represented by a circuit of one or two +inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long} transmission lines above \SI{50}{\kilo\meter} (cable) or \SI{250}{\kilo\meter} (overhead lines) this approximation breaks down and wave propagation along the line's length has to be taken into account. The resulting model is what RF -engineering calls a \emph{transmission line} and models the line's parasitics\footnote{stray capacitance, ohmic -resistance and stray inductance} as being uniformly distributed along the length of the line. To approximate this model -in lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This -complex structure makes modelling more difficult in comparison to short lines\cite{crastan01}. - -Almost all transmission lines used in the transmission and distribution grid use three-phase AC. 
Long-distance overland -lines are usually implemented as overhead lines due to their low cost and ease of maintenance. Underground cables are -much more expensive due to their isolation and are only used when overhead lines cannot be used for e.g.\ safety or -aesthetic reasons. In some specialized applications such as long, high-power undersea cables high-voltage DC (HVDC) is -used. In HVDC converter stations at both ends of the line convert between three-phase AC and the line's DC voltage. -These converter stations are controlled electronically and do not exhibit any of the electromechanical effects -generators in a power plant do. Since HVDC re-synthesizes three-phase AC from DC at the receiving end of the line it can -be used to couple non-synchronous grids. This also allows for additional degrees of control over the transmission of -power compared to a regular transmission line. These technical benefits are offset by the high initial cost (mostly due -to the converter stations) leading to HVDC being used in specific situations only\cite{crastan03}. +engineering calls a transmission line and models the line's parasitics\footnote{Stray capacitance, ohmic resistance and +stray inductance.} as being uniformly distributed along the length of the line. To approximate this model in +lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This complex +structure makes simulation and analysis more difficult in comparison to short lines\cite{crastan01}. + +Almost all transmission lines used in the transmission and distribution grid use three-phase alternating current (AC). +Long-distance overland lines are usually implemented as overhead lines due to their low cost and ease of maintenance. +Underground cables are much more expensive because of their insulation and are only used when overhead lines cannot be +used for reasons such as safety or aesthetics. 
In specialized applications such as long, high-power undersea cables +high-voltage DC (HVDC) is used. In HVDC converter stations at both ends of the line convert between three-phase AC and +the line's DC voltage. These converter stations are controlled electronically and do not exhibit any of the mechanical +inertia that is characteristic for rotating generators in a power plant. Since HVDC re-synthesizes three-phase AC from +DC at the receiving end of the line it can be used to couple non-synchronous grids. This allows for additional degrees +of control over the transmission of power compared to a regular transmission line. These technical benefits are offset +by high initial cost (mostly due to the converter stations) leading to HVDC being used in specific situations +only\cite{crastan03}. \subsubsection{Generators} -Traditionally all generators in the power grid were synchronous machines. A synchronous machine is a generator that is -wound and connected in such a way that during normal operation its rotation is synchonous with the grid frequency. Grid -frequency and generator rotation speed are bidirectionally electromechanically coupled. If a generator would lag behind -the grid it would receive electrical energy from the grid and convert it into mechanical energy, acting as a motor. -Small deviations between rotational speed and grid frequency will be absorbed by the electromechanical coupling between -both. All generators connected to the grid operate synchronously. Maintaining this synchronization over time is the task -of complex control systems within each power station\cite{simon01,crastan01}. +Traditionally all generators in the power grid were synchronous machines. A synchronous machine is a generator whose +copper coils are wound and connected in such a way that during normal operation its rotation is synchonous with the grid +frequency. Grid frequency and generator rotation speed are bidirectionally electromechanically coupled. 
If a generator's +angle of rotation would lag behind the grid it would receive electrical energy from the grid and convert it into +mechanical energy, acting as a motor--When the machine leads it acts as a generator and is braked. Small deviations +between rotational speed and grid frequency will be absorbed by the electromechanical coupling between both. Maintaining +optimal synchronization over time is the task of complex control systems inside power stations' speed +governors\cite{simon01,crastan01}. Nowadays besides traditional rotating generators the grid also contains a large amount of electronically controlled inverters. These inverters are used in photovoltaic installations and other setups where either DC or non-synchronous AC -is to be fed into the grid. Setups like this behave differently to rotating generators. In particular \emph{inertia} in -these setups is either absent or a software parameter potentially reducing their overload capacity compared to rotating -generators. The fundamentally different nature of electronically controlled inverters has to be taken into account in -planning and regulation\cite{crastan03}. +is to be fed into the grid. Setups like these behave differently to rotating generators. In particular \emph{inertia} in +these setups is either absent or a software parameter. This potentially reduces their overload capacity compared to +rotating generators. The fundamentally different nature of electronically controlled inverters has to be taken into +account in planning and regulation\cite{crastan03}. \subsubsection{Switchgear} In the electrical grid switches perform various roles. The ones a computer scientist would recognize are used for routing electricity between transmission lines and transformers and can be classified into ones that can be switched under load (called load switches) and ones that can not (called disconnectors). The latter are used to ensure parts of -the network are free from voltage. 
The former are used to re-route flows of electrical currents. A major difference in -their construction is that in contrast to disconnectors load switches have built-in components that extinguish the -high-power arc discharge that forms when the circuit is interrupted under load\footnote{ +the network are free from voltage e.g.\ during maintenance. The former are used to re-route flows of electrical +currents. A major difference in their construction is that in contrast to disconnectors load switches have built-in +components that extinguish the high-power arc discharge that forms when the circuit is interrupted under load\footnote{ While an arc discharge is considered a fault condition in most low-voltage systems including computers, in energy systems it is often part of normal operation. -}. Beyond this there are circuit breakers. Circuit breakers are safety devices that can still switch even under failure -conditions at several times the circuit's nominal current. They are activated automatically on conditions such as -overcurrent or overvoltage. Fuses can be considered non-resettable switches. The fuse in a computer power supply is -barely more than a glass tube with some wire in it that is designed to melt at the designated current. In energy systems -fuses are often much more complex devices that in some cases even utilize explosivese to quickly and decisively open the -circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon01}. +}. Beyond this there are circuit breakers. Circuit breakers are safety devices that even under failure conditions can +still switch at several times the circuit's nominal current. They are activated automatically on conditions such as +overcurrent or overvoltage. Finally, fuses can be considered non-resettable switches. The fuse in a computer power +supply is barely more than a glass tube with some wire in it that is designed to melt at the designated current. 
In +energy systems fuses are often much more complex devices that in some cases utilize explosives to quickly and decisively +open the circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon01}. % disconnect switches, fuses, breakers -> crastan 1 (ch. 8) \subsubsection{Transformers} 
@@ -285,14 +286,15 @@ circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon Along with transmission lines transformers are one of the main components most people will be thinking of when talking about the electrical grid. Transformers connect grid segments at different voltage levels with one another. In the distribution grid transformers are used to provide standard end-user voltage levels to the customer (e.g. 230/400V in -Europe) from a \SIrange{10}{25}{\kilo\volt} feeder. Transformers can also be used to convert between buses without a -fourth neutral conductor and buses with one. +Europe) from a \SIrange{10}{25}{\kilo\volt} feeder. In places that use overhead wiring to connect customer households +this is the role of the pole-mounted gray devices the size of a small refrigerator that are characteristic for these +systems. Transformers can also be used to convert between buses without a fourth neutral conductor and buses with one. Transformers are large and heavy devices consisting of thick copper wire or copper foil windings arranged around a core made from thin stacked, insulated iron sheets. The entire core sits within a large metal enclosure that is filled with -liquid (usually a specialized oil) for both cooling and electrical insulation. This cooling liquid is cooled by means -such as radiator fins on the transformer enclosure itself or an external radiator. Depending on the design cooling may -rely on natural convection within the cooling liquid or on electrical pumps\cite{crastan01,simon01}. +liquid (usually a specialized oil) for both cooling and electrical insulation. This cooling liquid is cooled by radiator +fins on the transformer enclosure itself or an external heat exchanger. Depending on the design cooling may rely on +natural convection within the cooling liquid or on electrical pumps\cite{crastan01,simon01}. Transformers come in a large variety of coil and wiring configurations. 
There exist autotransformers where the secondary is part of the primary (or vice-versa) that are used to translate between voltage levels without galvanic isolation at @@ -313,11 +315,11 @@ substations\cite{crastan01}. Chokes are large inductors. In power grid applications their construction is similar to the construction of a transformer with the exception that they only have a single winding on the core. They are used for a variety of purposes. A frequent use is as a series inductor on one of the phases or the neutral connection to limit transient fault -currents. In addition to use as simple series inductances for current limiting inductors are also used to tune LC -circuits. One such use are Petersen coils, large inductors in series with the earth connection at a transformer's star -point are used to quickly extinguish arcs between phase and ground on a transmission line. The Petersen coil forms a -parrallel LC resonant circuit with the transmission line's earth capacitance. Tuning this circuit through adjusting the -petersen coil reduces earth fault current to levels low enough to quickly extinguish the arc\cite{simon01}. +currents. In addition to this inductors are also used to tune LC circuits. One such use are Petersen coils, large +inductors in series with the earth connection at a transformer's star point that are used to quickly extinguish arcs +between phase and ground on a transmission line. The Petersen coil forms a parrallel LC resonant circuit with the +transmission line's earth capacitance. Tuning this circuit through adjusting the petersen coil reduces earth fault +current to a level low enough to quickly extinguish the arc\cite{simon01}. \subsubsection{Power factor correction} 
@@ -330,56 +332,53 @@ the current at time $t$ is linear in voltage at constant factor $\frac{1}{R}$. In contrast to this idealized scenario reality provides us with two common issues: One, the load may be reactive. This means its current waveform is an ideal sinusoid, but there is a phase difference between mains voltage and load current -like so: $I(t) = \frac{V(t)}{R} = \frac{1}{\left|Z\right|} V_\text{pk} \sin\paren{\omega_\text{nom} t + \varphi}$ $Z$ -would be the load's complex impedance combining inductive, capacitive and resistive components and $\varphi$ the phase -difference between the resulting current waveform and the mains voltage waveform. A common case of such loads are motors -and the inductive ballasts in old fluorescent lighting fixtures. +like so: $I(t) = \frac{V(t)}{R} = \frac{1}{\left|Z\right|} V_\text{pk} \sin\paren{\omega_\text{nom} t + \varphi}$. $Z$ +is the load's complex impedance combining inductive, capacitive and resistive components and $\varphi$ is the phase +difference between the resulting current waveform and the mains voltage waveform. Examples of such loads are motors and +the inductive ballasts in old fluorescent lighting fixtures. -The second potential issue are loads with non-sinusoidal current waveform. There are many classes of these but the most -common one are switching-mode power supplies. Most SMPS for modern electronic devices have an input stage consisting of -a bridge rectifier followed by a capacitor that provide high-voltage DC power to the following switch-mode convert -circuit. This rectifier-capacitor input stage under normal load draws a high current only at the very peak of the input -voltage sinusoid and draws almost zero current for most of the period. +The second potential issue are loads with a non-sinusoidal current waveform. There are many classes of these but the +most common one are the switching-mode power supplies (SMPS) used in most modern electronic devicese.. 
Most SMPS have an +input stage consisting of a bridge rectifier followed by a capacitor that provide high-voltage DC power to the following +switch-mode convert circuit. This rectifier-capacitor input stage under normal load draws a high current only at the +very peak of the input voltage sinusoid and draws almost zero current for most of the period. These two cases are measured by \emph{displacement power factor} and \emph{distortion power factor} that when combined -yield the overall true power factor. The power factor is a key quantity in the design and operation of the power grid -since a high power factor (close to $1.0$ or an in-phase sinusoidal current waveform) yields lowest transmission and -generation losses. - -Reactive power (also referred to as \emph{VAR} after its is unit Volt-Ampère Reactive) an important variable in the -operation of electrical grids (see sec.\ \ref{frequency_estimation}). If reactive power generation and consumption are -mismatched and power factor is low, high currents develop that lead to high transmission losses. For this reason grids -include circuits to compensate reactive power imbalances\cite{crastan01}. These circuits can be as simple as inductors -or capacitors connected to a power line but often can be switched to adapt to changing load conditions. Static Var -compensators are particularly fast-acting reactive power compensation devices whose purpose is to maintain bus -voltage\cite{rogers01}. +yield the overall true power factor. The power factor is a key quantity in the design and operation of the power grid. +As a variable in the operation of electrical grids it is also referred to as \emph{VAR} after its is unit Volt-Ampère +Reactive. A high power factor (close to $1.0$, i.e.\ an in-phase sinusoidal current waveform) yields lowest +transmission and generation losses. If reactive power generation and consumption are mismatched and power factor is +low, high currents develop that lead to high transmission losses. 
For this reason grids include circuits to compensate +reactive power imbalances\cite{crastan01}. These circuits can be as simple as inductors or capacitors connected to a +power line but often can be switched to adapt to changing load conditions. Static var compensators are particularly +fast-acting reactive power compensation devices whose purpose is to maintain a constant bus voltage\cite{rogers01}. \subsubsection{Loads} Lastly, there is the loads that the electrical grid serves. Loads range from mains-powered indicator lights in devices such as light switches or power strips weighing in at mere milliwatts to large smelters in industrial metal production -that can consume a good fraction of a gigawatt all on their own. +that can consume a fraction of a gigawatt all on their own. \subsection{Operational concerns} \subsubsection{Modelling the electrical grid} Modelling performs an important role in the engineering of a reliable power infrastructure. The grid is a complex, -highly dynamic system. To maintain operational parameters such as voltage in various parts of the grid, grid frequency -and currents inside their specified ranges complex control systems are necessary. To design and parametrize such control -systems simulations are a valuable tool. Using model calculations the effects of control systems on operational -variables such as transmission efficiency or generation losses can be estimated. Model simulations can be used to -identify structural issues such as potential points of congestion. The same models can then be used to engineer -solutions to such issues, e.g.\ by simulating the effect of a new transmission line. +highly dynamic system. To maintain operational parameters such as voltage, grid frequency and currents inside their +specified ranges complex control systems are necessary. To design and parametrize such control systems simulations are a +valuable tool. 
Using model calculations the effects of control systems on operational variables such as transmission +efficiency or generation losses can be estimated. Model simulations can be used to identify structural issues such as +potential points of congestion. The same models can then be used to engineer solutions to such issues, e.g.\ by +simulating the effect of a new transmission line. There are several aspects under which the grid or parts of the grid can be simulated. There are static analysis methods -such as modal analysis that yield information on electromechanical oscillations by computing the eigenvalues of a -large system of differential equations describing the collective behavior of all components of the grid. Modal analysis -is one example of simulations used in grid planning. Using modal analysis likely oscillatory modes can be identified and -ultimately these results can inform a decision to install additional stabilization systems in a particular location. -In contrast to static analysis, transient simulations calculate an approximation of the time-domain behavior of some -variable of interest under a given model. Transient simulations are used e.g.\ in the design of control systems. -Power flow equations describe the flow of electrical energy throughout the network from generator to load. Numerical -solutions these equations are used to optimize control parameters to increase overall efficiency. +such as modal analysis that yield information on problematic electromechanical oscillations by computing the eigenvalues +of a large system of differential equations describing the collective behavior of all components of the grid. Modal +analysis is one example of simulations used in grid planning. Modal analysis is used in decisions to install additional +stabilization systems in a particular location. In contrast to static analysis, transient simulations calculate an +approximation of the time-domain behavior of some variable of interest under a given model. 
Transient simulations are +used e.g.\ in the design of control systems. Finally, power flow equations describe the flow of electrical energy +throughout the network from generator to load. Numerical solutions these equations are used to optimize control +parameters to increase overall efficiency. % TODO decide what of this to keep. % \subsubsection{Generator controls} 
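Review bot: the rewritten power-factor paragraph in this hunk misattributes the unit VAR. The new line `+As a variable in the operation of electrical grids it is also referred to as \emph{VAR} after its is unit Volt-Ampère` attaches VAR to the power factor, which is a dimensionless ratio, whereas the removed text correctly attached it to reactive power. Suggest restoring a sentence such as `Reactive power (also referred to as \emph{VAR} after its unit Volt-Ampère Reactive) is an important variable in the operation of electrical grids` directly before the sentence on mismatched reactive power generation and consumption; this also removes the surviving typo "its is unit". Two smaller points in the same hunk: the context line "switch-mode convert circuit" should read "converter circuit", and "Numerical solutions these equations" in the rewritten simulation paragraph is still missing "of".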
@@ -389,96 +388,100 @@ solutions these equations are used to optimize control parameters to increase ov \section{Smart meter technology} -Smart meters were a concept pushed by utility companies throughout the 00's. Smart metering is one component of the +Smart meters were a concept pushed by utility companies throughout the early 21st century. Smart metering is one component of the larger societal shift towards digitally interconnected technology. Old analog meters required that service pesonnel physically come to read the meter. \emph{Smart} meters automatically transmit their readings through modern technologies. Utility companies were very interested in this move not only because of the cost savings for meter reading -personnel. Beyond this, an always-connected meter allows several entirely new use cases that have not been possible -before. One often-cited one is utilizing the new high-resolution load data to improve load forecasting to allow for -greater generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no -longer fixed over time but adapts to market conditions. Models such as prepayment electricity plans where the customer -is automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be +personnel: An always-connected meter also allows several entirely new use cases that have not been possible before. One +often-cited one is utilizing the new high-resolution load data to improve load forecasting to allow for greater +generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no longer fixed +over time but adapts to market conditions. Models such as prepayment electricity plans where the customer is +automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be controlled and monitored remotely\cite{anderson02}. 
A remotely controllable load switch can also be used to coerce customers in situations where that was not previously economically possible\footnote{ The swiss association of electrical utility companies in sec.\ 7.2 par.\ (2)a of their 2010 whitepaper on the introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some time after publication, but the internet archive has a copy. -}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household\cite{stuber01}. +}. Figure \ref{fig_smgw_schema} shows a schema of a smart metering installation in a typical household\cite{stuber01}. \begin{figure} \centering \includegraphics{resources/smgw_usage_scenario} - \caption{A typical usage scenario of a smart metering system in a typical home.} + \caption{A typical usage scenario of a smart metering system in a typical home. This diagram shows a gateway + connected to multiple smart meters through its local metrological network (LMN) and a multitude of devices on the + customer's home area network (HAN). A solar inverter and an electric car are connected through a controllable local + systems (CLS) adaptor.} \label{fig_smgw_schema} \end{figure} To the customer the utility of a smart meter is largely limited to the convenience of being able to read it without -going to the basement. In the long term it is said that there will be second-order savings to the customer since +going to their basement. In the long term it is said that there will be second-order savings to the customer since electricity prices adapting to the market situation along with this convenience will lead them to consume less electricity and to consume it in a way that is more amenable to utilities, both leading to reduced cost\cite{borlase01,bmwi03,anderson02}. 
Traditional Ferraris counters with their distinctive rotating aluminium disc are simple electromechanical devices. Since -it does not include any failure-prone semiconductors or other high technology a cheap Ferraris-style meter can easily -last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to develop -in the first place since they require the development and integration of large amounts of complex, custom firwmare. Once -deployed, their lifetime is severely limited by this very complexity. Complex semiconductor devices tend to fail, and -firmware that needs to communicate with the outside world tends to not age well\cite{borkar01}. -This combination of higher unit cost and lower expected lifetime leads to grossly increased costs per household. This -cost is usually shared between utility and customer. +they do not include any semiconductors or other high technology that might be prone to failure a cheap Ferraris-style +meter can last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to +develop in the first place since they require the development and integration of large amounts of complex, custom +firwmare. Once deployed, their lifetime is limited by this complexity. Complex semiconductor devices tend to fail, and +firmware that needs to communicate with the outside world tends to not age well\cite{borkar01}. This combination of +higher unit cost and lower expected lifetime leads to increased costs per household. This cost is usually shared between +utility and customer. As part of its smart metering rollout the German government in 2013 had a study conducted on the economies of smart meter installations. This study came to the conclusion that for the majority of households computerizing an existing ferraris meter is uneconomical. 
For larger consumers or new installations the higher cost of installation over time is -offset by the resulting savings in electricity cost\cite{bmwi03}. - -\subsection{Human-Computer Interaction aspects of smart meter technology} - -A fundamental aspect in realizing the cost and energy savings promised by the smart metering revolution is that it -requires a paradigm shift in consumer interaction. Previously most consumers would only confront their energy use when -their monthly or yearly electricity bill arrived. All of the cost savings smart meters promise over traditional metering -infrastructure\footnote{ - We are excluding savings from Demand-Side Response (DSR) implemented through smart meters here: Traditional ripple - control systems already allowed for these, and due to the added cost of high-power relays many smart meters do not - include such features. -} critically depend on the consumer regularly interacting with the meter through an in-home display or app. We live in -an era where our attention is already highly contested. A myriad of apps and platforms compete for our attention through -our smart phones and other devices. Introducing an entirely new service into this already complex battleground is a large -endeavour. On the one hand it is not clear how this new service would compete with everything else. On the other hand if -it does manage to capture our attention and lead us to modify our behavior, what are the side effects? For instance, -does an in-home display increase financial anxiety in economically disadvantaged customers? +expected to be offset by the resulting savings in electricity cost\cite{bmwi03}. + +\subsection{Smart metering and Human-Computer Interaction} + +A fundamental aspect in realizing many of the cost and energy savings promised by the smart metering revolution is that +it requires a paradigm shift in consumer interaction. 
Previously most consumers would only confront their energy use +when they receive their monthly or yearly electricity bill. A large part of the cost savings smart meters promise over +traditional metering infrastructure\footnote{ We are excluding savings from Demand-Side Response (DSR) implemented +through smart meters here: Traditional ripple control systems already allowed for these\cite{dzung01}, and due to the +added cost of high-power relays many smart meters do not include such features. } critically depend on the consumer +regularly interacting with the meter through an in-home display or app, then changing their behavior. We live in an era +where our attention is already highly contested. A myriad of apps and platforms compete for our attention through our +smart phones and other devices. Introducing an entirely new service exerting cognitive pressure into this already +complex battleground is a large endeavour. On the one hand it is not clear how this new service would compete with +everything else. On the other hand if it does manage to capture our attention and lead us to modify our behavior, what +are the side effects? For instance an in-home display might increase financial anxiety in economically disadvantaged +customers. Human Computer Interaction research has touched the topic of smart metering several times and has many insights to offer for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. An issue pointed out in \cite{rodden01} is that at least in some countries consumers fundamentally distrust their utility companies. This trust issue is exacerbated by smart meters being unilaterally forced onto consumers by utility companies. Much of the success of smart metering's -ubiquitous promises of energy savings fundamentally depends on consumer coöperation. Here, the aforementioned trust -issue calls into question smart metering's chances of long-term success. +ubiquitous promises of energy savings depends on consumer coöperation. 
Here, the aforementioned trust issue calls into +question smart metering's chances of long-term success. -As \text{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research. +As \cite{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research. HCI research certainly would not have overlooked entire central issues such as privacy as it happened in the dutch case\cite{cuijpers01}. The current corporate-driven approach to a technological advance forced through national -standardization bears a serious risk of failing to meet its ostensible objectives for consumers. The role of consumers -and the complex sociotechnological environment posed by this new technology is seriously considered nowhere in the -standardization process. While certainly noone will admit to outright ignoring consumers in smart meter standardization -their role is largely limited to the occassional public consultation. At the same time the standards are written by -technologists--it seems largely without input on their practicality or socio-technological implications from fields such -as HCI. % TODO citation? too much burn? +standardization bears a risk of failing to meet its ostensible objectives for consumers. The role of consumers and the +complex sociotechnological environment posed by this new technology is not seriously considered in the standardization +process. While certainly no one will admit to outright ignoring consumers in smart meter standardization, their role is +largely limited to the occassional public consultation. At the same time the standards are written by technologists--it +seems largely without input on their practicality or socio-technological implications from fields such as HCI. +% TODO citation? too much burn? \subsection{Common components} \label{sm-cpu} -Smart meters usually are built around an off-the-shelf microcontroller. 
Some meters use specialized smart metering -SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in external -circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized SoCs -usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual -measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another -full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure, but it may be more -likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\ -proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these architectures there is a clear -line of functional demarcation between the metering SoC and the modem. As evidenced by over-the-air software update -functionality (see e.g.\ \cite{honeywell01}) this does not however extend to an actual security boundary. +Smart meters usually are built around an off-the-shelf microcontroller (microcontroller unit, MCU). Some meters use +specialized smart metering system-on-chips (SoCs)\cite{ifixit01} while others use standard microcontrollers with core +metering functions implemented in external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our +demonstration setup). Specialized SoCs usually contain a segment LCD driver along with some high-resolution +analog-to-digital converters for the actual measurement functions. In many smart meter designs the metering SoC is +connected to another full-featured SoC acting as the modem. 
At a casual glance this might seem to be a security measure, +but it is be more likely that this is done to ease integration of one metering platform with several different +communication stacks (e.g.\ proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these +architectures there is a clear line of functional demarcation between the metering SoC and the modem. As evidenced by +over-the-air software update functionality (see e.g.\ \cite{honeywell01}) this does not however extend to an actual +security boundary. Energy usage is calculated by measuring both voltage and current at high resolution and then integrating the measurements. Current measurements are usually made with either a current transformer or a shunt in a four-wire 
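Review bot: the rewritten sentence `+but it is be more likely that this is done to ease integration of one metering platform with several different` in the common-components paragraph has a stray verb; it should read "but it is more likely that this is done to ease integration". Several spelling issues survive the rewrite in this hunk: "firwmare" in the Ferraris-counter paragraph, "occassional" in the standardization paragraph, and "ferraris" is lower-case in the BMWi study paragraph while "Ferraris" is capitalized two sentences earlier; the context line "service pesonnel" is also misspelled, as is "swiss" in the footnote. Keeping the \cite{honeywell01} evidence next to the statement that the metering-SoC/modem split is a functional demarcation rather than a security boundary is the right call, since that is the security-relevant claim of the paragraph.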
@@ -490,29 +493,27 @@ as well as an indirect indication of power through a rotating wheel one of the s ability to calculate advanced statistics on energy use. These statistics are supposed to help customers better target energy conservation measures\cite{bmwi03}. -In addition to the pure measurement and data aggregation functions smart meters can perform additional functions. One is -to serve as a gateway between the utility company's control systems and large controllable loads in the consumer's -household for Demand-Side Management (DSM)\cite{borlase01}. In DSM the utility company can control when exactly a -high-power device such as a water storage heater is turned on. To the customer the precise timing does not matter since -the storage heater is set so that it has enough hot water in its reservoir at all times. The utility company however can -use this degree of control to reduce load variations during temporary imbalances such as peaks. The efficiency gains -realized with this system translate into lower electricity prices for DSM-enabled loads for the customer. Traditionally -DSM was realized on a local level using ripple control systems. In ripple control control data is coded by modulating a -carrier at a low frequency such as \SI{400}{\hertz} on top of the regular mains voltage. These systems require -high-power transmitters at tens of kilowatts and still can only bridge regional distances\cite{dzung01}. - -Another important additional function is that in some countries some smart meters can be used to remotely disconnect -consumer households with outstanding bills. Using euphemisms such as \emph{utility revenue protection}\cite{kamstrup01} -or \emph{reducing nontechnical losses}\cite{brown01} while cynically claiming \emph{Consumer -Empowerment}\cite{kamstrup01} these systems allow an utility company to remotely disconnect a customer at any time. 
-Whereas before smart metering this required either additional hardware or an expensive site visit by a qualified -technician smart meters have ushered in an era of frictionless control\footnote{ - Note that in some countries such as the UK non-networked mechanical prepayment meters did exist. In such systems the - user inserts coins into a coin slot that activates a load switch at the household's main electricity connection. - These systems were non-networked and did not allow for remote control. A disadvantage of such systems compared to - modern \emph{smart} systems are the high cost of the coin acceptor and the overhead of site visits required to empty - the coin box\cite{anderson02}. -}. +Smart meters can perform additional functions in addition to pure measurement and data aggregation. One is to serve as a +gateway between the utility company's control systems and large controllable loads in the consumer's household for +Demand-Side Management (DSM)\cite{borlase01}. In DSM the utility company can control when exactly a high-power device +such as a water storage heater is switched on. To the customer the precise timing does not matter since the storage +heater is set so that it has enough hot water in its reservoir at all times. The utility company however can use this +degree of control to reduce load variations during peak times. The efficiency gains realized with this system translate +into lower electricity prices for DSM-enabled loads for the customer. Traditionally DSM was realized on a local level +using ripple control systems. In ripple control control data is coded by modulating a carrier at a low frequency such as +\SI{400}{\hertz} on top of the regular mains voltage. These systems require high-power transmitters at tens of kilowatts +and still can only bridge regional distances\cite{dzung01}. + +Another important additional function is that some smart meters can be used to remotely disconnect consumer households +with outstanding bills. 
Using euphemisms such as \emph{utility revenue protection}\cite{kamstrup01} or \emph{reducing +nontechnical losses}\cite{brown01} while cynically claiming \emph{Consumer Empowerment}\cite{kamstrup01} these systems +allow an utility company to remotely disconnect a customer at any time\cite{anderson01}. Whereas before smart metering +this required either additional hardware or an expensive site visit by a qualified technician smart meters have ushered +in an era of frictionless control\footnote{ Note that in some countries such as the UK non-networked mechanical +prepayment meters did exist. In such systems the user inserts coins into a coin slot that activates a load switch at the +household's main electricity connection. These systems were non-networked and did not allow for remote control. A +disadvantage of such systems compared to modern \emph{smart} systems are the high cost of the coin acceptor and the +overhead of site visits required to empty the coin box\cite{anderson02}. }. \subsection{Cryptographic coprocessors} 
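Review bot: `+Smart meters can perform additional functions in addition to pure measurement and data aggregation.` opens the DSM paragraph with a redundancy ("additional ... in addition"); suggest `Beyond pure measurement and data aggregation, smart meters can perform additional functions.` Two grammar issues are carried over from the removed text: "In ripple control control data is coded" needs a comma after the first "control" (or rephrase as "In ripple control, the control data is encoded"), and "allow an utility company" should be "allow a utility company". The added \cite{anderson01} on the remote-disconnect sentence is useful, as that sentence is the one making a claim about what these systems permit.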
@@ -521,11 +522,11 @@ design. Since in both types of meter cost depends on physical quantities being m customers can save cost in case they are able to falsify the meter's measurements without being detected\cite{anderson02}. For this reason both types of meters employ countermeasures against physical intrusion. Compared to high-risk devices such as card payment processing terminals or ATMs the tamper proofing used in smart meters -is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding front -and back plastic shells together or the use of security seals on the lid covering the input/output screw terminals. -Low-tech attacks using magnets to saturate the current transformer's ferrite cores are detected using hall -sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. German smart metering standards specify the use of a -smartcard-like security module to provide transport encryption and other cryptographic +is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding the +front and back plastic shells together or the use of security seals on the lid covering the input and output screw +terminals. The common low-tech attack of using magnets to saturate the current transformer's ferrite cores is detected +using hall sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. German smart metering standards specify the +use of a smartcard-like security module to provide transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}. During our literature review we did not find many references to similar requirements in other national standards, though this does not mean that individual manufacturers do not use smartcards for engineering reasons or due to pressure from utilities. The limited documentation on meter internals that we did find 
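Review bot: `+using hall sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}.` should read "Hall sensors": the effect is an eponym (Edwin Hall), and the document capitalizes comparable names such as "Ferraris". Otherwise the tightened wording ("The common low-tech attack of using magnets ... is detected") reads well, and the contrast with card payment terminals and ATMs is the right framing, since the statement that meter tamper proofing is only basic is what the later attack analysis builds on.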
@@ -543,10 +544,10 @@ wired into the house or apartment's electrical connection. Modern smart meters are usually made with plastic cases. Ferraris meters often used cases stamped from sheet metal with glass windows on them. Smart meters now look much more like other modern electronic devices. A common construction style -is to separate the case in a front and back half with both halves clipped or ultrasonically welded together. Ultrasonic -welding gives a robust, airtight interface. This interface cannot easily be separated and re-connected without leaving -visible traces, which helps with tamper evidence properties. As an industry-standard process common in various consumer -goods ultrasonic welding is a cheap and accessible technology\cite{easymeter01,ifixit01}. +is to separate the case into front and back halves with both clipped or ultrasonically welded together. Ultrasonic +welding gives a robust, airtight interface that cannot easily be separated and re-connected without leaving visible +traces, which helps with tamper evidence properties. As an industry-standard process common in various consumer goods +ultrasonic welding is a cheap and accessible technology\cite{easymeter01,ifixit01}. Communication interfaces sometimes are brought out through regular electromechanical connectors but often also are optical interfaces. A popular style here is to use a regular UART connected to an LED/phototransistor optocoupler 
@@ -572,19 +573,19 @@ supported. The family of standards one encounters most in smart metering applications are IEC 62056 specifying the Device Language Message Specification (DLMS) and the Companion Specification for Electronic Metering (COSEM). DLMS/COSEM are -application-layer standards describing a request/response schema similar to e.g.\ HTTP. DLMS/COSEM are mapped onto a +application-layer standards describing a request/response schema similar to HTTP. DLMS/COSEM are mapped onto a multitude of wire protocols. They can be spoken over TCP/IP or mapped onto low-speed UART serial interfaces \cite{sato01,stuber01}. Besides DLMS/COSEM there are a multitude of standards usually specifying how DLMS/COSEM are to be applied. DLMS/COSEM show some amount of feature creep. They do not adhere to the age-old systems design adage that a tool should \emph{do one thing and do it well}. Instead they try to capture the convex hull of all possible applications. This led -to a complicated design that requires extensive additional specification and testing to maintain even basic -interoperability. In particular in the area of transport security it becomes evident that the IEC as an electrical -engineering standards body stretched their area of expertise and resorting to established standard protocols would have -improved the situation\cite{weith01}. Compared to industry-standard transport security the IEC standards provide -a simplistic key management framework based on a static shared key with unlimited lifetime and provide sub-optimal -transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}. +to a complicated design that requires extensive additional specification and testing to maintain interoperability. 
In +particular in the area of transport security it becomes evident that the IEC as an electrical engineering standards body +stretched their area of expertise where resorting to established standard protocols would have led to a better +outcome\cite{weith01}. Compared to industry-standard transport security the IEC standards provide a simplistic key +management framework based on a static shared key with unlimited lifetime and provide sub-optimal transport security +properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}. % TODO maybe expand this? \subsection{The regulatory situation in selected countries} @@ -592,7 +593,7 @@ transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sat In this section we will give an overview of the situation in a number of countries. This list of countries is not representative and notably does not include any developing countries and is geographically biased. We selected these countries for illustration only and based our selection in a large part on the availability of information in a language -we read. We will conclude this section with a summarization of common themes. +we can read. We will conclude this section with a summarization of common themes. \subsubsection{Germany} 
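Review bot: the rewritten sentence `+stretched their area of expertise where resorting to established standard protocols would have led to a better` in the DLMS/COSEM transport-security paragraph is grammatically tangled ("stretched ... where resorting ... would have led"); suggest splitting it: `the IEC as an electrical engineering standards body stretched beyond their area of expertise; resorting to established standard protocols would have led to a better outcome\cite{weith01}.` The substantive claim that follows, a static shared key with unlimited lifetime and no forward secrecy, is the part a security reader will look for, and it is correctly kept together with its \cite{khurana01,sato01}.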
@@ -604,33 +605,33 @@ major renovations but does not require most legacy residential installations to customers\cite{bmwi03,bmwi1,bmwe01,brown01}. The German standards strictly separate between metering and communication functions. Both are split into separate -devices, the \emph{meter} and the \emph{gateway} (called emph{smart meter gateway} in full and often abbreviated -emph{SMGW}). One or several meters connect to a gateway through a COSEM-derived protocol. The communication interface +devices, the \emph{meter} and the \emph{gateway} (called \emph{smart meter gateway} in full and often abbreviated +\emph{SMGW}). One or several meters connect to a gateway through a COSEM-derived protocol. The communication interface between meter and gateway can optionally be physically unidirectional. An unidirectional interface eliminates any possibility of meter firmware compromise. The gateway contains a cryptographic security module similar to a smartcard\cite{mahlknecht01} that is entrusted with signing of measurements and maintaining an authenticated and encrypted communication channel with its authorities. Security of the system is certified according to a Common Criteria process. -The German specification does not include any support for load switches outside of demand-side management as they are -common in some other countries. It does not prohibit the installation of one behind the smart meter installation. This -makes it theoretically possible for a utility company to still install a load switch to disconnect a customer, but this -would be a spearate installation from the smart meter. In Germany there are significant barriers that have to be met -before a utility company may cut power to a household\cite{delaw01}. The elision of a load switch means attacks on -German meters will be limited in influence to billing irregularities and attacks using DSM equipment. 
+The German specification does not include any support for load switches as they are common in some other countries +outside of demand-side management. It only does not prohibit the installation of one behind the smart meter +installation. This makes it theoretically possible for a utility company to still install a load switch to disconnect a +customer, but this would be a spearate installation from the smart meter. In Germany there are significant barriers that +have to be met before a utility company may cut power to a household\cite{delaw01}. The elision of a load switch means +attacks on German meters will be limited in influence to billing irregularities and attacks using DSM equipment. % TODO elaborate DSM attacks vs. whole-household attacks in attacks section \subsubsection{The Netherlands} The Netherlands were early to take initiative to roll out smart metering after its recognition by the European Commission in 2006\cite{cuijpers01,ec04}. After overcoming political issuses the Netherlands were above the European -median in 2018 having replaced almost half of all meters\cite{cuijpers01,ec03}. Dutch smart meters are standardized by a -consortium of distribution system operators. They integrate gateway and metrology functions into one device. The -utility-facing interface is a IEC DLMS/COSEM-based interface over cellular radio such as GPRS or -LTE\cite{aubel01}. Like e.g.\ the German standard, the Dutch standard precisely specifies all communication -interfaces of the meter\cite{dsmrp3}. Another parallel is that the Dutch standard also does not cover any functionality -for remotely disconnecting a household. This absence of a load switch limits attacks on Dutch smart meters to causing -billing irregularities. +median in 2018, having replaced almost half of all meters\cite{cuijpers01,ec03}. Dutch smart meters are standardized by +a consortium of distribution system operators. They integrate gateway and metrology functions into one device. 
The +utility-facing interface is a IEC DLMS/COSEM-based interface over cellular radio such as GPRS or LTE\cite{aubel01}. Like +e.g.\ the German standard, the Dutch standard precisely specifies all communication interfaces of the +meter\cite{dsmrp3}. Another parallel is that the Dutch standard also does not cover any functionality for remotely +disconnecting a household. This absence of a load switch limits attacks on Dutch smart meters, too to causing billing +irregularities. \subsubsection{The UK} @@ -643,8 +644,8 @@ smart metering standard, as is remote firmware update functionality\cite{ukgov02 standards is performed through a gateway (there called \emph{communications hub}) that can be shared between several meters \cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one family of standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist -among the ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote -firmware update make it an interesting attack target. +option among the regulations in this section. The mandatory inclusion of both load switches and remote connectivity up +to remote firmware update make it an interesting attack target\cite{anderson01}. \subsubsection{Italy} 
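Review bot: in the German-regulation hunk, the moved clause in `+The German specification does not include any support for load switches as they are common in some other countries +outside of demand-side management.` now reads as if the other countries were outside demand-side management; the removed ordering (`load switches outside of demand-side management as they are common in some other countries`) was clearer, or use `does not include support for load switches other than those used for demand-side management, as they are common in some other countries`. The following `+It only does not prohibit the installation of one` should be "It merely does not prohibit", and "spearate" survives the rewrite. In the Netherlands paragraph, `+a IEC DLMS/COSEM-based interface` should be "an IEC", and `+disconnecting a household. This absence of a load switch limits attacks on Dutch smart meters, too to causing billing` needs the second comma ("limits attacks on Dutch smart meters, too, to causing billing irregularities") or could drop "too" in favour of "also limits". One caveat on a context line: "An unidirectional interface eliminates any possibility of meter firmware compromise" overstates the case; a one-way meter-to-gateway link removes the gateway as a path into the meter, but the meter's other interfaces (the optical interface described under common components) remain, so "eliminates the gateway as a path for meter firmware compromise" would be accurate, and it should be "A unidirectional" rather than "An".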
@@ -661,10 +662,11 @@ gateways\cite{gungor01}. Japan is currently rolling out smart metering infrastructure. Compared to other countries in Japan significant standardization effort has been spent on smart home integration\cite{usitc01,sato01,brown01}. Japan has domestic -standards (JIS) for metrology and physical dimensions. The TEPCO deployment currently being rolled out is based on the -IEC DLMS/COSEM standards suite for remote meter reading in conjuction with the Japanese ECHONET protocol for the -home-area network. Smart meters are connected to TEPCO's backend systems through the customer's internet connection, -sub-gigahertz radio based on 802.15.4 framing, regular landline internet or PLC\cite{toshiba01,sato01}. +standards under its Japanese Industrial Standards organization (JIS) that determine metrology and physical dimensions. +Tokyo utility company TEPCO is currently rolling out a deployment that is based on the IEC DLMS/COSEM standards suite +for remote meter reading in conjuction with the Japanese ECHONET home-area network protocol. Smart meters are +connected to TEPCO's backend systems through the customer's internet connection, sub-gigahertz radio based on 802.15.4 +framing, regular landline internet or PLC\cite{toshiba01,sato01}. A unique point in the Japanese utility metering landscape is that the current practice is monthly manual readings. In Japan residential utility meters are usually mounted outside the building on an exterior wall and every month someone 
@@ -675,18 +677,19 @@ consumption but does incur significant pesonnel overhead. % TODO decide on citat \subsubsection{The USA} In the USA the rollout of smart meters has been promoted by law as early as 2005. The US electricity market is highly -complex with states having significant authority to decide on their own policies\cite{brown01}. Different from the IEC -standards used in large fraction of the rest of the world, the USA have their own domestic set of standards for smart -meters developed by ANSI\cite{sato01}. The main difference between IEC and ANSI-standard meters is that ANSI-standard -meters are round devices that plug into a wall-mounted socket while IEC devices are usually rectangular and connected -directly to the mains wiring through large screw terminals\cite{ifixit01}. +complex with states having significant authority to decide on their own policies\cite{brown01}. Originally different +from the IEC standards used in large fraction of the rest of the world the USA developed their own domestic set of +standards for smart meters under the Americal National Standards Institute (ANSI)\cite{sato01}. Today ANSI is converging +with the IEC on the protcol layer. An obvious feature of ANSI-standard meters is that they are round and plug into a +wall-mounted socket while IEC devices are usually rectangular and connected directly to the mains wiring through large +screw terminals\cite{ifixit01}. \subsection{Common themes} Researching the current situation around the world for the above sections we were able to distill some common themes. First, smart metering is slowly advancing on a global scale and despite significant reservations from privacy-conscious -people and consumer advocates it seems it is here to stay. There are some notable exceptions of countries that have -decided to scale-back an ongoing rollout effort after subsequent analysis showed economical or other +people and consumer advocates it seems it is here to stay. 
Still, there are some notable exceptions of countries that +have decided to scale-back an ongoing rollout effort after subsequent analysis showed economical or other issues\footnote{cf.\ the Netherlands and Germany}. \subsubsection{The introduction of smart metering} @@ -696,8 +699,8 @@ rollout. The most prominent argument is a general increase in energy-efficiency This argument is based on the estimation that smart metering will increase private customers' awareness of their own consumption and this will lead them to reduce their consumption. The second highly popular argument for smart metering is that it is necessary for the widespread adoption of renewable energies. This argument again builds on the trend -towards \emph{green} energy to rationalize smart metering. Often it is formulated as an \emph{inevitability} instead of -a choice. +towards green energy to rationalize smart metering. Interestingly this argument is often formulated as an inevitability +instead of a choice. Academic reception of smart metering is dyed with an almost unanimous enthusiasm. In particular smart meter communication infrastructure has received a large amount of research 
@@ -707,46 +710,46 @@ interaction claims that smart meters will reduce customer energy consumption hav \subsubsection{Standardization and reality of smart devices} Regulators, utilities and academics meet in their enthusiasm on the issue of smart home integration of smart metering. A -feature of many setups is that the meter acts as the centerpiece of a modern, fully integrated smart +feature of many concepts is that the meter acts as the centerpiece of a modern, fully integrated smart home\cite{aubel01,geelen01,bsi-tr-03109-1,abdallah01}. The smart meter serves as a communication hub between a new class of grid-aware loads and the utility company's control center. Large (usually thermal) loads such as dishwashers, -refrigerators and air conditioners are forecasted to intelligently adapt their heating/cooling cycles to better match -the grid's supply. A frequent scenario is that in which the meter bills the customer using near-real time pricing, and +refrigerators and air conditioners are expected to intelligently adapt their heating/cooling cycles to better match +the grid's supply. A frequent scenario is one in which the meter bills the customer using near-real time pricing, and supplies large loads in the customer's household with this pricing information. These loads then intelligently schedule -their operation to minimize cost\cite{sato01}. At the time in the mid-2000nds when smart metering proposals were first -advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01,anderson02}. Back then -outside of specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the time -may have seemed the obvious choice for a smart home communications hub. +their operation to minimize cost\cite{sato01}. At the time between 2000 and 2005 when smart metering proposals were +first advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01,anderson02}. 
Back +then outside of specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the +time may have seemed to be the obvious choice for a smart home communications hub. From today's perspective, this idea is obviously outdated. Smart \emph{things} now have found their way into many homes. Only these things are directly interconnected through the internet--foregoing the home-area network (HAN) technologies -anticipated by the smart metering pioneers. The simple reason for this is that nowadays anyone has Wifi, and Wifi +anticipated by smart metering pioneers. The simple reason for this is that nowadays anyone has Wifi, and Wifi transceivers have become inexpensive enough to disappear in the bill of materials (BOM) cost of a large home device such as a washing machine. Smart meters are usually situated in the basement--physically far away from most of one's devices. This makes connecting them to said devices awkward and connecting them via the local Wifi lends the question why the -smart devices should not simply use the internet in the first place. +smart devices should not simply use the internet directly. Connecting things to a smart meter through a local bus is academically appealing. It promises cost-savings from a -simpler physical layer (such as ZigBee instead of Wifi) and it neatly separates concerns into \emph{home infrastructure} -and the regular internet. Communication between smart meter and devices never leaves the house. This gives potential -additional tolerance to utility backend systems breaking. It also physically keeps communication inside the house, -bypassing the utility's eyes improving both customer privacy and agency. The presently popular model of a device as -simple as a light switch proxying its every action through a manufacturer's servers somewhere on the public internet is -in stark contrast to this scenario. Alas, the reason that this model is as popular is that in most cases it simply -works. 
Device manufacturers simply integrate one of many off-the-shelf Wifi modules. The resulting device will work -anywhere on earth\footnote{For some places channel assignments may have to be updated. This is a configuration-level -change and in some devices is done by the end-user during provisioning.}. A HAN-connected device would have several -variants with different modems for different standards. Some might work across countries, but some might not. And in -some countriese there might not even be a standard for smart grid HANs. +simpler physical layer (such as ZigBee instead of Wifi) and it neatly separates concerns into home infrastructure and +the regular internet. Communication between smart meter and devices never leaves the house. This promises tolerance to +utility backend systems breaking. It also physically keeps communication inside the house, bypassing the utility's eyes +improving both customer privacy and agency. The presently popular model of a device as simple as a light bulb proxying +its every action through a manufacturer's servers somewhere on the public internet is in stark contrast to this +scenario. Alas, the reason that this model is as popular is that in most cases it simply works. Device manufacturers +integrate one of many off-the-shelf Wifi modules. The resulting device will work anywhere on earth\footnote{For some +places channel assignments may have to be updated. This is a configuration-level change and in some devices can be done +by the end-user during provisioning.}. A HAN-connected device would have several variants with different modems for +different standards. Some might work across countries, but some might not. And in some countries there might not even be +a standard for smart grid HANs. Looking at the situation like this begs the question why this realization has not yet found its way into mainstream acceptance by smart metering implementors. 
The customer-facing functionality promised through smart meters would be -simple to implement as part of a now-standard \emph{internet of things} application. An in-home display that shows -real-time energy consumption and cost statistics would simply be an android tablet fetching summarized data from the -utility's billing backend. Demand-side response by large loads would be as simple as an HTTP request with a token -identifying the customer's contract that returns the electricity price the meter is currently charging along with a -recommendation to switch on or off. It seems the smart home has already arrived while smart metering standardization is -still getting off the starting blocks\cite{anderson02}. +simple to implement as part of a now-standard \emph{Internet of Things} application. An in-home display that shows +real time energy consumption and cost statistics would simply be an Android tablet fetching summarized data from the +utility's billing backend. Custom hardware for this purposes seems anachronistic today. Demand-side response by large +loads would be as simple as an HTTPS request with a token identifying the customer's contract that returns the +electricity price the meter is currently charging along with a recommendation to switch on or off. It seems the smart +home has already arrived while smart metering is still getting off the starting blocks\cite{anderson02}. % TODO is this too critical? Is maybe the modern smart home compatible with smart meters? Is maybe the local-only path % of data, avoiding utility clouds a design feature? (may be true in DE, NL, probably not anywhere else) 
@@ -754,36 +757,27 @@ still getting off the starting blocks\cite{anderson02}. The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that are part of a large control system. This implies that all the same security concerns that apply to embedded systems in -general also apply to most components of a smart grid in some way. Where programmers have been struggling for decades -now with input validation\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as -well\cite{mo01, lee01}. Only, in smart grid we have two complicating factors present: Many components are embedded -systems, and as such inherently hard to update. Also, the smart grid and its control algorithms act as a large -(partially-)distributed system, making problems such as input validation or authentication difficult to -implement\cite{blaze01} and adding a host of distributed systems problems on top\cite{lamport01}. - -Given that the electrical grid is a major piece of essential infrastructure in modern civilization, these problems -amount to significant issues in practice. Attacks on the electrical grid may have grave -consequences\cite{anderson01,lee01} all the while the long maintenance cycles of various components make the system slow -to adapt. Thus, components for the smart grid need to be built to a much higher standard of security than most consumer -devices to ensure they live up to well-funded attackers even decades down the road. This requirement intensifies the -challenges of embedded security and distributed systems security among others that are inherent in any modern complex -technological system. The safety-critical nature of modern smart metering ecosystems in particular was quickly -recognized by security experts\cite{anderson01}. - -A point we will not consider in much depth is theft of electricity. 
An incentive for the introduction of smart metering -that is frequently cited in utility industry publications outside of a general public's view is the reduction of -electricity theft\cite{czechowski01}. Academic papers tend to either focus on other benefits such as generation -efficiency gains through better forecasting or try to rationalize the funamentally anti-consumer nature of smart -metering with strenuous claims of ``enormous social benefits''\cite{mcdaniel01}. Academics rarely point out the large -economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}. - -This thesis will entirely focus on grid stability and discard electricity theft. For the attack scenarios we lay out -billing inaccuracies of utility companies are of very low urgency compared to grid stability. In fact stability is a -precondition for billing to happen. Additionally utility companies can already limit the volume of theft by -cross-refrencing meter readings against trusted readings from upstream sections of the grid. This capability works even -without smart meters and only gains speed from smart meters. A smart meter cannot prevent the customer from bypassing it -with a section of wire. Due to the limit on its volume, electricity theft using smart meter hacking would not scale. -Hackers would quickly be triangulated with no damage to consumers and limited damage to utility companies. +general also apply to most components of a smart grid. Where programmers have been struggling for decades now with input +validation\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as well\cite{mo01, +lee01}. Only, in smart grid we have two complicating factors present: Many components are embedded systems, and as such +inherently hard to update. 
Also, the smart grid and its control algorithms act as a large (partially-)distributed +system making problems such as input validation or authentication harder\cite{blaze01} and adding a host of distributed +systems problems on top\cite{lamport01}. + +Given that the electrical grid is essential infrastructure in our modern civilization, these problems amount to +significant issues in practice. Attacks on the electrical grid may have grave consequences\cite{anderson01,lee01} while +the long maintenance cycles of various components make the system slow to adapt. Thus, components for the smart grid +need to be built to a much higher standard of security than most consumer devices to ensure they live up to well-funded +attackers even decades down the road. This requirement intensifies the challenges of embedded security and distributed +systems security among others that are inherent in any modern complex technological system. The safety-critical nature +of the modern smart metering ecosystem in particular was quickly recognized by security experts\cite{anderson01}. + +A point we will not consider in much depth in this work is theft of electricity. An incentive for the introduction of +smart metering that is frequently cited in utility industry publications outside of a general public's view is the +reduction of electricity theft\cite{czechowski01}. Academic publications tend to either focus on other benefits such as +generation efficiency gains through better forecasting or rationalize the consumer-unfriendly aspects of smart metering +with ``enormous social benefits''\cite{mcdaniel01}. They do not usually point out the economical incentive such +\emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}. \subsection{Privacy in the smart grid} -- cgit
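Review bot: the rewritten Germany/Netherlands hunk introduces one typo and leaves two grammar slips in lines it touches. In the added Germany sentence, "this would be a spearate installation from the smart meter" should read "separate", and "It only does not prohibit the installation of one" reads more naturally as "It merely does not prohibit". In the rewrapped Netherlands paragraph, "a IEC DLMS/COSEM-based interface" needs "an", and the new closing sentence "limits attacks on Dutch smart meters, too to causing billing irregularities" has its comma on the wrong side of "too"; either write "limits attacks on Dutch smart meters, too, to causing billing irregularities" or keep the original wording without "too". The unchanged context line "After overcoming political issuses" could be folded into this correction batch as "issues".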
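Review bot: the Japan hunk rewrites the TEPCO sentence but carries the typo "conjuction" over from the deleted line; since "in conjuction with the Japanese ECHONET home-area network protocol" is new text, make it "in conjunction with" here rather than leaving it for a later pass.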
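Review bot: the rewritten ANSI sentence in the USA hunk has two typos: "Americal National Standards Institute (ANSI)" should be "American National Standards Institute (ANSI)", and "converging with the IEC on the protcol layer" should be "protocol layer". In the same sentence "used in large fraction of the rest of the world" is missing an article ("in a large fraction of"), and the leading clause "Originally different from the IEC standards ... the USA developed" wants a comma after "world" so the reader can find where the main clause starts.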
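Review bot: in the smart-home hunk the new sentence "Custom hardware for this purposes seems anachronistic today." mixes singular and plural; it should be "for this purpose". Two smaller points in the same hunk: "bypassing the utility's eyes improving both customer privacy and agency" needs a comma before "improving", and the unchanged context line "connecting them via the local Wifi lends the question why" uses the wrong verb, where "raises the question" is meant; both fit a corrections batch like this one.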
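Review bot: the security hunk deletes the whole paragraph beginning "This thesis will entirely focus on grid stability and discard electricity theft" without a replacement, so the surviving sentence "A point we will not consider in much depth in this work is theft of electricity" now states a scoping decision with none of its justification (stability as a precondition for billing, cross-referencing against upstream readings, the limited scale of theft via meter manipulation). Either keep a condensed form of that argument or say where it has moved. Wording in the rewritten lines: "ensure they live up to well-funded attackers" should be "stand up to" ("live up to" means meeting an expectation), and "the economical incentive" should be "the economic incentive". Also the citation argument \cite{mo01, lee01} is now split across a line wrap; keeping a \cite key list on one line makes it easier to grep and harder to break when the paragraph is rewrapped again.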