From 683f37e06e7ed1ff04230dcab651d2ae97101b7a Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 12 May 2020 16:46:46 +0200 Subject: ma: add some intro blurb --- ma/safety_reset.bib | 162 ++++++++++++++++++++++++++-- ma/safety_reset.tex | 299 +++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 426 insertions(+), 35 deletions(-) (limited to 'ma') diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index b2358cd..129f4c7 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -830,16 +830,6 @@ year = {2016}, } -@Article{kabalci01, - author = {Yasin Kabalci}, - title = {A survey on smart metering and smart grid communication}, - doi = {10.1016/j.rser.2015.12.114}, - issn = {1364-0321}, - pages = {302-318}, - volume = {57}, - year = {2016}, -} - @Thesis{gasior02, author = {Gasior, Marek}, title = {{Improving frequency resolution of discrete spectra: algorithms of three-node interpolation}}, @@ -893,7 +883,7 @@ author = {Christian Egenhofer and Felice Simonelli and Andrea Renda and Antonella Zarra and William Schmitt and Aurélie Faure and Eleaonor Drabik and Vasileios Rizos and Thomas Hähl and Michèle Koper and Angelica Afanador and Marian Bons}, date = {2018}, institution = {European Commission, Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs}, - title = {Composition and Driversof Energy Prices and Costs:Case Studies in SelectedEnergy Intensive Industries – 2018}, + title = {Composition and Drivers of Energy Prices and Costs: Case Studies in SelectedEnergy Intensive Industries – 2018}, doi = {10.2873/937326}, url = {https://op.europa.eu/en/publication-detail/-/publication/424dac0a-ec77-11e8-b690-01aa75ed71a1/language-en}, } 
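Review bot: The corrected `title` of this report entry still contains a fused word pair, `SelectedEnergy`, so the repair of `Driversof` and `Costs:Case` is incomplete; the line should read `title = {Composition and Drivers of Energy Prices and Costs: Case Studies in Selected Energy Intensive Industries – 2018},`. The same kind of copy-paste artefact appears in entries added by the next hunk (`meteringdeployment` in `ec02`, `SmartEnergy` in `costanza01`, `smartmeter–related` in `geelen01`). In the unchanged `author` line of this entry, `Eleaonor Drabik` also looks misspelled and is worth checking against the report's title page.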
@@ -974,4 +964,154 @@
 urldate = {2020-05-06},
 }
 
+@Report{ec02,
+ author = {Frédéric Tounquet and Clément Alaton},
+ date = {2019},
+ institution = {European Commission, Directorate-General for Energy, Directorate B - Internal Energy Market},
+ title = {Benchmarking smart meteringdeployment in the EU-28},
+ type = {resreport},
+}
+
+@WWW{destatis01,
+ editor = {Statistisches Bundesamt DeStatis},
+ date = {2020-03-06},
+ title = {Erzeugung - Bilanz - Monatsbericht über die Elektrizitätsversorgung},
+ url = {https://www.destatis.de/DE/Themen/Branchen-Unternehmen/Energie/Erzeugung/Tabellen/bilanz-elektrizitaetsversorgung.html},
+ urldate = {2020-05-07},
+}
+
+@Book{nelles01,
+ author = {Dieter Nelles and Christian Tuttas},
+ date = {1998},
+ title = {Elektrische Energietechnik},
+ doi = {10.1007/978-3-663-09902-4},
+ isbn = {978-3-663-09902-4},
+ year = {1998},
+}
+
+@Book{crastan01,
+ author = {Valentin Crastan},
+ date = {2015},
+ title = {Elektrische Energieversorgung 1},
+ doi = {10.1007/978-3-662-45985-0},
+ year = {2015},
+}
+
+@Book{crastan03,
+ author = {Valentin Crastan},
+ date = {2012},
+ title = {Elektrische Energieversorgung 3},
+ doi = {10.1007/978-3-642-20100-4},
+ isbn = {978-3-642-20099-1},
+}
+
+@Misc{simon01,
+ editor = {Liviu Constantinescu-Simon},
+ date = {1997},
+ title = {Handbuch Elektrische Energietechnik},
+ doi = {10.1007/978-3-322-85061-4},
+ year = {1997},
+}
+
+@WWW{kamstrup01,
+ author = {{Kamstrup A/S}},
+ title = {STS prepayment meter},
+ url = {https://www.kamstrup.com/en-en/electricity-solutions/smart-electricity-meters/sts-prepayment-meter},
+ urldate = {2020-05-11},
+}
+
+@Unpublished{itron01,
+ author = {{Itron Inc}},
+ date = {2012},
+ title = {Benutzerhandbuch Smart Meter EM 214},
+ url = {https://www.ewh.de/fileadmin/user_upload/Stromnetz/Zaehlerstaende/Produktbeschreibung_ITRON_EM214.pdf},
+ urldate = {2020-05-11},
+}
+
+@Unpublished{hager01,
+ author = {{Hager Group}},
+ date = {2017},
+ title = {Hager Smart Meter EHZ363
Betriebsanleitung},
+ url = {https://bnnetze.de/downloads/kunden/netzkunden/messstellenbetrieb-und-messung/funktionalitaet/hager-ehz363-betriebsanleitung.pdf},
+ urldate = {2020-05-11},
+}
+
+@TechReport{vseaes01,
+ date = {2010},
+ institution = {{Verband Schweizerischer Elektrizitätsunternehmen VSE}},
+ title = {Branchenempfehlung Strommarkt Schweiz Handbuch Smart Metering CH},
+ url = {https://web.archive.org/web/20130418034458if_/http://www.strom.ch:80/uploads/media/HBSM-CH_1018d_2010.pdf},
+ urldate = {2020-05-12},
+}
+
+@Article{geelen01,
+ author = {Daphne Geelen and Ruth Mugge and Sacha Silvester and Annemieke Bulters},
+ date = {2019},
+ journaltitle = {Energy Efficiency},
+ title = {The use of apps to promote energy saving: a study of smartmeter–related feedback in the Netherlands},
+ doi = {https://doi.org/10.1007/s12053-019-09777-z},
+ issue = {12},
+}
+
+@TechReport{bmwi03,
+ author = {{Bundesministerium für Wirtschaft und Energie} and {Ernst and Young}},
+ date = {2013},
+ title = {Kosten-Nutzen-Analyse für einen flächendeckenden Einsatz intelligenter Zähler},
+ url = {https://www.bmwi.de/Redaktion/DE/Publikationen/Studien/kosten-nutzen-analyse-fuer-flaechendeckenden-einsatz-intelligenterzaehler.pdf?__blob=publicationFile&v=5},
+ urldate = {2020-05-12},
+}
+
+@InProceedings{rodden01,
+ author = {Tom A. Rodden and Joel E.
Fischer and Nadia Pantidi and Khaled Bachour and Stuart Moran},
+ booktitle = {Proceedings of the SIGCHI Conference on Human Factors in Computing Systems - CHI '13},
+ date = {2013},
+ title = {At Home with Agents: Exploring Attitudes Towards Future Smart Energy Infrastructures},
+ doi = {10.1145/2470654},
+ year = {2013},
+}
+
+@InProceedings{pierce01,
+ author = {James Pierce and Eric Paulos},
+ booktitle = {CHI 2012},
+ date = {2012},
+ title = {Beyond Energy Monitors: Interaction, Energy, and Emerging Energy Systems},
+ doi = {10.1145/2207676.2207771},
+ subtitle = {interaction, energy, and emerging energy systems},
+ year = {2012},
+}
+
+@Article{lupton01,
+ author = {Deborah Lupton},
+ date = {2016},
+ journaltitle = {Economy and Society},
+ title = {The diverse domains of quantified selves: self-tracking modes and dataveillance},
+ doi = {10.1080/03085147.2016.1143726},
+ issn = {0308-5147},
+ pages = {101-122},
+ volume = {45},
+ year = {2016},
+}
+
+@InProceedings{costanza01,
+ author = {Enrico Costanza and Joel E. Fischer and James A. Colley and Tom Rodden and Sarvapali D. Ramchurn and Nicholas R. Jennings},
+ booktitle = {CHI 2014, One of a CHInd},
+ date = {2014},
+ title = {Doing the Laundry with Agents: a Field Trial of a Future SmartEnergy System in the Home},
+ doi = {10.1145/2556288.2557167},
+ subtitle = {a field trial of a future smart energy system in the home},
+ year = {2014},
+}
+
+@Article{fell01,
+ author = {Michael J. Fell and David Shipworth and Gesche M. Huebner and Clifford A. Elwell},
+ date = {2015},
+ journaltitle = {Energy Research and Social Science},
+ title = {Public acceptability of domestic demand-side response in Great Britain: The role of automation and direct load control},
+ doi = {10.1016/j.erss.2015.08.023},
+ issn = {2214-6296},
+ pages = {72-84},
+ volume = {9},
+ year = {2015},
+}
+
 @Comment{jabref-meta: databaseType:biblatex;}
diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex
index 8f8c956..82c074e 100644
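Review bot: Two of the new `doi` fields will not resolve to the cited work as written: `geelen01` stores the resolver URL (`https://doi.org/10.1007/s12053-019-09777-z`) instead of the bare identifier `10.1007/s12053-019-09777-z`, and `rodden01` has `10.1145/2470654`, which, unlike the `pierce01` and `costanza01` DOIs, carries no per-paper suffix and so probably points at the whole CHI '13 proceedings. `pierce01` and `costanza01` repeat the second half of `title` in `subtitle`, so biblatex styles that print both will show it twice; keep the main title in `title` and the remainder in `subtitle`. Several entries set both `date` and `year` (biblatex wants one), the `pages` ranges use a single hyphen (`101-122`, `72-84` should be `101--122`, `72--84`), and `geelen01` uses `issue = {12}` where a numeric issue belongs in `number` (or `volume`, if 12 is the volume; confirm against the article). `simon01` is a handbook with an editor and a DOI, so `@Book` or `@Collection` would describe it better than `@Misc`.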
--- a/ma/safety_reset.tex
+++ b/ma/safety_reset.tex
@@ -93,39 +93,290 @@ \newpage \chapter{Introduction} +% FIXME + \section{Structure and operation of the electrical grid} +Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic aspects of +modern power grids. + \subsection{Structure of the electrical grid} -\subsubsection{Generators and loads} +% FIXME + +\subsubsection{Hierarchical structure} +The electical grid is composed of a large number of systems such as distribution systems, power stations and substations +interconnected by long transmission lines. Mostly due to ohmic losses\footnote{ + Power dissipation of a resistor of resistance $R [\Omega]$ given current $I [A]$ is $P_\text{loss} [W] = + U_\text{drop} \cdot I = I^2 \cdot R$. Fixing power $P_\text{transmitted} [W] = U_\text{line} \cdot I$ this yields a + dependency on line voltage $U_\text{line} [V]$ of $P_\text{loss} = + \left(\frac{P_\text{transmitted}}{U_\text{line}}\right)^2 \cdot R$. Thus, ignoring other losses a $2\times$ increase + in transmission voltage halves current and cuts ohmic losses to a quarter. In practice the economics of this are + much more complicated due to the cost of better isolation for higher-voltage parts and the added factor of power + factor compensation. } +the efficiency of transmission of electricity through long transmission lines increases with the square of +voltage\cite{crastan01,simon01}. % simon01: p. 425, 9.4.1.1, crastan p.55, 3.1 +In practice economic considerations take into account a reduction of the considerable transmission losses (about +\SI{6}{\percent} in case of Germany\cite{destatis01}) as well as the cost of equipment such as additional transformers +and the cost increase for the increased volatage rating of components such as transmission lines. 
Overall these +considerations have led to a hierarchical structure where large amounts of energy are transmitted over very long +distances (up to thousands of kilometers) at very high voltages (upwards of \SI{200}{\kilo\volt}) and voltages get lower +the closer one gets to end-customer premises. In Germany at the local level a substation will distribute +\SIrange{10}{25}{\kilo\volt} % FIXME citation on this +to large industrial consumers and streets with small transformer substations converting this to the \SI{400}{\volt} +three-phase AC households are usually hooked up with. + +\subsubsection{Generators} + +Traditionally all generators in the power grid were synchronous machines. A synchronous machine is a generator that is +wound and connected in such a way that during normal operation its rotation is synchonous with the grid frequency. Grid +frequency and generator rotation speed are bidirectionally electromechanically coupled. If a generator would lag behind +the grid it would receive electrical energy from the grid and convert it into mechanical energy, acting as a motor. +Small deviations between rotational speed and grid frequency will be absorbed by the electromechanical coupling between +both. All generators connected to the grid operate synchronously. Maintaining this synchronization over time is the task +of complex control systems within each power station. + +% FIXME influence of non-rotating sources: photovoltaics + +\subsubsection{Switchgear} + +In the electrical grid switches perform various roles. The ones a computer scientist would recognize are used for +routing electricity between transmission lines and transformers and can be classified into ones that can be switched +under load (called load switches) and ones that can not (called disconnectors). The latter are used to ensure parts of +the network are free from voltage. The former are used to re-route flows of electrical currents. 
A major difference in +their construction is that in contrast to disconnectors load switches have built-in components that extinguish the +high-power arc discharge that forms when the circuit is interrupted under load\footnote{ + While an arc discharge is considered a fault condition in most low-voltage systems including computers, in energy + systems it is often part of normal operation. +}. Beyond this there are circuit breakers. Circuit breakers are safety devices that can still switch even under failure +conditions at several times the circuit's nominal current. They are activated automatically on conditions such as +overcurrent or overvoltage. Fuses can be considered non-resettable switches. The fuse in a computer power supply is +barely more than a glass tube with some wire in it that is designed to melt at the designated current. In energy systems +fuses are often much more complex devices that in some cases even utilize explosivese to quickly and decisively open the +circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon01}. +% disconnect switches, fuses, breakers -> crastan 1 (ch. 8) + \subsubsection{Transformers} -\subsubsection{Tie lines} +Along with transmission lines transformers are one of the main components most people will be thinking of when talking +about the electrical grid. Transformers connect grid segments at different voltage levels with one another. In the +distribution grid transformers are used to provide standard end-user voltage levels to the customer (e.g. 230/400V in +Europe) from a \SIrange{10}{25}{\kilo\volt} feeder. Transformers can also be used to convert between buses without a +fourth neutral conductor and buses with one. + +Transformers are large and heavy devices consisting of thick copper wire or copper foil windings arranged around a core +made from thin stacked, insulated iron sheets. 
The entire core sits within a large metal enclosure that is filled with +liquid (usually a specialized oil) for both cooling and electrical insulation. This cooling liquid is cooled by means +such as radiator fins on the transformer enclosure itself or an external radiator. Depending on the design cooling may +rely on natural convection within the cooling liquid or on electrical pumps\cite{crastan01,simon01}. + +Transformers come in a large variety of coil and wiring configurations. There exist autotransformers where the secondary +is part of the primary (or vice-versa) that are used to translate between voltage levels without galvanic isolation at +lower cost. Transformers used in parts of the electrical grid often have several taps and include \emph{tap changers}. A +tap changer is a system of mechanical switches that can be used to switch between several discrete transformer ratios to +adjust secondary voltage under load\cite{simon01}. Tap changers are used in the distribution grid to maintain the +specified voltage tolerances at the customer's connection. + +\subsubsection{Instrument transformers} +While operating on the exact same physical principles instrument transformers are very different from regular +transformers in an energy system. Instrument transformers are specialized low-power transformers that are used as +transducers to measure voltage or current at very high voltages. They are part of the control and protection systems of +substations\cite{crastan01}. + +\subsubsection{Chokes} +Chokes are large inductors. In power grid applications their construction is similar to the construction of a +transformer with the exception that they only have a single winding on the core. They are used for a variety of +purposes. A frequent use is as a series inductor on one of the phases or the neutral connection to limit transient fault +currents. In addition to use as simple series inductances for current limiting inductors are also used to tune LC +circuits. 
One such use are Petersen coils, large inductors in series with the earth connection at a transformer's star +point are used to quickly extinguish arcs between phase and ground on a transmission line. The Petersen coil forms a +parrallel LC resonant circuit with the transmission line's earth capacitance. Tuning this circuit through adjusting the +petersen coil reduces earth fault current to levels low enough to quickly extinguish the arc\cite{simon01}. + +\subsubsection{Power factor correction} +Reactive power (also referred to as \emph{VAR} after its is unit Volt-Ampère Reactive) an important variable in the +operation of electrical grids (see sec.\ \ref{frequency_estimation}). If reactive power generation and consumption are +mismatched, high currents develop that lead to high transmission losses. For this reason grids include circuits to +compensate reactive power imbalances\cite{crastan01}. These circuits can be as simple as inductors or capacitors +connected to a power line but often can be switched to adapt to changing load conditions. Static Var compensators are +particularly fast-acting reactive power compensation devices whose purpose is to maintain bus voltage\cite{rogers01}. + +\subsubsection{Transmission lines, bus bars and tie lines} +% cite crastan 1 on transmission lines, bus bars (ch. 8) + +\subsubsection{Loads} + +Lastly, there is the loads that the electrical grid serves. Loads range from mains-powered indicator lights in devices +such as light switches or power strips weighing in at mere milliwatts to large smelters in industrial metal production +that can consume a good fraction of a gigawatt all on their own. 
\subsection{Operational concerns} \subsubsection{Modelling the electrical grid} +% FIXME + \subsubsection{Generator controls} +% FIXME + \subsubsection{Load shedding} +% FIXME + \subsubsection{System stability} +% FIXME + \subsubsection{Power System Stabilizers} +% FIXME -\subsubsection{Smart metering} \section{Smart meter technology} -\subsubsection{Common components} +Smart meters were a concept pushed by utility companies throughout the 00's. Smart metering is one component of the +larger societal shift towards digitally interconnected technology. Old analog meters required that service pesonnel +physically come to read the meter. \emph{Smart} meters automatically transmit their readings through modern +technologies. Utility companies were very interested in this move not only because of the cost savings for meter reading +personnel. Beyond this, an always-connected meter allows several entirely new use cases that have not been possible +before. One often-cited one is utilizing the new high-resolution load data to improve load forecasting to allow for +greater generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no +longer fixed over time but adapts to market conditions. Models such as prepayment electricity plans where the customer +is automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be +controlled and monitored remotely. A remotely controllable load switch can also be used to coerce customers in +situations where that was not previously economically possible\footnote{ + The swiss association of electrical utility companies in sec.\ 7.2 par.\ (2)a of their 2010 whitepaper on the + introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches lead a new + tenant to swiftly register with the utility company. Mysteriously, this whitepaper completely vanished from their + website some time after publication. 
Luckily for us, the internet archive had a copy. +}. + +To the customer the utility of a smart meter is largely limited to the convenience of being able to read it without +going to the basement. In the long term it is said that there will be second-order savings to the customer since +electricity prices adapting to the market situation along with this convenience will lead them to consume less +electricity and to consume it in a way that is more amenable to utilities, both leading to reduced cost. % FIXME citation + +Traditional Ferraris counters with their distinctive rotating aluminium disc are simple electromechanical devices. Since +it does not include any failure-prone semiconductors or other high technology a cheap Ferraris-style meter can easily +last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to develop +in the first place since they require the development and integration of large amounts of complex, custom firwmare. Once +deployed, their lifetime is severely limited by this very complexity. Complex semiconductor devices tend to fail, and +firmware that needs to communicate with the outside world tends to not age well. % FIXME citation +This combination of higher unit cost and lower expected lifetime leads to grossly increased costs per household. This +cost is usually shared between utility and customer. % FIXME citation + +As part of its smart metering rollout the German government in 2013 had a study conducted on the economies of smart +meter installations. This study came to the conclusion that for the majority of households computerizing an existing +ferraris meter is uneconomical. For larger consumers or new installations the higher cost of installation over time is +offset by the resulting savings in electricity cost\cite{bmwi03}. + +\subsection{Human-Computer Interaction aspects of smart meter technology} + +% TODO the following paragraph uses "us" a bunch. Is that ok? 
+A fundamental aspect in realizing the cost and energy savings promised by the smart metering revolution is that it +requires a paradigm shift in consumer interaction. Previously most consumers would only confront their energy use when +their monthly or yearly electricity bill arrived. All of the cost savings smart meters promise over traditional metering +infrastructure\footnote{ + We are excluding savings from Demand-Side Response (DSR) implemented through smart meters here: Traditional ripple + control systems already allowed for these, and due to the added cost of high-power relays many smart meters do not + include such features. +} critically depend on the consumer regularly interacting with the meter through an in-home display or app. We live in +an era where our attention is already highly contested. A myriad of apps and platforms compete for our attention through +our smart phones and other devices. Introducing an entirely new service into this already complex battleground is a large +endeavour. On the one hand it is not clear how this new service would compete with everything else. On the other hand if +it does manage to capture our attention and lead us to modify our behavior, what are the side effects? For instance, +does an in-home display increase financial anxiety in economically disadvantaged customers? + +Human Computer Interaction research has touched the topic of smart metering several times and has many insights to offer +for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. + +% FIXME continue this. + +\subsection{Common components} +\label{sm-cpu} Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart +metering SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in +external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). 
Specialized +SoCs usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual +measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another +full-featured SoC acting as the MODEM. At a casual glance this might seem to be a security measure, but it may be more +likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\ +proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these architectures there is a clear +line of functional demarcation between the metering SoC and the MODEM. As evidenced by over-the-air software update +functionality (see e.g.\ \textcite{honeywell01}) this does not however extend to an actual security boundary. + +Energy usage is calculated by measuring both voltage and current at high resolution and then integrating the +measurements. Current measurements are usually made with either a current transformer or a shunt in a four-wire +configuration. Voltage is measured by dividing input AC down with a resistor chain. Both are integrated digitally using +the MCU's time base as a reference. + +Whereas legacy electromechanical energy meters only provided a display of aggregate energy use through a decimal counter +as well as an indirect indication of power through a rotating wheel one of the selling points of smart meters is their +ability to calculate advanced statistics on energy use. These statistics are supposed to help customers better target +energy conservation measures though evidence of this happening is scarce. % FIXME strong citation here plz! + +In addition to the pure measurement and data aggregation functions in many deployments % FIXME citation. EU white paper? +smart meters perform two additional functions. 
One is to serve as a gateway between the utility company's control +systems and large controllable loads in the consumer's household for Demand-Side Management (DSM). % FIXME citation +In DSM the utility company can control when exactly a high-power device such as a water storage heater is turned on. To +the customer the precise timing does not matter since the storage heater is set so that it has enough hot water in its +reservoir at all times. The utility company however can use this degree of control to reduce load variations during +temporary imbalances such as peaks. The efficiency gains realized with this system translate into lower electricity +prices for DSM-enabled loads for the customer. Traditionally DSM was realized on a local level using ripple control +systems. In ripple control control data is coded by modulating a carrier at a low frequency such as \SI{400}{\hertz} on +top of the regular mains voltage. These systems require high-power transmitters at tens of kilowatts and still can only +bridge regional distances\cite{dzung01}. + +Another important additional function is that in some countries some smart meters can be used to remotely disconnect +consumer households with outstanding bills. Using euphemisms such as \emph{Utility Revenue Protection} or the more +cynical \emph{Consumer Empowerment}\cite{kamstrup01} these systems allow an utility company to remotely disconnect a +customer at any time. Whereas before smart metering this required either additional hardware or an expensive site visit +by a qualified technician smart meters have ushered in an era of frictionless control\footnote{ + Note that in some countries such as the UK non-networked mechanical prepayment meters did exist. In such systems the + user inserts coins into a coin slot that activates a load switch at the household's main electricity connection. + These systems were non-networked and did not allow for remote control. 
A disadvantage of such systems compared to + modern \emph{smart} systems are the high cost of the coin acceptor and the overhead of site visits required to empty + the coin box. % FIXME nice citation +}. -Smart meters usually are built around a standard microcontroller. \label{sm-cpu} -\subsubsection{Cryptographic coprocessors} -\subsubsection{Physical structure} -\subsubsection{Physical installation} +\subsection{Cryptographic coprocessors} + +Just like in legacy electricity meters in smart meters physical security is still a key component of the overall system +design. Since in both types of meter cost depends on physical quantities being measured at the customer premises +customers can save cost in case they are able to falsify the meter's measurements without being detected. For this +reason both types of meters employ countermeasures against physical intrusion. Compared to high-risk devices such as +card payment processing terminals or ATMs the tamper proofing used in smart meters is only basic. Common measures +include sealing the case by irreversibly ultrasonically welding front and back plastic shells together or the use of +security seals on the lid covering the input/output screw terminals. Low-tech attacks using magnets to saturate the +current transformer's ferrite cores are detected using hall sensors\cite{itron01,hager01,easymeter01}. + +German smart metering standards are unique in that they specify the use of a smartcard-like security module to provide +transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}. 
+% FIXME compare to other places where things are not as nice + +\subsection{Physical structure and installation} +% FIXME \section{Regulatory frameworks around the world} +% FIXME + \subsection{International standards} +% FIXME + \subsection{The regulatory situation in selected countries} +% FIXME + \subsubsection{Germany} +% FIXME + \subsubsection{France} +% FIXME + \subsubsection{the UK} +% FIXME + \subsubsection{Italy} +% FIXME + \subsubsection{Northern America} +% FIXME + \subsubsection{Japan} +% FIXME + \subsection{Common themes} +% FIXME + \section{Security in smart grids} The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that @@ -444,7 +695,7 @@ denial-of-service attacks on our system by any of the four attacker types. All r from the \emph{reset authority} and are cryptographically secured to provide authentication and tamper detection. Under this model, attacks on the electrical grid components between the \emph{reset authority} and the customer device degrade into man-in-the-middle attacks. To ensure the \textsc{safety} criterion from \ref{sec_criteria} holds we must -% FIXME check whether this \ref displays as intended +% TODO check whether this \ref displays as intended make sure our cryptography is secure against man-in-the-middle attacks and we must try to harden the system against denial-of-service attacks by the attacker types listed above. Given our attacker model we cannot fully guard against this sort of attack but we can at least choose a commmunication channel that is resilient against denial of service 
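Review bot: In the new `Common components` subsection, the sentence ending `this does not however extend to an actual security boundary` draws its conclusion from the mere existence of over-the-air updates, and the connecting step is missing. An update path only shows the boundary is absent if the communication SoC can install metering firmware that the metering SoC does not authenticate on its own; say whether the cited source shows that, or weaken the claim to `this does not necessarily extend to an actual security boundary`. Separately, in `Hierarchical structure` the body says transmission efficiency `increases with the square of voltage`, whereas the footnote derives that ohmic loss falls with the square of line voltage, so the body should be reworded to match, e.g. `ohmic transmission losses fall with the square of the line voltage`. The added prose also carries spelling slips that a spell-check pass would catch: `electical`, `volatage`, `synchonous`, `explosivese`, `parrallel`, `pesonnel`, `firwmare` and `after its is unit`. The citation keys `rogers01`, `dzung01`, `easymeter01`, `bsi-tr-03109-2` and `bsi-tr-03109-2-a` and the label `frequency_estimation` are not defined in the visible hunks, so confirm they exist elsewhere.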
@@ -559,16 +810,16 @@ single transmitter can cover an entire synchronous area. Though the transmitter of a single large transmitter faces lower bureaucratic hurdles than integration of hundreds of smaller ones into hundreds of local systems each with autonomous goverance. -\subsubsection{The frequency dependance of grid frequency} +\subsubsection{The frequency dependency of grid frequency} Despite the awesome complexity of large power grids the physics underlying their response to changes in load and generation is surprisingly simple. Individual machines (loads and generators) can be approximated by a small number of differential equations and the entire grid can be modelled by aggregating these approximations into a large system of linear differential equations. Evaluating these systems it has been found that in large power grids small-signal steady-state changes in generation/consumption power balance cause a linear change in -frequency\cite{kundur01,entsoe02,entsoe04}. \emph{Small signal} here describes changes in power balance that are small -compared to overall grid power. \emph{Steady state} describes changes over a timeframe of multiple cycles as opposed to -transient events that only last a few milliseconds. +frequency\cite{kundur01,crastan03,entsoe02,entsoe04}. \emph{Small signal} here describes changes in power balance that +are small compared to overall grid power. \emph{Steady state} describes changes over a timeframe of multiple cycles as +opposed to transient events that only last a few milliseconds. This approximately linear relationship allows the specification of a coefficient linking $\Delta P$ and $\Delta f$ with unit \si{\watt\per\hertz}. In this thesis we are using the European power grid as our model system. We are 
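Review bot: The renamed heading `The frequency dependency of grid frequency` fixes the spelling but still says that grid frequency depends on frequency, while the paragraph under it describes how frequency responds to the generation/consumption power balance. A heading such as `\subsubsection{The load dependency of grid frequency}` would match the body. The subsection's text continues past the end of this hunk.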
@@ -597,7 +848,7 @@ ENTSO-E at around \SI{20}{\giga\watt\per\hertz}. Keeping modulation amplitude be spuriously triggering these control functions. This works out to an upper bound on modulation power of \SI{20}{\mega\watt\per\milli\hertz}. -\subsubsection{Practical transmitter implementation} +\subsubsection{An outline of practical transmitter implementation} In its most basic form a transmitter for grid frequency modulation would be a very large controllable load connected to the power grid at a suitable vantage point. A spool of wire submerged in a body of cooling water (such as a small lake @@ -652,9 +903,9 @@ one rectifier pulse to the next, i.e. within a fraction of a single cycle.} data Modern power systems are complex electromechanical systems. Each component is controlled by several carefully tuned feedback loops to ensure voltage, load and frequency regulation. Multiple components are coupled through transmission lines that themselves exhibit complex dynamic behavior. The overall system is generally stable, but may exhbit some -instabilities to particular small-signal stimuli. These instabilities, called \emph{modes} occur when due to mis-tuning -of parameters or physical constraints the overall system exhibits oscillation at particular frequencies. -\textcite{kundur01} split these into four categories: +instabilities to particular small-signal stimuli\cite{kundur01,crastan03}. These instabilities, called \emph{modes} +occur when due to mis-tuning of parameters or physical constraints the overall system exhibits oscillation at particular +frequencies. \textcite{kundur01} split these into four categories: \begin{description} \item[Local modes] where a single power station oscillates in some parameter @@ -679,9 +930,6 @@ of spectral energy in certain frequency ranges. % FIXME -\subsubsection{An outline of practical implementation} -% FIXME - \section{From grid frequency to a reliable communications channel} % FIXME 
@@ -1438,7 +1686,6 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins \end{figure} \section{Implementation of a demonstrator unit} - %FIXME To demonstrate the viability of our reset architecture we decided to implement a demonstrator system. In this demonstrator we use JTAG to reset part of a commodity smart meter from an externally-connected reset controller. The @@ -1451,6 +1698,7 @@ implementation cost low the reset controller is fed a simulation of a modulated }. \subsection{Selecting a smart meter for demonstration purposes} +\label{sec-easymeter} For our demonstrator to make sense we wanted to select a realistic reset target. In Germany where this thesis was written a standards-compliant setup would consist of a fairly dumb smart meter and a smart meter gateway (SMGW) @@ -1461,8 +1709,8 @@ to the SMGW effectively mitigating any attack vector for remote compormise. Despite these considerations we still chose to reset the application MCU inside smart meter for two reasons. One is that SMGWs are much harder to come by on the second-hand market. The other is that SMGWs are a particular feature of the -German standardization landscape and in many other countries the functions of an SMGW are integrated into the meter -itself. % FIXME citation +German standardization landscape and in many other countries functions of an SMGW such as wireless protocol handling are +integrated into the meter itself (see e.g.\ \cite{honeywell01}). In the end we settled on an Q3DA1002 three-phase 60A meter made by German manufacturer EasyMeter. This meter is typical of what would be found in an average German household and can be acquired very inexpensively as new old stock on online 
@@ -1499,6 +1747,8 @@ logic as part of the meter itself\cite{honeywell01,ifixit01}. As an example, the 71M6541 main application microcontroller along with a Texas Instruments CC1000 series radio transceiver and is advertised to support both over-the-air firmware upgrades and a remotely accessible ``service control switch''. +% TODO add pics of the intact easymeter and of the one with the safety reset0r hooked up + \begin{figure} \centering \begin{subfigure}{\textwidth} @@ -1530,7 +1780,7 @@ advertised to support both over-the-air firmware upgrades and a remotely accessi \end{subfigure} \caption{ - Composite images of the circuit boards inside the EasyMeter Q3DA1002 "smart" electricity meter used in our + Composite images of the circuit boards inside the EasyMeter Q3DA1002 ``smart'' electricity meter used in our demonstration. } \label{easymeter_composites} @@ -1581,6 +1831,7 @@ compensated for at the transmitter by selecting appropriate modulation parameter the receiver by equalization with a matched filter. \section{Experimental results} +% TODO add some pictures of the finished demo setup in action % FIXME \section{Lessons learned} -- cgit