From 7e1a6f24afd7377ee78af1ba5ce9fe67d3a6a840 Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 12 May 2020 18:55:39 +0200 Subject: ma: more blurb --- ma/safety_reset.bib | 7 ++++ ma/safety_reset.tex | 114 +++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 112 insertions(+), 9 deletions(-) (limited to 'ma') diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index 129f4c7..5bd9ec9 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -1114,4 +1114,11 @@ year = {2015}, } +@WWW{silabs01, + author = {Vivek Mohan, {Silicon Labs}}, + date = {2015}, + title = {An Introduction to Wireless M-Bus}, + url = {http://pages.silabs.com/rs/634-SLU-379/images/introduction-to-wireless-mbus.pdf}, +} + @Comment{jabref-meta: databaseType:biblatex;} diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 82c074e..3462740 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -289,10 +289,10 @@ metering SOCs\cite{ifixit01} while others use standard microcontrollers with cor external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized SoCs usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another -full-featured SoC acting as the MODEM. At a casual glance this might seem to be a security measure, but it may be more +full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure, but it may be more likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\ proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these architectures there is a clear -line of functional demarcation between the metering SoC and the MODEM. As evidenced by over-the-air software update +line of functional demarcation between the metering SoC and the modem. As evidenced by over-the-air software update functionality (see e.g.\ \textcite{honeywell01}) this does not however extend to an actual security boundary. Energy usage is calculated by measuring both voltage and current at high resolution and then integrating the @@ -669,7 +669,7 @@ Based on the above classification of attack angles and our observations on state We can ignore the other internal threats described in \textcite{fraunholz01} since an insider cooperating with a state actor is strictly worse in every respect. \item \textbf{State-sponsored external attackers} - A state actor can obviously directly attack the system through the internet. + A state actor can directly attack the system through the internet. \item \textbf{Customers controlled by a state actor} A state actor can very well compromise some customers for their purposes. They might either physically infiltrate the system posing as legitimate customers, or they might simply deceive or bribe existing customers @@ -740,10 +740,59 @@ simple to reduce attack surface there. %FIXME \subsection{Safety vs. Security: Opting for restoration instead of prevention} -%FIXME + +By implementing our reset system as a physically separate microcontroller we sidestep most security issues around the +main application microcontroller. There are some simple measures that can be taken to harden this firmware. +Implementing industry best practices such as memory protection or stack canaries will harden the system and increase the +cost of an attack but it will not yield a system that we can be confident enough in to say it is fully secure. The +complexity of the main application controller firmware makes fully securing the system a formidable effort--and one that +would have to be repeated by every meter vendor for every one of their code bases. + +In contrast to this our reset system does not provide any additional security. Any attack that could occur without it +can still occur with it in place. What it provides is a fail-safe mechanism that can quickly immobilize a malicious +actor even mid-attack. It does this in a way that can be adapted to any meter architecture and any microcontroller +platform with low effort since it relies on established standard interfaces such as JTAG and SWD. Concentrating +research and development resources on a single platform like this allows for a system that is more economical to +implement across device series and across vendors. + +Attack resilience in the power grid can benefit from a safety-focused approach. The greater danger such an attack poses +is not the temporary denial of service of utility metering functions. Even in a highly integrated smart grid as +envisioned by utility companies their measurement functions are used by utility companies to increase efficiency and +reduce cost but are not necessary for the grid to function at all. % TODO citation +Thus if we can provide mere \emph{safety} with a fail-safe semantic instead of unattainable perfect \emph{security} we +have gained resilience against a large class of realistic attack scenarios. \subsection{Technical outline of a safety reset system} -%FIXME + +There are several ways our system could be practically implemented. The most basic way is to add a separate +microcontroller connected to the meter's main application MCU and optionally other embedded microcontrollers such as +modems. This discrete chip could either be placed on the metering board itself or it could be placed on a separate PCB +connected to the programming interface(s) of the metering board. In certain cases the latter might allow use in +otherwise unmodified legacy designs. + +The saftey reset controller would be a much simpler MCU than the meter's main application controller. Its software can +be held simple leading to low program flash and RAM requirements. Since it does not need to address rich periphery such +as external parallel memory, LCDs etc.\ it can be a physically small, low-pin count device. If the main application +controller is supposed to be reset to a full factory image with little or no reduced functionality its firmware image +size is certainly too large for the reset controller's embedded flash. Thus a realistic setup would likely use an +external SPI flash chip to store this image. + +The most likely interfaces to reset the main application controller and possibly other microcontrollers such as modem +chips would be the controller's integrated programming port such as JTAG. There exist a variety of programming +interfaces for microcontrollers but for moderately complex ones JTAG has grown to be by far the most broadly supported +one. Parallel high-voltage flash programming has come to be uncommon in modern microcontrollers and most chips nowadays +use some form of a serial interface. Some vendors have their own proprietary serial in-system programming interfaces +that they use on certain parts instead of or in addition to JTAG. The reasons for this usually are either lower +complexity in parts that do not require full debugging capabilities as provided by JTAG or the high pin count of JTAG. + +The kind of microcontroller that would likely be used as the main application controller in a smart meter application +will almost certainly support JTAG. These microcontrollers are high pin-count devices since they need to connect to a +large set of peripherals such as the LCD and the large program flash makes it likely for a proper debugging interface to +be present. % TODO maybe citation here? + +The one remaining issue in this coarse technical outline is what communication interface should be used to transmit the +trigger command to the reset controller. In the following section we will give an overview on communication interfaces +established in energy metering applications and evaluate each of them for our purpose. \section{Communication channels on the grid} @@ -759,6 +808,7 @@ meters\cite{kabalci01}. Technologically, these wideband PLC systems are very di used by utilities for load management among other applications and they are not relevant to our analysis. \subsection{Powerline communication (PLC) systems and their use} + In long-distance communications for applications such as load management, PLC systems are attractive since they allow re-using the existing wiring infrastructure and have been used as early as in the 1930s\cite{hovi01}. Narrowband PLC systems are a potentially low-cost solution to the problem of transmitting data at small bandwidth over distances of @@ -776,6 +826,7 @@ the entire grid of a regional distribution utility, higher-bandwidth bidirection reading (AMR) in places such as italy or france require repeaters within a few hundred meters of a transmitter. \subsection{Landline and wireless IP-based systems} + Especially in automated meter reading (AMR) infrastructure the cost-benefit tradeoff of powerline systems does not always work out for utilities. A common alternative in these systems is to use the public internet for communication. Using the public internet has the advantage of low initial investment on the part of the utility company as well as @@ -789,8 +840,33 @@ For purposes such as meter reading for billing purposes, this stability is suffi hold up in crisis situations such as the recovery system we are contemplating in this thesis, the public internet may not provide sufficient reliability. -\subsection{Proprietary wireless systems} -% FIXME +\subsection{Short-range wireless systems} + +Smart meters contain copious amonuts of firmware but still pale in comparison to the complexity of full-scale computers +such as smartphones. For short-range communication between a meter and a cellular radio gateway mounted nearby or +between a meter an an meter reading operator in a vehicle on the street a protocol such as Wifi (802.11) might be too +complex in most cases. Absent widely-used standards in this space proprietary radio protocols instead grow very +attractive. These might be based on some standardized lower-level protocol such as ZigBee (802.15) or might be entirely +home-grown. To a meter manufacturer a proprietary radio protocol has several advantages. It is easy to implement and +requires zero external certification. It can be customized to its specific application. In addition it provides some +level of vendor lock-in to customers sharing infrastructure such as a cellular radio gateway between multiple devices. +In other fields where a lack of standardization has led to a proliferation of proprietary protocols such as home +automation this has led to a fragmented protocol landscape. In other fields this is a large problem since consumer +cannot easily integrated products made by different manufacturers into one system. In advanced metering infrastructure +this is unlikely to be a disadvantage since ususally there is only one distribution grid operator for an area. +Additionally shared resources such as a cellular radio gateway would most likely only be shared within a single building +and within a single building usually all meters are operated by the same provider. + +Systems in Europe commonly support Wireless M-Bus, an european standardized protocol\cite{mohan01} that operates on +several ISM bands\footnote{ + Frequency bands that can be used for \emph{Industrial, Scientific and Medical} applications by anyone and that do + not require obtaining a license for transmitter operation. Manufacturers can use whatever protocol they like on + these bands as long as they obtain certification that their transmitters obey certain spectral and power + limitations. +}. ZigBee is another popular standard and some vendors additionally support their own proprietary protcols\footnote{ + For an example see \textcite{honeywell01} +}. +% TODO expand this? \subsection{Frequency modulation as a communication channel} @@ -839,7 +915,7 @@ synchronous area. The ENTSO-E Operations Handbook Policy 1 chapter defines the activation threshold of primary control to be \SI{20}{\milli\hertz}. Ideally a modulation system would stay well below this threshold to avoid fighting the primary control reserve. Modulation line rate should probably be on the order of a few hundred millibaud. -% FIXME is using "probably" here and in the previous paragraph ok? +% TODO is using "probably" here and in the previous paragraph ok? Modulation at such high rates would outpace primary control action which is specified by ENTSO-E as acting within between ``a few seconds'' and \SI{15}{\second}. @@ -928,7 +1004,25 @@ of spectral energy in certain frequency ranges. \subsubsection{Overall system parameters} -% FIXME +In conclusion we end up with the following tunable parameters for a grid frequency modulation based on a large +controllable load: + +\begin{description} + \item[Modulation amplitude] proportionally related to modulation power. In a practical setup we might realize a + modulation power up to a few hundred \si{\mega\watt} which would yield maybe a few tens of \si{\milli\hertz} of + frequency amplitude. + \item[Modulation pre-emphasis and slew-rate control]. Pre-emphasis might be necessary to ensure an adequate SNR at + the receiver. Slew-rate control and other shaping measures might be necessary to reduce the impact of these + sudden load changes on the transmitter's primary function (say, aluminium smelting) and to prevent disturbances + to grid components. + \item[Modulation frequency]. For a practical implementation a careful study would be necessary to determine an + optimal frequency band for operation. On one hand we need to prevent disturbances to the grid such as through + excitation of some local or inter-area modes. On the other hand we need to optimize SNR and data rate to achieve + optimal latency between transmission start and successful reception and to reduce the overall burden on + transmitter and grid. + \item[Further modulation parameters]. The modulation itself has numerous parameters that are discussed in sec.\ + \ref{mod_params} below. +\end{description} \section{From grid frequency to a reliable communications channel} % FIXME @@ -939,6 +1033,8 @@ of spectral energy in certain frequency ranges. \subsection{Modulation and its parameters} +\label{mod_params} + The sensitivity of the grid to oscillation at particular frequencies described above means we should avoid any modulation technique that would concentrate a lot of energy in a small bandwidth. Taking this principle to its extreme provides us with a useful pointer towards techniques that might work well: Spread-spectrum techniques. By employing -- cgit