jaseg/master-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Paper WIP

Browse source
This commit is contained in:
jaseg 2022-04-07 11:14:00 +02:00
parent cbc7365345
commit 1dfe76a4ce
1 changed files with 89 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

113
paper/safety-reset-paper.tex
View file

@ -35,38 +35,82 @@
\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
\titlerunning{Ripples in the Pond: Transmitting Information through Grid Frequency}
\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
\institute{Alexander von Humboldt Institut for Internet and Society Berlin (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
% FIXME keywords
\institute{TU Darmstadt\\ Communication Networks Lab\\ \email{safetyreset@jaseg.de}
\and Tel Aviv University\\ Faculty of Engineering\\ \email{lirankat@tau.ac.il}
\and TU Darmstadt\\ Communication Networks Lab\\ \email{scheuermann@informatik.hu-berlin.de}}
\maketitle
\keywords{Security, privacy and resilience in critical infrastructures \and Security and privacy in ``internet of
things'' \and Cyber-physical systems \and Hardware security \and Network Security \and Energy systems \and Signal theory}
\begin{abstract}
The smart grid is a large, complex and interconnected technological system. With remotely controllable load switches
having been rolled out at scale in some countries, a tiny flaw inside the firmware of one of these embedded devices
may enable attacks to remotely trigger large-scale disruption with potentially catastrophic results. Attaining
perfect security against such cyberphysical attacks is a monumental embedded engineering task---and observations do
not indicate that current efforts meet the requirements of this task.%FIXME cite recent RECESSIM work
With the rollout of the smart grid, the IT security of electrical infrastructure has attracted increased attention
in the last years. Smart Grid IT security has two major components: The security of central SCADA systems, and
the security of equipment at the consumer premises such as smart meters and IoT devices. While there is previous
work on both sides, their interactions have not yet received much attention.
In this paper, we approach the smart grid safety issue by introducing a new, resilient broadcast communication
channel based on modulating grid frequency that can be used as a last resort during large-scale cyberattacks. To
demonstrate this channel, we have implementing an emergency override that can be used to reset potentially
compromised smart meters to a known-good state and preempt subsequent compromise by cutting communication links.
Our system transmits error-corrected and cryptographically secured commands by modulating grid frequency using a
single large consumer such as a large aluminium smelter. This approach differs from traditional Powerline
Communication (PLC) systems in that it reaches every device within the same synchronous area as the signal is
embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly attenuated across
long distances. The system only requires a single transmitting station anywhere on the grid and as such can operate
fully independent of public telecommunication infrastructure.
In this paper, we consider the previously proposed scenario where a large number of compromised consumer devices is
used alone or in conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly
modulating the total connected load. Such attacks might include IoT devices, but they might also target Smart
Meters, which in many parts of the world now contain remote-controlled disconnect switches. Such attacks are hard to
mitigate, and existing literature focuses on hardening device firmware to prevent compromise. Although perfect
firmware security is not practically achievable, there is little research on \emph{post-compromise} mitigation
approaches. A core issue of any post-attack mitigation is that the devices normal network connection may not work
due to the attack and as such an out-of-band communication channel is necessary.
Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load would allow for the transmission
of a crytographically secured \emph{reset} signal within $15$ minutes. We have designed and constructed a
proof-of-concept prototype receiver that demonstrates the feasibility of decoding such signals even on
resource-constrained microcontroller hardware.
We propose a \emph{safety reset} controller that is controlled through a novel, resilient, grid-wide powerline
communication technique. Our safety reset controller can be fitted into any Smart Meter or IoT device. Its purpose
is to await an out-of-band command to put the device into a safe state (e.g. \emphp{relay on} or \emph{light on})
that interrupts attacker control over the device. The safety reset controller is separated from the system's main
application controller and does not have any conventional network connections to reduce attack surface and cost.
Our proposed resilient communication channel is a grid-wide broadcast channel based on modulating grid frequency. It
can be operated by transmission system operators (TSOs) even during black-start recovery procedures and in this
situation bridges the gap between the TSO's private network and the consumer devices. To demonstrate our proposed
channel, we have implemented a system that transmits error-corrected and cryptographically secured commands.
Our approach differs from traditional Powerline Communication (PLC) systems in that it reaches every device within
the same synchronous area as the signal is embedded into the fundamental grid frequency. Traditional PLC uses a
superimposed voltage, which is quickly attenuated across long distances.
Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load such as a large aluminium smelter,
load bank or photovoltaic farm would allow for the transmission of a crytographically secured \emph{reset} signal
within $15$ minutes. We have designed and constructed a proof-of-concept prototype receiver that demonstrates the
feasibility of decoding such signals on a resource-constrained microcontroller.
\end{abstract}
\section{Introduction}
% FIXME This is meh.
% Maybe *start* with "the recovery from a blackout bla bla..."?
The power grids of the world are some of the most complex man-made technological systems. Their operation is essential
for modern human life and with the proliferation of ransomware and state-sponsored attacks their IT security has come
under close scrutiny. To grid operators, there are two main challenges that complicate IT security efforts. First, all
parts of the electrical grid are physically coupled and faults can have consequences far from their source. Second, many
of the networked devices used in grid applications are special-purpose devices built in low volumes, which limits the
amount of engineering effort that could have been spent on their firmware security.
We expect that a serious compromise can never fully be ruled out since the combined attack surface of a large number of
diverse devices is too large to effectively secure, and perimeter security measures are only effective to a point when
devices are spread out across a vast geographical area. Thus, in this paper we focus not on the prevention of an attack,
but on the recovery from one.
%The IT security of the power grid is a complicated issue. Transmission system operators are faced with multiple
%challenges.
%First, the grid is composed of myriad different devices that are interconnected on a contintental scale. Since all these
%devices are physically coupled, faults in one system can have ripple effects far away. In other critical infrastructure
%such as the water supply, transportation or the public health system, a number of fundamentally independent sub-systems
%are only linked at an organizational level, which means faults due to either natural disasters or hacking attacks are
%likely to be localized. In contrast, a transmission system operator has to make sure no faults happen anywhere in the
%system for the system to be stable. Ensuring faultless operation across thousands of devices is hard.
%Like any other complex technological system, the components that make up the power grid are increasingly being outfitted
%with networked computer systems for monitoring and control.
%They have to secure a large and diverse fleet of networked systems, many of which are special-purpose devices customized
%for this particular application. Small production quantities
%mean that the limit of economically achievable security is already low. Coupled with the high complexity of each of
%these devices, this results in
\subsection{The digitalization of the grid}
In the power grid, as in many other engineered systems, we can observe an ongoing diffusion of information systems into
the domain of industrial control. Automation of these control systems has already been practiced for the better part of a
century. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in
@ -77,8 +121,8 @@ shifted from pure operation to engineering, maintenance and surveillance~\cite{c
With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation,
built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale
generators working together. In this new model large-scale fossil power plants still serve a major role, but new
factors come into play. One such factor is the advance of renewable energies. The large-scale use of wind and solar power in
particular seems unavoidable for continued human life on this planet. For the electrical
factors come into play. One such factor is the advance of renewable energies. The large-scale use of wind and solar
power in particular seems unavoidable for continued human life on this planet. For the electrical
grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and
quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the
grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they
@ -100,7 +144,11 @@ electromechanical Ferraris-style meters that have their origin in the late 19th
century~\cite{borlase01,ukgov04,bnetza02}. Today, under the umbrella term \emph{Smart Metering}, the shift towards fully
computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very
smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology
is usually standardized on a per-country basis. This leads to an inhomogenous landscape with---in some
is usually standardized on a per-country basis.
\subsection{Perfect firmware security}
% FIXME join these paragraphs
This leads to an inhomogenous landscape with---in some
instances---wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter
for each country. This complex standardization landscape and market situation has led to a proliferation of highly
complex, custom-coded microcontroller firmware. The complexity and scale of this---often network-connected---firmware
@ -174,6 +222,23 @@ This work contains the following contributions:
\item We carry out extensive simulations of our systems to determine its performance characteristics.
\end{enumerate}
\section{Notation}
To a computer scientist there is one confusing aspect to the theory of grid frequency modulation. GFM can be seen as a
frequency modulation (FM) with a baseband signal in the band below approximately $f_m = \SI{5}{\hertz}$ that is
modulated on top of a carrier signal at $f_c = \SI{50}{\hertz}$ in case of the European electrical grid. The frequency
deviation $f_\Delta$ that the modulated carrier deviates from its nominal value of $f_m$ is very small at only a few
milli-Hertz.
When grid frequency is measured by first digitizing the mains voltage waveform, then de-modulating digitally, the FM's
SNR is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise sources such as
resistive droop due to large inrush current of nearby machines.
Note that both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz. To disambiguate
them, in this paper we will use \textbf{bold} letters to refer to the carrier waveform $\mathbf{U}$ or frequency
$\mathbf{f_c}$ as well as its deviation $\mathbf{f_\Delta}$, and we will use normal weight for the actual modulation
signal and its properties such as $f_m$.
\section{Related work}
\label{sec_related_work}