jaseg/safety-reset
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ma: Fix citation style

Browse source
This commit is contained in:
jaseg 2020-05-25 15:38:22 +02:00
parent 37efb07f30
commit 53bc825532
2 changed files with 81 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

14
ma/safety_reset.bib
View file

@ -1515,4 +1515,18 @@
urldate = {2020-05-25},
}
@Book{mackay01,
author = {David J. C. MacKay},
date = {2005},
title = {Information theory, inference, and learning algorithms},
edition = {Repr. with corr.},
isbn = {0521642981},
note = {Literaturverz. S. 613 - 619},
pagetotal = {XII, 628},
publisher = {Univ. Press},
address = {Cambridge [u.a.]},
ppn_gvk = {50543234X},
year = {2005},
}
@Comment{jabref-meta: databaseType:biblatex;}

139
ma/safety_reset.tex
View file

@ -399,11 +399,11 @@ it does manage to capture our attention and lead us to modify our behavior, what
does an in-home display increase financial anxiety in economically disadvantaged customers?
Human Computer Interaction research has touched the topic of smart metering several times and has many insights to offer
for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. An issue pointed out in \textcite{rodden01} is
that at least in some countries consumers fundamentally distrust their utility companies. This trust issue is
exacerbated by smart meters being unilaterally forced onto consumers by utility companies. Much of the success of smart
metering's ubiquitous promises of energy savings fundamentally depends on consumer coöperation. Here, the aforementioned
trust issue calls into question smart metering's chances of long-term success.
for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. An issue pointed out in \cite{rodden01} is that at
least in some countries consumers fundamentally distrust their utility companies. This trust issue is exacerbated by
smart meters being unilaterally forced onto consumers by utility companies. Much of the success of smart metering's
ubiquitous promises of energy savings fundamentally depends on consumer coöperation. Here, the aforementioned trust
issue calls into question smart metering's chances of long-term success.
As \text{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research.
HCI research certainly would not have overlooked entire central issues such as privacy as it happened in the dutch
@ -427,7 +427,7 @@ full-featured SoC acting as the modem. At a casual glance this might seem to be
likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\
proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these architectures there is a clear
line of functional demarcation between the metering SoC and the modem. As evidenced by over-the-air software update
functionality (see e.g.\ \textcite{honeywell01}) this does not however extend to an actual security boundary.
functionality (see e.g.\ \cite{honeywell01}) this does not however extend to an actual security boundary.
Energy usage is calculated by measuring both voltage and current at high resolution and then integrating the
measurements. Current measurements are usually made with either a current transformer or a shunt in a four-wire
@ -607,7 +607,7 @@ gateways\cite{gungor01}.
\subsubsection{Japan}
Japan is currently rolling out smart metering infrastructure. Compared to other countries in Japan significant
standardization effort has been spent on smart home integration.\cite{usitc01,sato01,brown01}. Japan has domestic
standardization effort has been spent on smart home integration\cite{usitc01,sato01,brown01}. Japan has domestic
standards (JIS) for metrology and physical dimensions. The TEPCO deployment currently being rolled out is based on the
IEC DLMS/COSEM standards suite for remote meter reading in conjuction with the Japanese ECHONET protocol for the
home-area network. Smart meters are connected to TEPCO's backend systems through the customer's internet connection,
@ -793,9 +793,9 @@ secure-world firmware used by Samsung in their mobile phone SoCs. The flaws the
flaws such as secret user input being passed through untrusted userspace processes without any protection and shocking
cryptographic flaws such as CVE-2016-1919\footnote{\url{http://cve.circl.lu/cve/CVE-2016-1919}}\cite{kanonov01}. And
Samsung is not the only large multinational corporation having trouble securing their secure world firmware
implementation. In 2014 \textcite{rosenberg01} found an embarrassing integer overflow flaw in the low-level code
handling untrusted input in Qualcomm's QSEE firmware. For an overview of ARM TrustZone including a survey of academic
work and past security vulnerabilities of TrustZone-based firmware see \textcite{pinto01}.
implementation. In 2014 researchers found an embarrassing integer overflow flaw in the low-level code handling untrusted
input in Qualcomm's QSEE firmware\cite{rosenberg01}. For an overview of ARM TrustZone including a survey of academic
work and past security vulnerabilities of TrustZone-based firmware see \cite{pinto01}.
If all of these very large companies have trouble securing parts of their secure embedded software stacks measuring a
mere few hundred bytes in Apple's case or a few kilobytes in Qualcomm's, what is a smart electricity meter manufacturer
@ -863,8 +863,8 @@ having a technician drive to every one of them in turn to install a firmware sec
\subsubsection{Control function exploits}
Control function exploits are attacks on the mathematical control loops used by the centralized control system. One
example of this type of attack are resonance attacks as described in \textcite{wu01}. In this kind of attack, inputs
from peripheral sensors indicating grid load to the centralized control system are carefully modified to cause a
example of this type of attack are resonance attacks as described in \cite{wu01}. In this kind of attack, inputs from
peripheral sensors indicating grid load to the centralized control system are carefully modified to cause a
disproportionally large oscillation in control system action. This type of attack relies on complex resonance effects
that arise when mechanical generators are electrically coupled. These resonances, coloquially called ``modes'' are
well-studied in power system engineering\cite{rogers01,grebe01,entsoe01,crastan03}. Even disregarding modern attack
@ -895,7 +895,7 @@ unpaid for a certain period. In countries that use these kinds of systems on a w
switch is controlled by the smart meter's central microcontroller. This allows anyone compromising this
microcontroller's firmware to actuate the load switch at will. Given control over a large number of network-connected
smart meters, an attacker might thus be able to cause large-scale disruptions of power consumption\cite{anderson01}.
Combined with an attack method such as the resonance attack from \textcite{wu01} that was mentioned above, this scenario
Combined with an attack method such as the resonance attack from \cite{wu01} that was mentioned above, this scenario
poses a serious danger to grid stability.
In places where Demand-Side Management (DSM) is common this functionality may be abused in a similar way. In DSM the
@ -1004,21 +1004,21 @@ providers of meter-reading services.
Due to the critical nature of the electrical grid, we have to include hostile state actors in our attacker model. When
acting directly, these would be classified as third-party attackers by the above schema, but they can reasonably be
expected to be able to assume either of the other two roles as well e.g. through infiltration or bribery.
\textcite{fraunholz01} in their elaboration of their generalized attacker model give some classification of attackers
and provide a nice taxonomy of attacker properties. In their threat/capability rating, criminals are still considered
to have higher threat rating than state-sponsored attackers. The New York Times reported in 2016 that some states
recruit their hacking personnel in part from cyber-criminals. If this report is true, in a worst-case scenario we have
to assume a state-sponsored attacker to be the worst of both types. Comparing this against the other attacker types in
\textcite{fraunholz01}, this state-sponsored attacker is strictly worse than any other type in both variables. We are
left with a highly-skilled, very well-funded, highly intentional and motivated attacker.
expected to be able to assume either of the other two roles as well e.g. through infiltration or bribery. In the
generalized attacker model in \cite{fraunholz01} the authors give a classification of attackers and provide a nice
taxonomy of attacker properties. In their threat/capability rating, criminals are still considered to have higher threat
rating than state-sponsored attackers. The New York Times reported in 2016 that some states recruit their hacking
personnel in part from cyber-criminals. If this report is true, in a worst-case scenario we have to assume a
state-sponsored attacker to be the worst of both types. Comparing this against the other attacker types in
\cite{fraunholz01}, this state-sponsored attacker is strictly worse than any other type in both variables. We are left
with a highly-skilled, very well-funded, highly intentional and motivated attacker.
Based on the above classification of attack angles and our observations on state-sponsored attacks, we can adapt
\textcite{fraunholz01} to our problem, yielding the following new attacker types:
\cite{fraunholz01} to our problem, yielding the following new attacker types:
\begin{enumerate}
\item \textbf{Utility company insiders controlled by a state actor}
We can ignore the other internal threats described in \textcite{fraunholz01} since an insider cooperating with a
We can ignore the other internal threats described in \cite{fraunholz01} since an insider cooperating with a
state actor is strictly worse in every respect.
\item \textbf{State-sponsored external attackers}
A state actor can directly attack the system through the internet.
@ -1218,7 +1218,7 @@ several ISM bands\footnote{
these bands as long as they obtain certification that their transmitters obey certain spectral and power
limitations.
}. ZigBee is another popular standard and some vendors additionally support their own proprietary protcols\footnote{
For an example see \textcite{honeywell01}
For an example see \cite{honeywell01}.
}.
% TODO expand this?
@ -1335,7 +1335,7 @@ feedback loops to ensure voltage, load and frequency regulation. Multiple compon
lines that themselves exhibit complex dynamic behavior. The overall system is generally stable, but may exhbit some
instabilities to particular small-signal stimuli\cite{kundur01,crastan03}. These instabilities, called \emph{modes}
occur when due to mis-tuning of parameters or physical constraints the overall system exhibits oscillation at particular
frequencies. \textcite{kundur01} split these into four categories:
frequencies. These are separated into four categories in \cite{kundur01}:
\begin{description}
\item[Local modes] where a single power station oscillates in some parameter
@ -1346,15 +1346,14 @@ frequencies. \textcite{kundur01} split these into four categories:
\end{description}
The oscillation frequencies associated with each of these modes are usually between a few tens of Millihertz and a few
Hertz, see for example \textcite{grebe01} and \textcite{entsoe01}. It is hard to predict the particular modes of a
power system at the scale of the central-european interconnected system. Theoretical analysis and simulation may give
rough indications but cannot yield conclusive results. Due to the obvious danger as well as high economical impact due
to inefficiencies experimental measurements are infeasible. Finally, modes are highly dependent on the power grid's
structure and will change with changes in the power grid over time. For all of these reasons, a grid frequency
modulation system must be designed very conservatively without relying on the absence (or presence) of modes at
particular frequencies. A concrete design guideline that we can derive from this situation is that the frequency
spectrum of any grid frequency modulation system should not exhibit any notable peaks and should avoid a concentration
of spectral energy in certain frequency ranges.
Hertz\cite{grebe01,entsoe01,crastan03}. It is hard to predict the particular modes of a power system at the scale of the
central-european interconnected system. Theoretical analysis and simulation may give rough indications but cannot yield
conclusive results. Due to the obvious danger as well as high economical impact due to inefficiencies experimental
measurements are infeasible. Finally, modes are highly dependent on the power grid's structure and will change with
changes in the power grid over time. For all of these reasons, a grid frequency modulation system must be designed very
conservatively without relying on the absence (or presence) of modes at particular frequencies. A concrete design
guideline that we can derive from this situation is that the frequency spectrum of any grid frequency modulation system
should not exhibit any notable peaks and should avoid a concentration of spectral energy in certain frequency ranges.
\subsubsection{Overall system parameters}
@ -1414,11 +1413,11 @@ weaker stimulus, allowing further reduction of the probability of disturbance to
techniques also inherently allow us to tune the tradeoff between receiver sensitivity and data rate. This tunability is
a highly useful parameter to have for the overall system design.
Spread spectrum covers a whole family of techniques. \textcite{goiser01} separates these techniques into the coarse
Spread spectrum covers a whole family of techniques. In \cite{goiser01} these techniques are divided into the coarse
categories of \emph{Direct Sequence Spread Spectrum}, \emph{Frequency Hopping Spread Spectrum} and \emph{Time Hopping
Spread Spectrum}.
\textcite{goiser01} assumes a BPSK or similar modulation underlying the spread-spectrum technique. Our grid frequency
In \cite{goiser01} a BPSK or similar modulation is assumed underlying the spread-spectrum technique. Our grid frequency
modulation channel effectively behaves more like a DC-coupled wire than a traditional radio channel: Any change in
excitation will cause a proportional change in the receiver's measurement. Using our fft-based measurement methodology
we get a real-valued signed quantity. In this way grid frequency modulation is similar to a channel using coherent
@ -1468,14 +1467,11 @@ power. With lower SNR comes higher BER (bit error rate). Packet error rate grows
For our relatively long transmissions we would realistically get unacceptable error rates.
Error correcting codes are a very broad field with many options for specialization. Since we are implementing nothing
more than a prototype in this thesis we chose to not expend resources on optimization too much and settled for a
comparatively simple low-density parity check code. The state of the art has advanced considerably since the discovery
of general LDPC codes. %FIXME cite
% FIXME LDPC is old, new is Reed-Solomon!
The main areas of improvement are overhead and decoding speed. Since transmission length % FIXME have we defined this yet?
in our system limits system response time but we do not have a fixed target there we can tolerate some degree of
sub-optimal overhead. % FIXME get actual pröper numbers on our stuff vs. some state of the art citations.
Decoding speed is of no concern to us as our data rate is extremely low.
more than a prototype in this thesis we chose to not expend resources on optimization too much and settled on a basic
reed-solomon code. The state of the art has advanced considerably since the discovery of reed-solomon
codes\cite{mackay01}. The main areas of improvement are overhead and decoding speed. Since message length in our system
limits system response time but we do not have a fixed target we can tolerate some degree of overhead. Decoding speed
is of very low concern to us because our data rate is extremely low.
An important concern for our prototype implementation was the availability of reference implementations of our error
correcting code. We need a python implementation for test signal generation on a regular computer and we need a small C
@ -1597,9 +1593,8 @@ derive additional signatures by ``mixing'' the two published signatures.
\subsubsection{Winternitz signatures}
An improvement to basic Lamport signatures as described above are Winternitz signatures as detailed in
\cite{merkle01,dods01}. Winternitz signatures reduce public key length as well as signature length
for hash length $n$ from $2n$ to $\mathcal O \left(n/t\right)$ for some choice of parameter $t$ (usually a small number
such as 4).
\cite{merkle01,dods01}. Winternitz signatures reduce public key length as well as signature length for hash length $n$
from $2n$ to $\mathcal O \left(n/t\right)$ for some choice of parameter $t$ (usually a small number such as 4).
\paragraph{Setup.} The signer generates a private key $s = \left(s_i\right)$ consisting of $\ceil{\frac{n}{t}}$ random
bit strings. The signer publishes a public key $p = \left(H^{2^t}\left(s_i\right)\right)$ where each element
@ -1736,21 +1731,21 @@ domain knowledge about the expected frequency spectrum of the signal can be empl
techniques to re-construct the precise frequency of the spectrum's main component despite comparatively coarse STFT
resolution and despite numerous distortions.
Published grid frequency estimation algorithms such as \textcite{narduzzi01} or \textcite{derviskadic01} are rather
sophisticated and use a combination of techniques to reduce numerical errors in FFT calculation and peak fitting. Given
that we do not need reference standard-grade accuracy for our application we chose to start with a very basic algorithm
instead. We chose to use a general approach to estimate the precise fundamental frequency of an arbitrary signal that
was developed by experimental physicists at CERN and that is described by \textcite{gasior01}. This approach assumes a
general sinusoidal signal superimposed with harmonics and broadband noise. Applicable to a wide spectrum of practical
signal analysis tasks it is a reasonable first-degree approximation of the much more sophisticated estimation algorithms
developed specifically for power systems. Some algorithms have components such as kalman filters\cite{narduzzi01} that
require a phyiscal model. As a general algorithm from \textcite{gasior01} does not require this kind of
application-specific tuning, eliminating one source of error.
Published grid frequency estimation algorithms such as \cite{narduzzi01,derviskadic01} are rather sophisticated and use
a combination of techniques to reduce numerical errors in FFT calculation and peak fitting. Given that we do not need
reference standard-grade accuracy for our application we chose to start with a very basic algorithm instead. We chose to
use a general approach to estimate the precise fundamental frequency of an arbitrary signal that was published by
experimental physicists Gasior and Gonzalez at CERN\cite{gasior01}. This approach assumes a general sinusoidal signal
superimposed with harmonics and broadband noise. Applicable to a wide spectrum of practical signal analysis tasks it is
a reasonable first-degree approximation of the much more sophisticated estimation algorithms developed specifically for
power systems. Some algorithms have components such as kalman filters\cite{narduzzi01} that require a phyiscal model.
As a general algorithm \cite{gasior01} does not require this kind of application-specific tuning, eliminating one source
of error.
The \textcite{gasior01} algorithm passes the windowed input signal through a DFT, then interpolates the signal's
fundamental frequency by fitting a wavelet such as a gaussian to the largest peak in the DFT results. The bias parameter
of this curve fit is an accurate estimation of the signal's fundamental frequency. This algorithm is similar to the
simpler interpolated DFT algorithm used as a reference in much of the synchrophasor estimation
The Gasior and Gonzalez algorithm\cite{gasior01} passes the windowed input signal through a DFT, then interpolates the
signal's fundamental frequency by fitting a wavelet such as a gaussian to the largest peak in the DFT results. The bias
parameter of this curve fit is an accurate estimation of the signal's fundamental frequency. This algorithm is similar
to the simpler interpolated DFT algorithm used as a reference in much of the synchrophasor estimation
literature\cite{borkowski01}. The three-term variant of the maximum sidelobe decay window often used there is a blackman
window with parameter $\alpha = \frac{1}{4}$. Analysis has shown\cite{belega01} that the interpolated DFT algorithm is
worse than algorithms involving more complex models under some conditions but that there is \emph{no free lunch} meaning
@ -1906,15 +1901,15 @@ with IO contention on the raspberry PI/linux side causing only 16 skipped sample
\subsection{Frequency sensor measurement results}
Captured raw waveform data has been processed in the Jupyter Lab environment\cite{kluyver01} and grid frequency
estimates are extracted as described in sec. \ref{frequency_estimation} using the \textcite{gasior01} technique.
Appendix \ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency measurement. In Figure
\ref{freq_meas_feedback} we fed back to the frequency estimator its own output giving us an indication of its numerical
performance. The result was \SI{1.3}{\milli\hertz} of RMS noise over a \SI{3600}{\second} simulation time. This
indicates performance is good enough for our purposes. In addition to this we validated our algorithm's performance by
applying it to the test waveforms from \textcite{wright01}. In this test we got errors of \SI{4.4}{\milli\hertz} for the
\emph{noise} test waveform, \SI{0.027}{\milli\hertz} for the \emph{interharmonics} test waveform and
\SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in Figure
\ref{freq_meas_rocof_reference}.
estimates are extracted as described in sec. \ref{frequency_estimation} using the Gasior and Gonzalez\cite{gasior01}
technique. Appendix \ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency
measurement. In Figure \ref{freq_meas_feedback} we fed back to the frequency estimator its own output giving us an
indication of its numerical performance. The result was \SI{1.3}{\milli\hertz} of RMS noise over a \SI{3600}{\second}
simulation time. This indicates performance is good enough for our purposes. In addition to this we validated our
algorithm's performance by applying it to the test waveforms from \cite{wright01}. In this test we got errors of
\SI{4.4}{\milli\hertz} for the \emph{noise} test waveform, \SI{0.027}{\milli\hertz} for the \emph{interharmonics} test
waveform and \SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in
Figure \ref{freq_meas_rocof_reference}.
Figures \ref{freq_meas_trace} and \ref{freq_meas_trace_mag} show our measurement results over a 24-hour and a 2-hour
window respectively.
@ -1937,8 +1932,8 @@ window respectively.
\centering
\includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_rocof_reference}
\caption{
Performance of our frequency estimation algorithm against the test suite specified in \textcite{wright01}. Shown
are standard deviation and variance measurements as well as time-domain traces of differences.
Performance of our frequency estimation algorithm against the test suite specified in \cite{wright01}. Shown are
standard deviation and variance measurements as well as time-domain traces of differences.
}
\label{freq_meas_rocof_reference}
\end{figure}