ma: add conclusion, add some polish, add version numbering

jaseg 2020-05-28 11:16:27 +02:00
parent 2f2cb339b6
commit a1e6a1115d
2 changed files with 78 additions and 46 deletions


@ -15,11 +15,14 @@ safety_reset.pdf: resources/gps_clock_jitter_analysis.pdf
safety_reset.pdf: resources/dsss_experiments-ber.pdf
safety_reset.pdf: resources/freq_meas_validation_rocof_testsuite.pdf
%.pdf: %.tex %.bib
%.pdf: %.tex %.bib version.tex
pdflatex -shell-escape $<
biber $*
pdflatex -shell-escape $<
version.tex: safety_reset.tex safety_reset.bib
git describe --tags --long --dirty > $@
resources/%.pdf: $(LAB_PATH)/%.ipynb
jupyter-nbconvert --to=pdf --output-dir=resources --output=$* --LatexExporter.template_file=resources/nbexport.tplx $^
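Review bot: the new `version.tex` rule only re-runs when `safety_reset.tex` or `safety_reset.bib` change, but the output of `git describe --tags --long --dirty` also changes when a tag is added, a commit touches other files, or the work tree becomes dirty, so the version string embedded in the PDF can go stale without make noticing. Either mark `version.tex` `.PHONY` (it is cheap to regenerate and `%.pdf` already depends on it) or add `.git/HEAD` and `.git/index` to its prerequisites so the embedded version tracks the actual repository state.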


@ -41,6 +41,7 @@
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
@ -87,6 +88,22 @@
\mitverteidigung % entfernen, falls keine Verteidigung erfolgt %FIXME
\makeTitel
\selbstaendigkeitserklaerung{31.03.2020}
\vfill
\begin{minipage}[t][10cm][b]{\textwidth}
\center{\ccbysa}
\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The full
text of the license can be found at:}
\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
\center{For alternative licensing options, source files, questions or comments please contact the author at
\texttt{masterarbeit@jaseg.de}}.
\center{This is version \texttt{\input{version.tex}\unskip}. The git repository can be found at:}
\center{\url{https://git.jaseg.de/master-thesis.git}}
\end{minipage}
\newpage
% Hier folgt die eigentliche Arbeit (bei doppelseitigem Druck auf einem neuen Blatt):
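Review bot: `\center{...}` in the new licence block is not a command that takes an argument; `\center` is the start of the `center` environment, so `\center{\ccbysa}` happens to work only because the braces form a group after the environment switch, and the unmatched `\center` without `\endcenter` can produce spurious vertical space or warnings. Use `\begin{center} ... \end{center}` around the whole block (or `\centering` inside the minipage) and drop the per-line `\center`. Also, in `\texttt{masterarbeit@jaseg.de}}.` the closing brace lands before the full stop, so the period sits outside the centred group; move it inside. Finally, `\input{version.tex}` means a stand-alone `pdflatex safety_reset.tex` now fails unless `make` has generated the file first; a comment next to the `\input` pointing at the Makefile rule would save the next person that surprise.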
@ -139,9 +156,9 @@ A remotely exploitable flaw inside a smart meter's firmware\footnote{
There are several smart metering architectures that ascribe different roles to the component called \emph{smart
meter}. Coarsely divided into two camps these are systems where all metering and communication code resides within
one physical unit and systems where metering and communication are separated into two units, the \emph{smart meter}
and the \emph{smart meter gateway}. An example for the former are setups in the USA, an example of the latter is the
one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the entire system at
the customer premises including both the meter and a potential gateway.
and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in the USA, an example of
the latter is the one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the
entire system at the customer premises including both the meter and a potential gateway.
} could have consequences ranging from impaired billing
functionality to an existential threat to grid stability\cite{anderson01,anderson02}. A coördinated attack on meters in
a country where load switches are common could at worst cause widespread activation of grid safety systems by repeatedly
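Review bot: the citation key `stuber01` is introduced in this commit (here and again in the figure sentence of the next hunk) but no change to `safety_reset.bib` is part of the diff; an undefined key does not fail the build, biber only warns and the PDF shows the raw key, so please confirm the entry exists. It would also read better attached to the claim it supports (the USA-versus-Germany architecture comparison in the following sentence) rather than to the term `\emph{smart meter gateway}` mid-sentence.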
@ -382,7 +399,7 @@ customers in situations where that was not previously economically possible\foot
introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new
tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some
time after publication, but the internet archive has a copy.
}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household.
}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household\cite{stuber01}.
\begin{figure}
\centering
@ -1288,7 +1305,7 @@ P}{\Delta f}$, called \emph{Overall Network Power Frequency Characteristic} by E
\SI{25}{\giga\watt\per\hertz}.
We can derive general design parameter for any system utilizing grid frequency as a communications channel from the
policies of ENTSO-E\cite{entsoe02,entsoe03}. Probably any such system should stay below a modulation amplitude of
policies of ENTSO-E\cite{entsoe02,entsoe03}. Any such system should stay below a modulation amplitude of
\SI{100}{\milli\hertz} which is the threshold defined in the ENTSO-E incidents classification scale for a Scale 0-1
(from "Anomaly" to "Noteworthy Incident" scale) frequency degradation incident\cite{entsoe03} in the continental europe
synchronous area.
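Review bot: dropping "Probably" turns a hedged observation into a definite design requirement; since the 100 mHz figure is backed by `\cite{entsoe03}` this is fine, but "should stay below" could then become "must stay below" for consistency with a stated requirement. Two style points in the same sentence: `(from "Anomaly" to "Noteworthy Incident" scale)` uses straight double quotes where the rest of the document uses ``...'' (see the quotes in the next hunk), and "continental europe synchronous area" should be capitalised as "Continental Europe synchronous area", matching the ENTSO-E name.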
@ -1297,10 +1314,9 @@ synchronous area.
The ENTSO-E Operations Handbook Policy 1 chapter defines the activation threshold of primary control to be
\SI{20}{\milli\hertz}. Ideally a modulation system would stay well below this threshold to avoid fighting the primary
control reserve. Modulation line rate should probably be on the order of a few hundred millibaud.
% TODO is using "probably" here and in the previous paragraph ok?
Modulation at such high rates would outpace primary control action which is specified by ENTSO-E as acting within
between ``a few seconds'' and \SI{15}{\second}.
control reserve. Modulation line rate should likely be on the order of at most a few hundred millibaud. Modulation at
such high rates would outpace primary control action which is specified by ENTSO-E as acting within between ``a few
seconds'' and \SI{15}{\second}.
The effective \emph{Network Power Frequency Characteristic} of primary control in the european grid is reported by
ENTSO-E at around \SI{20}{\giga\watt\per\hertz}. Keeping modulation amplitude below this threshold would help to avoid
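Review bot: "should likely be on the order of at most a few hundred millibaud" stacks three hedges ("likely", "on the order of", "at most") and reads awkwardly; suggest "should be at most on the order of a few hundred millibaud", which keeps the bound and answers the removed TODO about "probably". In the following sentence, "acting within between ``a few seconds'' and \SI{15}{\second}" is redundant; "acting between ``a few seconds'' and \SI{15}{\second}" suffices. "european grid" in the trailing context line should likewise be "European grid".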
@ -1452,10 +1468,10 @@ excitation will cause a proportional change in the receiver's measurement. Using
we get a real-valued signed quantity. In this way grid frequency modulation is similar to a channel using coherent
modulation. We can transmit not only signal strength, but polarity too.
For our purposes we can discount both Time and Frequency Hopping Spread Spectrum techniques. Time
hopping aids to reduce interference between multiple transmitters but does not help with SNR any more than Direct
Sequence does. % FIXME verify this.
Our system is strictly limited to a single transmitter so we do not gain anything through Time Hopping.
For our purposes we can discount both Time and Frequency Hopping Spread Spectrum techniques. Time hopping aids to reduce
interference between multiple transmitters but does not help with SNR any more than Direct Sequence does since all it
does is allowing other transmitters to transmit. Our system is strictly limited to a single transmitter so we do not
gain anything through Time Hopping.
Frequency Hopping Spread Spectrum techniques require a carrier. Grid frequency modulation itself is very limited in
peak frequency deviation $\Delta f$. Frequency hopping could only be implemented as a second modulation on top of GFM,
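Review bot: the `% FIXME verify this.` is removed, but the replacement sentence only adds a justification by assertion ("since all it does is allowing other transmitters to transmit") without a reference, so the claim that Time Hopping brings no SNR gain over Direct Sequence is no more verified than before; either cite a spread-spectrum text for it or keep the FIXME. Grammar in the same clause: "all it does is allow other transmitters to transmit" (bare infinitive), or better "its only effect is to let other transmitters share the channel".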
@ -2619,11 +2635,24 @@ microcontroller providing this type of virtualization on the one hand and the co
virtualization on the other hand. Virtualization systems such as TrustZone are still orders of magnitude more complex to
correctly configure than it is to simply use separate hardware and secure the interfaces in between.
\chapter{Alternative uses of grid frequency modulation}
% FIXME random beacons? funky consensus protocols? proof of knowledge/cryptographic notary service?
\chapter{Conclusion}
%FIXME
In this thesis we have developed an end-to-end design of a reset system to restore smart meters to a safe operating
state during an ongoing large-scale cyberattack. We have laid out the fundamentals of smart metering infrastructure and
elaborated the need for an out-of-band method to reset device firmware due to the large attack surface of this complex
firmware. To allow our system to be triggered even in the middle of a cyberattack we have developed a broadcast data
transmission system based on intentional modulation of global grid frequency. We have developed the theoretical
foundations of the process based on an established model of inertial grid frequency response to load variations and
shown the veracity of our end-to-end design through extensive simulations. To properly base these simulations we have
developed a grid frequency measurement methodology comprising of a custom-designed hardware device for electrically safe
data capture and a set of software tools to archive and process captured data. Our simulations show good behavior of our
broadcast communication system and give an indication that coöperating with a large consumer such as an aluminium
smelter would be a feasible way to set up a transmitter at very low hardware overhead. Based on our broadcast primitive
we have developed a cryptographic protocol ready for embedded implementation in resource-constrained systems that allows
quick (response time less than 30 minutes) triggering of all or a selected subset of devices. Finally, we have
experimentally validated our system using simulated grid frequency data in a demonstrator setup based on a commercial
microcontroller as our safety reset controller and an off-the-shelf smart meter. We have laid out a path for further
research and standardization related to our system.
\newpage
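Review bot: the `%FIXME` directly under `\chapter{Conclusion}` is now stale since the chapter has its text, and `\chapter{Alternative uses of grid frequency modulation}` remains an empty chapter with only a FIXME comment, which will render as a heading followed by nothing; either fill it, drop it, or comment the `\chapter` out until it has content. In the conclusion text itself: "comprising of" should be "comprising" (or "consisting of"); "shown the veracity of our end-to-end design" is better as "shown the validity of our end-to-end design" (veracity refers to truthfulness of statements); and "response time less than 30 minutes" is the only concrete figure in the chapter, so it should match the number given in the protocol chapter or carry a `\ref` to where it is derived.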
@ -2632,12 +2661,12 @@ correctly configure than it is to simply use separate hardware and secure the in
\newpage
\appendix
\chapter{Transcripts of Jupyter notebooks used in this thesis}
%\chapter{Transcripts of Jupyter notebooks used in this thesis}
\includenotebook{Grid frequency estimation}{grid_freq_estimation}
\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
%\includenotebook{Grid frequency estimation}{grid_freq_estimation}
%\includenotebook{Grid frequency estimation validation against ROCOF test suite}{freq_meas_validation_rocof_testsuite}
%\includenotebook{Frequency sensor clock stability analysis}{gps_clock_jitter_analysis}
%\includenotebook{DSSS modulation experiments}{dsss_experiments-ber}
\chapter{Frequency sensor schematics}
\fancyhead[C]{Frequency sensor schematics (1/3)}
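Review bot: commenting out the notebook-transcript appendix is not mentioned in the commit message ("add conclusion, add some polish, add version numbering") and leaves the Makefile inconsistent: `safety_reset.pdf` still depends on `resources/dsss_experiments-ber.pdf`, `resources/freq_meas_validation_rocof_testsuite.pdf` and `resources/gps_clock_jitter_analysis.pdf`, so every build still runs `jupyter-nbconvert` to produce PDFs the document no longer includes. If the removal is temporary (e.g. for faster compile turnaround), say so in a comment next to the commented `\chapter`; if it is permanent, delete the lines (git keeps the history) and drop the corresponding prerequisites from the Makefile.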
@ -2650,29 +2679,29 @@ correctly configure than it is to simply use separate hardware and secure the in
\includepdf[fitpaper,landscape,pagecommand={\thispagestyle{fancy}}]{resources/platform-export-pg3.pdf}
\fancyfoot[C]{\thepage}
\chapter{Firmware source code excerpts}
\section{DMA-backed ADC capture (adc.c)}
\inputminted[fontsize=\footnotesize,linenos,firstline=18,lastline=115,breaklines]{C}{../gm_platform/fw/adc.c}
\section{Frequency sensor packetized serial interface}
\subsection{serial.c}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/serial.c}
\subsection{packet\_interface.c}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/packet_interface.c}
\subsection{cobs.c}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/cobs.c}
\subsection{Host data logging utility (tw\_test.py)}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{python}{../gm_platform/fw/tw_test.py}
\section{Frequency estimation (freq\_meas.c)}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/freq_meas.c}
\section{DSSS demodulation (dsss\_demod.c)}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/dsss_demod.c}
\section{Cryptographic protocol handling}
\subsection{protocol.c}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/protocol.c}
\subsection{crypto.c}
\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/crypto.c}
%\chapter{Firmware source code excerpts}
%\section{DMA-backed ADC capture (adc.c)}
%\inputminted[fontsize=\footnotesize,linenos,firstline=18,lastline=115,breaklines]{C}{../gm_platform/fw/adc.c}
%
%\section{Frequency sensor packetized serial interface}
%\subsection{serial.c}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/serial.c}
%\subsection{packet\_interface.c}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/packet_interface.c}
%\subsection{cobs.c}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../gm_platform/fw/cobs.c}
%\subsection{Host data logging utility (tw\_test.py)}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{python}{../gm_platform/fw/tw_test.py}
%
%\section{Frequency estimation (freq\_meas.c)}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/freq_meas.c}
%\section{DSSS demodulation (dsss\_demod.c)}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/dsss_demod.c}
%\section{Cryptographic protocol handling}
%\subsection{protocol.c}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/protocol.c}
%\subsection{crypto.c}
%\inputminted[fontsize=\footnotesize,linenos,breaklines]{C}{../controller/fw/src/crypto.c}
\chapter{Demonstrator firmware symbol size map}
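Review bot: the same question applies to the commented-out firmware source excerpts: the diff keeps roughly twenty lines of dead `%\inputminted` commands rather than removing them, and the commit message gives no reason. Note that these `\inputminted` calls are the reason the Makefile runs `pdflatex -shell-escape`; if the excerpts stay out, consider whether `-shell-escape`, which lets the TeX source execute arbitrary shell commands during the build, is still needed, and drop it if nothing else uses minted. If the excerpts are meant to return, a one-line comment stating that (and why they are disabled) would spare the next reader from guessing.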