jaseg/safety-reset
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ma: first batch of corrections

Browse source
This commit is contained in:
jaseg 2020-06-02 12:06:06 +02:00
parent 4ed43522e8
commit c4420f81ef
1 changed files with 302 additions and 308 deletions
Download patch file Download diff file Expand all files Collapse all files

610
ma/safety_reset.tex
View file

@ -1,7 +1,7 @@
\documentclass[12pt,a4paper,notitlepage]{report}
\usepackage[ngerman, english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry}
\usepackage[a4paper, top=2cm, bottom=3.5cm, left=3cm, right=4cm]{geometry}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
@ -118,22 +118,22 @@
\chapter{Introduction}
%FIXME: sprinkle this section with citations.
Like in all fields of engineering there is an ongoing diffusion of information systems into industrial control systems
in the power grid. Automation of these control systems has been practised for the better part of a century already.
Until recently this automation was mostly limited to core components of the grid. Generators in power stations are
computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow
for fast failure recovery. Humans are still vital to these systems, but their tasks have shifted from pure operation to
engineering, maintenance and surveillance.
In the power grid as in other engineered systems we can observe an ongoing diffusion of information systems into
industrial control systems. Automation of these control systems has been practised for the better part of a century
already. Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in
power stations are computer-controlled according to electromechanical and economic models. Switching in substations is
automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have
shifted from pure operation to engineering, maintenance and surveillance.
A large-scale trend in power systems is the move from a model of centralized generation built around massive large-scale
fossil and nuclear power plants towards a more heterogenous model. In this new model large-scale fossil power plants
still serve a major role but two new factors come into play. One is the advance of renewable energies. The large-scale
use of wind and solar power in particular from a current standpoint seems unavoidable for our continued existence on
this planet. For the electrical grid however, these systems constitute a significant challenge. Fossil-fueled power
plants can be precisely controlled to match the expected energy consumption at any point in time. This tracking of
production and consumption is vital to the stability of the grid. Renewable energies such as wind and solar power do not
provide the same degree of controllability, and they introduce a large degree of uncertainty due to the
unpredictable way of the forces of nature.
With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation
built around massive large-scale fossil and nuclear power plants towards a more heterogenous model of smaller-scale
generators working together. In this new model large-scale fossil power plants still serve a major role but two new
factors come into play. One is the advance of renewable energies. The large-scale use of wind and solar power in
particular from a current standpoint seems unavoidable for our continued existence on this planet. For the electrical
grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and
quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the
grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they
introduce a large degree of uncertainty due to the unpredictable way of the forces of nature.
Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation.
In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid
@ -146,52 +146,51 @@ computerization of end-user energy metering. Despite the widespread use of indus
electrical grid and the far-reaching diffusion of computers into people's everyday lifes the energy meter has long been
one of the last remnants of an offline, analog time. Until the 2010s many households were still served through
electromechanical Ferraris-style meters that have their origin in the late 19th
century\cite{borlase01,ukgov04,bnetza02}.
Today under the umbrella term \emph{Smart Grid} the shift towards fully computerized, often networked meters has been
partially accomplished. The roll out of these \emph{Smart Meters} has not been very smooth overall with some countries
severely lagging behind other countries. As a safety-critical technology smart meter technology is usually standardized
on a per-country basis. This leads to an inhomogenous landscape with in some instances wildly incompatible systems.
Often vendors only serve a single country or have a separate model of their meter for each country. This complex
standardization landscape and market situation has led to a proliferation of highly complex, custom-coded
microcontroller firwmare. The complexity and scale of this often network-connected firmware makes for a ripe substrate
for bugs to surface.
century\cite{borlase01,ukgov04,bnetza02}. Today under the umbrella term \emph{Smart Metering} the shift towards fully
computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very
smooth overall with some countries severely lagging behind other countries. As a safety-critical technology smart
metering technology is usually standardized on a per-country basis. This leads to an inhomogenous landscape with in some
instances wildly incompatible systems. Often vendors only serve a single country or have separate models of a meter for
each country. This complex standardization landscape and market situation has led to a proliferation of highly complex,
custom-coded microcontroller firwmare. The complexity and scale of this often network-connected firmware makes for a
ripe substrate for bugs to surface.
A remotely exploitable flaw inside a smart meter's firmware\footnote{
There are several smart metering architectures that ascribe different roles to the component called \emph{smart
meter}. Coarsely divided into two camps these are systems where all metering and communication code resides within
one physical unit and systems where metering and communication are separated into two units, the \emph{smart meter}
and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in the USA, an example of
the latter is the one in Germany. For clarity in this introductory chapter we use \emph{smart meter} to describe the
entire system at the customer premises including both the meter and a potential gateway.
} could have consequences ranging from impaired billing
functionality to an existential threat to grid stability\cite{anderson01,anderson02}. A coördinated attack on meters in
a country where load switches are common could at worst cause widespread activation of grid safety systems by repeatedly
connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}.
meter}. Coarsely divided into two camps these are systems where all metering and communication functions resides
within one physical unit and systems where metering and communication functions are separated into two units called
the \emph{smart meter} and the \emph{smart meter gateway}\cite{stuber01}. An example for the former are setups in
the USA, an example of the latter is the setup in Germany. For clarity, in this introductory chapter we use
\emph{smart meter} to describe the entire system at the customer premises including both the meter and a potential
gateway.
} could have consequences ranging from impaired billing functionality to an existential threat to grid
stability\cite{anderson01,anderson02}. In a country where meters commonly include disconnect switches for purposes such
as prepaid tariffs a coördinated attack could at worst cause widespread activation of grid safety systems by repeatedly
connecting and disconnecting Megawatts of load capacity in just the wrong moments\cite{wu01}.
Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous
complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization
landscape makes a coördinated, comprehensive response unlikely.
In this thesis instead of lamenting the state of firmware security we introduce a pragmatic solution to the in our minds
likely scenario of a large-scale compromise of smart meter firmware. In our proposal the components of the smart meter
that are threatened by remote compromise are equipped with a physically separate \emph{safety reset controller} that
listens for a reset command transmitted through the electrical grid itself and on reception forcibly resets the smart
meter's entire firmware to a known-good state. Our safety reset controller receives commands through Direct Sequence
Spread Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium
smelter. After forward error correction and cryptographic verification it re-flashes the target application
microcontroller over the standard JTAG interface.
In this thesis instead of focusing on the very hard task of improving firmware security we introduce a pragmatic
solution to the in our minds likely scenario of a large-scale compromise of smart meter firmware. In our proposal the
components of the smart meter that are threatened by remote compromise are equipped with a physically separate
\emph{safety reset controller} that listens for a reset command transmitted through the electrical grid's frequency and
on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller
receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a
large controllable load such as an aluminium smelter. After forward error correction and cryptographic verification it
re-flashes the meter's main microcontroller over the standard JTAG interface.
In this thesis starting from a high-level architecture we have carried out extensive simulations of our proposal's
In this thesis, starting from a high-level architecture we have carried out extensive simulations of our proposal's
performance under real-world conditions. Based on these simulations we implemented an end-to-end prototype of our
proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validate our
results and give an outline of further steps towards practical implementation.
proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validated
our results and we will conclude with an outline of further steps towards a practical implementation.
\chapter{Fundamentals}
\section{Structure and operation of the electrical grid}
Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic aspects of
Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic concepts of
modern power grids.
\subsection{Structure of the electrical grid}
@ -202,9 +201,9 @@ interconnected by long transmission lines. Mostly due to ohmic losses\footnote{
U_\text{drop} \cdot I = I^2 \cdot R$. Fixing power $P_\text{transmitted} [W] = U_\text{line} \cdot I$ this yields a
dependency on line voltage $U_\text{line} [V]$ of $P_\text{loss} =
\left(\frac{P_\text{transmitted}}{U_\text{line}}\right)^2 \cdot R$. Thus, ignoring other losses a $2\times$ increase
in transmission voltage halves current and cuts ohmic losses to a quarter. In practice the economics of this are
much more complicated due to the cost of better isolation for higher-voltage parts and the added factor of power
factor compensation. }
in transmission voltage halves current and cuts ohmic losses to a quarter. In practice the economics are much more
complicated due to the cost of better insulation for higher-voltage parts and the cost of power factor compensation.
}
the efficiency of transmission of electricity through long transmission lines increases with the square of
voltage\cite{crastan01,simon01}. % simon01: p. 425, 9.4.1.1, crastan p.55, 3.1
In practice economic considerations take into account a reduction of the considerable transmission losses (about
@ -213,8 +212,8 @@ and the cost increase for the increased volatage rating of components such as tr
considerations have led to a hierarchical structure where large amounts of energy are transmitted over very long
distances (up to thousands of kilometers) at very high voltages (upwards of \SI{200}{\kilo\volt}) and voltages get lower
the closer one gets to end-customer premises. In Germany at the local level a substation will distribute
\SIrange{10}{30}{\kilo\volt} to large industrial consumers and streets with small transformer substations converting
this to the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}.
\SIrange{10}{30}{\kilo\volt} to large industrial consumers and small transformer substations which converting this to
the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}.
\subsubsection{Transmission lines, bus bars and tie lines}
@ -223,61 +222,63 @@ parts of a substation are called \emph{bus bars}. Transmission lines that couple
called \emph{tie lines}. A tie line often connects grid segments operated by two different operators e.g.\ across a
country border.
\emph{Short} transmission lines can be approximated as a simple lumped-component
RLC\footnote{resistor-inductor-capacitor} circuit. In this case the effect of wave propagation along the line does not
have to be taken into consideration. In this lumped model the transmission line is represented by a circuit of one or
two inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long}
In mathematical analysis \emph{short} transmission lines can be approximated as a simple lumped-component
RLC\footnote{Resistor-inductor-capacitor.} circuit. In longer lines the effect of wave propagation along the line has to
be taken into consideration. In the lumped model the transmission line is represented by a circuit of one or two
inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long}
transmission lines above \SI{50}{\kilo\meter} (cable) or \SI{250}{\kilo\meter} (overhead lines) this approximation
breaks down and wave propagation along the line's length has to be taken into account. The resulting model is what RF
engineering calls a \emph{transmission line} and models the line's parasitics\footnote{stray capacitance, ohmic
resistance and stray inductance} as being uniformly distributed along the length of the line. To approximate this model
in lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This
complex structure makes modelling more difficult in comparison to short lines\cite{crastan01}.
engineering calls a transmission line and models the line's parasitics\footnote{Stray capacitance, ohmic resistance and
stray inductance.} as being uniformly distributed along the length of the line. To approximate this model in
lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This complex
structure makes simulation and analysis more difficult in comparison to short lines\cite{crastan01}.
Almost all transmission lines used in the transmission and distribution grid use three-phase AC. Long-distance overland
lines are usually implemented as overhead lines due to their low cost and ease of maintenance. Underground cables are
much more expensive due to their isolation and are only used when overhead lines cannot be used for e.g.\ safety or
aesthetic reasons. In some specialized applications such as long, high-power undersea cables high-voltage DC (HVDC) is
used. In HVDC converter stations at both ends of the line convert between three-phase AC and the line's DC voltage.
These converter stations are controlled electronically and do not exhibit any of the electromechanical effects
generators in a power plant do. Since HVDC re-synthesizes three-phase AC from DC at the receiving end of the line it can
be used to couple non-synchronous grids. This also allows for additional degrees of control over the transmission of
power compared to a regular transmission line. These technical benefits are offset by the high initial cost (mostly due
to the converter stations) leading to HVDC being used in specific situations only\cite{crastan03}.
Almost all transmission lines used in the transmission and distribution grid use three-phase alternating current (AC).
Long-distance overland lines are usually implemented as overhead lines due to their low cost and ease of maintenance.
Underground cables are much more expensive because of their insulation and are only used when overhead lines cannot be
used for reasons such as safety or aesthetics. In specialized applications such as long, high-power undersea cables
high-voltage DC (HVDC) is used. In HVDC converter stations at both ends of the line convert between three-phase AC and
the line's DC voltage. These converter stations are controlled electronically and do not exhibit any of the mechanical
inertia that is characteristic for rotating generators in a power plant. Since HVDC re-synthesizes three-phase AC from
DC at the receiving end of the line it can be used to couple non-synchronous grids. This allows for additional degrees
of control over the transmission of power compared to a regular transmission line. These technical benefits are offset
by high initial cost (mostly due to the converter stations) leading to HVDC being used in specific situations
only\cite{crastan03}.
\subsubsection{Generators}
Traditionally all generators in the power grid were synchronous machines. A synchronous machine is a generator that is
wound and connected in such a way that during normal operation its rotation is synchonous with the grid frequency. Grid
frequency and generator rotation speed are bidirectionally electromechanically coupled. If a generator would lag behind
the grid it would receive electrical energy from the grid and convert it into mechanical energy, acting as a motor.
Small deviations between rotational speed and grid frequency will be absorbed by the electromechanical coupling between
both. All generators connected to the grid operate synchronously. Maintaining this synchronization over time is the task
of complex control systems within each power station\cite{simon01,crastan01}.
Traditionally all generators in the power grid were synchronous machines. A synchronous machine is a generator whose
copper coils are wound and connected in such a way that during normal operation its rotation is synchonous with the grid
frequency. Grid frequency and generator rotation speed are bidirectionally electromechanically coupled. If a generator's
angle of rotation would lag behind the grid it would receive electrical energy from the grid and convert it into
mechanical energy, acting as a motor--When the machine leads it acts as a generator and is braked. Small deviations
between rotational speed and grid frequency will be absorbed by the electromechanical coupling between both. Maintaining
optimal synchronization over time is the task of complex control systems inside power stations' speed
governors\cite{simon01,crastan01}.
Nowadays besides traditional rotating generators the grid also contains a large amount of electronically controlled
inverters. These inverters are used in photovoltaic installations and other setups where either DC or non-synchronous AC
is to be fed into the grid. Setups like this behave differently to rotating generators. In particular \emph{inertia} in
these setups is either absent or a software parameter potentially reducing their overload capacity compared to rotating
generators. The fundamentally different nature of electronically controlled inverters has to be taken into account in
planning and regulation\cite{crastan03}.
is to be fed into the grid. Setups like these behave differently to rotating generators. In particular \emph{inertia} in
these setups is either absent or a software parameter. This potentially reduces their overload capacity compared to
rotating generators. The fundamentally different nature of electronically controlled inverters has to be taken into
account in planning and regulation\cite{crastan03}.
\subsubsection{Switchgear}
In the electrical grid switches perform various roles. The ones a computer scientist would recognize are used for
routing electricity between transmission lines and transformers and can be classified into ones that can be switched
under load (called load switches) and ones that can not (called disconnectors). The latter are used to ensure parts of
the network are free from voltage. The former are used to re-route flows of electrical currents. A major difference in
their construction is that in contrast to disconnectors load switches have built-in components that extinguish the
high-power arc discharge that forms when the circuit is interrupted under load\footnote{
the network are free from voltage e.g.\ during maintenance. The former are used to re-route flows of electrical
currents. A major difference in their construction is that in contrast to disconnectors load switches have built-in
components that extinguish the high-power arc discharge that forms when the circuit is interrupted under load\footnote{
While an arc discharge is considered a fault condition in most low-voltage systems including computers, in energy
systems it is often part of normal operation.
}. Beyond this there are circuit breakers. Circuit breakers are safety devices that can still switch even under failure
conditions at several times the circuit's nominal current. They are activated automatically on conditions such as
overcurrent or overvoltage. Fuses can be considered non-resettable switches. The fuse in a computer power supply is
barely more than a glass tube with some wire in it that is designed to melt at the designated current. In energy systems
fuses are often much more complex devices that in some cases even utilize explosivese to quickly and decisively open the
circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon01}.
}. Beyond this there are circuit breakers. Circuit breakers are safety devices that even under failure conditions can
still switch at several times the circuit's nominal current. They are activated automatically on conditions such as
overcurrent or overvoltage. Finally, fuses can be considered non-resettable switches. The fuse in a computer power
supply is barely more than a glass tube with some wire in it that is designed to melt at the designated current. In
energy systems fuses are often much more complex devices that in some cases utilize explosives to quickly and decisively
open the circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon01}.
% disconnect switches, fuses, breakers -> crastan 1 (ch. 8)
\subsubsection{Transformers}
@ -285,14 +286,15 @@ circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon
Along with transmission lines transformers are one of the main components most people will be thinking of when talking
about the electrical grid. Transformers connect grid segments at different voltage levels with one another. In the
distribution grid transformers are used to provide standard end-user voltage levels to the customer (e.g. 230/400V in
Europe) from a \SIrange{10}{25}{\kilo\volt} feeder. Transformers can also be used to convert between buses without a
fourth neutral conductor and buses with one.
Europe) from a \SIrange{10}{25}{\kilo\volt} feeder. In places that use overhead wiring to connect customer households
this is the role of the pole-mounted gray devices the size of a small refrigerator that are characteristic for these
systems. Transformers can also be used to convert between buses without a fourth neutral conductor and buses with one.
Transformers are large and heavy devices consisting of thick copper wire or copper foil windings arranged around a core
made from thin stacked, insulated iron sheets. The entire core sits within a large metal enclosure that is filled with
liquid (usually a specialized oil) for both cooling and electrical insulation. This cooling liquid is cooled by means
such as radiator fins on the transformer enclosure itself or an external radiator. Depending on the design cooling may
rely on natural convection within the cooling liquid or on electrical pumps\cite{crastan01,simon01}.
liquid (usually a specialized oil) for both cooling and electrical insulation. This cooling liquid is cooled by radiator
fins on the transformer enclosure itself or an external heat exchanger. Depending on the design cooling may rely on
natural convection within the cooling liquid or on electrical pumps\cite{crastan01,simon01}.
Transformers come in a large variety of coil and wiring configurations. There exist autotransformers where the secondary
is part of the primary (or vice-versa) that are used to translate between voltage levels without galvanic isolation at
@ -313,11 +315,11 @@ substations\cite{crastan01}.
Chokes are large inductors. In power grid applications their construction is similar to the construction of a
transformer with the exception that they only have a single winding on the core. They are used for a variety of
purposes. A frequent use is as a series inductor on one of the phases or the neutral connection to limit transient fault
currents. In addition to use as simple series inductances for current limiting inductors are also used to tune LC
circuits. One such use are Petersen coils, large inductors in series with the earth connection at a transformer's star
point are used to quickly extinguish arcs between phase and ground on a transmission line. The Petersen coil forms a
parrallel LC resonant circuit with the transmission line's earth capacitance. Tuning this circuit through adjusting the
petersen coil reduces earth fault current to levels low enough to quickly extinguish the arc\cite{simon01}.
currents. In addition to this inductors are also used to tune LC circuits. One such use are Petersen coils, large
inductors in series with the earth connection at a transformer's star point that are used to quickly extinguish arcs
between phase and ground on a transmission line. The Petersen coil forms a parrallel LC resonant circuit with the
transmission line's earth capacitance. Tuning this circuit through adjusting the petersen coil reduces earth fault
current to a level low enough to quickly extinguish the arc\cite{simon01}.
\subsubsection{Power factor correction}
@ -330,56 +332,53 @@ the current at time $t$ is linear in voltage at constant factor $\frac{1}{R}$.
In contrast to this idealized scenario reality provides us with two common issues: One, the load may be reactive. This
means its current waveform is an ideal sinusoid, but there is a phase difference between mains voltage and load current
like so: $I(t) = \frac{V(t)}{R} = \frac{1}{\left|Z\right|} V_\text{pk} \sin\paren{\omega_\text{nom} t + \varphi}$ $Z$
would be the load's complex impedance combining inductive, capacitive and resistive components and $\varphi$ the phase
difference between the resulting current waveform and the mains voltage waveform. A common case of such loads are motors
and the inductive ballasts in old fluorescent lighting fixtures.
like so: $I(t) = \frac{V(t)}{R} = \frac{1}{\left|Z\right|} V_\text{pk} \sin\paren{\omega_\text{nom} t + \varphi}$. $Z$
is the load's complex impedance combining inductive, capacitive and resistive components and $\varphi$ is the phase
difference between the resulting current waveform and the mains voltage waveform. Examples of such loads are motors and
the inductive ballasts in old fluorescent lighting fixtures.
The second potential issue are loads with non-sinusoidal current waveform. There are many classes of these but the most
common one are switching-mode power supplies. Most SMPS for modern electronic devices have an input stage consisting of
a bridge rectifier followed by a capacitor that provide high-voltage DC power to the following switch-mode convert
circuit. This rectifier-capacitor input stage under normal load draws a high current only at the very peak of the input
voltage sinusoid and draws almost zero current for most of the period.
The second potential issue are loads with a non-sinusoidal current waveform. There are many classes of these but the
most common one are the switching-mode power supplies (SMPS) used in most modern electronic devicese.. Most SMPS have an
input stage consisting of a bridge rectifier followed by a capacitor that provide high-voltage DC power to the following
switch-mode convert circuit. This rectifier-capacitor input stage under normal load draws a high current only at the
very peak of the input voltage sinusoid and draws almost zero current for most of the period.
These two cases are measured by \emph{displacement power factor} and \emph{distortion power factor} that when combined
yield the overall true power factor. The power factor is a key quantity in the design and operation of the power grid
since a high power factor (close to $1.0$ or an in-phase sinusoidal current waveform) yields lowest transmission and
generation losses.
Reactive power (also referred to as \emph{VAR} after its is unit Volt-Ampère Reactive) an important variable in the
operation of electrical grids (see sec.\ \ref{frequency_estimation}). If reactive power generation and consumption are
mismatched and power factor is low, high currents develop that lead to high transmission losses. For this reason grids
include circuits to compensate reactive power imbalances\cite{crastan01}. These circuits can be as simple as inductors
or capacitors connected to a power line but often can be switched to adapt to changing load conditions. Static Var
compensators are particularly fast-acting reactive power compensation devices whose purpose is to maintain bus
voltage\cite{rogers01}.
yield the overall true power factor. The power factor is a key quantity in the design and operation of the power grid.
As a variable in the operation of electrical grids it is also referred to as \emph{VAR} after its is unit Volt-Ampère
Reactive. A high power factor (close to $1.0$, i.e.\ an in-phase sinusoidal current waveform) yields lowest
transmission and generation losses. If reactive power generation and consumption are mismatched and power factor is
low, high currents develop that lead to high transmission losses. For this reason grids include circuits to compensate
reactive power imbalances\cite{crastan01}. These circuits can be as simple as inductors or capacitors connected to a
power line but often can be switched to adapt to changing load conditions. Static var compensators are particularly
fast-acting reactive power compensation devices whose purpose is to maintain a constant bus voltage\cite{rogers01}.
\subsubsection{Loads}
Lastly, there is the loads that the electrical grid serves. Loads range from mains-powered indicator lights in devices
such as light switches or power strips weighing in at mere milliwatts to large smelters in industrial metal production
that can consume a good fraction of a gigawatt all on their own.
that can consume a fraction of a gigawatt all on their own.
\subsection{Operational concerns}
\subsubsection{Modelling the electrical grid}
Modelling performs an important role in the engineering of a reliable power infrastructure. The grid is a complex,
highly dynamic system. To maintain operational parameters such as voltage in various parts of the grid, grid frequency
and currents inside their specified ranges complex control systems are necessary. To design and parametrize such control
systems simulations are a valuable tool. Using model calculations the effects of control systems on operational
variables such as transmission efficiency or generation losses can be estimated. Model simulations can be used to
identify structural issues such as potential points of congestion. The same models can then be used to engineer
solutions to such issues, e.g.\ by simulating the effect of a new transmission line.
highly dynamic system. To maintain operational parameters such as voltage, grid frequency and currents inside their
specified ranges complex control systems are necessary. To design and parametrize such control systems simulations are a
valuable tool. Using model calculations the effects of control systems on operational variables such as transmission
efficiency or generation losses can be estimated. Model simulations can be used to identify structural issues such as
potential points of congestion. The same models can then be used to engineer solutions to such issues, e.g.\ by
simulating the effect of a new transmission line.
There are several aspects under which the grid or parts of the grid can be simulated. There are static analysis methods
such as modal analysis that yield information on electromechanical oscillations by computing the eigenvalues of a
large system of differential equations describing the collective behavior of all components of the grid. Modal analysis
is one example of simulations used in grid planning. Using modal analysis likely oscillatory modes can be identified and
ultimately these results can inform a decision to install additional stabilization systems in a particular location.
In contrast to static analysis, transient simulations calculate an approximation of the time-domain behavior of some
variable of interest under a given model. Transient simulations are used e.g.\ in the design of control systems.
Power flow equations describe the flow of electrical energy throughout the network from generator to load. Numerical
solutions these equations are used to optimize control parameters to increase overall efficiency.
such as modal analysis that yield information on problematic electromechanical oscillations by computing the eigenvalues
of a large system of differential equations describing the collective behavior of all components of the grid. Modal
analysis is one example of simulations used in grid planning. Modal analysis is used in decisions to install additional
stabilization systems in a particular location. In contrast to static analysis, transient simulations calculate an
approximation of the time-domain behavior of some variable of interest under a given model. Transient simulations are
used e.g.\ in the design of control systems. Finally, power flow equations describe the flow of electrical energy
throughout the network from generator to load. Numerical solutions these equations are used to optimize control
parameters to increase overall efficiency.
% TODO decide what of this to keep.
% \subsubsection{Generator controls}
@ -389,96 +388,100 @@ solutions these equations are used to optimize control parameters to increase ov
\section{Smart meter technology}
Smart meters were a concept pushed by utility companies throughout the 00's. Smart metering is one component of the
Smart meters were a concept pushed by utility companies throughout the early 21st century. Smart metering is one component of the
larger societal shift towards digitally interconnected technology. Old analog meters required that service pesonnel
physically come to read the meter. \emph{Smart} meters automatically transmit their readings through modern
technologies. Utility companies were very interested in this move not only because of the cost savings for meter reading
personnel. Beyond this, an always-connected meter allows several entirely new use cases that have not been possible
before. One often-cited one is utilizing the new high-resolution load data to improve load forecasting to allow for
greater generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no
longer fixed over time but adapts to market conditions. Models such as prepayment electricity plans where the customer
is automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be
personnel: An always-connected meter also allows several entirely new use cases that have not been possible before. One
often-cited one is utilizing the new high-resolution load data to improve load forecasting to allow for greater
generation efficiency. Computerizing the meter also allows for new fee models where electricity cost is no longer fixed
over time but adapts to market conditions. Models such as prepayment electricity plans where the customer is
automatically disconnected until they pay their bill are significantly aided by a fully electronic system that can be
controlled and monitored remotely\cite{anderson02}. A remotely controllable load switch can also be used to coerce
customers in situations where that was not previously economically possible\footnote{
The swiss association of electrical utility companies in sec.\ 7.2 par.\ (2)a of their 2010 whitepaper on the
introduction of smart metering\cite{vseaes01} cynically writes that remotely controllable load switches ``lead a new
tenant to swiftly register'' with the utility company. This whitepaper completely vanished from their website some
time after publication, but the internet archive has a copy.
}. Figure \ref{fig_smgw_schema} shows a schema of the smart metering installation in a typical household\cite{stuber01}.
}. Figure \ref{fig_smgw_schema} shows a schema of a smart metering installation in a typical household\cite{stuber01}.
\begin{figure}
\centering
\includegraphics{resources/smgw_usage_scenario}
\caption{A typical usage scenario of a smart metering system in a typical home.}
\caption{A typical usage scenario of a smart metering system in a typical home. This diagram shows a gateway
connected to multiple smart meters through its local metrological network (LMN) and a multitude of devices on the
customer's home area network (HAN). A solar inverter and an electric car are connected through a controllable local
systems (CLS) adaptor.}
\label{fig_smgw_schema}
\end{figure}
To the customer the utility of a smart meter is largely limited to the convenience of being able to read it without
going to the basement. In the long term it is said that there will be second-order savings to the customer since
going to their basement. In the long term it is said that there will be second-order savings to the customer since
electricity prices adapting to the market situation along with this convenience will lead them to consume less
electricity and to consume it in a way that is more amenable to utilities, both leading to reduced
cost\cite{borlase01,bmwi03,anderson02}.
Traditional Ferraris counters with their distinctive rotating aluminium disc are simple electromechanical devices. Since
it does not include any failure-prone semiconductors or other high technology a cheap Ferraris-style meter can easily
last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to develop
in the first place since they require the development and integration of large amounts of complex, custom firwmare. Once
deployed, their lifetime is severely limited by this very complexity. Complex semiconductor devices tend to fail, and
firmware that needs to communicate with the outside world tends to not age well\cite{borkar01}.
This combination of higher unit cost and lower expected lifetime leads to grossly increased costs per household. This
cost is usually shared between utility and customer.
they do not include any semiconductors or other high technology that might be prone to failure a cheap Ferraris-style
meter can last decades. In contrast to this, smart meters are complex high technology. They are vastly more expensive to
develop in the first place since they require the development and integration of large amounts of complex, custom
firwmare. Once deployed, their lifetime is limited by this complexity. Complex semiconductor devices tend to fail, and
firmware that needs to communicate with the outside world tends to not age well\cite{borkar01}. This combination of
higher unit cost and lower expected lifetime leads to increased costs per household. This cost is usually shared between
utility and customer.
As part of its smart metering rollout the German government in 2013 had a study conducted on the economies of smart
meter installations. This study came to the conclusion that for the majority of households computerizing an existing
ferraris meter is uneconomical. For larger consumers or new installations the higher cost of installation over time is
offset by the resulting savings in electricity cost\cite{bmwi03}.
expected to be offset by the resulting savings in electricity cost\cite{bmwi03}.
\subsection{Human-Computer Interaction aspects of smart meter technology}
\subsection{Smart metering and Human-Computer Interaction}
A fundamental aspect in realizing the cost and energy savings promised by the smart metering revolution is that it
requires a paradigm shift in consumer interaction. Previously most consumers would only confront their energy use when
their monthly or yearly electricity bill arrived. All of the cost savings smart meters promise over traditional metering
infrastructure\footnote{
We are excluding savings from Demand-Side Response (DSR) implemented through smart meters here: Traditional ripple
control systems already allowed for these, and due to the added cost of high-power relays many smart meters do not
include such features.
} critically depend on the consumer regularly interacting with the meter through an in-home display or app. We live in
an era where our attention is already highly contested. A myriad of apps and platforms compete for our attention through
our smart phones and other devices. Introducing an entirely new service into this already complex battleground is a large
endeavour. On the one hand it is not clear how this new service would compete with everything else. On the other hand if
it does manage to capture our attention and lead us to modify our behavior, what are the side effects? For instance,
does an in-home display increase financial anxiety in economically disadvantaged customers?
A fundamental aspect in realizing many of the cost and energy savings promised by the smart metering revolution is that
it requires a paradigm shift in consumer interaction. Previously most consumers would only confront their energy use
when they receive their monthly or yearly electricity bill. A large part of the cost savings smart meters promise over
traditional metering infrastructure\footnote{ We are excluding savings from Demand-Side Response (DSR) implemented
through smart meters here: Traditional ripple control systems already allowed for these\cite{dzung01}, and due to the
added cost of high-power relays many smart meters do not include such features. } critically depend on the consumer
regularly interacting with the meter through an in-home display or app, then changing their behavior. We live in an era
where our attention is already highly contested. A myriad of apps and platforms compete for our attention through our
smart phones and other devices. Introducing an entirely new service exerting cognitive pressure into this already
complex battleground is a large endeavour. On the one hand it is not clear how this new service would compete with
everything else. On the other hand if it does manage to capture our attention and lead us to modify our behavior, what
are the side effects? For instance an in-home display might increase financial anxiety in economically disadvantaged
customers.
Human Computer Interaction research has touched the topic of smart metering several times and has many insights to offer
for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. An issue pointed out in \cite{rodden01} is that at
least in some countries consumers fundamentally distrust their utility companies. This trust issue is exacerbated by
smart meters being unilaterally forced onto consumers by utility companies. Much of the success of smart metering's
ubiquitous promises of energy savings fundamentally depends on consumer coöperation. Here, the aforementioned trust
issue calls into question smart metering's chances of long-term success.
ubiquitous promises of energy savings depends on consumer coöperation. Here, the aforementioned trust issue calls into
question smart metering's chances of long-term success.
As \text{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research.
As \cite{pierce01} pointed out smart metering developments could benefit greatly from early involvement of HCI research.
HCI research certainly would not have overlooked entire central issues such as privacy as it happened in the dutch
case\cite{cuijpers01}. The current corporate-driven approach to a technological advance forced through national
standardization bears a serious risk of failing to meet its ostensible objectives for consumers. The role of consumers
and the complex sociotechnological environment posed by this new technology is seriously considered nowhere in the
standardization process. While certainly noone will admit to outright ignoring consumers in smart meter standardization
their role is largely limited to the occassional public consultation. At the same time the standards are written by
technologists--it seems largely without input on their practicality or socio-technological implications from fields such
as HCI. % TODO citation? too much burn?
standardization bears a risk of failing to meet its ostensible objectives for consumers. The role of consumers and the
complex sociotechnological environment posed by this new technology is not seriously considered in the standardization
process. While certainly no one will admit to outright ignoring consumers in smart meter standardization, their role is
largely limited to the occassional public consultation. At the same time the standards are written by technologists--it
seems largely without input on their practicality or socio-technological implications from fields such as HCI.
% TODO citation? too much burn?
\subsection{Common components}
\label{sm-cpu}
Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart metering
SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in external
circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized SoCs
usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual
measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another
full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure, but it may be more
likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\
proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these architectures there is a clear
line of functional demarcation between the metering SoC and the modem. As evidenced by over-the-air software update
functionality (see e.g.\ \cite{honeywell01}) this does not however extend to an actual security boundary.
Smart meters usually are built around an off-the-shelf microcontroller (microcontroller unit, MCU). Some meters use
specialized smart metering system-on-chips (SoCs)\cite{ifixit01} while others use standard microcontrollers with core
metering functions implemented in external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our
demonstration setup). Specialized SoCs usually contain a segment LCD driver along with some high-resolution
analog-to-digital converters for the actual measurement functions. In many smart meter designs the metering SoC is
connected to another full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure,
but it is be more likely that this is done to ease integration of one metering platform with several different
communication stacks (e.g.\ proprietary sub-gigahertz wireless, powerline communication (PLC) or ethernet). In these
architectures there is a clear line of functional demarcation between the metering SoC and the modem. As evidenced by
over-the-air software update functionality (see e.g.\ \cite{honeywell01}) this does not however extend to an actual
security boundary.
Energy usage is calculated by measuring both voltage and current at high resolution and then integrating the
measurements. Current measurements are usually made with either a current transformer or a shunt in a four-wire
@ -490,29 +493,27 @@ as well as an indirect indication of power through a rotating wheel one of the s
ability to calculate advanced statistics on energy use. These statistics are supposed to help customers better target
energy conservation measures\cite{bmwi03}.
In addition to the pure measurement and data aggregation functions smart meters can perform additional functions. One is
to serve as a gateway between the utility company's control systems and large controllable loads in the consumer's
household for Demand-Side Management (DSM)\cite{borlase01}. In DSM the utility company can control when exactly a
high-power device such as a water storage heater is turned on. To the customer the precise timing does not matter since
the storage heater is set so that it has enough hot water in its reservoir at all times. The utility company however can
use this degree of control to reduce load variations during temporary imbalances such as peaks. The efficiency gains
realized with this system translate into lower electricity prices for DSM-enabled loads for the customer. Traditionally
DSM was realized on a local level using ripple control systems. In ripple control control data is coded by modulating a
carrier at a low frequency such as \SI{400}{\hertz} on top of the regular mains voltage. These systems require
high-power transmitters at tens of kilowatts and still can only bridge regional distances\cite{dzung01}.
Smart meters can perform additional functions in addition to pure measurement and data aggregation. One is to serve as a
gateway between the utility company's control systems and large controllable loads in the consumer's household for
Demand-Side Management (DSM)\cite{borlase01}. In DSM the utility company can control when exactly a high-power device
such as a water storage heater is switched on. To the customer the precise timing does not matter since the storage
heater is set so that it has enough hot water in its reservoir at all times. The utility company however can use this
degree of control to reduce load variations during peak times. The efficiency gains realized with this system translate
into lower electricity prices for DSM-enabled loads for the customer. Traditionally DSM was realized on a local level
using ripple control systems. In ripple control control data is coded by modulating a carrier at a low frequency such as
\SI{400}{\hertz} on top of the regular mains voltage. These systems require high-power transmitters at tens of kilowatts
and still can only bridge regional distances\cite{dzung01}.
Another important additional function is that in some countries some smart meters can be used to remotely disconnect
consumer households with outstanding bills. Using euphemisms such as \emph{utility revenue protection}\cite{kamstrup01}
or \emph{reducing nontechnical losses}\cite{brown01} while cynically claiming \emph{Consumer
Empowerment}\cite{kamstrup01} these systems allow an utility company to remotely disconnect a customer at any time.
Whereas before smart metering this required either additional hardware or an expensive site visit by a qualified
technician smart meters have ushered in an era of frictionless control\footnote{
Note that in some countries such as the UK non-networked mechanical prepayment meters did exist. In such systems the
user inserts coins into a coin slot that activates a load switch at the household's main electricity connection.
These systems were non-networked and did not allow for remote control. A disadvantage of such systems compared to
modern \emph{smart} systems are the high cost of the coin acceptor and the overhead of site visits required to empty
the coin box\cite{anderson02}.
}.
Another important additional function is that some smart meters can be used to remotely disconnect consumer households
with outstanding bills. Using euphemisms such as \emph{utility revenue protection}\cite{kamstrup01} or \emph{reducing
nontechnical losses}\cite{brown01} while cynically claiming \emph{Consumer Empowerment}\cite{kamstrup01} these systems
allow an utility company to remotely disconnect a customer at any time\cite{anderson01}. Whereas before smart metering
this required either additional hardware or an expensive site visit by a qualified technician smart meters have ushered
in an era of frictionless control\footnote{ Note that in some countries such as the UK non-networked mechanical
prepayment meters did exist. In such systems the user inserts coins into a coin slot that activates a load switch at the
household's main electricity connection. These systems were non-networked and did not allow for remote control. A
disadvantage of such systems compared to modern \emph{smart} systems are the high cost of the coin acceptor and the
overhead of site visits required to empty the coin box\cite{anderson02}. }.
\subsection{Cryptographic coprocessors}
@ -521,11 +522,11 @@ design. Since in both types of meter cost depends on physical quantities being m
customers can save cost in case they are able to falsify the meter's measurements without being
detected\cite{anderson02}. For this reason both types of meters employ countermeasures against physical intrusion.
Compared to high-risk devices such as card payment processing terminals or ATMs the tamper proofing used in smart meters
is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding front
and back plastic shells together or the use of security seals on the lid covering the input/output screw terminals.
Low-tech attacks using magnets to saturate the current transformer's ferrite cores are detected using hall
sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. German smart metering standards specify the use of a
smartcard-like security module to provide transport encryption and other cryptographic
is only basic\cite{anderson02}. Common measures include sealing the case by irreversibly ultrasonically welding the
front and back plastic shells together or the use of security seals on the lid covering the input and output screw
terminals. The common low-tech attack of using magnets to saturate the current transformer's ferrite cores is detected
using hall sensors\cite{anderson02,anderson03,itron01,hager01,easymeter01}. German smart metering standards specify the
use of a smartcard-like security module to provide transport encryption and other cryptographic
services\cite{bsi-tr-03109-2,bsi-tr-03109-2-a}. During our literature review we did not find many references to similar
requirements in other national standards, though this does not mean that individual manufacturers do not use smartcards
for engineering reasons or due to pressure from utilities. The limited documentation on meter internals that we did find
@ -543,10 +544,10 @@ wired into the house or apartment's electrical connection.
Modern smart meters are usually made with plastic cases. Ferraris meters often used cases stamped from sheet metal with
glass windows on them. Smart meters now look much more like other modern electronic devices. A common construction style
is to separate the case in a front and back half with both halves clipped or ultrasonically welded together. Ultrasonic
welding gives a robust, airtight interface. This interface cannot easily be separated and re-connected without leaving
visible traces, which helps with tamper evidence properties. As an industry-standard process common in various consumer
goods ultrasonic welding is a cheap and accessible technology\cite{easymeter01,ifixit01}.
is to separate the case into front and back halves with both clipped or ultrasonically welded together. Ultrasonic
welding gives a robust, airtight interface that cannot easily be separated and re-connected without leaving visible
traces, which helps with tamper evidence properties. As an industry-standard process common in various consumer goods
ultrasonic welding is a cheap and accessible technology\cite{easymeter01,ifixit01}.
Communication interfaces sometimes are brought out through regular electromechanical connectors but often also are
optical interfaces. A popular style here is to use a regular UART connected to an LED/phototransistor optocoupler
@ -572,19 +573,19 @@ supported.
The family of standards one encounters most in smart metering applications are IEC 62056 specifying the Device Language
Message Specification (DLMS) and the Companion Specification for Electronic Metering (COSEM). DLMS/COSEM are
application-layer standards describing a request/response schema similar to e.g.\ HTTP. DLMS/COSEM are mapped onto a
application-layer standards describing a request/response schema similar to HTTP. DLMS/COSEM are mapped onto a
multitude of wire protocols. They can be spoken over TCP/IP or mapped onto low-speed UART serial interfaces
\cite{sato01,stuber01}. Besides DLMS/COSEM there are a multitude of standards usually specifying how DLMS/COSEM are to
be applied.
DLMS/COSEM show some amount of feature creep. They do not adhere to the age-old systems design adage that a tool should
\emph{do one thing and do it well}. Instead they try to capture the convex hull of all possible applications. This led
to a complicated design that requires extensive additional specification and testing to maintain even basic
interoperability. In particular in the area of transport security it becomes evident that the IEC as an electrical
engineering standards body stretched their area of expertise and resorting to established standard protocols would have
improved the situation\cite{weith01}. Compared to industry-standard transport security the IEC standards provide
a simplistic key management framework based on a static shared key with unlimited lifetime and provide sub-optimal
transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}.
to a complicated design that requires extensive additional specification and testing to maintain interoperability. In
particular in the area of transport security it becomes evident that the IEC as an electrical engineering standards body
stretched their area of expertise where resorting to established standard protocols would have led to a better
outcome\cite{weith01}. Compared to industry-standard transport security the IEC standards provide a simplistic key
management framework based on a static shared key with unlimited lifetime and provide sub-optimal transport security
properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}.
% TODO maybe expand this?
\subsection{The regulatory situation in selected countries}
@ -592,7 +593,7 @@ transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sat
In this section we will give an overview of the situation in a number of countries. This list of countries is not
representative and notably does not include any developing countries and is geographically biased. We selected these
countries for illustration only and based our selection in a large part on the availability of information in a language
we read. We will conclude this section with a summarization of common themes.
we can read. We will conclude this section with a summarization of common themes.
\subsubsection{Germany}
@ -604,33 +605,33 @@ major renovations but does not require most legacy residential installations to
customers\cite{bmwi03,bmwi1,bmwe01,brown01}.
The German standards strictly separate between metering and communication functions. Both are split into separate
devices, the \emph{meter} and the \emph{gateway} (called emph{smart meter gateway} in full and often abbreviated
emph{SMGW}). One or several meters connect to a gateway through a COSEM-derived protocol. The communication interface
devices, the \emph{meter} and the \emph{gateway} (called \emph{smart meter gateway} in full and often abbreviated
\emph{SMGW}). One or several meters connect to a gateway through a COSEM-derived protocol. The communication interface
between meter and gateway can optionally be physically unidirectional. An unidirectional interface eliminates any
possibility of meter firmware compromise. The gateway contains a cryptographic security module similar to a
smartcard\cite{mahlknecht01} that is entrusted with signing of measurements and maintaining an authenticated and
encrypted communication channel with its authorities. Security of the system is certified according to a Common Criteria
process.
The German specification does not include any support for load switches outside of demand-side management as they are
common in some other countries. It does not prohibit the installation of one behind the smart meter installation. This
makes it theoretically possible for a utility company to still install a load switch to disconnect a customer, but this
would be a spearate installation from the smart meter. In Germany there are significant barriers that have to be met
before a utility company may cut power to a household\cite{delaw01}. The elision of a load switch means attacks on
German meters will be limited in influence to billing irregularities and attacks using DSM equipment.
The German specification does not include any support for load switches as they are common in some other countries
outside of demand-side management. It only does not prohibit the installation of one behind the smart meter
installation. This makes it theoretically possible for a utility company to still install a load switch to disconnect a
customer, but this would be a spearate installation from the smart meter. In Germany there are significant barriers that
have to be met before a utility company may cut power to a household\cite{delaw01}. The elision of a load switch means
attacks on German meters will be limited in influence to billing irregularities and attacks using DSM equipment.
% TODO elaborate DSM attacks vs. whole-household attacks in attacks section
\subsubsection{The Netherlands}
The Netherlands were early to take initiative to roll out smart metering after its recognition by the European
Commission in 2006\cite{cuijpers01,ec04}. After overcoming political issuses the Netherlands were above the European
median in 2018 having replaced almost half of all meters\cite{cuijpers01,ec03}. Dutch smart meters are standardized by a
consortium of distribution system operators. They integrate gateway and metrology functions into one device. The
utility-facing interface is a IEC DLMS/COSEM-based interface over cellular radio such as GPRS or
LTE\cite{aubel01}. Like e.g.\ the German standard, the Dutch standard precisely specifies all communication
interfaces of the meter\cite{dsmrp3}. Another parallel is that the Dutch standard also does not cover any functionality
for remotely disconnecting a household. This absence of a load switch limits attacks on Dutch smart meters to causing
billing irregularities.
median in 2018, having replaced almost half of all meters\cite{cuijpers01,ec03}. Dutch smart meters are standardized by
a consortium of distribution system operators. They integrate gateway and metrology functions into one device. The
utility-facing interface is a IEC DLMS/COSEM-based interface over cellular radio such as GPRS or LTE\cite{aubel01}. Like
e.g.\ the German standard, the Dutch standard precisely specifies all communication interfaces of the
meter\cite{dsmrp3}. Another parallel is that the Dutch standard also does not cover any functionality for remotely
disconnecting a household. This absence of a load switch limits attacks on Dutch smart meters, too to causing billing
irregularities.
\subsubsection{The UK}
@ -643,8 +644,8 @@ smart metering standard, as is remote firmware update functionality\cite{ukgov02
standards is performed through a gateway (there called \emph{communications hub}) that can be shared between several
meters \cite{ukgov01,ukgov02,ukgov03,brown01,sato01}. The combination of both gas and electricity metering into one
family of standards and the exceptionally large set of \emph{required} features make the UK regulations the maximalist
among the ones in this section. The mandatory inclusion of both load switches and remote connectivity up to remote
firmware update make it an interesting attack target.
option among the regulations in this section. The mandatory inclusion of both load switches and remote connectivity up
to remote firmware update make it an interesting attack target\cite{anderson01}.
\subsubsection{Italy}
@ -661,10 +662,11 @@ gateways\cite{gungor01}.
Japan is currently rolling out smart metering infrastructure. Compared to other countries in Japan significant
standardization effort has been spent on smart home integration\cite{usitc01,sato01,brown01}. Japan has domestic
standards (JIS) for metrology and physical dimensions. The TEPCO deployment currently being rolled out is based on the
IEC DLMS/COSEM standards suite for remote meter reading in conjuction with the Japanese ECHONET protocol for the
home-area network. Smart meters are connected to TEPCO's backend systems through the customer's internet connection,
sub-gigahertz radio based on 802.15.4 framing, regular landline internet or PLC\cite{toshiba01,sato01}.
standards under its Japanese Industrial Standards organization (JIS) that determine metrology and physical dimensions.
Tokyo utility company TEPCO is currently rolling out a deployment that is based on the IEC DLMS/COSEM standards suite
for remote meter reading in conjuction with the Japanese ECHONET home-area network protocol. Smart meters are
connected to TEPCO's backend systems through the customer's internet connection, sub-gigahertz radio based on 802.15.4
framing, regular landline internet or PLC\cite{toshiba01,sato01}.
A unique point in the Japanese utility metering landscape is that the current practice is monthly manual readings. In
Japan residential utility meters are usually mounted outside the building on an exterior wall and every month someone
@ -675,18 +677,19 @@ consumption but does incur significant pesonnel overhead. % TODO decide on citat
\subsubsection{The USA}
In the USA the rollout of smart meters has been promoted by law as early as 2005. The US electricity market is highly
complex with states having significant authority to decide on their own policies\cite{brown01}. Different from the IEC
standards used in large fraction of the rest of the world, the USA have their own domestic set of standards for smart
meters developed by ANSI\cite{sato01}. The main difference between IEC and ANSI-standard meters is that ANSI-standard
meters are round devices that plug into a wall-mounted socket while IEC devices are usually rectangular and connected
directly to the mains wiring through large screw terminals\cite{ifixit01}.
complex with states having significant authority to decide on their own policies\cite{brown01}. Originally different
from the IEC standards used in large fraction of the rest of the world the USA developed their own domestic set of
standards for smart meters under the Americal National Standards Institute (ANSI)\cite{sato01}. Today ANSI is converging
with the IEC on the protcol layer. An obvious feature of ANSI-standard meters is that they are round and plug into a
wall-mounted socket while IEC devices are usually rectangular and connected directly to the mains wiring through large
screw terminals\cite{ifixit01}.
\subsection{Common themes}
Researching the current situation around the world for the above sections we were able to distill some common themes.
First, smart metering is slowly advancing on a global scale and despite significant reservations from privacy-conscious
people and consumer advocates it seems it is here to stay. There are some notable exceptions of countries that have
decided to scale-back an ongoing rollout effort after subsequent analysis showed economical or other
people and consumer advocates it seems it is here to stay. Still, there are some notable exceptions of countries that
have decided to scale-back an ongoing rollout effort after subsequent analysis showed economical or other
issues\footnote{cf.\ the Netherlands and Germany}.
\subsubsection{The introduction of smart metering}
@ -696,8 +699,8 @@ rollout. The most prominent argument is a general increase in energy-efficiency
This argument is based on the estimation that smart metering will increase private customers' awareness of their own
consumption and this will lead them to reduce their consumption. The second highly popular argument for smart metering
is that it is necessary for the widespread adoption of renewable energies. This argument again builds on the trend
towards \emph{green} energy to rationalize smart metering. Often it is formulated as an \emph{inevitability} instead of
a choice.
towards green energy to rationalize smart metering. Interestingly this argument is often formulated as an inevitability
instead of a choice.
Academic reception of smart metering is dyed with an almost unanimous enthusiasm. In particular smart meter
communication infrastructure has received a large amount of research
@ -707,46 +710,46 @@ interaction claims that smart meters will reduce customer energy consumption hav
\subsubsection{Standardization and reality of smart devices}
Regulators, utilities and academics meet in their enthusiasm on the issue of smart home integration of smart metering. A
feature of many setups is that the meter acts as the centerpiece of a modern, fully integrated smart
feature of many concepts is that the meter acts as the centerpiece of a modern, fully integrated smart
home\cite{aubel01,geelen01,bsi-tr-03109-1,abdallah01}. The smart meter serves as a communication hub between a new class
of grid-aware loads and the utility company's control center. Large (usually thermal) loads such as dishwashers,
refrigerators and air conditioners are forecasted to intelligently adapt their heating/cooling cycles to better match
the grid's supply. A frequent scenario is that in which the meter bills the customer using near-real time pricing, and
refrigerators and air conditioners are expected to intelligently adapt their heating/cooling cycles to better match
the grid's supply. A frequent scenario is one in which the meter bills the customer using near-real time pricing, and
supplies large loads in the customer's household with this pricing information. These loads then intelligently schedule
their operation to minimize cost\cite{sato01}. At the time in the mid-2000nds when smart metering proposals were first
advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01,anderson02}. Back then
outside of specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the time
may have seemed the obvious choice for a smart home communications hub.
their operation to minimize cost\cite{sato01}. At the time between 2000 and 2005 when smart metering proposals were
first advanced this vision might have been an effect of the \emph{law of the instrument}\cite{kaplan01,anderson02}. Back
then outside of specialty applications household devices were not usually networked\cite{merz01}. Smart meters at the
time may have seemed to be the obvious choice for a smart home communications hub.
From today's perspective, this idea is obviously outdated. Smart \emph{things} now have found their way into many homes.
Only these things are directly interconnected through the internet--foregoing the home-area network (HAN) technologies
anticipated by the smart metering pioneers. The simple reason for this is that nowadays anyone has Wifi, and Wifi
anticipated by smart metering pioneers. The simple reason for this is that nowadays anyone has Wifi, and Wifi
transceivers have become inexpensive enough to disappear in the bill of materials (BOM) cost of a large home device such
as a washing machine. Smart meters are usually situated in the basement--physically far away from most of one's devices.
This makes connecting them to said devices awkward and connecting them via the local Wifi lends the question why the
smart devices should not simply use the internet in the first place.
smart devices should not simply use the internet directly.
Connecting things to a smart meter through a local bus is academically appealing. It promises cost-savings from a
simpler physical layer (such as ZigBee instead of Wifi) and it neatly separates concerns into \emph{home infrastructure}
and the regular internet. Communication between smart meter and devices never leaves the house. This gives potential
additional tolerance to utility backend systems breaking. It also physically keeps communication inside the house,
bypassing the utility's eyes improving both customer privacy and agency. The presently popular model of a device as
simple as a light switch proxying its every action through a manufacturer's servers somewhere on the public internet is
in stark contrast to this scenario. Alas, the reason that this model is as popular is that in most cases it simply
works. Device manufacturers simply integrate one of many off-the-shelf Wifi modules. The resulting device will work
anywhere on earth\footnote{For some places channel assignments may have to be updated. This is a configuration-level
change and in some devices is done by the end-user during provisioning.}. A HAN-connected device would have several
variants with different modems for different standards. Some might work across countries, but some might not. And in
some countriese there might not even be a standard for smart grid HANs.
simpler physical layer (such as ZigBee instead of Wifi) and it neatly separates concerns into home infrastructure and
the regular internet. Communication between smart meter and devices never leaves the house. This promises tolerance to
utility backend systems breaking. It also physically keeps communication inside the house, bypassing the utility's eyes
improving both customer privacy and agency. The presently popular model of a device as simple as a light bulb proxying
its every action through a manufacturer's servers somewhere on the public internet is in stark contrast to this
scenario. Alas, the reason that this model is as popular is that in most cases it simply works. Device manufacturers
integrate one of many off-the-shelf Wifi modules. The resulting device will work anywhere on earth\footnote{For some
places channel assignments may have to be updated. This is a configuration-level change and in some devices can be done
by the end-user during provisioning.}. A HAN-connected device would have several variants with different modems for
different standards. Some might work across countries, but some might not. And in some countries there might not even be
a standard for smart grid HANs.
Looking at the situation like this begs the question why this realization has not yet found its way into mainstream
acceptance by smart metering implementors. The customer-facing functionality promised through smart meters would be
simple to implement as part of a now-standard \emph{internet of things} application. An in-home display that shows
real-time energy consumption and cost statistics would simply be an android tablet fetching summarized data from the
utility's billing backend. Demand-side response by large loads would be as simple as an HTTP request with a token
identifying the customer's contract that returns the electricity price the meter is currently charging along with a
recommendation to switch on or off. It seems the smart home has already arrived while smart metering standardization is
still getting off the starting blocks\cite{anderson02}.
simple to implement as part of a now-standard \emph{Internet of Things} application. An in-home display that shows
real time energy consumption and cost statistics would simply be an Android tablet fetching summarized data from the
utility's billing backend. Custom hardware for this purposes seems anachronistic today. Demand-side response by large
loads would be as simple as an HTTPS request with a token identifying the customer's contract that returns the
electricity price the meter is currently charging along with a recommendation to switch on or off. It seems the smart
home has already arrived while smart metering is still getting off the starting blocks\cite{anderson02}.
% TODO is this too critical? Is maybe the modern smart home compatible with smart meters? Is maybe the local-only path
% of data, avoiding utility clouds a design feature? (may be true in DE, NL, probably not anywhere else)
@ -754,36 +757,27 @@ still getting off the starting blocks\cite{anderson02}.
The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that
are part of a large control system. This implies that all the same security concerns that apply to embedded systems in
general also apply to most components of a smart grid in some way. Where programmers have been struggling for decades
now with input validation\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as
well\cite{mo01, lee01}. Only, in smart grid we have two complicating factors present: Many components are embedded
systems, and as such inherently hard to update. Also, the smart grid and its control algorithms act as a large
(partially-)distributed system, making problems such as input validation or authentication difficult to
implement\cite{blaze01} and adding a host of distributed systems problems on top\cite{lamport01}.
general also apply to most components of a smart grid. Where programmers have been struggling for decades now with input
validation\cite{leveson01}, the same potential issue raises security concerns in smart grid scenarios as well\cite{mo01,
lee01}. Only, in smart grid we have two complicating factors present: Many components are embedded systems, and as such
inherently hard to update. Also, the smart grid and its control algorithms act as a large (partially-)distributed
system making problems such as input validation or authentication harder\cite{blaze01} and adding a host of distributed
systems problems on top\cite{lamport01}.
Given that the electrical grid is a major piece of essential infrastructure in modern civilization, these problems
amount to significant issues in practice. Attacks on the electrical grid may have grave
consequences\cite{anderson01,lee01} all the while the long maintenance cycles of various components make the system slow
to adapt. Thus, components for the smart grid need to be built to a much higher standard of security than most consumer
devices to ensure they live up to well-funded attackers even decades down the road. This requirement intensifies the
challenges of embedded security and distributed systems security among others that are inherent in any modern complex
technological system. The safety-critical nature of modern smart metering ecosystems in particular was quickly
recognized by security experts\cite{anderson01}.
Given that the electrical grid is essential infrastructure in our modern civilization, these problems amount to
significant issues in practice. Attacks on the electrical grid may have grave consequences\cite{anderson01,lee01} while
the long maintenance cycles of various components make the system slow to adapt. Thus, components for the smart grid
need to be built to a much higher standard of security than most consumer devices to ensure they live up to well-funded
attackers even decades down the road. This requirement intensifies the challenges of embedded security and distributed
systems security among others that are inherent in any modern complex technological system. The safety-critical nature
of the modern smart metering ecosystem in particular was quickly recognized by security experts\cite{anderson01}.
A point we will not consider in much depth is theft of electricity. An incentive for the introduction of smart metering
that is frequently cited in utility industry publications outside of a general public's view is the reduction of
electricity theft\cite{czechowski01}. Academic papers tend to either focus on other benefits such as generation
efficiency gains through better forecasting or try to rationalize the funamentally anti-consumer nature of smart
metering with strenuous claims of ``enormous social benefits''\cite{mcdaniel01}. Academics rarely point out the large
economical incentive such \emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}.
This thesis will entirely focus on grid stability and discard electricity theft. For the attack scenarios we lay out
billing inaccuracies of utility companies are of very low urgency compared to grid stability. In fact stability is a
precondition for billing to happen. Additionally utility companies can already limit the volume of theft by
cross-refrencing meter readings against trusted readings from upstream sections of the grid. This capability works even
without smart meters and only gains speed from smart meters. A smart meter cannot prevent the customer from bypassing it
with a section of wire. Due to the limit on its volume, electricity theft using smart meter hacking would not scale.
Hackers would quickly be triangulated with no damage to consumers and limited damage to utility companies.
A point we will not consider in much depth in this work is theft of electricity. An incentive for the introduction of
smart metering that is frequently cited in utility industry publications outside of a general public's view is the
reduction of electricity theft\cite{czechowski01}. Academic publications tend to either focus on other benefits such as
generation efficiency gains through better forecasting or rationalize the consumer-unfriendly aspects of smart metering
with ``enormous social benefits''\cite{mcdaniel01}. They do not usually point out the economical incentive such
\emph{revenue protection} mechanisms provide\cite{anderson01,anderson02}.
\subsection{Privacy in the smart grid}