safety-reset/paper/safety-reset-paper.tex

\documentclass[nohyperref]{iacrtrans}
\usepackage[T1]{fontenc}
\usepackage[
    backend=biber,
    style=numeric,
    natbib=true,
    url=false, 
    doi=true,
    eprint=false
    ]{biblatex}
\addbibresource{safety-reset.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}

\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{subcaption}
\usepackage{array}
\usepackage{hyperref}

\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\newcommand{\partnum}[1]{\texttt{#1}}

\begin{document}

\title[Ripples in a Pond]{Transmitting Information through Grid Frequency Modulation}
\author{Jan Sebastian Götte \and Björn Scheuermann}
\institute{HIIG\\ \email{safetyreset@jaseg.de} \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}}
% FIXME keywords
\keywords{hardware security \and energy systems \and signal theory}
\maketitle

\begin{abstract}
\end{abstract}

\section{Introduction}

In the power grid, as in many other engineered systems, we can observe an ongoing diffusion of information systems into
industrial control systems. Automation of these control systems has already been practiced for the better part of a
century.  Throughout the 20th century this automation was mostly limited to core components of the grid. Generators in
power stations are computer-controlled according to electromechanical and economic models. Switching in substations is
automated to allow for fast failure recovery. Human operators are still vital to these systems, but their tasks have
shifted from pure operation to engineering, maintenance and surveillance\cite{crastan03,anderson02}.

With the turn of the century came a large-scale trend in power systems to move from a model of centralized generation,
built around massive large-scale fossil and nuclear power plants, towards a more heterogenous model of smaller-scale
generators working together. In this new model large-scale fossil power plants still serve a major role, but two new
factors come into play. One is the advance of renewable energies. The large-scale use of wind and solar power in
particular from a current standpoint seems unavoidable for our continued existence on this planet. For the electrical
grid these systems constitute a significant challenge. Fossil-fueled power plants can be controlled in a precise and
quick way to match energy consumption. This tracking of consumption with production is vital to the stability of the
grid. Renewable energies such as wind and solar power do not provide the same degree of controllability, and they
introduce a larger degree of uncertainty due to the unpredictability of the forces of nature\cite{crastan03}.

Along with this change in dynamic behavior, renewable energies have brought forth the advance of distributed generation.
In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid
from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and
shift from a purely passive role to being active participants of the electricity market\cite{crastan03}.

To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has
had to adapt itself in major ways. One aspect of this adaptation that is particularly visible to ordinary people is the
computerization of end-user energy metering. Despite the widespread use of industrial control systems inside the
electrical grid and the far-reaching diffusion of computers into people's everyday lives the energy meter has long been
one of the last remnants of an offline, analog time. Until the 2010s many households were still served through
electromechanical Ferraris-style meters that have their origin in the late 19th
century\cite{borlase01,ukgov04,bnetza02}.  Today under the umbrella term \emph{Smart Metering} the shift towards fully
computerized, often networked meters is well underway. The roll out of these \emph{Smart Meters} has not been very
smooth overall with some countries severely lagging behind. As a safety-critical technology, smart metering technology
is usually standardized on a per-country basis. This leads to an inhomogenous landscape with--in some instances--wildly
incompatible systems.  Often vendors only serve a single country or have separate models of a meter for each country.
This complex standardization landscape and market situation has led to a proliferation of highly complex, custom-coded
microcontroller firmware. The complexity and scale of this--often network-connected--firmware makes for a ripe substrate
for bugs to surface.

A remotely exploitable flaw inside a smart meter's firmware\footnote{
    There are several smart metering architectures that ascribe different roles to the component called \emph{smart
    meter}. Not all systems are susceptible to attacks to the same degree, with the German implementation being almost
    immune as far as energy availability is concerned. For clarity, we use \emph{smart meter} to describe the entire
    system at the customer premises including both the meter and if present a gateway.
} could have consequences ranging from impaired billing functionality to an existential threat to grid
stability\cite{anderson01,anderson02}. In a country where meters commonly include disconnect switches for purposes such
as prepaid tariffs a coördinated attack could at worst cause widespread activation of grid safety systems by repeatedly
connecting and disconnecting megawatts of load capacity in just the wrong moments\cite{wu01}.

Mitigation of these attacks through firmware security measures is unlikely to yield satisfactory results. The enormous
complexity of smart meter firmware makes firmware security extremely labor-intensive. The diverse standardization
landscape makes a coördinated, comprehensive response unlikely.

In this paper, instead of focusing on the very hard task of improving firmware security we introduce a pragmatic
solution to the--in our opinion likely--scenario of a large-scale compromise of smart meter firmware. In our proposal
the components of the smart meter that are threatened by remote compromise are equipped with a physically separate
\emph{safety reset controller} that listens for a reset command transmitted through the electrical grid's frequency and
on reception forcibly resets the smart meter's entire firmware to a known-good state.  Our safety reset controller
receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a
large controllable load such as an aluminum smelter. After forward error correction and cryptographic verification it
re-flashes the meter's main microcontroller over the standard JTAG interface.  Note that our modulation technique is one
\emph{changing grid frequency itself}.  This is fundamentally different in both generation and detection from systems
such as traditional PLC that superimpose a signal on grid voltage, but leave grid frequency itself unaffected.

In this thesis, starting from a high level architecture we have carried out extensive simulations of our proposal's
performance under real-world conditions. Based on these simulations we implemented an end-to-end prototype of our
proposed safety reset controller as part of a realistic smart meter demonstrator. Finally we experimentally validated
our results and we will conclude with an outline of further steps towards a practical implementation.

This work contains the following contributions:
\begin{enumerate}
    \item We introduce Grid Frequency Modulation (GFM) as a communication primitive. % FIXME done before in that one paper
    \item We elaborate the fundamental physics underlying GFM and theorize on the constrains of a practical
        implementation.
    \item We design a communication system based on GFM.
    \item We carry out extensive simulations of our systems to determine its performance characteristics.
    \item We show the simple grid voltage recorder design we used to capture data for our simulations.
    \item We introduce a new, simplified method to determine grid frequency from a capture of the grid voltage waveform
        that is simple to implement on constrained embedded devices.
\end{enumerate}

\section{Related work} 
\label{sec_related_work}

\section{Conclusion}
\label{sec_conclusion} 

\printbibliography[heading=bibintoc]

%%% FIXME remove appendix and work into text.

\center{
    \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository
    can be found at:}

    \center{\url{https://git.jaseg.de/safety-reset.git}}
}
\end{document}