| field | value | date |
|---|---|---|
| author | jaseg <git@jaseg.de> | 2022-10-06 16:49:10 +0200 |
| committer | jaseg <git@jaseg.de> | 2022-10-06 16:49:23 +0200 |
| commit | 319d4a7f9c10f23f88b4462143b29900b6128ddf | |
| tree | 97249e6220518134e0c55cfedeb4a42185f0e905 /paper/safety-reset-paper.tex | |
| parent | 713564b8298467f864d5dfef827aad7c51e49f28 | |
Compress paper into strict 10 pg limit
Diffstat (limited to 'paper/safety-reset-paper.tex')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | paper/safety-reset-paper.tex | 141 |

1 file changed, 67 insertions, 74 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index 5255e95..f4e4633 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex @@ -50,7 +50,7 @@ Conference}{December 5--9}{Austin, TX, USA} \city{Tel Aviv} \country{Israel} } -\email{lirankat@tau.ac.il} +\email{lirankatzir@tau.ac.il} \author{Björn Scheuermann} \affiliation{ @@ -196,7 +196,7 @@ modifications. \begin{figure} \centering - \includegraphics[width=0.4\textwidth]{flowchart} + \includegraphics[width=0.45\textwidth]{flowchart} \caption{Structural overview of our concept. 1 - Government authority or utility operations center. 2 - Emergency radio link. 3 - Aluminium smelter. 4 - Electrical grid. 5 - Target smart meter.} \Description{A schematic overview of the safety reset system with its parts represented by icons. A signal is sent @@ -394,8 +394,6 @@ communication for smart meter reading~\cite{ec03,rs48,gungor01,agf16}. \section{Related work} \label{sec_related_work} -\subsection{IoT and Smart Grid security} - The security of IoT devices as well as the smart grid has received extensive attention in the literature~\cite{nbck+19,acsc20,smp18,ykll17,anderson01,anderson02,zlmz+21,kgma21,hcb19,mpdm+10,lzlw+20,chl20,lam21,olkd20,yomu+20}. The challenges of IoT device security and the security of smart meters and other smart grid devices are similar because 
@@ -612,30 +610,29 @@ distance between anode and cathode. In this setup, power can be electronically Since the system does not have any mechanical inertia, high modulation rates are possible. In~\cite{depree01}, the authors describe a setup where a large Aluminium smelter in continental Europe is used as -primary control reserve for frequency regulation. In this setup, a rise time of $\SI{15}{\second}$ was achieved to meet -the $\SI{30}{\second}$ requirement posed by local standards for primary control. In their conclusion, the authors note -that for their system, an effective thermal energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ is possible if all -plants of a single operator are used. Given the maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that -is mentioned by the authors, this results in an effective modulation power of $\SI{7.7}{\giga\watt}$. Over a longer -time span of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to a -modulation power of $\SI{2.5}{\giga\watt}$. We conclude that a modulation of part of an aluminium smelter's power -consumption is possible at no significant production impact and at low infrastructure cost. Aluminium smelters are -already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on -parts of the plant, as this is commonplace during routine maintenance activities. - -\subsection{The operational model of a GFM-based safety reset} +primary control reserve for frequency regulation. Their system achieved a rise time of $\SI{15}{\second}$, meeting the +local $\SI{30}{\second}$ requirement for primary control. The authors calculated that their system can provide an +equivalent thermal energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ using all plants of a single operator. 
At the +maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that the paper cites, the resulting effective +modulation power is $\SI{7.7}{\giga\watt}$. Over a longer time span of $\SI{48}{\hour}$, they have demonstrated a +$\SI{33}{\percent}$ modulation depth which would correspond to a modulation power of $\SI{2.5}{\giga\watt}$. The +experiment from~\cite{depree01} shows that a modulation of part of an aluminium smelter's power consumption is possible +at no significant production impact and at low infrastructure cost. Aluminium smelters are already connected to the grid +in a way that they do not pose a danger to other nearby consumers when they turn off or on parts of the plant, as this +is commonplace during routine maintenance activities. + +\subsection{Operating a GFM safety reset} While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire continental European synchronous area, we have to consider operation during a black start, when the grid temporarily divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the same power island. -To alleviate this constraint, the system can use a number of transmitters that are distributed throughout the network. -Piggy-backing transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By -running transmitters from stable, synchronized frequency standards such as gps-disciplined rubidium standards, -transmissions can be precisely synchronized across power islands even after a holdover period of several days. This -allows a transmission to continue uninterrupted while the utility rejoins power island into the larger grid, since the -transmissions on both islands are precisely synchronized. +To alleviate this constraint, a number of smaller transmitters throughout the network can be synchronized to act in +unison. 
Using existing industrial loads keeps the implementation cost of additional transmitters low. GPS-disciplined +frequency standards can keep transmissions synchronized across power islands even after a holdover period of several +days. When the utility rejoins power islands into the larger grid, the synchronized transmissions will constructively +interfere. As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the @@ -709,7 +706,7 @@ durations move our signals' bandwidth into the lower-noise region from $\SI{0.2} \begin{figure} \centering - \includegraphics[width=0.45\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview} + \includegraphics[width=0.3\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview} \caption{Symbol Error Rate as a function of modulation amplitude for Gold sequences of several lengths.} \Description{A plot of symbol error rate versus amplitude in millihertz. The plot shows four lines, one each for 5 bit, 6 bit, 7 bit and 8 bit. All four lines form smooth step functions, plateauing at a symbol error rate of 1.0 for @@ -765,7 +762,7 @@ durations move our signals' bandwidth into the lower-noise region from $\SI{0.2} \label{fig_ser_chip} \end{figure} -\subsection{Parameterizing a proof-of-concept ``Safety Reset'' System Based on GFM} +\subsection{Parameterizing a PoC GFM ``Safety Reset''} %FIXME introduce scenario Taking these modulation parameters as a starting point, we proceeded to create a proof-of-concept smart meter emergency 
@@ -832,7 +829,7 @@ without triggering them to reset. \begin{figure} \centering - \includegraphics[width=0.45\textwidth]{prototype.jpg} + \includegraphics[width=0.35\textwidth]{prototype.jpg} \caption{The completed prototype setup. The board on the left is the safety reset microcontroller. It is connected to the smart meter in the middle through an adapter board. The top left contains a USB hub with debug interfaces to the reset microcontroller. The cables on the bottom left are the debug USB cable and the \SI{3.5}{\milli\meter} 
@@ -854,6 +851,19 @@ connected to the main application microcontroller of a smart meter. The reset co authenticated reset commands on the voltage waveform, and on reception of such a command resetting the smart meter application controller by flashing a known-good firmware image to its memory. +For our proof of concept, before settling on the commercial smart meter we first tried to use an \texttt{EVM430-F6779} +smart meter evaluation kit made by Texas Instruments. This evaluation kit did not turn out well for two main reasons. +One, it shipped with half the case missing and no cover for the high-voltage terminal blocks. Because of this some work +was required to get it electrically safe. The second issue we ran into was that the development board is based around a +specific microcontroller from TI's \texttt{MSP430} series that is incompatible with common JTAG programmers. + +Our initial assumption that a development kit would be easier to program than a commercial meter did not prove to be +true. Contrary to our expectations the commercial meter had JTAG enabled allowing us to easily read out its stock +firmware requiring neither reverse-engineering vendor firmware update files nor circumventing code protection measures. +The fact that its firmware was only available in its compiled binary form was not much of a hindrance as it proved not +to be too complex and all we wanted to know we found with just a few hours of digging in +Ghidra\footnote{\url{https://ghidra-sre.org/}}. + The signal processing chain of our PoC is shown in Figure~\ref{fig_demo_sig_schema}. To interoperate with existing implementations of SHA-512 and reed-solomon decoding, this implementation was written in the C programming language. To demonstrate an application close to a field implementation, we chose an Easymeter \texttt{Q3DA1002} smart meter as our 
@@ -888,11 +898,17 @@ the meter's display after boot-up. To measure grid frequency in our demonstrator, we ported the same code we used in Section~\label{grid-freq-characterization} to our demonstrator, again using the voltage measured using the microcontroller's internal ADC but using a regular crystal instead of a crystal oven for the microcontroller's system -clock. Since we did not have an aluminium smelter ready, we decided to feed our proof-of-concept reset controller with -an emulated grid voltage sine wave from a computer's headphone jack. Where in a real application this microcontroller -would take ADC readings of input mains voltage divided down by a long resistive divider chain, we instead feed the ADC -from a $\SI{3.5}{\milli\meter}$ audio input. For operational safety, we disconnected the meter microcontroller from its -grid-referenced capacitive dropper power supply and connected it to our reset controller's debug USB power supply. +clock. We decided to feed our proof-of-concept reset controller with an emulated grid voltage sine wave from a +computer's headphone output. Where in a real application this microcontroller would take ADC readings of input mains +voltage divided down by a long resistive divider chain, we instead feed the ADC from a $\SI{3.5}{\milli\meter}$ audio +input. For operational safety, we disconnected the meter microcontroller from its grid-referenced capacitive dropper +power supply and connected it to our reset controller's debug USB power supply. + +In the firmware development phase of our proof of concept, we tested every module such as DSSS demodulator, Reed-Solomon +decoder, or grid frequency estimation individually. This approach proved very useful for debugging. The modular +architecture allowed us to directly compare our demodulator implementation to our Jupyter/Python prototype, where we +found that our C implementation outperformed the Python prototype. 
Despite the algorithms's complexity, the +microcontroller C implementation has no issues processing data in real-time due to the low sampling rate necessary. We performed several successful experiments using a signature truncated at 120 bit and a 5 bit DSSS sequence. Taking the sign bit into account, the length of the encoded signature is 20 DSSS symbols. On top of this we used Reed-Solomon error 
@@ -901,49 +917,6 @@ other simulations as well this equates to an overall transmission duration of ap the demodulator some time to settle and to produce more realistic conditions of signal reception we padded the modulated signal with unmodulated noise on both ends. -\section{Lessons learned} - -For our proof of concept, before settling on the commercial smart meter we first tried to use an \texttt{EVM430-F6779} -smart meter evaluation kit made by Texas Instruments. This evaluation kit did not turn out well for two main reasons. -One, it shipped with half the case missing and no cover for the high-voltage terminal blocks. Because of this some work -was required to get it electrically safe. Even after mounting it in an electrically safe manner the safety reset -controller prototype would also have to be galvanically isolated to not pose an electrical safety risk since the main -MCU is not isolated from the grid and the JTAG port is also galvanically coupled. The second issue we ran into was that -the development board is based around a specific microcontroller from TI's \texttt{MSP430} series that is incompatible -with common JTAG programmers. - -Our initial assumption that a development kit would be easier to program than a commercial meter did not prove to be -true. Contrary to our expectations the commercial meter had JTAG enabled allowing us to easily read out its stock -firmware requiring neither reverse-engineering vendor firmware update files nor circumventing code protection measures. -The fact that its firmware was only available in its compiled binary form was not much of a hindrance as it proved not -to be too complex and all we wanted to know we found with just a few hours of digging in -Ghidra\footnote{\url{https://ghidra-sre.org/}}. - -In the firmware development phase we tested every module such as DSSS demodulator, Reed-Solomon decoder, or grid -frequency estimation individually. This approach proved particularly useful for debugging. 
The modular architecture -allowed us to directly compare our demodulator implementation to our Jupyter/Python prototype, where we found that our C -implementation outperformed the Python prototype. Despite the algorithms's complexity, the microcontroller C -implementation has no issues processing data in real-time due to the low sampling rate necessary. - -\section{Conclusion} -\label{sec_conclusion} - -In this paper we have developed an end-to-end design for a safety reset system that provides these capabilities. -Our novel broadcast data transmission system is based on intentional modulation of global grid frequency. Our system is -independent of normal communication networks and can operate during a cyber attack. We have shown the practical -viability of our end-to-end design through simulations. Using our purpose-designed grid frequency recorder, we can -capture and process real-time grid frequency data in an electrically safe way. We used data captured this way as the -basis for simulations of our proposed grid frequency modulation communication channel. In these simulations, our system -has proven feasible. From our simulations we conclude that a large consumer such as an aluminium smelter at a small cost -can be modified to act as an on-demand grid frequency modulation transmitter. - -We have demonstrated our modulation system in a small-scale practical demonstration. For this demonstration, we have -developed a simple cryptographic protocol ready for embedded implementation in resource-constrained systems that allows -triggering a safety reset with a response time of less than 30 minutes. In this demonstration we use simulated grid -frequency data to trigger a commercial microcontroller to perform a firmware reset of an off-the-shelf smart meter. The -next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in collaboration with -an utility and an operator of a multi-megawatt load. 
- \subsection{Discussion} During an emergency in the electrical grid, the ability to communicate to large numbers of end-point devices is a 
@@ -967,7 +940,27 @@ a practical demonstration of broadcast data transmission through grid frequency controllable load as well as further optimization of the modulation and data encoding and the demodulator implementation. -\subsection{Artifacts} +\section{Conclusion} +\label{sec_conclusion} + +In this paper we have developed an end-to-end design for a safety reset system that provides these capabilities. +Our novel broadcast data transmission system is based on intentional modulation of global grid frequency. Our system is +independent of normal communication networks and can operate during a cyber attack. We have shown the practical +viability of our end-to-end design through simulations. Using our purpose-designed grid frequency recorder, we can +capture and process real-time grid frequency data in an electrically safe way. We used data captured this way as the +basis for simulations of our proposed grid frequency modulation communication channel. In these simulations, our system +has proven feasible. From our simulations we conclude that a large consumer such as an aluminium smelter at a small cost +can be modified to act as an on-demand grid frequency modulation transmitter. + +We have demonstrated our modulation system in a small-scale practical demonstration. For this demonstration, we have +developed a simple cryptographic protocol ready for embedded implementation in resource-constrained systems that allows +triggering a safety reset with a response time of less than 30 minutes. In this demonstration we use simulated grid +frequency data to trigger a commercial microcontroller to perform a firmware reset of an off-the-shelf smart meter. The +next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in collaboration with +an utility and an operator of a multi-megawatt load. 
+ +\appendix +\section{Artifacts} Source code for the demonstrator and simulations, as well as hardware EDA designs are available at the public git repository at the following URL: |
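Review bot: the change from `lirankat@tau.ac.il` to `lirankatzir@tau.ac.il` in the first hunk (`@@ -50,7 +50,7 @@`) is an author-metadata correction unrelated to the commit's stated purpose of compressing the paper to the page limit; it belongs in its own commit so the history records the fix, and the new address should be confirmed with the author, since nothing in the diff verifies it.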
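Review bot: `\includegraphics[width=0.45\textwidth]{flowchart}` in the `@@ -196,7 +196,7 @@` hunk enlarges the overview figure in a commit whose purpose is to save space, while every other figure hunk shrinks its image; if the intent is to fill the column width, say so in the commit message, otherwise leave it at 0.4.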
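Review bot: removing `\subsection{IoT and Smart Grid security}` in the `@@ -394,8 +394,6 @@` hunk leaves the opening text of `\section{Related work}` without a heading; check that no `\label` or `\ref` pointed at the removed subsection and that any later sibling `\subsection`s still read as a sequence now that the first one is gone, otherwise the section starts with unheaded text followed by numbered subsections.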
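Review bot: the rewritten synchronization paragraph in the `@@ -612,30 +610,29 @@` hunk drops the rubidium qualifier (`gps-disciplined rubidium standards`) but keeps the claim of synchronization "even after a holdover period of several days"; a GPS-disciplined oscillator's holdover is only as good as its local oscillator, so either restore the rubidium mention or state what the multi-day holdover rests on. The new closing sentence also asserts that transmissions on rejoined islands "will constructively interfere", which depends on the phase alignment the deleted version stated explicitly ("precisely synchronized"); suggest "the transmissions remain phase-aligned and add constructively".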
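Review bot: at `width=0.3\textwidth` in the `@@ -709,7 +706,7 @@` hunk, the four-curve SER plot `dsss_gold_nbits_overview` will have its legend and axis labels at two thirds of their previous size; verify it still reads in the two-column build, or regenerate the figure from the notebook with a larger font rather than scaling it down in LaTeX.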
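Review bot: the shortened heading `\subsection{Parameterizing a PoC GFM ``Safety Reset''}` in the `@@ -765,7 +762,7 @@` hunk uses the abbreviation PoC in a heading before the visible text expands it, and the `%FIXME introduce scenario` comment on the following line is still unresolved; keep `proof-of-concept` in the heading or expand PoC on first use, and resolve or track the FIXME before submission.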
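Review bot: the prototype photograph at `width=0.35\textwidth` in the `@@ -832,7 +829,7 @@` hunk has a caption that points out small details (the adapter board, the USB hub, the debug cable, the 3.5 mm plug); check that these are still identifiable at the reduced size, otherwise crop the photo instead of scaling it.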
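Review bot: the evaluation-kit paragraph relocated in the `@@ -854,6 +851,19 @@` hunk drops the sentence from the deleted "Lessons learned" section stating that the reset controller would also have to be galvanically isolated because the EVM430 main MCU and its JTAG port are coupled to the grid; that is the electrical-safety reason the kit was rejected and should survive the move, e.g. "Even after mounting it in an electrically safe manner the safety reset controller prototype would also have to be galvanically isolated". Also "This evaluation kit did not turn out well" reads oddly; "did not work out" is probably meant.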
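Review bot: the context line `Section~\label{grid-freq-characterization}` in the `@@ -888,11 +898,17 @@` hunk uses `\label` where `\ref` is needed, so the sentence typesets as "Section " with a stray label; since the paragraph is being rewritten, change it to `Section~\ref{grid-freq-characterization}` and confirm the target label exists. In the added text, "Despite the algorithms's complexity" carries the typo over from the deleted section; use "algorithm's" (or "algorithms'" if several are meant).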
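Review bot: with `\section{Conclusion}` removed in the `@@ -901,49 +917,6 @@` hunk, the `\subsection{Discussion}` that follows in the context now hangs under the preceding demonstration section rather than the conclusion; if that placement is intended it is fine, but then the discussion is numbered as part of the evaluation, so check the section numbering in the build and consider promoting it to a `\section` of its own.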
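Review bot: the conclusion moved in the `@@ -967,7 +940,27 @@` hunk keeps two defects from its old location: "an utility" should be "a utility", and its first sentence, "a safety reset system that provides these capabilities", now has the Discussion subsection between it and whatever "these capabilities" referred to, so name the capabilities explicitly. `\appendix` followed by `\section{Artifacts}` also makes the artifacts appendix A; confirm the template's required ordering of appendices relative to the bibliography, which this hunk does not show.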