summaryrefslogtreecommitdiff
path: root/paper/safety-reset-paper.tex
diff options
context:
space:
mode:
authorjaseg <git@jaseg.de>2021-07-30 17:30:32 +0200
committerjaseg <git@jaseg.de>2021-07-30 17:30:32 +0200
commitd1c605059c8c6614b5432efbfec823a20f1311b6 (patch)
tree854ab94b6e4cf5471bf7fa4117952fbb74ceef07 /paper/safety-reset-paper.tex
parent38b009da9f9498d3959a58826fe05a4826a4b7f6 (diff)
downloadmaster-thesis-d1c605059c8c6614b5432efbfec823a20f1311b6.tar.gz
master-thesis-d1c605059c8c6614b5432efbfec823a20f1311b6.tar.bz2
master-thesis-d1c605059c8c6614b5432efbfec823a20f1311b6.zip
paper rework WIP
Diffstat (limited to 'paper/safety-reset-paper.tex')
-rw-r--r--paper/safety-reset-paper.tex80
1 files changed, 61 insertions, 19 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex
index 367359c..c71ec26 100644
--- a/paper/safety-reset-paper.tex
+++ b/paper/safety-reset-paper.tex
@@ -33,7 +33,7 @@
\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
\titlerunning{Ripples in the Pond: Transmitting Information through Grid Frequency}
\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
-\institute{Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
+\institute{Alexander von Humboldt Institut for Internet and Society Berlin (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
% FIXME keywords
\maketitle
\keywords{Security, privacy and resilience in critical infrastructures \and Security and privacy in ``internet of
@@ -48,11 +48,11 @@ things'' \and Cyber-physical systems \and Hardware security \and Network Securit
In this paper, we approach the smart grid safety issue by implementing an emergency override that can be used to
reset all connected devices to a known-good state and preempt subsequent compromise by cutting communication links.
- To yield a fully fail-safe design, our system does not rely on the internet or other conventional communication
- network to work. Instead, our system transmits error-corrected and cryptographically secured commands by modulating
- grid frequency using a single large consumer such as a large aluminium smelter. This approach differs from
- traditional Powerline Communication (PLC) systems in that it reaches every device within the same synchronous area
- as the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly
+ To yield a fully fail-safe design, our system does not rely on the internet or other conventional telecommunication
+ networks to function. Instead, our system transmits error-corrected and cryptographically secured commands by
+ modulating grid frequency using a single large consumer such as a large aluminium smelter. This approach differs
+ from traditional Powerline Communication (PLC) systems in that it reaches every device within the same synchronous
+ area as the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly
attenuated across long distances.
Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load would allow for the transmission
@@ -116,13 +116,29 @@ In this paper, instead of focusing on the very hard task of improving firmware s
solution to the---in our opinion likely---scenario of a large-scale compromise of smart meter firmware. In our concept
the components of the smart meter that are threatened by remote compromise are equipped with a physically separate
\emph{safety reset controller} that listens for a ``reset'' command transmitted through the electrical grid's frequency
-and on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller
-receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a
-large controllable load such as an aluminium smelter. After forward error correction and cryptographic verification it
-re-flashes the meter's main microcontroller over the standard JTAG interface. Note that our modulation technique is
-\emph{changing the grid frequency itself}. This is fundamentally different in both generation and detection from
-systems such as traditional PLC that superimpose a signal on grid voltage, but leave the underlying grid frequency
-itself unaffected.
+and on reception forcibly resets the smart meter's entire firmware to a known-good state and disables all network
+functionality to prevent re-compromise. Our safety reset controller receives commands through Direct Sequence Spread
+Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium smelter.
+After forward error correction and cryptographic verification it re-flashes the meter's main microcontroller over the
+standard JTAG interface. Note that our modulation technique is \emph{changing the grid frequency itself}. This is
+fundamentally different in both generation and detection from systems such as traditional PLC that superimpose a signal
+on grid voltage, but leave the underlying grid frequency itself unaffected.
+
+\begin{figure}
+ \centering
+ \includegraphics[width=0.4\textwidth]{flowchart}
+ \caption{Structural overview of our concept. 1 - Government authority or utility operations center. 2 - Emergency
+ radio link. 3 - Aluminium smelter. 4 - Electrical grid. 5 - Target smart meter.}
+ \label{fig_intro_flowchart}
+\end{figure}
+
+Figure~\ref{fig_intro_flowchart} shows an overview of our concept. Two scenarios for its application are before or
+during a cyberattack, to stop an attack on the electrical grid in its tracks, and after an attack while power is being
+restored to prevent a repeated attack. In both scenarios, our concept is fully independent of all public communication
+networks (such as the Internet or mobile networks) as well as broadcast systems (such as cable television or terrestrial
+broadcast radio). A grid frequency-based system can function as long as power is still available, or as soon as power is
+restored after the attack. One powerful function this allows is ``flushing out`` an attacker from compromised smart
+meters after an attack, before restoring smart meter internet connectivity.
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
conditions. Based on these simulations we implemented an end-to-end prototype of our proposed safety reset controller as
@@ -313,6 +329,16 @@ well as low receiver hardware complexity.
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
+Compared to traditional channels such as DSL, LTE or LoraWAN, grid frequency as a communication channel has a large
+resiliency advantage: If there is power, a grid frequency modulation system is operational. Both DSL and LTE systems not
+only require power but also require large amounts of centralized infrastructure to operate. Mesh networks such as
+LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
+longer distances LoraWAN relies on the public internet for its network backbone. Therefore, during an ongoing
+cyberattack, grid frequency is promising as a communication channel as only a single transmitter facility must be
+operational for it to function. After a power outage, it can function as soon as electrical power is restored, even
+while the public internet and mobile networks are still offline and it is unaffected by cyberattacks that target
+telecommunication networks.
+
\subsection{Characterizing Grid Frequency}
In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely
@@ -359,12 +385,28 @@ Aluminium smelters are operated around the clock, and due to the high financial
outages has been carefully characterized by the industry. Power outages of tens of minutes up to two hours reportedly do
not cause problems in aluminium potlines~\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation
without affecting cell lifetime or product quality have been developed to take advantage of variable energy
-prices.~\cite{duessel01,eisma01}. An aluminium plant's power supply is controlled to constantly keep all smelter cells
-under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to rectify
-low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a combination of a
-tap changer and a transductor. Individual cell voltages are controlled by changing the physical distance between anode
-and cathode distance. In this setup, power can be modulated fully electronically. Since this system does not have any
-mechanical inertia, high modulation rates can reasonably be achieved.
+prices.~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all
+smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to
+rectify low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a
+combination of a tap changer and a transductor. Individual cell voltages are controlled by changing the physical
+distance between anode and cathode distance. In this setup, power can be modulated fully electronically. Since this
+system does not have any mechanical inertia, high modulation rates can reasonably be achieved.
+
+In~\cite{depree01}, the authors describe a setup where a large Aluminium smelter in continental Europe is used as
+primary control reserve for frequency \emph{regulation}. In this setup, a rise time of $\SI{15}{\second}$ was achieved
+to meet the $\SI{30}{\second}$ requirement posed by local standards for primary control. In their conclusion, the
+authors note that for their system, an energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ is possible if all plants
+of a single operator are used. Given the maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that is
+mentioned by the authors, this results in an effective modulation power of $\SI{7.7}{\giga\watt}$. Over a longer
+timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to
+a modulation power of $\SI{2.5}{\giga\watt}$.
+
+From this brief literature review, we conclude that a modulation of part of an aluminium smelter's power consumption
+most likely is possible at no significant production impact and low infrastructure cost (such as for shell heat
+exchangers as used in~\cite{depree01}). Aluminium smelters are connected to the grid in a way that they do not pose a
+danger to other nearby consumers when they turn off or on parts of the plant, as this is commonplace during routine
+maintenance activities. They are very large consumers of electrical power, but they are still small when seen in
+relation to the entire grid.
\subsection{Parametrizing Modulation for GFM}