summaryrefslogtreecommitdiff
path: root/paper
diff options
context:
space:
mode:
authorjaseg <git@jaseg.de>2022-09-16 18:06:34 +0200
committerjaseg <git@jaseg.de>2022-09-16 18:06:34 +0200
commit3e3e03892abf97411066e2ac650e14fad3f9f0e9 (patch)
tree7c2a17db951c456555b20dfee56cb26f59dd7686 /paper
parente3b1ff9222cd2eef3374bd27bcd25adaf9ebc507 (diff)
downloadmaster-thesis-3e3e03892abf97411066e2ac650e14fad3f9f0e9.tar.gz
master-thesis-3e3e03892abf97411066e2ac650e14fad3f9f0e9.tar.bz2
master-thesis-3e3e03892abf97411066e2ac650e14fad3f9f0e9.zip
Rework WIP
Diffstat (limited to 'paper')
-rw-r--r--paper/Makefile2
-rw-r--r--paper/safety-reset-paper.tex70
2 files changed, 54 insertions, 18 deletions
diff --git a/paper/Makefile b/paper/Makefile
index 48d14c5..ac1edbb 100644
--- a/paper/Makefile
+++ b/paper/Makefile
@@ -10,7 +10,7 @@ MAKEFLAGS += --no-builtin-rules
main_tex ?= safety-reset-paper
-VERSION_STRING := $(shell git describe --tags --long)
+VERSION_STRING := 1.0 # $(shell git describe --tags --long)
all: ${main_tex}.pdf
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex
index 521194b..e79f7b3 100644
--- a/paper/safety-reset-paper.tex
+++ b/paper/safety-reset-paper.tex
@@ -187,6 +187,20 @@ task to secure the firmware of sufficiently many devices to deny an attacker the
Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
+\subsection{Attacker model}
+
+According to the above criteria, our attacker model has the following key features:
+
+\begin{itemize}
+ \item The attacker cannot compromise the utility operators' SCADA systems.
+ \item The attacker can compromise and subsequently control a large number of target devices at the customer's
+ premises such as smart meters or large IoT devices such as air conditioners or central heating systems.
+ \item Target devices can be designed to include a separate firmware and factory reset function that the attacker
+ cannot circumvent. In the simplest case, this could be a separate microcontroller that is connected to the
+ device's application processor's programming port.
+ \item The attacker aims for maximum disruption as opposed to e.g. data extraction.
+\end{itemize}
+
\subsection{Contents}
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
@@ -441,17 +455,20 @@ receiver hardware complexity.
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
+\subsection{Comparison to other communication channels}
+
Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication
-channel has a resiliency advantage: If there is power, a grid frequency modulation system is operational. Both FTTH and
-5G systems not only require power at their base stations, but also require centralized infrastructure to operate. Mesh
-networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be
-available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally,
-systems such as FTTH, 5G and LoraWAN are built around a point-to-point communication model and usually do not support a
-generic broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to
-congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a
-communication channel because only a single transmitter facility must be operational for it to function, and this single
-transmitter can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as
-electrical power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
+channel has a resiliency advantage. It can start transmission as soon as a power island with a connected transmitter is
+powered up, while communciation networks such as FTTH or 5G are still rebooting, or might be waiting for parts of their
+centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as
+LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
+longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G
+and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast
+primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of
+cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication
+channel because only a single transmitter facility must be operational for it to function, and this single transmitter
+can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as electrical
+power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
cyberattacks that target telecommunication networks.
\subsection{Characterizing Grid Frequency}
@@ -503,13 +520,12 @@ oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (no
\section{Grid Frequency Modulation}
-A transmitter for grid frequency modulation would be a controllable load of several Megawatt that
-is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling
-liquid (such as a small lake) which is powered from a
-thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased
-by repurposing a large industrial load as a transmitter. Going through a
-list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate.
-In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
+A transmitter for grid frequency modulation would be a controllable load of several Megawatt that is located centrally
+within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling liquid (such as a
+small lake) which is powered from a thyristor rectifier bank. Compared to this baseline solution, hardware and
+maintenance investment can be decreased by repurposing a large industrial load as a transmitter. Going through a list of
+energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In
+aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}.
Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and
electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the
@@ -538,6 +554,26 @@ consumption is possible at no significant production impact and at low infrastru
already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on
parts of the plant, as this is commonplace during routine maintenance activities.
+\subsection{The operational model of a GFM-based safety reset}
+
+While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire
+continental European synchronous area, we have to consider operation during a black start, when the grid temporarily
+divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the
+same power island.
+
+Instead, the system can use a number of transmitters that are distributed throughout the network. Piggy-backing
+transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By running
+transmitters from gps-synchronized ovenized crystal oscillators or rubidium frequency standards, transmissions can be
+precisely synchronized across power islands even after a holdover period of several days. This allows a transmission to
+continue un-interrupted while the utility re-joins power island into the larger grid, since the transmissions on both
+islands are precisely synchronized.
+
+As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this
+connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the
+utility's dedicated SCADA network. In an emergency, the command center can then trigger a transmission. Synchronized
+through their gps-backed frequency standards, two transmitters will then constructively interfere as soon as they are
+connected to the same power island.
+
\subsection{Parametrizing Modulation for GFM}
Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we