diff options
Diffstat (limited to 'paper/safety-reset-paper.tex')
-rw-r--r-- | paper/safety-reset-paper.tex | 109 |
1 files changed, 82 insertions, 27 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index f07a15e..7f8d287 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex @@ -37,7 +37,7 @@ Conference}{December 5--9}{Austin, TX, USA} Ripples in the Pond: Transmitting Information through Grid Frequency Modulation } -\author{Jan Götte} +\author{Jan Sebastian Götte} \affiliation{ \institution{Technische Universität Darmstadt} \city{Darmstadt} @@ -61,13 +61,66 @@ Conference}{December 5--9}{Austin, TX, USA} } \email{scheuermann@kom.tu-darmstadt.de} +\renewcommand{\shortauthors}{Götte, Katzir and Scheuermann} +\begin{CCSXML} +<ccs2012> +<concept> +<concept_id>10010583.10010662.10010668.10010671</concept_id> +<concept_desc>Hardware~Power networks</concept_desc> +<concept_significance>500</concept_significance> +</concept> +<concept> +<concept_id>10010583.10010662.10010668.10010672</concept_id> +<concept_desc>Hardware~Smart grid</concept_desc> +<concept_significance>300</concept_significance> +</concept> +<concept> +<concept_id>10010583.10010750.10010769</concept_id> +<concept_desc>Hardware~Safety critical systems</concept_desc> +<concept_significance>500</concept_significance> +</concept> +<concept> +<concept_id>10010520.10010553.10010562.10010561</concept_id> +<concept_desc>Computer systems organization~Firmware</concept_desc> +<concept_significance>300</concept_significance> +</concept> +<concept> +<concept_id>10010520.10010553.10010562.10010563</concept_id> +<concept_desc>Computer systems organization~Embedded hardware</concept_desc> +<concept_significance>300</concept_significance> +</concept> +<concept> +<concept_id>10002978.10002997.10002998</concept_id> +<concept_desc>Security and privacy~Malware and its mitigation</concept_desc> +<concept_significance>300</concept_significance> +</concept> +<concept> +<concept_id>10002978.10003001.10003003</concept_id> +<concept_desc>Security and privacy~Embedded systems security</concept_desc> +<concept_significance>500</concept_significance> +</concept> +<concept> +<concept_id>10002978.10003001.10003599.10011621</concept_id> +<concept_desc>Security and privacy~Hardware-based security protocols</concept_desc> +<concept_significance>300</concept_significance> +</concept> +</ccs2012> +\end{CCSXML} + +\ccsdesc[500]{Hardware~Power networks} +\ccsdesc[300]{Hardware~Smart grid} +\ccsdesc[500]{Hardware~Safety critical systems} +\ccsdesc[300]{Security and privacy~Malware and its mitigation} +\ccsdesc[500]{Security and privacy~Embedded systems security} +\ccsdesc[300]{Security and privacy~Hardware-based security protocols} + \begin{abstract} - The dependence of the electrical grid on networked control systems is steadily rising. While utilities can defend - their side of the grid effectively through rigorous IT security measures such as physically separated control - networks, the increasingly large heterogenous ecosystem of networked devices on the consumer side such as smart - meters or large IoT-connected appliances such as air conditioners is much harder to secure. We consider a crisis - scenario in which an attacker compromises a large number of consumer-side devices and modulates their electrical - power to destabilize the grid and cause an electrical outage~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. + The growing heterogenous ecosystem of networked consumer devices such as smart meters or IoT-connected appliances + such as air conditioners is difficult to secure, unlike the utility side of the grid which can be defended + effectively through rigorous IT security measures such as isolated control networks. In this paper, we consider a + crisis scenario in which an attacker compromises a large number of consumer-side devices and modulates their + electrical power to destabilize the grid and cause an electrical + outage~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. In this paper propose a broadcast channel based on the modulation of grid frequency through which utility operators can issue commands to devices at the consumer premises both during an attack for mitigation and in its wake to aid @@ -80,7 +133,7 @@ Conference}{December 5--9}{Austin, TX, USA} To validate our proposed design, we conducted simulations based on measured grid frequency behavior. Based on these simulations, we performed an experimental validation on simulated grid voltage waveforms using a smart meter - equipped with a prototype safety reset system based on an inexpensive commodity microcontroller. + equipped with a prototype safety reset system based on a commodity microcontroller. \end{abstract} \maketitle @@ -239,7 +292,7 @@ This work contains the following contributions: \subsection{Components and interactions} The electrical grid transmits alternating current electrical power from generators to loads. Any device that is -connected to the grid must run ``synchronously'' with the grid, i.e.\ it must produce or consume power following the +connected to the grid must run \emph{synchronous} with the grid, i.e.\ it must produce or consume power following the grid's voltage waveform. In generators and motors, the electromotive force acts to synchronize the device with the grid. Connecting a generator that has not been synchronized to the grid leads to large currents flowing through the generator's windings, inducing extreme forces that can mechanically destroy the generator. Similarly, if the inverters @@ -247,7 +300,7 @@ of a solar power station would try to fight the grid, the grid would win and the release their magic smoke. Originally, all power sources on the grid were synchronous rotating generators. Today, the shift towards renewable -energies and the introduction of high-voltage DC links has led to some of the grid's generating capacity being replaced +energy and the introduction of high-voltage DC links has led to some of the grid's generating capacity being replaced with inverters that electronically emulate the grid's voltage waveform to efficiently convert a DC input to the grid's alternating current. @@ -349,15 +402,18 @@ makes the task harder. In~\cite{smp18}, Soltan, Mittal and Poor investigated an attack scenario where an attacker first gains control over a large number of high wattage devices through an IoT security vulnerability, then uses this control to cause rapid load -spikes. The researchers performed computer simulations for a range of parameters and concluded that given sufficiently -many compromised devices, an attacker can cause issues up to a large-scale blackout. - -In~\cite{hcb19}, Huang, Cardenas and Baldick raised a counter-point to the conclusions of Soltan et al., finding that -limitations of their simulations in~\cite{smp18} have lead them to over-estimate the severity of an attack. Using a more -accurate model, they confirmed that such attacks can cause problems such as localized blackouts and the decay of the -grid into islands, but they found that overall the electrical grid is less vulnerable than previously assumed and -particularly large-scale blackouts are very unlikely, primarily due to the action of protection systems such as load -shedding and over frequency protection. +spikes. The researchers performed computer simulations for a range of parameters and concluded that an attacker +controlling 200 - 300 devices of $\SI{1}{\kilo\watt}$ each per megawatt of total grid power (equivalent to +30\% of total connected power) can cause a large-scale blackout in a healthy grid, while 10 such compromised +devices per megawatt (1\% of total power) are enough to cause cascading line failures that may ultimately lead +up to a large-scale blackout. + +In~\cite{hcb19}, Huang, Cardenas and Baldick raised a counter-point to the conclusions of Soltan et al., arguing that +limitations of their simulations in~\cite{smp18} have lead them to over-estimate the severity of an attack. Using a +model tailored to accurately represent the grid's protection mechanisms, they found that due to the action of protection +systems such as load shedding and over frequency protection, large attacks of 30\% of total grid power are likely to +cause only localized blackouts and the decay of the grid into islands, instead of a large-scale blackout. Smaller attack +sizes between 1\% and 10\% proved to be largely harmless in their simulations. From literature, we get the overall impression that both IoT and Smart Grid security are challenging. Both lack behind the security standard of state of the art desktop, server and smartphone operating systems. Reasons for this are the @@ -377,9 +433,7 @@ In this instance, market forces do not align with the interest of the public at especially in code implementing complex network protocols such as TLS~\cite{georgiev01}, which may even be mandated by national standards in some devices such as smart electricity meters. -\subsection{Reliably resetting an IoT or Smart Grid device} - - +%\subsection{Reliably resetting an IoT or Smart Grid device} \subsection{Oscillations in the electrical grid} @@ -467,7 +521,7 @@ powered up, while communciation networks such as FTTH or 5G are still rebooting, centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G -and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast +and LoraWAN are built around a point-to-point communication model and usually do not support a global broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication channel because only a single transmitter facility must be operational for it to function, and this single transmitter @@ -855,13 +909,14 @@ Source code and EDA designs are available at the public repository listed at the This work has been co-funded by the LOEWE initiative (Hesse, Germany) within the emergenCITY center. \end{acks} -\bibliographystyle{plain} -\bibliography{\jobname} - \center{ \footnotesize - \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today.} + %\center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today.} \center{Source files and associated data for this work can be found in the git repository at the following URL: \url{https://git.jaseg.de/safety-reset.git} } +} + +\bibliographystyle{ACM-Reference-Format} +\bibliography{\jobname} \end{document} |