Diffstat (limited to 'paper/safety-reset-paper.tex')
-rw-r--r-- paper/safety-reset-paper.tex 141
1 files changed, 75 insertions, 66 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex
index be7d40e..fe8097d 100644
--- a/paper/safety-reset-paper.tex
+++ b/paper/safety-reset-paper.tex
@@ -1,16 +1,6 @@
\documentclass[letterpaper,twocolumn,10pt]{article}
\usepackage{usenix}
-\usepackage[T1]{fontenc}
-\usepackage[
- backend=biber,
- style=numeric,
- natbib=true,
- url=false,
- doi=true,
- eprint=false
- ]{biblatex}
-\addbibresource{safety-reset.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
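Review bot: Removing `\usepackage[T1]{fontenc}` from the preamble affects the author names in `\author`, which contain umlauts (Götte, Björn). If the paper is built with pdfLaTeX, the default OT1 encoding assembles these letters from an accent and a base glyph, which hurts hyphenation and makes the names hard to search or copy in the PDF. Suggest keeping the T1 line unless the usenix style already sets a font encoding; it is independent of the biblatex removal in the same hunk.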
@@ -35,8 +25,8 @@
% https://eepublicdownloads.entsoe.eu/clean-documents/pre2015/publications/entsoe/Operation_Handbook/Policy_1_Appendix%20_final.pdf
\date{}
-\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
-\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
+\title{\large\bf Ripples in the Pond:\\Transmitting Information through Grid Frequency Modulation}
+\author{{\rm Jan Sebastian Götte}\\TU Darmstadt \and {\rm Liran Katzir}\\Tel Aviv University\and {\rm Björn Scheuermann}\\TU Darmstadt}
%\institute{TU Darmstadt\\ Communication Networks Lab\\ \email{safetyreset@jaseg.de}
%\and Tel Aviv University\\ Faculty of Engineering\\ \email{lirankat@tau.ac.il}
%\and TU Darmstadt\\ Communication Networks Lab\\ \email{scheuermann@informatik.hu-berlin.de}}
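Review bot: In the new `\author` line, `Tel Aviv University\and` is missing the space that the first separator has (`TU Darmstadt \and`); TeX accepts both, but the line should be consistent. The commented-out `\institute` block kept as context now duplicates the affiliations and can be deleted, or its contact addresses moved into the author block if they are meant to appear in the paper.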
@@ -45,29 +35,25 @@
%things'' \and Cyber-physical systems \and Hardware security \and Network Security \and Energy systems \and Signal theory}
\begin{abstract}
- Previous work has explored the scenario of an attacker compromising a large number of consumer devices, and
- modulating the power of these devices to cause large load swings at particular resonant frequencies of the
- electrical grid's control systems that ultimately cause a large-scale outage~\cite{ctap+11,wu01}. Previous work has
- focused on attacks using smart meters with integrated remote disconnect switches as first proposed
- in~\cite{anderson01}, but the same attack scenario also applies to large IoT devices such as IoT-equipped air
- conditioners or central heating systems.
-
- Prior work on mitigation of this attack scenario includes generic firmware hardening techniquies % FIXME citation
- and reducing the susceptibility of the electrical grid towards these resonant oscillation modes~\cite{entsoe01}.
- In this paper, we will complement these mitigation efforts by considering the recovery process after a successful
- attack. To transmission system operators (TSOs), the major challenge after such a Smart Meter-triggered outage is
- that the attacker will likely persist through the outage, and compromised Smart Meters will resume malicious
- activity after their power is restored. In the event of such an attack, TSOs would need a way to remotely put these
- compromised devices into a \emph{safe} mode of operation. For this purpose, we propose a remote-controllable
- \emph{Safety reest} that is designed to remain operational even during a large-scale attack.
-
- Given that public telecommunications networks including the internet, cellular networks, and LoRa base stations may
- also be disrupted during a blackout, the challenging aspect of this \emph{Safety Reset} is the communication channel
- between TSO and the smart meter. For this purpose, in this paper we propose a simple yet effective communication
- channel based on modulating grid frequency by modulating the power of a connected load or generator. Our proposed
- communciation channel (1) requires minimal infrastructure, (2) has a reach spanning the entire power grid and (3) is
- fully independent of other telecommunication networks and functions even under severe disruption of the grid. The
- resulting safety reset can be applied to any grid-connected device including smart meters and IoT devices.
+ The dependence of the electrical grid on networked control systems is steadily rising. While utilities are defending
+ their side of the grid effectively through rigorous IT security measures such as physically separated control
+ networks, the increasing number of networked devices on the consumer side such as smart meters or large
+ IoT-connected appliances such as air conditioners are much harder to secure due to their heterogeneity. We consider
+ a crisis scenario in which an attacker compromises a large number of consumer-side devices and modulates their
+ electrical to destabilize the grid and cause an electrical outage~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}.
+
+ In this paper propose a broadcast channel based on the modulation of grid frequency through which utility operators
+ can issue commands to devices at the consumer premises both during an attack for mitigation and in its wake to aid
+ recovery. Our proposed grid frequency modulation (GFM) channel is independent of other telecommunication networks.
+ It is resilient towards localized blackouts and it is operational immediately as soon as power is restored.
+
+ Based on our GFM broadcast channel we propose a ``safety reset'' system to mitigate an ongoing attack by disabling a
+ device's network interfaces and restting its control functions. It can also be used in the wake of an attack to aid
+ recovery by shutting down non-essential loads to reduce strain on the grid.
+
+ To validate our proposed design, we conducted simulations based on measured grid frequency behavior. Based on these
+ simulations, we performed an experimental validation on simulated grid voltage waveforms using a smart meter
+ equipped with a prototype safety reset system based on an inexpensive commodity microcontroller.
\end{abstract}
\section{Introduction}
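Review bot: The rewritten abstract has three text errors that change or obscure meaning. "modulates their electrical to destabilize the grid" is missing its noun (presumably "electrical load" or "electrical power"), "In this paper propose a broadcast channel" is missing "we", and "restting its control functions" should read "resetting". The first one matters most, since it is the sentence that defines the attack the paper is about.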
@@ -79,12 +65,15 @@ their interactions have not yet received much attention.
In this paper, we consider the previously proposed scenario where a large number of compromised consumer devices is used
alone or in conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly modulating
-the total connected load~\cite{ctap+11,wu01}. Previous work considered compromised smart meters with integrated remote
-disconnect switches as likely candidates for such an attack, but the same attack can also be performed using compromised
-IoT devices. Such attacks are hard to mitigate, and existing literature focuses on hardening device firmware to prevent
+the total connected load~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. Several devices have been identified as likely
+targets for such an attack including smart meters with integrated remote disconnect switches~\cite{ctap+11,anderson01},
+large IoT-connected appliances~\cite{smp18,hcb19,chl20,olkd20} and electric vehicle
+chargers~\cite{kgma21,zlmz+21,olkd20}. Such attacks are hard to mitigate, and existing literature focuses on hardening
+grid control systems~\cite{kgma21,lzlw+20,lam21,zlmz+21} and device firmware\cite{mpdm+10,smp18,zb20,yomu+20} to prevent
compromise. Despite the infeasibility of perfect firmware security, there is little research on \emph{post-compromise}
-mitigation approaches. A core issue with post-attack mitigation is that the devices normal network connection may not
-work due to the attack and as such an out-of-band communication channel is necessary.
+mitigation approaches. A core issue with post-attack mitigation is that network connections such as internet and
+cellular networks between the utility and devices on consumer premises may not work due to the attack. Thus, mitigation
+strategies that involve devices on the consumer premises will need an out-of-band communication channel.
We propose a \emph{safety reset} controller that is controlled through a novel, resilient, grid-wide powerline
communication technique. Our safety reset controller can be fitted into any Smart Meter or IoT device. Its purpose is to
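Review bot: In the added line `grid control systems~\cite{kgma21,lzlw+20,lam21,zlmz+21} and device firmware\cite{mpdm+10,smp18,zb20,yomu+20}`, the second citation has no `~` before `\cite`, so the number is set directly against "firmware" without a space. Every other citation in this paragraph uses the tie; add it here as well. This hunk also introduces many new citation keys, so it is worth confirming each one resolves once the bibliography backend changes at the end of the file.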
@@ -92,14 +81,31 @@ await an out-of-band command to put the device into a safe state (e.g. \emph{rel
interrupts attacker control over the device. The safety reset controller is separated from the system's main application
controller and does not have any conventional network connections to reduce attack surface and cost.
-We propose a resilient grid-wide broadcast channel based on modulating grid frequency. This channel can be operated by
-transmission system operators (TSOs) even during black-start recovery procedures and in this situation bridges the gap
-between the TSO's private network and the consumer devices. To demonstrate our proposed channel, we have implemented a
-system that transmits error-corrected and cryptographically secured commands.
-
-Our approach differs from traditional Powerline Communication (PLC) systems in that it reaches every device within one
-synchronous area as the signal is embedded into the fundamental grid frequency. Traditional PLC uses a superimposed
-voltage, which is quickly attenuated across long distances.
+To facilitate resilient communication between the grid operator and the safety reset controller, we propose a grid-wide
+broadcast channel based on grid frequency modulation (GFM). This channel can be operated by transmission system
+operators (TSOs) even during black-start recovery procedures and it bridges the gap between the TSO's private control
+network and consumer devices that can not economically be equipped with other resilient communication techniques such as
+satellite transceivers. To demonstrate our proposed channel, we have implemented a system that transmits error-corrected
+and cryptographically secured commands through an emulated grid frequency-modulated voltage waveform to an off-the-shelf
+smart meter equipped with a prototype safety reset controller based on a small off-the-shelf microcontroller.
+
+The frequency behavior of the electrical grid can be analyzed by examining the grid as a large collection of mechanical
+oscillators coupled through the grid via the electromotive force~\cite{rogers01,wcje+12}. The generators and motors that
+are electromagnetically coupled through the grid's transmission lines and transformers run synchronously with each
+other, with only minor localized variations in their rotation angle. The dynamic behavior of grid frequency is a direct
+product of this electromechanical coupling: With increasing load, frequency drops because shafts move slower under
+higher torque, and consequentially with decreasing load frequency rises. Industrial control systems keep frequency close
+to its nominal value over time spans of minutes or hours, but at shorter time frames the combined inertia of all
+grid-connected generators and motors is what regulates frequency.
+
+Grid frequency modulation works by quickly modulating the power of a large, grid-connected load or generator. When this
+modulation is at low amplitude and high frequency, it is below the thresholds set for the grid's automated control
+systems and monitoring systems and it will directly affect frequency according to the grid's inertia. GFM differs from
+traditional Powerline Communication (PLC) systems in that it reaches every device within one synchronous area as the
+signal is embedded into the fundamental grid frequency. Traditional PLC uses a superimposed voltage, which is quickly
+attenuated across long distances. Practically speaking, using GFM a single large transmitter can cover an entire
+synchronous area, while in traditional PLC hundreds or thousands of smaller transmitters would be necessary. Unlike
+traditional PLC, any large industrial load that allows for fast computer control can act as a GFM transmitter.
\begin{figure}
\centering
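Review bot: The last added sentence, "any large industrial load that allows for fast computer control can act as a GFM transmitter", describes a property that holds for anyone who controls such a load, not only for the TSO. The same hunk mentions "error-corrected and cryptographically secured commands", and the paragraph would be stronger if it said here that receivers act only on authenticated commands, so the reader does not take the open transmitter set as an unaddressed weakness. The claim that low-amplitude, high-frequency modulation stays "below the thresholds set for the grid's automated control systems" also has no citation. Smaller points: "can not" should be "cannot", "consequentially" should be "consequently", and "off-the-shelf" appears twice in one sentence.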
@@ -109,17 +115,18 @@ voltage, which is quickly attenuated across long distances.
\label{fig_intro_flowchart}
\end{figure}
-Figure~\ref{fig_intro_flowchart} shows an overview of our concept. Two scenarios for its application are before or
-during a cyberattack, to stop an attack on the electrical grid in its tracks, and after an attack while power is being
-restored to prevent a repeated attack. In both scenarios, our concept is independent of telecommunication networks (such
-as the internet or cellular networks) as well as broadcast systems (such as cable television or terrestrial broadcast
-radio) while requiring only inexpensive signal processing hardware and no external antennas (such as are needed for
-satellite communication). A grid frequency-based system can function as long as power is still available, or as soon as
-power is restored after the attack. One powerful function this allows is ``flushing out`` an attacker from compromised
-smart meters after an attack, before restoring smart meter internet connectivity.
+Figure~\ref{fig_intro_flowchart} shows an overview of our concept, where a large aluminium smelter has been temporarily
+re-purposed as a GFM transmitter. Two scenarios for its application are before or during a cyberattack, to stop an
+attack on the electrical grid in its tracks, and after an attack while power is being restored to prevent a repeated
+attack. In both scenarios, our concept is independent of telecommunication networks (such as the internet or cellular
+networks) as well as broadcast systems (such as cable television or terrestrial broadcast radio) while requiring only
+inexpensive signal processing hardware and no external antennas (such as are needed for satellite communication). A grid
+frequency-based system can function as long as power is still available, or as soon as power is restored after the
+attack. One powerful function this allows is ``flushing out`` an attacker from compromised smart meters after an attack,
+before restoring smart meter internet connectivity.
Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load such as a large aluminium smelter,
-load bank or photovoltaic farm would allow for the transmission of a crytographically secured \emph{reset} signal within
+load bank or photovoltaic farm would allow for the transmission of a crytographically secured safety reset signal within
$15$ minutes. We have designed and constructed a proof-of-concept prototype receiver that demonstrates the feasibility
of decoding such signals on a resource-constrained microcontroller.
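Review bot: Two defects from the old text are carried into the re-wrapped lines. The phrase ``flushing out`` is closed with two backticks, which LaTeX typesets as a second opening quote; the closing mark should be `''`. In the line that this hunk already edits to say "safety reset signal", "crytographically" is still misspelled and should be "cryptographically".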
@@ -172,9 +179,10 @@ restore the grid to its normal state.
\subsection{Contents}
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
-conditions. Based on these simulations we implemented an end-to-end prototype of our proposed safety reset controller as
-part of a realistic smart meter demonstrator. Finally, we experimentally validated our results and we will conclude with
-an outline of further steps towards a practical implementation.
+conditions using measured grid frequency data. Based on these simulations we implemented an end-to-end prototype of our
+proposed safety reset controller as part of a realistic smart meter demonstrator. Finally, we experimentally validated
+our results based on a simulated mains voltage signal and we will conclude with an outline of further steps towards a
+practical implementation.
This work contains the following contributions:
\begin{enumerate}[topsep=4pt]
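Review bot: The added wording "based on a simulated mains voltage signal" uses a third term for the same test input. The new abstract says "simulated grid voltage waveforms" and the new introduction says "an emulated grid frequency-modulated voltage waveform". Pick one term and use it in all three places, so it is clear that the validation did not run on a live grid signal and that all three passages refer to the same experiment. The sentence also mixes tenses ("we experimentally validated ... and we will conclude").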
@@ -494,14 +502,14 @@ from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
\begin{figure}
\centering
- \includegraphics[width=0.4\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
+ \includegraphics[width=0.45\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
\caption{Symbol Error Rate as a function of modulation amplitude for Gold sequences of several lengths.}
\label{fig_ser_nbits}
\end{figure}
\begin{figure}
\centering
- \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../notebooks/fig_out/dsss_thf_amplitude_5678}
+ \hspace*{-1cm}\includegraphics[width=0.5\textwidth]{../notebooks/fig_out/dsss_thf_amplitude_5678}
\caption{SER vs.\ Amplitude and detection threshold. Detection threshold is set as a factor of background noise
level.}
\label{fig_ser_thf}
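Review bot: The new widths are given as fractions of `\textwidth`, but the document class is loaded with `twocolumn` and these are single-column `figure` environments. `0.5\textwidth` is slightly wider than one column, because the column separation is not subtracted, and the `\hspace*{-1cm}` left over from the old `1.2\textwidth` setting now shifts the image left of the column. Suggest `width=\columnwidth` (or a fraction of it) and dropping the negative `\hspace*`.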
@@ -509,7 +517,7 @@ from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
\begin{figure}
\centering
- \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../notebooks/fig_out/chip_duration_sensitivity_6}
+ \hspace*{-1cm}\includegraphics[width=0.5\textwidth]{../notebooks/fig_out/chip_duration_sensitivity_6}
\vspace*{-1cm}
\caption{SER vs.\ DSSS chip duration.}
\label{fig_ser_chip}
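Review bot: The context line `\vspace*{-1cm}` before the caption was tuned for the old `1.2\textwidth` image. With the image now at `0.5\textwidth` its height shrinks accordingly, so the same negative skip can pull the caption into the plot. Check the rendered figure and reduce or remove the skip.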
@@ -542,7 +550,7 @@ need for computationally expensive public key cryptography inside the smart mete
\begin{figure}
\centering
- \includegraphics[width=0.6\textwidth]{prototype.jpg}
+ \includegraphics[width=0.45\textwidth]{prototype.jpg}
\caption{The completed prototype setup. The board on the left is the safety reset microcontroller. It is connected
to the smart meter in the middle through an adapter board. The top left contains a USB hub with debug interfaces to
the reset microcontroller. The cables on the bottom left are the debug USB cable and the \SI{3.5}{\milli\meter}
@@ -571,7 +579,7 @@ the meter's display after boot-up.
\begin{figure}
\centering
- \includegraphics[width=\textwidth]{prototype_schema}
+ \includegraphics[width=0.45\textwidth]{prototype_schema}
\caption{The signal processing chain of our demonstrator.}
\label{fig_demo_sig_schema}
\end{figure}
@@ -652,7 +660,8 @@ commercially viable.
Source code and EDA designs are available at the public repository listed at the end of this document.
-\printbibliography[heading=bibintoc]
+\bibliographystyle{plain}
+\bibliography{\jobname}
\center{
\center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository
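Review bot: `\bibliography{\jobname}` makes BibTeX look for a database named after the job, which for this file would be `safety-reset-paper.bib`, while the line removed from the preamble loaded `safety-reset.bib`. Unless the database is renamed or generated elsewhere in this commit, every `\cite` will come out unresolved. Either name the file explicitly, `\bibliography{safety-reset}`, or confirm the rename. The switch also drops `heading=bibintoc`, so the references no longer get a table-of-contents entry if that was wanted.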