Diffstat (limited to 'paper/safety-reset-paper.tex')
-rw-r--r-- | paper/safety-reset-paper.tex | 161 |
1 files changed, 85 insertions, 76 deletions
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index f4b24e6..e6f043f 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex @@ -370,19 +370,6 @@ networks. \subsection{Characterizing Grid Frequency} \label{grid-freq-characterization} -In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely -measure grid frequency among other parameters. This task is a complicated task since a PMU has to make fast and precise -measurements given a distorted input signal. Details on the inner workings of commercial phasor measurement units are -scarce but there is a large amount of academic research on measurement -algorithms~\cite{narduzzi01,derviskadic01,belega01}. - -In our application, we do not need the same level of precision. For the sake of simplicity, we use the universal -frequency estimation approach of Gasior and Gonzalez~\cite{gasior01}. In this algorithm, the windowed input signal is -processed using a Discrete Fourier Transform (DFT), then the signal's fundamental frequency is interpolated by fitting a -wavelet to the largest peak in the DFT result. The bias parameter of this curve fit is an accurate estimation of the -signal's fundamental frequency. This algorithm is similar to the simpler interpolated DFT algorithm referenced by phasor -measurement literature~\cite{borkowski01}. - To collect ground truth measurements for our analysis of grid frequency as a communication channel, we developed a device to safely record mains voltage waveforms. Our system consists of an \texttt{STM32F030F4P6} ARM Cortex M0 microcontroller that records mains voltage using its internal 12-bit ADC and transmits measured values through a 
@@ -392,51 +379,65 @@ grid frequency error of $\SI{50}{\micro\hertz}$. We compared our oven-stabilized found that over a time span of 20 minutes both stayed stable within 5 ppb of each other, which corresponds to the drift specification of a typical crystal oven. +In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely +measure grid frequency among other parameters. Details on the inner workings of commercial phasor measurement units are +scarce but there is a large amount of academic research on measurement. PMUs employ complex signal analysis algorithms +to provide fast and precise measurements even when given a heavily distorted input +signal~\cite{narduzzi01,derviskadic01,belega01}. + +In our application, we do not need the same level of precision. For the sake of simplicity, we use the universal +frequency estimation approach of Gasior and Gonzalez~\cite{gasior01}. In this algorithm, the windowed input signal is +processed using a Discrete Fourier Transform (DFT), then the signal's fundamental frequency is interpolated by fitting a +wavelet to the largest peak in the DFT result. The bias parameter of this curve fit is an accurate estimation of the +signal's fundamental frequency. This algorithm is similar to the interpolated DFT algorithm referenced by phasor +measurement literature~\cite{borkowski01}. + \begin{figure} \centering - \includegraphics[width=0.8\textwidth]{../notebooks/fig_out/freq_meas_spectrum} - \caption{The spectrum of grid frequency variations measured over a two-day timespan. The raw spectrum is shown in - gray, and a smoothed spectrum is shown in red. The blue line is inversely proportional to frequency and illustrates - the $1/f$ nature of the spectrum. 
Distinctive peaks in the spectrum are marked with red crosses, and their locations + \includegraphics[width=0.45\textwidth]{../notebooks/fig_out/freq_meas_spectrum_new} + \caption{The spectrum of grid frequency variations measured over 24 hours. The raw spectrum is shown in gray, and a + smoothed spectrum is shown in red. The blue line is inversely proportional to frequency and illustrates the $1/f$ + nature of the spectrum. Distinctive peaks in the spectrum are marked with red crosses, and their locations are given on the bottom of the diagram.} \label{fig_freq_spec} \end{figure} -A number of effects can be seen in our measurement results in Figure~\ref{fig_freq_spec}. Across the frequency range, we -observe a broad $1/f$ noise. Above a period of $\SI{10}{\second}$, this $1/f$ noise dips to a flat noise floor. We -estimate that this low-noise region is caused by the self-regulating effect of loads. %FIXME citation -Above a $\SI{10}{\second}$ period, primary control is activated and thus the $1/f$ noise we observe is the result of the -interaction between primary control and consumer demand. On top of this $1/f$ behavior, the spectrum shows several sharp -peaks at time intervals with a ``round'' number such as $\SI{10}{\second}$, $\SI{60}{\second}$ or multiples of -$\SI{300}{\second}$. These peaks are due to loads turning on- or off depending on wall-clock time. Besides the narrow -peaks caused by this effect we can also observe two wider bumps at $\SI{6.3}{\second}$ and $\SI{3.9}{\second}$. These -bumps closely correlate with continental european synchonous area's oscillation modes at $\SI{0.15}{\hertz}$ (east-west) -and $\SI{0.25}{\hertz}$ (north-south)~\cite{grebe01}. -% FIXME measurement results +Using our grid frequency recorder, we performed a two-day measurement series of grid frequency. +Figure~\ref{fig_freq_spec} shows the frequency spectrum of grid frequency over this two-day span. In this spectrum, we +observe a number of features. 
Across the frequency range, we observe a broad $1/f$ noise. Above a period of +$\SI{10}{\second}$, this $1/f$ noise dips to a flat noise floor. We estimate that this low-noise region is caused by the +self-regulating effect of loads. %FIXME citation Above a $\SI{10}{\second}$ period, primary control is activated and +thus the $1/f$ noise we observe is the result of the interaction between primary control and consumer demand. On top of +this $1/f$ behavior, the spectrum shows several sharp peaks at time intervals with a ``round'' number such as +$\SI{10}{\second}$, $\SI{60}{\second}$ or multiples of $\SI{300}{\second}$. These peaks are due to loads turning on- or +off depending on wall-clock time. Besides the narrow peaks caused by this effect we can also observe two wider bumps at +$\SI{7.0}{\second}$ and $\SI{4.7}{\second}$. These bumps closely correlate with continental european synchonous area's +oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (north-south)~\cite{grebe01}. \section{Grid Frequency Modulation} -In its most basic form a transmitter for grid frequency modulation would be a very large controllable load located -centrally within the grid. A spool of wire submerged in a body of cooling liquid such as a small lake along with a -thyristor rectifier bank would likely suffice. We can however decrease hardware and maintenance investment even compared -to this rather uncultivated solution by repurposing large industrial loads as transmitters. Going through a list of -energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In -aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is +A transmitter for grid frequency modulation would be a controllable load of several Megawatt that +is located centrally within the grid. 
A baseline implementation would be a spool of wire submerged in a body of cooling +liquid (such as a small lake) which is powered from a +thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased +by repurposing a large industrial load as a transmitter. Going through a +list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. +In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is transformed, rectified and fed into about 100 series-connected electrolytic cells forming a \emph{potline}. Inside these pots alumina is dissolved in molten cryolite electrolyte at about \SI{1000}{\degreeCelsius} and electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the bottom of the cell and is tapped off for further processing. Aluminium smelters are operated around the clock, and due to the high financial stakes their behavior under power -outages has been carefully characterized by the industry. Power outages of tens of minutes up to two hours reportedly do +outages has been carefully characterized. Power outages of tens of minutes up to two hours reportedly do not cause problems in aluminium potlines~\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation without affecting cell lifetime or product quality have been developed to take advantage of variable energy -prices.~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all -smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to +prices~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all +smelter cells under optimal operating conditions. 
Modern power supply systems employ large banks of diodes or thyristors to rectify low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a combination of a tap changer and a transductor. Individual cell voltages are controlled by changing the physical -distance between anode and cathode distance. In this setup, power can be modulated fully electronically. Since this -system does not have any mechanical inertia, high modulation rates can reasonably be achieved. +distance between anode and cathode distance. In this setup, power can be electronically modulated using the thyristor +rectifier. Since the system does not have any mechanical inertia, high modulation rates are possible. In~\cite{depree01}, the authors describe a setup where a large Aluminium smelter in continental Europe is used as primary control reserve for frequency \emph{regulation}. In this setup, a rise time of $\SI{15}{\second}$ was achieved 
@@ -444,23 +445,20 @@ to meet the $\SI{30}{\second}$ requirement posed by local standards for primary authors note that for their system, an energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ is possible if all plants of a single operator are used. Given the maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that is mentioned by the authors, this results in an effective modulation power of $\SI{7.7}{\giga\watt}$. Over a longer -timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to -a modulation power of $\SI{2.5}{\giga\watt}$. - -From this brief literature review, we conclude that a modulation of part of an aluminium smelter's power consumption -most likely is possible at no significant production impact and low infrastructure cost (such as for shell heat -exchangers as used in~\cite{depree01}). Aluminium smelters are connected to the grid in a way that they do not pose a -danger to other nearby consumers when they turn off or on parts of the plant, as this is commonplace during routine -maintenance activities. They are very large consumers of electrical power, but they are still small when seen in -relation to the entire grid. +timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to a +modulation power of $\SI{2.5}{\giga\watt}$. We conclude that a modulation of part of an aluminium smelter's power +consumption is possible at no significant production impact and at low infrastructure cost. Aluminium smelters are +already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on +parts of the plant, as this is commonplace during routine maintenance activities. 
\subsection{Parametrizing Modulation for GFM} Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we -can derive parameters for the modulation of our broadcast system. Modulating $\SI{25}{\mega\watt}$ of smelter power -would yield a frequency shift of $\SI{1}{\milli\hertz}$. At an RMS frequency noise of around $\SI{10}{\milli\hertz}$ in -the band around $\SI{1}{\hertz}$, this results in challenging SNR. A second layer of modulation yielding some modulation -gain is necessary to achieve sufficient overall SNR. +can derive parameters for the modulation of our broadcast system. The overall network power-frequency characteristic of +the continental European synchronous area is about $\SI{25}{\giga\watt\per\hertz}$~\cite{entsoe02}. Thus, the main +challenge for a GFM system will be poor SNR due to low transmission power. A second layer of modulation yielding some +modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to achieve sufficient overall +SNR. The grid's frequency noise has significant localized peaks that might interfere with this modulation. Further complicating things are the oscillation modes. A GFM system must be designed to avoid exciting these modes. However, 
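Review bot: in the third hunk (@@ -444,23 +445,20 @@) the conclusion is strengthened from "most likely is possible at no significant production impact and low infrastructure cost (such as for shell heat exchangers as used in~\cite{depree01})" to a flat "is possible ... at low infrastructure cost" without adding evidence, and the one concrete cost item (the heat exchangers) is dropped; keep the hedge or keep the example, since the claim rests on a literature review rather than on the authors' own measurements. The same hunk also deletes "At an RMS frequency noise of around $\SI{10}{\milli\hertz}$ in the band around $\SI{1}{\hertz}$", which was the only quantitative support for the remaining sentence "the main challenge for a GFM system will be poor SNR due to low transmission power". The new $\SI{25}{\giga\watt\per\hertz}$ figure from~\cite{entsoe02} gives the signal side (1 mHz per 25 MW) but not the noise side; restoring the noise number next to it would let the reader verify the SNR argument. Minor: the deleted sentence that smelters "are still small when seen in relation to the entire grid" was the justification for why a single smelter cannot destabilize the grid as a transmitter; if it is intentionally removed, the safety argument should be carried by the remaining text about routine maintenance switching.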
@@ -477,19 +475,19 @@ $\approx\SI{2}{\hertz}$ would complicate frequency measurement at the receiver s We simulated a proof-of-concept modulator and demodulator using data captured from our grid frequency sensor. Our simulations covered a range of parameters in modulation amplitude, DSSS sequence bit depth, chip duration and detection -threshold. Figure~\ref{fig_ser_nbits} shows symbol error rate (SER) as a function of modulation amplitude with Gold -sequences of several bit depths. As can be seen, realistic modulation amplitudes are in the range around -$\SI{1}{\milli\hertz}$. In the continental European synchronous area, this corresponds to a modulation power of -approximately $\SI{25}{\mega\watt}$. Figure~\ref{fig_ser_thf} shows SER against detection threshold relative to -background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length. As expected -from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and worsens for -longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region from -$\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$. +threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for symbol error rate (SER) as a function of +modulation amplitude with Gold sequences of several bit depths. From these graphs we conclude that the range of +practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$, which corresponds to a modulation power +of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}. Figure~\ref{fig_ser_thf} shows SER against detection threshold +relative to background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length. 
+As expected from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and +worsens for longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region +from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$. %FIXME introduce term "chip" somewhere \begin{figure} \centering - \includegraphics[width=0.6\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview} + \includegraphics[width=0.4\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview} \caption{Symbol Error Rate as a function of modulation amplitude for Gold sequences of several lengths.} \label{fig_ser_nbits} \end{figure} @@ -510,8 +508,9 @@ $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$. \label{fig_ser_chip} \end{figure} -\subsection{Parametrizing a proof-of-concept "Safety Reset" System Based on GFM} +\subsection{Parametrizing a proof-of-concept ``Safety Reset'' System Based on GFM} +%FIXME introduce scenario Taking these modulation parameters as a starting point, we proceeded to create a proof-of-concept smart meter emergency reset system. On top of the modulation described in the previous paragraphs we layered simple Reed-Solomon error correction~\cite{mackay01} and some cryptography. The goal of our PoC cryptographic implementation was to allow the 
@@ -624,20 +623,30 @@ expect safety reset controllers to be commercially viable given adequate politic \section{Conclusion} \label{sec_conclusion} -In this paper we have developed an end-to-end design of a reset system to restore smart meters to a safe operating state -during an ongoing large-scale cyberattack. To allow our system to be triggered even in the middle of a cyberattack we -have developed a broadcast data transmission system based on intentional modulation of global grid frequency. We have -shown the viability of our end-to-end design through simulations. To put these simulations on a solid foundation we have -developed a grid frequency measurement methodology comprising of a custom-designed hardware device for electrically safe -data capture and a set of software tools to archive and process captured data. Our simulations show good behavior of our -broadcast communication system and give an indication that cooperating with a large consumer such as an aluminium smelter -would be a feasible way to set up a transmitter with low hardware overhead. We have outlined a simple cryptographic -protocol ready for embedded implementation in resource-constrained systems that allows triggering a safety reset with a -response time of less than 30 minutes. We have experimentally validated our system using simulated grid frequency data -in a demonstrator setup based on a commercial microcontroller as our safety reset controller and an off-the-shelf smart -meter. The next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in -collaboration with an utility and an operator of a multi-megawatt load. Source code and electronics CAD designs are -available at the public repository listed at the end of this document. +During an emergency in the electrical grid, the ability to communicate to large numbers of end-point devices is a +valuable tool for restoring normal operation. 
When a resilient communcation channel is available, loads such as smart +meters and IoT devices can be equipped with a supervisor circuit that allows for a remote ``safety reset'' that puts the +device into a safe operating state. Using this safety reset, an attacker that uses compromised smart meters or IoT +devices to attack grid stability can be interrupted before the conculusion of their attack. During recover from an +outage, a safety reset can be used to reduce stress on the system during a black start by turning of non-essential loads +such as air conditioners. + +In this paper we have developed an end-to-end design of a safety reset system that provides these capabilities. Our +novel broadcast data transmission system is based on intentional modulation of global grid frequency. Our system is +independent of normal communication networks and can operate during a cyberattack. We have shown the practical viability +of our end-to-end design through simulations. Using our purpose-designed grid frequency recorder, we can capture and +process real-time grid frequency data in an electrically safe way. We used data captured this way as the basis for +simulations of our proposed grid frequency modulation communication channel. In these simulations, our system has proven +feasible. From our simulations we conclude that a large consumer such as an aluminium smelter at a small cost can be +modified to act as an on-demand grid frequency modulation transmitter. + +We have demonstrated our modulation system in a small-scale practical demonstration. For this demonstration, we have +developed a simple cryptographic protocol ready for embedded implementation in resource-constrained systems that allows +triggering a safety reset with a response time of less than 30 minutes. In this demonstration we use simulated grid +frequency data to trigger a commercial microcontroller to perform a firmware reset of an off-the-shelf smart meter. 
The +next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in collaboration with +an utility and an operator of a multi-megawatt load. Source code and electronics CAD designs are available at the +public repository listed at the end of this document. \printbibliography[heading=bibintoc] |