From 9cc84c766c3b3887f8bbc42eae045432d01eaeed Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 15 May 2020 16:16:25 +0200 Subject: ma: update text w/ more blurb --- ma/safety_reset.bib | 43 +++++ ma/safety_reset.tex | 481 +++++++++++++++++++++++++++++++++++----------------- 2 files changed, 371 insertions(+), 153 deletions(-) (limited to 'ma') diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index 5bd9ec9..d8d37bb 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -1121,4 +1121,47 @@ url = {http://pages.silabs.com/rs/634-SLU-379/images/introduction-to-wireless-mbus.pdf}, } +@Article{belega01, + author = {Daniel Belega and Dario Petri}, + date = {2013}, + journaltitle = {IEEE Transactions on Instrumentation and Measurement}, + title = {Accuracy Analysis of the Multicycle Synchrophasor Estimator Provided by the Interpolated DFT Algorithm}, + doi = {10.1109/tim.2012.2236777}, + issn = {0018-9456}, + issue = {5}, + pages = {942-953}, + volume = {62}, + year = {2013}, +} + +@Article{borkowski01, + author = {Jozef Borkowski and Dariusz Kania and Janusz Mroczka}, + date = {2014}, + journaltitle = {IEEE Transactions on Industrial Electronics}, + title = {Interpolated-DFT-Based Fast and Accurate Frequency Estimation for the Control of Power}, + doi = {10.1109/tie.2014.2316225}, + issn = {0278-0046}, + issue = {12}, + pages = {7026-7034}, + volume = {61}, + year = {2014}, +} + +@TechReport{semerow01, + author = {Anatoli Semerow and Sebastian Hohn and Matthias Luther and Walter Sattinger and Hans Abildgaard and Agustin Diaz Garcia and Giorgio Giannuzzi}, + date = {2015}, + institution = {{University of Erlangen-Nuremberg} and ENTSO-E}, + title = {Dynamic Study Model for the interconnected power system of Continental Europe in different simulation tools}, + doi = {10.1109/ptc.2015.7232578}, + year = {2015}, +} + +@WWW{entsoe05, + author = {ENTSO-E}, + date = {2019}, + title = {ENTSO-E Initial Dynamic Model of Continental Europe}, + url = {https://www.entsoe.eu/publications/system-operations-reports/#entso-e-initial-dynamic-model-of-continental-europe}, + urldate = {2020-05-14}, +} + @Comment{jabref-meta: databaseType:biblatex;} diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 303b519..7f4bed0 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -36,6 +36,7 @@ \usetikzlibrary{shapes} \usepackage[binary-units]{siunitx} +\DeclareSIUnit{\baud}{Bd} \usepackage{hyperref} \usepackage{tabularx} \usepackage{commath} @@ -93,16 +94,49 @@ \newpage \chapter{Introduction} -% FIXME + +Like in all fields of engineering there is an ongoing diffusion of information systems into industrial control systems +in the power grid. Automation of these control systems has been practised for the better part of a century already. +Until recently this automation was mostly limited to core components of the grid. Generators in power stations are +computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow +for fast failure recovery. Humans are still vital to these systems, but their tasks have shifted from pure operation to +engineering, maintenance and surveillance. + +A large-scale trend in power systems is the move from a model of centralized generation built around massive large-scale +fossil and nuclear power plants towards a more heterogenous model. In this new model large-scale fossil power plants +still serve a major role but two new factors come into play. One is the advance of renewable energies. The large-scale +use of wind and solar power in particular from a current standpoint seems unavoidable for our continued existence on +this planet. For the electrical grid however, these systems constitute a significant challenge. Fossil-fueled power +plants can be precisely controlled to match the expected energy consumption at any point in time. This tracking of +production and consumption is vital to the stability of the grid. Renewable energies such as wind and solar power do not +provide the same degree of controllability, and they introduce a large degree of uncertainty due to the +unpredictable way of the forces of nature. + +Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation. +In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid +from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and +shift from a purely passive role to being active participants of the electricity market. + +To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has +had to adapt itself in major ways. One aspect of this adaption that is particularly visible to ordinary people is the +computerization of end-user energy metering. Despite the widespread use of industrial control systems inside the +electrical grid and the far-reaching diffusion of computers into people's everyday lifes the energy meter has long been +one of the last remnants of an offline, analog time. Until the 2010s many of the world's households were still served +through electromechanical Ferraris-style meters that have their origin in the late 19th century. % FIXME citation. + +Today, under the terms \emph{Smart Grid} and \emph{Smart metering} the shift towards fully computerized, often networked +meters has been largely accomplished. +% FIXME continue here. + +\cite{crastan03} \section{Structure and operation of the electrical grid} + Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic aspects of modern power grids. \subsection{Structure of the electrical grid} -% FIXME -\subsubsection{Hierarchical structure} The electical grid is composed of a large number of systems such as distribution systems, power stations and substations interconnected by long transmission lines. Mostly due to ohmic losses\footnote{ Power dissipation of a resistor of resistance $R [\Omega]$ given current $I [A]$ is $P_\text{loss} [W] = @@ -120,9 +154,37 @@ and the cost increase for the increased volatage rating of components such as tr considerations have led to a hierarchical structure where large amounts of energy are transmitted over very long distances (up to thousands of kilometers) at very high voltages (upwards of \SI{200}{\kilo\volt}) and voltages get lower the closer one gets to end-customer premises. In Germany at the local level a substation will distribute -\SIrange{10}{25}{\kilo\volt} % FIXME citation on this -to large industrial consumers and streets with small transformer substations converting this to the \SI{400}{\volt} -three-phase AC households are usually hooked up with. +\SIrange{10}{30}{\kilo\volt} to large industrial consumers and streets with small transformer substations converting +this to the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}. + +\subsubsection{Transmission lines, bus bars and tie lines} + +The number one component of the electrical grid are transmission lines. Short transmission lines that tightly couple +parts of a substation are called \emph{bus bars}. Transmission lines that couple otherwise independent grid segments are +called \emph{tie lines}. A tie line often connects grid segments operated by two different operators e.g.\ across a +country border. + +\emph{Short} transmission lines can be approximated as a simple lumped-component +RLC\footnote{resistor-inductor-capacitor} circuit. In this case the effect of wave propagation along the line does not +have to be taken into consideration. In this lumped model the transmission line is represented by a circuit of one or +two inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long} +transmission lines above \SI{50}{\kilo\meter} (cable) or \SI{250}{\kilo\meter} (overhead lines) this approximation +breaks down and wave propagation along the line's length has to be taken into account. The resulting model is what RF +engineering calls a \emph{transmission line} and models the line's parasitics\footnote{stray capacitance, ohmic +resistance and stray inductance} as being uniformly distributed along the length of the line. To approximate this model +in lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This +complex structure makes modelling more difficult in comparison to short lines\cite{crastan01}. + +Almost all transmission lines used in the transmission and distribution grid use three-phase AC. Long-distance overland +lines are usually implemented as overhead lines due to their low cost and ease of maintenance. Underground cables are +much more expensive due to their isolation and are only used when overhead lines cannot be used for e.g.\ safety or +aesthetic reasons. In some specialized applications such as long, high-power undersea cables high-voltage DC (HVDC) is +used. In HVDC converter stations at both ends of the line convert between three-phase AC and the line's DC voltage. +These converter stations are controlled electronically and do not exhibit any of the electromechanical effects +generators in a power plant do. Since HVDC re-synthesizes three-phase AC from DC at the receiving end of the line it can +be used to couple non-synchronous grids. This also allows for additional degrees of control over the transmission of +power compared to a regular transmission line. These technical benefits are offset by the high initial cost (mostly due +to the converter stations) leading to HVDC being used in specific situations only\cite{crastan03}. \subsubsection{Generators} @@ -132,9 +194,14 @@ frequency and generator rotation speed are bidirectionally electromechanically c the grid it would receive electrical energy from the grid and convert it into mechanical energy, acting as a motor. Small deviations between rotational speed and grid frequency will be absorbed by the electromechanical coupling between both. All generators connected to the grid operate synchronously. Maintaining this synchronization over time is the task -of complex control systems within each power station. +of complex control systems within each power station\cite{simon01,crastan01}. -% FIXME influence of non-rotating sources: photovoltaics +Nowadays besides traditional rotating generators the grid also contains a large amount of electronically controlled +inverters. These inverters are used in photovoltaic installations and other setups where either DC or non-synchronous AC +is to be fed into the grid. Setups like this behave differently to rotating generators. In particular \emph{inertia} in +these setups is either absent or a software parameter potentially reducing their overload capacity compared to rotating +generators. The fundamentally different nature of electronically controlled inverters has to be taken into account in +planning and regulation\cite{crastan03}. \subsubsection{Switchgear} @@ -155,6 +222,7 @@ circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon % disconnect switches, fuses, breakers -> crastan 1 (ch. 8) \subsubsection{Transformers} + Along with transmission lines transformers are one of the main components most people will be thinking of when talking about the electrical grid. Transformers connect grid segments at different voltage levels with one another. In the distribution grid transformers are used to provide standard end-user voltage levels to the customer (e.g. 230/400V in @@ -175,12 +243,14 @@ adjust secondary voltage under load\cite{simon01}. Tap changers are used in the specified voltage tolerances at the customer's connection. \subsubsection{Instrument transformers} + While operating on the exact same physical principles instrument transformers are very different from regular transformers in an energy system. Instrument transformers are specialized low-power transformers that are used as transducers to measure voltage or current at very high voltages. They are part of the control and protection systems of substations\cite{crastan01}. \subsubsection{Chokes} + Chokes are large inductors. In power grid applications their construction is similar to the construction of a transformer with the exception that they only have a single winding on the core. They are used for a variety of purposes. A frequent use is as a series inductor on one of the phases or the neutral connection to limit transient fault @@ -191,6 +261,7 @@ parrallel LC resonant circuit with the transmission line's earth capacitance. Tu petersen coil reduces earth fault current to levels low enough to quickly extinguish the arc\cite{simon01}. \subsubsection{Power factor correction} + Reactive power (also referred to as \emph{VAR} after its is unit Volt-Ampère Reactive) an important variable in the operation of electrical grids (see sec.\ \ref{frequency_estimation}). If reactive power generation and consumption are mismatched, high currents develop that lead to high transmission losses. For this reason grids include circuits to @@ -198,9 +269,6 @@ compensate reactive power imbalances\cite{crastan01}. These circuits can be as s connected to a power line but often can be switched to adapt to changing load conditions. Static Var compensators are particularly fast-acting reactive power compensation devices whose purpose is to maintain bus voltage\cite{rogers01}. -\subsubsection{Transmission lines, bus bars and tie lines} -% cite crastan 1 on transmission lines, bus bars (ch. 8) - \subsubsection{Loads} Lastly, there is the loads that the electrical grid serves. Loads range from mains-powered indicator lights in devices @@ -225,6 +293,7 @@ that can consume a good fraction of a gigawatt all on their own. \section{Smart meter technology} + Smart meters were a concept pushed by utility companies throughout the 00's. Smart metering is one component of the larger societal shift towards digitally interconnected technology. Old analog meters required that service pesonnel physically come to read the meter. \emph{Smart} meters automatically transmit their readings through modern @@ -284,10 +353,12 @@ for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}. % FIXME continue this. \subsection{Common components} -\label{sm-cpu} Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart -metering SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in -external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized -SoCs usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual +\label{sm-cpu} + +Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart metering +SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in external +circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized SoCs +usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure, but it may be more likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\ @@ -379,6 +450,7 @@ transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr \section{Security in smart grids} + The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that are part of a large control system. This implies that all the same security concerns that apply to embedded systems in general also apply to most components of a smart grid in some way. Where programmers have been struggling for decades @@ -412,6 +484,7 @@ rooted up one by one with no damage to consumers and very limmited damage to uti scenarios would be a far cry from the efficiency of an exponentially growing botnet. \subsection{Smart grid components as embedded devices} + A fundamental challenge in smart grid implementations is the central role smart electricity meters play. Smart meters are used both for highly-granular load measurement and (in some countries) load switching\cite{zheng01}. Smart electricity meters are effectively consumer devices. They are built down to a certain price point that is @@ -429,6 +502,7 @@ against attacks and simplify updates. Combined with the small market sizes in sm this produces a high cost pressure on the software development process for smart electricity meters. \subsection{The state of the art in embedded security} + Embedded security generally is much harder than security of higher-level systems. This is due to a combination of the unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities (processing power, memory protection functions, user interface devices). Even very well-funded companies continue to @@ -469,6 +543,7 @@ resources for the latter. % FIXME cite some figures on code size in smart meter firmware? \subsection{Attack avenues in the smart grid} + If we model the smart grid as a control system responding to changes in inputs by regulating outputs, on a very high level we can see two general categories of attacks: Attacks that directly change the state of the outputs, and attacks that try to influence the outputs indirectly by changing the system's view of its inputs. The former would be an attack @@ -479,6 +554,7 @@ oscillation in the amount of power generated by the plant according to the contr % FIXME expand \subsubsection{Communication channel attacks} + Communication channel attacks are attacks on the communication links between smart grid components. This could be attacks on IP-connected parts of the core network or attacks on shared busses between smart meters and IP gateways in substations. Generally, these attacks can be mitigated by securing the aforementioned communication links using modern @@ -497,6 +573,7 @@ attack to have more far-reaching consequences the attacker would need to comprom infrastructure\cite{kim01,kosut01}. \subsubsection{Exploiting centralized control systems} + The type of smart grid attack most often cited in popular discourse, and to the author's knowledge % FIXME verify, cite the only type that has so far been conducted in practice, is a direct attack on centralized control systems. In this attack, computer components of control systems are compromised by the same techniques used to compromise any other kind @@ -516,6 +593,7 @@ In addition, given political will these systems can readily be secured since the of them and driving a technician to every one of them in turn to install some security update is perfectly feasible. \subsubsection{Control function exploits} + Control function exploits are attacks on the mathematical control loops used by the centralized control system. One example of such an attack would be resonance attacks as described in \textcite{wu01}. In this kind of attack, inputs from peripheral sensors indicating grid load to the centralized control system are @@ -533,6 +611,7 @@ behavior such as oscillations. % FIXME cite mitigation approaches \subsubsection{Endpoint exploits} + One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart electricity meters\footnote{ Though potentially this could also aim at other kinds of devices distributed on a large scale such as sensors in @@ -564,9 +643,16 @@ that was mentioned above, this scenario poses a serious danger to grid stability % FIXME add small-scale load shedding for heaters etc. \subsection{Attacker models in the smart grid} +% FIXME + \subsection{Practical attacks} +% FIXME + \subsection{Practical threats} +% FIXME + \subsection{Conclusion, or why we are doomed} + We can conclude that a compromise of a large number of smart electricity meters cannot be ruled out. The complexity of network-connected smart meter firmware makes it exceedingly unlikely that it is in fact flawless. Large-scale deployments of these devices under some circumstances such as where they are used with load disconnect relays make them @@ -629,6 +715,7 @@ preferences about this due to fear of copyright infringement. \section{The theory of endpoint safety} \label{sec_criteria} + In order to gain anything by adding our reset controller to the smart meter's already complex design we must satisfy two interrelated conditions. \begin{enumerate} @@ -683,6 +770,7 @@ Based on the above classification of attack angles and our observations on state \end{enumerate} \subsection{Overall structural system security} + Considering overall security, we first introduce the \emph{reset authority}, a trusted party acting as the single authority for issuing reset commands in our system. In practice this trusted party may be part of the utility company, part of an external regulatory body or a hybrid setup requiring both to cooperate. We assume this party will be designed @@ -694,8 +782,8 @@ Using an asymmetric cryptographic design centered around the \emph{reset authori denial-of-service attacks on our system by any of the four attacker types. All reset commands in our system originate from the \emph{reset authority} and are cryptographically secured to provide authentication and tamper detection. Under this model, attacks on the electrical grid components between the \emph{reset authority} and the customer device -degrade into man-in-the-middle attacks. To ensure the \textsc{safety} criterion from \ref{sec_criteria} holds we must -% TODO check whether this \ref displays as intended +degrade into man-in-the-middle attacks. To ensure the \textsc{safety} criterion from Section \ref{sec_criteria} holds we +must % TODO check whether this \ref displays as intended make sure our cryptography is secure against man-in-the-middle attacks and we must try to harden the system against denial-of-service attacks by the attacker types listed above. Given our attacker model we cannot fully guard against this sort of attack but we can at least choose a commmunication channel that is resilient against denial of service @@ -708,16 +796,18 @@ out-of-scope. % FIXME include considerations on production testing somewhere (is the device working? is the right key programmed?) \subsection{Complex microcontroller firmware} + The \textsc{security} property from \ref{sec_criteria} is in a large part reliant on the security of our reset controller firmware. The best method to increase firmware security is to reduce attack surface by limiting external interfaces as much as possible and by reducing code complexity as much as possible. % FIXME formalize this as something like "Design Goal DG-023-42-1" ? If we avoid the complexity of most modern microcontroller firmware we gain another benefit beyond implicitly reduced attack surface: If the resulting design is small enough we may attempt formal verification of our security property. -Though formal verification tools are not yet suitable for highly complex tasks they are already barely adequate for -small amounds of code and simple interfaces. +Though formal verification tools are not yet suitable for highly complex tasks they are already adequate for small +amounts of code and simple interfaces. \subsection{Modern microcontroller hardware} + Microcontrollers have gained enormously in both performance/efficiency as well as in peripheral support. Alas, these gains have largely been driven by insatiable customer demand for faster, more powerful chips and for a long time security has not been considered important outside of some specific niches such as smartcards. Traditionally a @@ -857,7 +947,7 @@ this is unlikely to be a disadvantage since ususally there is only one distribut Additionally shared resources such as a cellular radio gateway would most likely only be shared within a single building and within a single building usually all meters are operated by the same provider. -Systems in Europe commonly support Wireless M-Bus, an european standardized protocol\cite{mohan01} that operates on +Systems in Europe commonly support Wireless M-Bus, an european standardized protocol\cite{silabs01} that operates on several ISM bands\footnote{ Frequency bands that can be used for \emph{Industrial, Scientific and Medical} applications by anyone and that do not require obtaining a license for transmitter operation. Manufacturers can use whatever protocol they like on @@ -1222,6 +1312,7 @@ part of the private key as the signature, and if we were to publish a signature derive additional signatures by ``mixing'' the two published signatures. \subsubsection{Winternitz Signatures} + An improvement to basic Lamport signatures as described above are Winternitz signatures as detailed in \textcite{merkle01} and \textcite{dods01}. Winternitz signatures reduce public key length as well as signature length for hash length $n$ from $2n$ to $\mathcal O \left(n/t\right)$ for some choice of parameter $t$ (usually a small number @@ -1243,6 +1334,7 @@ H\left(\sigma_i\right)$ matching $m_i' = m_i + 1$, this scheme is usually paired \textcite{merkle01}. \subsubsection{Using hash-based signatures for trigger authentication} + The most basic possible trigger authentication scheme would be to simply generate a random bit string secret key $s$ and publish $p = H(s)$ for some hash function $H$. To activate the trigger, $\sigma = s$ would be published and listeners could verify that $H(\sigma) = p = H(s)$. This simplistic scheme has one main disadvantage: It is a fundamentally @@ -1270,9 +1362,6 @@ realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for % some sort of scenario definition introducing those terms somewhere. \chapter{Practical implementation} -\section{Cryptographic validation} - - %FIXME \section{Data collection for channel validation} @@ -1283,6 +1372,7 @@ variable, as opposed to the frequency spectrum of mains voltage $V(t)$ itself). \subsection{Grid Frequency Estimation} \label{frequency_estimation} + In commercial power systems Phasor Measurement Units (PMUs) are used to precisely measure parameters of a mains voltage waveform. One of the parameters PMUs measure is mains frequency. PMUs are used as part of SCADA systems controlling transmission networks to characterize the operational state of the network. @@ -1354,15 +1444,6 @@ domain knowledge about the expected frequency spectrum of the signal can be empl techniques to re-construct the precise frequency of the spectrum's main component despite comparatively coarse STFT resolution and despite numerous distortions. -\begin{figure} - \centering - \includegraphics{../lab-windows/fig_out/mains_voltage_spectrum} - \caption{Fourier transform of a 24 hour capture of mains voltage. Data was captured using our frequency measurement - sensor described in section \ref{sec-fsensor} and FFT'ed after applying a blackman window. Vertical lines indicate - \SI{50}{\hertz} and odd harmonics.} - \label{mains_voltage_spectrum} -\end{figure} - Published grid frequency estimation algorithms such as \textcite{narduzzi01} or \textcite{derviskadic01} are rather sophisticated and use a combination of techniques to reduce numerical errors in FFT calculation and peak fitting. Given that we do not need reference standard-grade accuracy for our application we chose to start with a very basic algorithm @@ -1384,6 +1465,7 @@ worse than algorithms involving more complex models under some conditions but th that more complex perform worse when the input signal deviates from their models. \subsection{Frequency sensor hardware design} + \label{sec-fsensor} Our safety reset controller % FIXME is this the right term? will have to measure mains frequency to later demodulate a reset signal transmitted through it. Since we have decided to @@ -1432,15 +1514,15 @@ the signal processing to a regular computer and concentrating our hardware effor \label{fmeas-sens-diag} \end{figure} -An overall block diagram of our system is shown in fig. \ref{fmeas-sens-diag}. The mircrocontroller we chose is an -\texttt{STM32F030F4P6} ARM Cortex-M0 microcontroller made by ST Microelectronics. The ADC in fig. \ref{fmeas-sens-diag} -in our design is the integrated 12-bit ADC of this microcontroller, which is sufficient for our purposes. The USB -interface is a simple USB to serial converter IC (\texttt{CH340G}) and the galvanic digital isolation is accomplished -with a pair of high-speed optocouplers on its \texttt{RX} and \texttt{TX} lines. The analog signal processing is a -simple voltage divider using high-power resistors to get the required creepage along with some high-frequency filter -capacitors and an op-amp buffer. The power supply is an off-the-shelf mains-input power module. The system is -implemented on a single two-layer PCB that is housed in an off-the-shelf industrial plastic case fitted with a printed -label and a few status lights on its front. +An overall block diagram of our system is shown in Figure \ref{fmeas-sens-diag}. The mircrocontroller we chose is an +\texttt{STM32F030F4P6} ARM Cortex-M0 microcontroller made by ST Microelectronics. The ADC in Figure +\ref{fmeas-sens-diag} in our design is the integrated 12-bit ADC of this microcontroller, which is sufficient for our +purposes. The USB interface is a simple USB to serial converter IC (\texttt{CH340G}) and the galvanic digital isolation +is accomplished with a pair of high-speed optocouplers on its \texttt{RX} and \texttt{TX} lines. The analog signal +processing is a simple voltage divider using high-power resistors to get the required creepage along with some +high-frequency filter capacitors and an op-amp buffer. The power supply is an off-the-shelf mains-input power module. +The system is implemented on a single two-layer PCB that is housed in an off-the-shelf industrial plastic case fitted +with a printed label and a few status lights on its front. \subsection{Clock accuracy considerations} @@ -1532,67 +1614,20 @@ with IO contention on the raspberry PI/linux side causing only 16 skipped sample \subsection{Frequency sensor measurement results} -\begin{figure} - \centering - \includegraphics{../lab-windows/fig_out/freq_meas_trace_24h} - \caption{Trace of grid frequency over a 24 hour window. One clearly visible feature are large positive and negative - transients at full hours. Times shown are UTC. Note that the european continental synchronous area that this - sensor is placed in covers several time zones which may result in images of daily load peaks appearing in 1 hour - intervals. Fig.\ \ref{freq_meas_trace_mag} contains two magnified intervals from this plot.} - \label{freq_meas_trace} -\end{figure} -\begin{figure} - \begin{subfigure}{\textwidth} - \centering - \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_1} - \caption{A 2 hour window around 00:00 UTC.} - \end{subfigure} - \begin{subfigure}{\textwidth} - \centering - \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_2} - \caption{A 2 hour window around 18:30 UTC.} - \end{subfigure} - \caption{Two magnified 2 hour windows of the trace from fig.\ \ref{freq_meas_trace}.} - \label{freq_meas_trace_mag} -\end{figure} - -\begin{figure} - \centering - \includegraphics{../lab-windows/fig_out/mains_voltage_spectrum} - \caption{Power spectral density of the mains voltage trace in fig. \ref{freq_meas_trace}. We can see the expected - peak at \SI{50}{\hertz} along with smaller peaks at odd harmonics. We can also see a number of spurious tones both - between harmonics and at low frequencies, as well as some bands containing high noise energy around - \SI{0.1}{\hertz}. This graph demonstrates a high signal-to-noise ratio that is not very demanding on our frequency - estimation algorithm. - } - \label{mains_voltage_spectrum} -\end{figure} - -\begin{figure} - \centering - \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_spectrum} - \caption{Power spectral density of the 24 hour grid frequency trace in fig. \ref{freq_meas_trace} with some notable - peaks annotated with the corresponding period in seconds. The $\frac{1}{f}$ line indicates a pink noise spectrum. - Around a period of \SI{20}{\second} the PSD starts to fall off at about $\frac{1}{f^3}$ until we can make out some - bumps at periods around $2$ and \SI{3}{\second}. Starting at at around \SI{1}{Hz} we can see a white noise floor in - the order of \si{\micro\hertz^2\per\hertz}. - % TODO: where does this noise floor come from? Is it a fundamental property of the grid? Is it due to limitations of - % our measurement setup (such as ocxo stability/phase noise) ??? - } - \label{freq_meas_spectrum} -\end{figure} - -Captured raw waveform data is processed in the Jupyter Lab environment\cite{kluyver01} and grid frequency estimates are -extracted as described in sec. \ref{frequency_estimation} using the \textcite{gasior01} technique. Appendix -\ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency measurement. In fig.\ +Captured raw waveform data has been processed in the Jupyter Lab environment\cite{kluyver01} and grid frequency +estimates are extracted as described in sec. \ref{frequency_estimation} using the \textcite{gasior01} technique. +Appendix \ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency measurement. In Figure \ref{freq_meas_feedback} we fed back to the frequency estimator its own output giving us an indication of its numerical performance. The result was \SI{1.3}{\milli\hertz} of RMS noise over a \SI{3600}{\second} simulation time. This indicates performance is good enough for our purposes. In addition to this we validated our algorithm's performance by applying it to the test waveforms from \textcite{wright01}. In this test we got errors of \SI{4.4}{\milli\hertz} for the \emph{noise} test waveform, \SI{0.027}{\milli\hertz} for the \emph{interharmonics} test waveform and -\SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in fig.\ +\SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in Figure \ref{freq_meas_rocof_reference}. +Figures \ref{freq_meas_trace} and \ref{freq_meas_trace_mag} show our measurement results over a 24-hour and a 2-hour +window respectively. + \begin{figure} \centering \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_feedback} @@ -1617,6 +1652,44 @@ applying it to the test waveforms from \textcite{wright01}. In this test we got \label{freq_meas_rocof_reference} \end{figure} +\begin{figure} + \centering + \includegraphics{../lab-windows/fig_out/freq_meas_trace_24h} + \caption{Trace of grid frequency over a 24 hour window. One clearly visible feature are large positive and negative + transients at full hours. Times shown are UTC. Note that the european continental synchronous area that this + sensor is placed in covers several time zones which may result in images of daily load peaks appearing in 1 hour + intervals. Figure \ref{freq_meas_trace_mag} contains two magnified intervals from this plot.} + \label{freq_meas_trace} +\end{figure} + +\begin{figure} + \begin{subfigure}{\textwidth} + \centering + \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_1} + \caption{A 2 hour window around 00:00 UTC.} + \end{subfigure} + \begin{subfigure}{\textwidth} + \centering + \includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_2} + \caption{A 2 hour window around 18:30 UTC.} + \end{subfigure} + \caption{Two magnified 2 hour windows of the trace from Figure \ref{freq_meas_trace}.} + \label{freq_meas_trace_mag} +\end{figure} + +\begin{figure} + \centering + \includegraphics{../lab-windows/fig_out/mains_voltage_spectrum} + \caption{Power spectral density of the mains voltage trace in Figure \ref{freq_meas_trace}. Data was captured using + our frequency measurement sensor (\ref{sec-fsensor}) and FFT'ed after applying a blackman window. Vertical lines + indicate \SI{50}{\hertz} and odd harmonics. We can see the expected peak at \SI{50}{\hertz} along with smaller + peaks at odd harmonics. We can also see a number of spurious tones both between harmonics and at low frequencies, as + well as some bands containing high noise energy around \SI{0.1}{\hertz}. This graph demonstrates a high + signal-to-noise ratio that is not very demanding on our frequency estimation algorithm. + } + \label{mains_voltage_spectrum} +\end{figure} + \section{Channel simulation and parameter validation} \label{sec-ch-sim} @@ -1636,12 +1709,26 @@ estimate the impact of this problem we re-ran some of our simulations with artif power spectral density matching that of our capture. To do this, we first measured our capture's PSD, then fitted a low-resolution spline to the PSD curve in log-log coordinates. We then generated white noise, multiplied the resampled spline with the DFT of the synthetic noise and performed an iDFT on the result. The resulting time-domain signal is our -synthetic grid frequency data. Fig.\ \ref{freq_meas_spectrum} shows the PSD of our measured grid frequency signal. The -red line indicates the low-resolution log-log spline interpolation used for shaping our artificial noise. Fig.\ +synthetic grid frequency data. Figure \ref{freq_meas_spectrum} shows the PSD of our measured grid frequency signal. The +red line indicates the low-resolution log-log spline interpolation used for shaping our artificial noise. Figure \ref{simulated_noise_spectrum} shows the PSD of our simulated signal overlayed with the same spline as a red line and shows time-domain traces of both simulated (blue) and reference signals (orange) at various time scales. Visually both signals look very similar, suggesting we have found a good synthetic approximation of our measurements. +\begin{figure} + \centering + \includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_spectrum} + \caption{Power spectral density of the 24 hour grid frequency trace in Figure \ref{freq_meas_trace} with some notable + peaks annotated with the corresponding period in seconds. The $\frac{1}{f}$ line indicates a pink noise spectrum. + Around a period of \SI{20}{\second} the PSD starts to fall off at about $\frac{1}{f^3}$ until we can make out some + bumps at periods around $2$ and \SI{3}{\second}. Starting at at around \SI{1}{Hz} we can see a white noise floor in + the order of \si{\micro\hertz^2\per\hertz}. + % TODO: where does this noise floor come from? Is it a fundamental property of the grid? Is it due to limitations of + % our measurement setup (such as ocxo stability/phase noise) ??? + } + \label{freq_meas_spectrum} +\end{figure} + \begin{figure} \centering \includegraphics[width=\textwidth]{../lab-windows/fig_out/simulated_noise_spectrum} @@ -1654,13 +1741,14 @@ signals look very similar, suggesting we have found a good synthetic approximati In our simulations, we manipulated four main variables of our modulation scheme and demodulation algorithm and observed their impact on symbol error rate (SER): + \begin{description} \item[Modulation amplitude.] Higher amplitude should correspond to a lower SER. \item[Modulation bit count.] Higher bit count $n$ means longer transmissions but yields higher theoretical decoding gain, and should increase demodulator sensitivity. Ultimately, we want to find a sweet spot of manageable transmission length at good demodulator sensitivity. - \item[Decimation] or DSSS chip duration. The chip time determines where in the grid frequency spectrum (fig.\ - \ref{freq_meas_spectrum} our modulated signal is located. Given our noise spectrum (fig.\ + \item[Decimation.] or DSSS chip duration. The chip time determines where in the grid frequency spectrum (Figure + \ref{freq_meas_spectrum} our modulated signal is located. Given our noise spectrum (Figure \ref{freq_meas_spectrum}) lower chip durations (shifting our signal upwards in the spectrum) should yield lower in-band background noise which should correspond to lower symbol error rates. \item[Demodulation correlator peak threshold factor.] The first step of our prototype demodulation algorithm is to @@ -1671,16 +1759,32 @@ their impact on symbol error rate (SER): following maximum likelihood estimation (MLE) decoding. % FIXME do we actually do MLS? \end{description} -As indicated by our results, symbol error rate is a good proxy of demodulation performance. With decreasing -signal-to-noise ratio, margins in various parts of the demodulator decrease which statistically leads to an increased -symbol error rate. Our simulations yield smooth, reproducible SER curves with adequately low error bounds. This -indicates SER is related fairly monotonically to the signal-to-noise margins inside our demodulator prototype. +Our results indicate that symbol error rate is a good proxy of demodulation performance. With decreasing signal-to-noise +ratio, margins in various parts of the demodulator decrease which statistically leads to an increased symbol error rate. +Our simulations yield smooth, reproducible SER curves with adequately low error bounds. This shows SER is related +monotonically to the signal-to-noise margins inside our demodulator prototype. + +\subsection{Sensitivity as a function of sequency length} + +A basic parameter of our DSSS modulation is the length of the Gold codes used. The length of a Gold code is exponential +in the code's bit count. Figure \ref{dsss_gold_nbits_overview} shows a plot of the symbol error rate of our demodulator +prototype depending on amplitude for each of five, six, seven and eigth-bit Gold sequences. In regions where symbol +error rate is between $0$ and $1$ we can see the expected dependency that a $n+1$ bit Gold sequence at roughly twice +the length yields roughly one half the SER. We can also observe a saturation effect: At low amplitudes, increasing the +correlation length does not seem to yield much of a benefit in SER anymore. In particular there seems to be a level of +about \SI{2.5}{\milli\hertz} signal amplitude where even with asymptotically infinite sequence length our demodulator +would still not be able to produce a good demodulation. This is likely due to numerical errors in our demodulator. Since +Gold codes of more than 7 bit would yield unacceptably long transmission times this does not pose a problem in practice. + +Figure \ref{dsss_gold_nbits_sensitivity} for each bit count shows the minimum signal amplitude where our demodulator +crossed below $\text{SER}=0.5$. If we have sufficient transmitter power to allocate selecting either a 5 bit or a 6 bit +gold code looks to yield good enough performance at manageable data rates. \begin{figure} \centering \includegraphics{../lab-windows/fig_out/dsss_gold_nbits_overview} \caption{ - Symbol Error Rate (SER) as a function of transmission amplitude. The line indicates the mean of several + Symbol Error Rate (SER) as a function of transmission amplitude. The line represents the mean of several measurements for each parameter set. The shaded areas indicate one standard deviation from the mean. Background noise for each trial is a random segment of measured grid frequency. Background noise amplitude is the same for all trials. Shown are four traces for four different DSSS sequence lengths. Using a 5-bit gold code, one DSSS @@ -1706,42 +1810,72 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins \label{dsss_gold_nbits_sensitivity} \end{figure} +\subsection{Sensitivity versus peak detection threshold factor} + +One of the high-level parameters of our demodulation algorithm is the \emph{threshold factor}. This parameter is +an implementation detail specific to our algorithm and not general to all possible DSSS demodulation algorithms. After +correlating the input signal against the template Gold sequences our algorithm runs a single-channel discrete wavelet +transform (DWT) on the correlator output to better discriminate peaks from background noise. The output of this DWT is +then normalized against a running average and then fed into a simple threshold detector. The threshold of this detector +is our threshold factor. This threshold is the ratio that a correlation peak after DWT has to stand out from long-term +average background noise to be considered a peak. + +The threshold factor is an empirically-determined parameter Low threshold factors yield many false positives that in the +extreme ultimately overload our MLE estimator's capacity to discard them. Moderate numbers of false positive do not pose +much of a challenge to our MLE since these spurious peaks have a random time distribution and are easily discarded by +our MLE's symbol chain detection. High threshold factors lead the algorithm to completely ignore some valid peaks. To +some degree this can be compensated by our later interpolation step for missing peaks but in the extreme will also break +demodulation. In our simulations good values lie in the range from $4.0$ to $5.5$. + +% FIXME algo flow chart + +Figure \ref{dsss_thf_amplitude_5678} contains plots of demodulator sensitivity like the one in Figure +\ref{dsss_gold_nbits_overview}. This time there is one color-coded trace for each threshold factor between $1.5$ and +$10.0$ in steps of $0.5$. We can see a clear dependency of demodulation performance from trheshold factor with both very +low and very high values breaking the demodulator. The ``runaway'' traces that we can see at low threshold factors are +artifacts of an implementation issue with our prototype code. We later fixed this issue in the demonstrator firmware +implementation in Section \ref{sec-demo-fw-impl}. For comparison purposes this issue do not matter. + \begin{figure} \centering \includegraphics{../lab-windows/fig_out/dsss_thf_amplitude_5678} \caption{ - SER vs.\ amplitude graph similar to fig.\ \ref{dsss_gold_nbits_overview} with dependence on threshold factor - color-coded. Each graph shows traces for a single DSSS symbol length. + SER vs.\ amplitude graph similar to Figure \ref{dsss_gold_nbits_overview} with one color-coded traces for + threshold factors between $1.5$ and $10.0$. Each graph shows traces for a single DSSS symbol length. } \label{dsss_thf_amplitude_5678} \end{figure} + +If we again look at the intercept points where the amplitude traces cross $\text{SER}=0.5$ in these graphs we get the +plots in Figure \ref{dsss_thf_sensitivity_all_bits}. From this we can conclude that the range between $4.0$ and $5.0$ will +yield adequate threshold factors for our use case. + \begin{figure} - \ContinuedFloat - \begin{subfigure}{\textwidth} - \centering - \includegraphics{../lab-windows/fig_out/dsss_thf_sensitivity_5678} - \label{dsss_thf_sensitivity_5678} - \caption{ - \footnotesize Graphs of amplitude at $SER=0.5$ for each symbol length as well as asymptotic SER for large - amplitudes. Areas shaded red indicate that $SER=0.5$ was not reached for any amplitude in the simulated - range. We can observe that smaller symbol lengths favor lower threshold factors, and that optimal threshold - factors for all symbol lengths are between $4.0$ and $5.0$. - } - \end{subfigure} + \centering + \includegraphics{../lab-windows/fig_out/dsss_thf_sensitivity_5678} \caption{ - Dependence of demodulator sensitivity on the threshold factor used for correlation peak detection in our - DSSS demodulator. This is an empirically-determined parameter specific to our demodulation algorithm. At low - threshold factors our classifier yields lots of spurious peaks that have to be thrown out by our maximum - likelihood estimator. These spurious peaks have a random time distribution and thus do not pose much of a - challenge to our MLE but at very low threshold factors the number of spurious peaks slows down decoding and - does still clog our MLE's internal size-limited candidate lists which leads to failed decodings. At very - high threshold factors decoding performance suffers greatly since many valid correlation peaks get - incorrectly ignored. The glitches at medium threshold factors in the 7- and 8-bit graphs are artifacts of - our prototype decoding algorithm that we have not fixed in the prototype implementation since we wanted to - focus on the final C version.} - \label{dsss_thf_sensitivity} + Graphs of amplitude at $SER=0.5$ for each symbol length as well as asymptotic SER for large amplitudes. Areas + shaded red indicate that $SER=0.5$ was not reached for any amplitude in the simulated range. The bumps in the 7 + bit and 8 bit graphs are due to the convergence problem we identified above and do not exist in our demonstrator + implementation. We see that smaller symbol lengths favor lower threshold factors, and that optimal threshold + factors for all symbol lengths are between $4.0$ and $5.0$. + } + \label{dsss_thf_sensitivity_all_bits} \end{figure} +\subsection{Chip duration and bandwidth} + +A parameter of any DSSS system is the frequency band used for transmission. Instead of specifying absolute frequencies +in our simulations we expressed DSSS bandwidth through chip duration and Gold sequence length. In our prototype, chip +duration is specified in grid frequency sampling periods to ease implementation without loss of generalization. + +Figure \ref{chip_duration_sensitivity} shows the dependence of symbol error rate at a fixed good threshold factor from +chip duration. The color bars indicate both chip duration translated to seconds real-time and the resulting symbol +duration at the given Gold code length. In the lower graphs we show the trace of ampltude at $\text{SER}=0.5$ over chip +duration like we did in Figure \ref{dsss_thf_sensitivity_all_bits} for threshold facotr. In both graphs we can just about +see an optimum for very short chips with a decrease of sensitivity for long chips. This effect is due to longer chips +moving the signal band into noisier spectral regions (cf.\ Figure \ref{freq_meas_spectrum}). + \begin{figure} \begin{subfigure}{\textwidth} \centering @@ -1765,18 +1899,25 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins \caption{ Dependence of demodulator sensitivity on DSSS chip duration. Due to computational constraints this simulation is limited to 5 bit and 6 bit DSSS sequences. There is a clearly visible sensitivity maximum at fairly short chip - lengths around $0.2 \text{s}$. Short chip durations shift the entire transmission band up in frequency. In fig.\ - \ref{freq_meas_spectrum} we can see that noise energy is mostly concentrated at lower frequencies, so shifting - our signal up in frequency will reduce the amount of noise the decoder sees behind the correlator by shifting - the band of interest into a lower-noise spectral region. For a practical implementation chip duration is limited - by physical factors such as the maximum modulation slew rate ($\frac{\text{d}P}{\text{d}t}$), the maximum - Rate-Of-Change-Of-Frequency (ROCOF, $\frac{\text{d}f}{\text{d}t}$) the grid can tolerate and possible inertial - effects limiting response of frequency to load changes at certain load levels. + lengths around $0.2 \text{s}$. Short chip durations shift the entire transmission band up in frequency. In + Figure \ref{freq_meas_spectrum} we can see that noise energy is mostly concentrated at lower frequencies, so + shifting our signal up in frequency will reduce the amount of noise the decoder sees behind the correlator by + shifting the band of interest into a lower-noise spectral region. For a practical implementation chip duration + is limited by physical factors such as the maximum modulation slew rate ($\frac{\text{d}P}{\text{d}t}$), the + maximum Rate-Of-Change-Of-Frequency (ROCOF, $\frac{\text{d}f}{\text{d}t}$) the grid can tolerate and possible + inertial effects limiting response of frequency to load changes at certain load levels. % FIXME are these inertial effects likely? Ask an expert. } \label{chip_duration_sensitivity} \end{figure} +In the previous graphs we have used random clips of measured grid frequency noise as noise in our simulations. Comparing +between a simulation using measured noise and synthetic noise generated as we outlined in the beginning of Section +\label{sec-ch-sim} we get the plots in Figure \ref{chip_duration_sensitivity_cmp}. We can see that while not perfect our +simulated noise is an adequate approximation of reality: Our prototype demodulator shows no significant difference in +behavior between measured and simulated noise. Simulated noise causes slightly worse performance for long chips. Overall +the results for both are very close in absolute value. + \begin{figure} \begin{subfigure}{\textwidth} \centering @@ -1798,10 +1939,10 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins } \end{subfigure} \caption{ - Chip duration/sensitivity simulation results like in fig.\ \ref{chip_duration_sensitivity} compared between a + Chip duration/sensitivity simulation results like in Figure \ref{chip_duration_sensitivity} compared between a simulation using measured frequency data like previous graphs and one using artificially generated noise. There - is almost no visible difference indicating that we have found a good model of reality in our noise synthesizer, - but also that real grid frequency behaves like a frequency-shaped gaussian noise process. + is little visible difference indicating that we have found a good model of reality in our noise synthesizer, but + also that real grid frequency behaves like a frequency-shaped gaussian noise process. } \label{chip_duration_sensitivity_cmp} \end{figure} @@ -1816,7 +1957,8 @@ implementation cost low the reset controller is fed a simulation of a modulated By generously cutting two PCB traces the meter we chose to use can be easily modified to provide strong galvanic separation between grid and main application microcontroller. With this modification we have to supply power to its main application MCU externally along with the JTAG interface. -}. +}. Measurement of actual grid frequency instead would simply require a voltage divider and depending on the setup an +analog optoisolator. \subsection{Selecting a smart meter for demonstration purposes} \label{sec-easymeter} @@ -1839,8 +1981,8 @@ marketplaces. The meter consists of a plastic enclosure with a transparent polycarbonate top part and a grey ABS bottom part that are ultrasonically welded shut. In the bottom part of the case a PCB we call the \emph{measurement} board is potted in -epoxide resin (see fig.\ \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the -three phases (see fig.\ \ref{easymeter_detail_xrays}). It also contains a capacitive dropper power supply for the meter +epoxide resin (see Figure \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the +three phases (see Figure \ref{easymeter_detail_xrays}). It also contains a capacitive dropper power supply for the meter circuitry and external modules such as a SMGW. The measurement board through three infrared links (one per phase) communicates with a smaller unpotted PCB we call the \emph{display} board in the top of the case. This PCB handles measurement logging and aggregation, controls a small segment LCD displaying totals and handles the externally @@ -1929,14 +2071,14 @@ advertised to support both over-the-air firmware upgrades and a remotely accessi \end{figure} \subsection{Firmware implementation} +\label{sec-demo-fw-impl} + We based our safety reset demonstrator firmware on the grid frequency sensor firmware we developed in sec.\ \ref{sec-fsensor}. We implemented DSSS demodulation by translating the python prototype code we developed in sec.\ \ref{sec-ch-sim} to embedded C code. After validating the C translation in extensive simulations we integrated our code with a reed-solomon implementation and a libsodium-based implementation of the cryptographic protocol we designed in -sec.\ \ref{sec-crypto}. % FIXME WIP - -To reprogram the target MSP430 microcontroller we ported over the low-level bitbang JTAG driver of -mspdebug\footnote{\url{https://github.com/dlbeer/mspdebug}}. +sec.\ \ref{sec-crypto}. To reprogram the target MSP430 microcontroller we ported over the low-level bitbang JTAG driver +of mspdebug\footnote{\url{https://github.com/dlbeer/mspdebug}}. For all computation-heavy high-level modules of our firmware such as the DSSS demodulator or the grid frequency estimator we wrote test fixtures that allow the same code that runs on the microcontroller to be executed on the host @@ -1944,6 +2086,7 @@ for testing. These test fixtures are very simple C programs that load input data the algorithm and print results on standard output. \section{Grid frequency modulation emulation} + To emulate a modulated grid frequency signal we superimposed a DSSS-modulated signal at the proper amplitude with synthetic grid frequency noise generated according to the measurements we took in sec. \ref{sec-fsensor}. In this primitive simulation we do not simulate the precise impulse response of the grid to a DSSS-modulated stimulus signal. @@ -1979,7 +2122,7 @@ In the firmware development phase our approach of testing every module individua decoder, grid frequency estimation) proved to be very useful. In particular debugging benefited greatly from being able to run a couple thousand tests within seconds. In case of our DSSS demodulator this modular testing and simulation architecture allowed us to simulate many thousand runs of our implementation on test data and directly compare it to our -Jupyter/Python prototype (see fig.\ \ref{fw_proto_comparison}). Since we spent more time polishing our embedded C +Jupyter/Python prototype (see Figure \ref{fw_proto_comparison}). Since we spent more time polishing our embedded C implementation it turned out to perform much better than our initial python prototype. At the same time it shows fundamentally similar response to its parameters. One significant bug we fixed in the embedded C version is the python version's tendency towards incorrect decodings at even very large amplitudes. @@ -2000,7 +2143,7 @@ version's tendency towards incorrect decodings at even very large amplitudes. \caption{ Symbol error rate plots versus threshold factor for both our python prototype (above) and our firmware implementation of our demodulation algorithm. Note the slightly different threshold factor color scales. Cf.\ - fig.\ \ref{dsss_thf_amplitude_5678}. + Figure \ref{dsss_thf_amplitude_5678}. } \label{fw_proto_comparison} \end{figure} @@ -2017,13 +2160,49 @@ this total. Overall the most heavy-weight operations by far are the SHA512 imple from ARM's CMSIS signal processing library. \chapter{Future work} + +\section{Precise grid characterization} + +We based our simulations on a linear relationship between generation/consumption power imbalance and grid frequency. +Our literature study suggests that this is an appropriate first-order approximation. %FIXME citation +We kept modulation bandwidth in our simulations inside a \SIrange{1000}{100}{\milli\hertz} frequency band that we reason +is most likely to exibit this linear behavior in practice. At lower frequencies primary control kicks in. With the +frequency delta thresholds specified for primary control systems\cite{entsoe04} this will likely lead to significant +non-linear effects. At higher frequencies grid frequency estimation at the receiver becomes more complex. Higher +frequencies also come close to modes of mechanical oscillation in generators (usually at \SI{5}{\hertz} and +above\cite{crastan03}). + +Some limited analysis of the above concerns can be done through established dynamic grid simulation +models\cite{semerow01,entsoe05}. Presumably out of safety concerns these models are only available under non-disclosure +agreements. Integrating even just NDA-encumbered results stemming from such a model in an open-source publication such as +this one poses a logistical challenge which is why we decided to leave this topic for a separate future work. +After detailed model simulation we ultimately aim to validate our results experimentally. Assuming linear grid behavior +even under very small disturbances a small-scale experiment is an option. Such a small-scale experiment would require +very long integration times. + +Given a frequency characteristic of \SI{30}{\giga\watt\per\hertz} a stimulus of \SI{10}{\kilo\watt} yields $\Delta f = +\SI{0.33}{\micro\hertz}$. At an estimated \SI{20}{\milli\hertz} of RMS noise over a bandwidth of interest this results +in an SNR slightly better than \SI{-50}{\decibel}. The correlation time necessary to offset this with DSSS processing +gain at a chip rate of \SI{1}{\baud} would be in the order of days. With such long correlation times clock stability +starts to become a problem as during correlation transmitter and receiver must maintain close phase alignment w.r.t.\ +one chip period. A $\leq \SI{10}{\degree}$ phase difference requirement over this period of time would translate into +clock stability better than \SI{10}{ppm}. Though certainly not impossible to achieve this does pose an engineering +challenge. + +A possible way to maintain clock alignment is to use grid frequency itself as a reference. Instead of keying the DSSS +modulator/demodulator on a local crystal oscillator, chip timings would be described in fractions of a mains voltage +cycle. This would track grid frequency variations synchronously at both ends and would maintain phase alignment even +over long periods of time at cost of a slight increase in system complexity. + \section{Technical standardization} + The description of a safety reset system provided in this work could be translated into a formalized technical standard with relatively low effort. Our system is very simple compared to e.g. a full smart meter communication standard and thus can conceivably be described in a single, concise document. The much more complicated side of standardization would be the standardization of the backend operation including key management, coordination and command authorization. \section{Regulatory adoption} + Since the proposed system adds significant cost and development overhead at no immediate benefit to either consumer or utility company it is unlikely that it would be adopted voluntarily. Market forces limit what long-term planning utility companies can do. An advanced mitigation such as this one might be out of their reach on their own and might require @@ -2098,16 +2277,12 @@ correctly configure than it is to simply use separate hardware and secure the in %FIXME \newpage -\appendix -\chapter{Acknowledgements} - %FIXME -\newpage -\chapter{References} \nocite{*} % FIXME \printbibliography \newpage +\appendix \chapter{Transcripts of Jupyter notebooks used in this thesis} %\includenotebook{Grid frequency estimation}{grid_freq_estimation} -- cgit