From 3e3e03892abf97411066e2ac650e14fad3f9f0e9 Mon Sep 17 00:00:00 2001
From: jaseg <git@jaseg.de>
Date: Fri, 16 Sep 2022 18:06:34 +0200
Subject: Rework WIP

---
 paper/Makefile               |  2 +-
 paper/safety-reset-paper.tex | 70 +++++++++++++++++++++++++++++++++-----------
 2 files changed, 54 insertions(+), 18 deletions(-)


diff --git a/paper/Makefile b/paper/Makefile
index 48d14c5..ac1edbb 100644
--- a/paper/Makefile
+++ b/paper/Makefile
@@ -10,7 +10,7 @@ MAKEFLAGS += --no-builtin-rules
 
 main_tex ?= safety-reset-paper
 
-VERSION_STRING := $(shell git describe --tags --long)
+VERSION_STRING := 1.0 # $(shell git describe --tags --long)
 
 all: ${main_tex}.pdf
 
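Review bot: The `#` comment on the `VERSION_STRING :=` line leaves a trailing space in the value, because GNU Make keeps whitespace between the value and an inline comment; anything that embeds `${VERSION_STRING}` into the PDF will pick up `1.0 ` rather than `1.0`. Since the intent seems to be a temporary override of `git describe`, put the comment on its own line above the assignment, e.g. `# VERSION_STRING := $(shell git describe --tags --long)` followed by `VERSION_STRING := 1.0`, or use `VERSION_STRING ?= 1.0` so the release build can still pass the git-derived string from the command line.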
diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex
index 521194b..e79f7b3 100644
--- a/paper/safety-reset-paper.tex
+++ b/paper/safety-reset-paper.tex
@@ -187,6 +187,20 @@ task to secure the firmware of sufficiently many devices to deny an attacker the
 Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
 and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
 
+\subsection{Attacker model}
+
+According to the above criteria, our attacker model has the following key features:
+
+\begin{itemize}
+    \item The attacker cannot compromise the utility operators' SCADA systems.
+    \item The attacker can compromise and subsequently control a large number of target devices at the customer's
+        premises such as smart meters or large IoT devices such as air conditioners or central heating systems.
+    \item Target devices can be designed to include a separate firmware and factory reset function that the attacker
+        cannot circumvent. In the simplest case, this could be a separate microcontroller that is connected to the
+        device's application processor's programming port.
+    \item The attacker aims for maximum disruption as opposed to e.g. data extraction.
+\end{itemize}
+
 \subsection{Contents}
 
 Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
@@ -441,17 +455,20 @@ receiver hardware complexity.
 To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
 at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
 
+\subsection{Comparison to other communication channels}
+
 Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication
-channel has a resiliency advantage: If there is power, a grid frequency modulation system is operational. Both FTTH and
-5G systems not only require power at their base stations, but also require centralized infrastructure to operate. Mesh
-networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be
-available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally,
-systems such as FTTH, 5G and LoraWAN are built around a point-to-point communication model and usually do not support a
-generic broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to
-congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a
-communication channel because only a single transmitter facility must be operational for it to function, and this single
-transmitter can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as
-electrical power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
+channel has a resiliency advantage. It can start transmission as soon as a power island with a connected transmitter is
+powered up, while communciation networks such as FTTH or 5G are still rebooting, or might be waiting for parts of their
+centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as
+LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
+longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G
+and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast
+primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of
+cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication
+channel because only a single transmitter facility must be operational for it to function, and this single transmitter
+can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as electrical
+power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
 cyberattacks that target telecommunication networks.
 
 \subsection{Characterizing Grid Frequency}
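Review bot: Typo in the second added line of this paragraph: "communciation networks" should read "communication networks". Separately, the unchanged sentence "only a single transmitter facility must be operational for it to function" now sits uneasily next to the new power-island argument: the later hunk in this commit states that a single transmitter can only reach receivers on its own island during a black start. Suggest qualifying this to "only a single transmitter facility per power island" so the two sections agree.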
@@ -503,13 +520,12 @@ oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (no
 
 \section{Grid Frequency Modulation}
 
-A transmitter for grid frequency modulation would be a controllable load of several Megawatt that
-is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling
-liquid (such as a small lake) which is powered from a 
-thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased
-by repurposing a large industrial load as a transmitter. Going through a
-list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate.
-In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
+A transmitter for grid frequency modulation would be a controllable load of several Megawatt that is located centrally
+within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling liquid (such as a
+small lake) which is powered from a thyristor rectifier bank. Compared to this baseline solution, hardware and
+maintenance investment can be decreased by repurposing a large industrial load as a transmitter. Going through a list of
+energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In
+aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
 transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}.
 Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and
 electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the
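Review bot: This hunk is a pure line reflow with no textual change, which makes the substantive edits elsewhere in the file harder to review; consider committing reflow-only changes separately. While touching these lines, the unit names could be brought in line with the \si macros used elsewhere in the paper ("megawatts" and "kiloampere" rather than "Megawatt" and "Kiloampère").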
@@ -538,6 +554,26 @@ consumption is possible at no significant production impact and at low infrastru
 already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on
 parts of the plant, as this is commonplace during routine maintenance activities.
 
+\subsection{The operational model of a GFM-based safety reset}
+
+While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire
+continental European synchronous area, we have to consider operation during a black start, when the grid temporarily
+divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the
+same power island.
+
+Instead, the system can use a number of transmitters that are distributed throughout the network. Piggy-backing
+transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By running
+transmitters from gps-synchronized ovenized crystal oscillators or rubidium frequency standards, transmissions can be
+precisely synchronized across power islands even after a holdover period of several days. This allows a transmission to
+continue un-interrupted while the utility re-joins power island into the larger grid, since the transmissions on both
+islands are precisely synchronized.
+
+As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this
+connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the
+utility's dedicated SCADA network. In an emergency, the command center can then trigger a transmission. Synchronized
+through their gps-backed frequency standards, two transmitters will then constructively interfere as soon as they are
+connected to the same power island.
+
 \subsection{Parametrizing Modulation for GFM}
 
 Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we
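Review bot: The last paragraph says two transmitters "will then constructively interfere" once on the same island, but synchronized frequency standards only give them a common timebase; they still need a common start time and a common modulation schedule for the transmissions to align, which the text does not state. Suggest adding that the command center issues a timestamped transmission command (and what happens when a transmitter receives it late, e.g. it joins the already-running schedule at the correct phase). Since the design now depends on GPS-disciplined oscillators with a multi-day holdover, the attacker model should also say whether interference with the GPS timing signal is in or out of scope, as this is the one dependency outside the utility's own network. Minor spelling: "gps-synchronized" and "gps-backed" should be "GPS-synchronized" and "GPS-backed", "un-interrupted" should be "uninterrupted", "re-joins power island" should be "re-joins power islands", and "Aluminium smelter" should be lowercased to match "aluminium" in the previous section.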