From 3e3e03892abf97411066e2ac650e14fad3f9f0e9 Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 16 Sep 2022 18:06:34 +0200 Subject: Rework WIP --- paper/Makefile | 2 +- paper/safety-reset-paper.tex | 70 +++++++++++++++++++++++++++++++++----------- 2 files changed, 54 insertions(+), 18 deletions(-) (limited to 'paper') diff --git a/paper/Makefile b/paper/Makefile index 48d14c5..ac1edbb 100644 --- a/paper/Makefile +++ b/paper/Makefile @@ -10,7 +10,7 @@ MAKEFLAGS += --no-builtin-rules main_tex ?= safety-reset-paper -VERSION_STRING := $(shell git describe --tags --long) +VERSION_STRING := 1.0 # $(shell git describe --tags --long) all: ${main_tex}.pdf diff --git a/paper/safety-reset-paper.tex b/paper/safety-reset-paper.tex index 521194b..e79f7b3 100644 --- a/paper/safety-reset-paper.tex +++ b/paper/safety-reset-paper.tex 
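Review bot: hardcoding `VERSION_STRING := 1.0` drops the git-derived build identifier, so a built PDF can no longer be traced back to the commit it came from; if a release label is wanted, keep the `git describe` call as the default and override it only for release builds, e.g. `VERSION_STRING ?= $(shell git describe --tags --long)` and then `make VERSION_STRING=1.0`. Separately, in GNU make the whitespace between `1.0` and the trailing `#` comment is kept as part of the value, so the variable becomes `"1.0 "` with a trailing space that will leak into wherever the string is typeset; put the old command on its own comment line instead of after the value.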
@@ -187,6 +187,20 @@ task to secure the firmware of sufficiently many devices to deny an attacker the Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}. +\subsection{Attacker model} + +According to the above criteria, our attacker model has the following key features: + +\begin{itemize} + \item The attacker cannot compromise the utility operators' SCADA systems. + \item The attacker can compromise and subsequently control a large number of target devices at the customer's + premises such as smart meters or large IoT devices such as air conditioners or central heating systems. + \item Target devices can be designed to include a separate firmware and factory reset function that the attacker + cannot circumvent. In the simplest case, this could be a separate microcontroller that is connected to the + device's application processor's programming port. + \item The attacker aims for maximum disruption as opposed to e.g. data extraction. +\end{itemize} + \subsection{Contents} Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world 
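Review bot: the third item ("Target devices can be designed to include a separate firmware and factory reset function that the attacker cannot circumvent") is an assumption about the defended system rather than a property of the attacker, so it reads oddly in a list introduced as the attacker model; either move it to a separate system-assumptions paragraph or reword it as the attacker limitation it implies ("The attacker cannot compromise the separate reset controller or its connection to the application processor's programming port"). The list also leaves open whether the attacker can observe or disturb the grid-frequency channel itself, which matters because the paper builds that channel on large controllable loads; the model should state this explicitly. Minor: "a large number of target devices" is the same quantity the preceding paragraph calls "sufficiently many devices"; tie the two together or give the order of magnitude the simulations assume.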
@@ -441,17 +455,20 @@ receiver hardware complexity. To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application. +\subsection{Comparison to other communication channels} + Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication -channel has a resiliency advantage: If there is power, a grid frequency modulation system is operational. Both FTTH and -5G systems not only require power at their base stations, but also require centralized infrastructure to operate. Mesh -networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be -available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally, -systems such as FTTH, 5G and LoraWAN are built around a point-to-point communication model and usually do not support a -generic broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to -congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a -communication channel because only a single transmitter facility must be operational for it to function, and this single -transmitter can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as -electrical power is restored, even while the public internet and mobile networks are still offline. It is unaffected by +channel has a resiliency advantage. 
It can start transmission as soon as a power island with a connected transmitter is +powered up, while communciation networks such as FTTH or 5G are still rebooting, or might be waiting for parts of their +centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as +LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for +longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G +and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast +primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of +cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication +channel because only a single transmitter facility must be operational for it to function, and this single transmitter +can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as electrical +power is restored, even while the public internet and mobile networks are still offline. It is unaffected by cyberattacks that target telecommunication networks. \subsection{Characterizing Grid Frequency} 
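Review bot: typo in the added text, "communciation" should be "communication"; while touching these lines, "LoraWAN" is spelled "LoRaWAN" by its specification, in both the added and the unchanged lines. The closing sentence "It is unaffected by cyberattacks that target telecommunication networks" is stronger than the operational model introduced later in this patch supports: there the transmitters are triggered from a command center over radio, satellite or SCADA links, so an attack on those links does affect the system even though the receiver side is unaffected. Suggest qualifying it, e.g. "The receiver side is unaffected by cyberattacks that target telecommunication networks".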
@@ -503,13 +520,12 @@ oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (no \section{Grid Frequency Modulation} -A transmitter for grid frequency modulation would be a controllable load of several Megawatt that -is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling -liquid (such as a small lake) which is powered from a -thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased -by repurposing a large industrial load as a transmitter. Going through a -list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. -In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is +A transmitter for grid frequency modulation would be a controllable load of several Megawatt that is located centrally +within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling liquid (such as a +small lake) which is powered from a thyristor rectifier bank. Compared to this baseline solution, hardware and +maintenance investment can be decreased by repurposing a large industrial load as a transmitter. Going through a list of +energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In +aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}. Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the 
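Review bot: this hunk is a pure re-wrap of the paragraph with no change in wording, which makes the diff noisy and obscures later blame output; keep reflow-only edits in their own commit where possible. Style: "Megawatt" in the rewrapped line and "Kiloampère" in the unchanged context are unit names and should be lowercase, or better written with siunitx as the surrounding text already does (`\si{\mega\watt}`, `\si{\kilo\ampere}`).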
@@ -538,6 +554,26 @@ consumption is possible at no significant production impact and at low infrastru already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on parts of the plant, as this is commonplace during routine maintenance activities. +\subsection{The operational model of a GFM-based safety reset} + +While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire +continental European synchronous area, we have to consider operation during a black start, when the grid temporarily +divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the +same power island. + +Instead, the system can use a number of transmitters that are distributed throughout the network. Piggy-backing +transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By running +transmitters from gps-synchronized ovenized crystal oscillators or rubidium frequency standards, transmissions can be +precisely synchronized across power islands even after a holdover period of several days. This allows a transmission to +continue un-interrupted while the utility re-joins power island into the larger grid, since the transmissions on both +islands are precisely synchronized. + +As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this +connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the +utility's dedicated SCADA network. In an emergency, the command center can then trigger a transmission. Synchronized +through their gps-backed frequency standards, two transmitters will then constructively interfere as soon as they are +connected to the same power island. 
+ \subsection{Parametrizing Modulation for GFM} Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we -- cgit
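Review bot: the synchronization claim in the last added paragraph ("two transmitters will then constructively interfere as soon as they are connected to the same power island") needs a bound: constructive interference requires the two modulation waveforms to stay aligned to a fraction of a symbol period over the stated holdover of several days, and the hunk gives neither the symbol period nor the oscillator drift, so state the drift budget and say what happens when islands are re-joined with the transmissions out of phase. The earlier section's resilience argument (only a single transmitter facility must be operational) now also depends on the command center and its radio, satellite or SCADA links, so say how that control path is made resilient or whether transmitters can act autonomously. Wording: "gps-synchronized" and "gps-backed" should be "GPS-synchronized" and "GPS-backed", "Aluminium" mid-sentence should be lowercase as elsewhere in the paper, "un-interrupted" should be "uninterrupted", and "re-joins power island into the larger grid" is missing an article ("re-joins a power island"). Also check that the label `fig_intro_flowchart` is defined; it is referenced here but does not appear in this patch.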