paper draft

paper/safety-reset-paper.tex

@@ -144,10 +144,10 @@ In this paper, we focus on assisting the recovery procedure after a succesful at
 approach will yield a better return of investement in overall grid stability versus resources spent on security
 measures. Previous work on IoT and Smart Grid security has focused on the prevention of attacks though firmware security
 measures. While research on prevention is important, we estimate that its practical impact will be limited by the
-diversity of implementations found in the field~\cite{nbck+19,zlmz+21}. We predict that it would be a Sisyphean task to
-secure the firmware of sufficiently many devices to deny an attacker the critical mass needed to cause trouble. Even if
-all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid and IoT
-devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
+diversity of implementations found in the field~\cite{nbck+19,zlmz+21,smp18}. We predict that it would be a Sisyphean
+task to secure the firmware of sufficiently many devices to deny an attacker the critical mass needed to cause trouble.
+Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
+and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
 
 \subsection{Contents}
 
@@ -175,8 +175,8 @@ deviation $f_\Delta$ that the modulated carrier deviates from its nominal value
 milli-Hertz.
 
 When grid frequency is measured by first digitizing the mains voltage waveform, then de-modulating digitally, the FM's
-SNR is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise sources such as
-resistive droop due to large inrush current of nearby machines.
+signal-to-noise ratio (SNR) is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise
+sources such as resistive droop due to large inrush current of nearby machines.
 
 Note that both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz. To disambiguate
 them, in this paper we will use \textbf{bold} letters to refer to the carrier waveform $\mathbf{U}$ or frequency
@@ -357,6 +357,18 @@ line.
 
 \subsection{Proposed Countermeasures}
 
+In~\cite{kgma21}, the authors propose an extension to grid control algorithms aimed at increasing the grid's robustness
+towards forced oscillations. In~\cite{smp18}, the authors propose that utility operators use a detailed attacker model
+to engineer additional safety margins into the grid while minimizing the economic inefficiency of these measures. On the
+IoT side, they note that due to the wide implementation diversity, the problem cannot be solved by individual measures
+and propose additional fundamental research on IoT device security.
+
+In~\cite{hcb19}, the authors conclude that simple demand attacks where compromised loads suddenly increase demand are
+adequately mitigated by existing safety measures, in particular \emph{Under-Frequency Load Shedding} (UFLS). As part of
+UFLS, during a contingency the utility will progressively disconnected loads according to set priorities until the
+production / generation balance has been restored and a blackout has been averted. UFLS is already deployed in any large
+electrical grid.
+
 % FIXME more sources!
 
 \section{Grid Frequency as a Communication Channel}
@@ -488,9 +500,9 @@ parts of the plant, as this is commonplace during routine maintenance activities
 Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we
 can derive parameters for the modulation of our broadcast system.  The overall network power-frequency characteristic of
 the continental European synchronous area is about $\SI{25}{\giga\watt\per\hertz}$~\cite{entsoe02}. Thus, the main
-challenge for a GFM system will be poor SNR due to low transmission power. A second layer of modulation yielding some
-modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to achieve sufficient overall
-SNR.
+challenge for a GFM system will be poor signal-to-noise ratio (SNR) due to low transmission power. A second layer of
+modulation yielding some modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to
+achieve sufficient overall SNR.
 
 The grid's frequency noise has significant localized peaks that might interfere with this modulation. Further
 complicating things are the oscillation modes. A GFM system must be designed to avoid exciting these modes. However,
@@ -505,22 +517,46 @@ overall performance. DSSS chip timing should be as fast as the transmitter's phy
 region between $\SI{0.2}{\hertz}$ to $\SI{2.0}{\hertz}$ in Figure~\ref{fig_freq_spec}. Going past
 $\approx\SI{2}{\hertz}$ would complicate frequency measurement at the receiver side.
 
-\paragraph{Direct Sequence Spread Spectrum (DSSS) modulation}
+\subsubsection{Direct Sequence Spread Spectrum (DSSS) modulation}
 
-% FIXME quickly explain DSSS here. 
+Direct Sequence Spread Spectrum modulation is a common spread-spectrum technique that forms the basis of a number of
+radio systems, most prominently all global navigation satellite systems (GNSS). As a spread-spectrum technique, DSSS
+spreads out the signal's energy across a broad spectral range. This decreases the susceptibility of a DSSS signal to
+narrowband interference. In GNSS, this allows the rejection of other nearby RF sources. In our use case, this makes the
+signal immune to the many narrow peaks in the grid frequency's noise spectrum that are caused by UTC-synchronized
+control systems (cf.~Fig.~\ref{fig_freq_spec}). In addition to better interference immunity, DSSS has two other
+important characteristics: It provides \emph{modulation gain}, i.e.~it allows a trade-off between data rate and receiver
+sensitivity, and it allows for Code Division Multiple Access (CDMA). In CDMA, multiple DSSS-modulated signals can be
+sent simultaneously through a shared channel with less impact to the resulting signal-to-noise ratio (SNR) than would be
+the case for other modulation techniques.
 
-\paragraph{DSSS parametrization}
+A DSSS signal is made up from pseudo-random \emph{symbols}, which in turn are made up from individual physical layer
+bits called \emph{chips}. Chips are encoded in the signal using a lower-layer modulation such as phase-shift keying
+(e.g.~in GPS) or frequency-shift keying (in this work). In DSSS, a \emph{code} is a library of symbols that are
+constructed to have minimal cross-correlation, meaning they are near-orthogonal. A transmitter sends a symbol by
+transmitting its particular pseudo-random chip sequence at a chosen polarity, conveying one bit of information. A
+receiver demodulates the signal by directly correlating the incoming physical-layer signal with the symbol's chip
+pattern, which results in a positive or negative peak depending on symbol polarity when a symbol is received.
 
-We simulated a proof-of-concept modulator and demodulator using data captured from our grid frequency sensor. Our
-simulations covered a range of parameters in modulation amplitude, DSSS sequence bit depth, chip duration and detection
-threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for symbol error rate (SER) as a function of
-modulation amplitude with Gold sequences of several bit depths. From these graphs we conclude that the range of
-practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$, which corresponds to a modulation power
-of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}.  Figure~\ref{fig_ser_thf} shows SER against detection threshold
-relative to background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length.
-As expected from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and
-worsens for longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region
-from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
+By increasing the DSSS sequence length by a factor of $2$, SNR is improved by $\sqrt{2}$ assuming an additive white
+gaussian noise (AWGN) channel. At the same time, when doubling the sequence length, common DSSS code construction
+methods provide twice the number of distinctive symbols allowing for twice the number of CDMA participants. The trade
+off between twice the sequence length (and transmission time) for approximately $\SI{1.5}{dB}$ in SNR is a steep
+trade-off, but is necessary in systems where transmitter power cannot be increased further and the resulting signal has
+a marginally low SNR.
+
+\subsubsection{DSSS parametrization}
+
+To find the parameters for our DSSS modulation, we simulated a proof-of-concept modulator and demodulator using data
+captured from our grid frequency sensor. Our simulations covered a range of combinations of modulation amplitude, DSSS
+sequence bit depth, chip duration and detection threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for
+symbol error rate (SER) as a function of modulation amplitude with Gold sequences of several bit depths. From these
+graphs we conclude that the range of practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$,
+which corresponds to a modulation power of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}.
+Figure~\ref{fig_ser_thf} shows SER against detection threshold relative to background noise. Figure~\ref{fig_ser_chip}
+shows SER against chip duration for a given fixed symbol length. As expected from looking at our measured grid frequency
+noise spectrum, performance is best for short chip durations and worsens for longer chip durations since shorter chip
+durations move our signals' bandwidth into the lower-noise region from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
 %FIXME introduce term "chip" somewhere
 
 \begin{figure}