paper draft

This commit is contained in:
jaseg 2022-06-23 14:41:13 +02:00
parent f5c1695898
commit 36552f3174


@ -144,10 +144,10 @@ In this paper, we focus on assisting the recovery procedure after a succesful at
approach will yield a better return of investement in overall grid stability versus resources spent on security approach will yield a better return of investement in overall grid stability versus resources spent on security
measures. Previous work on IoT and Smart Grid security has focused on the prevention of attacks though firmware security measures. Previous work on IoT and Smart Grid security has focused on the prevention of attacks though firmware security
measures. While research on prevention is important, we estimate that its practical impact will be limited by the measures. While research on prevention is important, we estimate that its practical impact will be limited by the
diversity of implementations found in the field~\cite{nbck+19,zlmz+21}. We predict that it would be a Sisyphean task to diversity of implementations found in the field~\cite{nbck+19,zlmz+21,smp18}. We predict that it would be a Sisyphean
secure the firmware of sufficiently many devices to deny an attacker the critical mass needed to cause trouble. Even if task to secure the firmware of sufficiently many devices to deny an attacker the critical mass needed to cause trouble.
all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid and IoT Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}. and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
\subsection{Contents} \subsection{Contents}
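Review bot: the re-wrapped paragraph keeps two typos that were already in the old text: "return of investement" should read "return on investment" and "prevention of attacks though firmware security measures" should read "through". The context line in the hunk header also still has "succesful". Since the only substantive change here is the added `\cite{smp18}`, make sure that key exists in the bibliography; the same key is relied on again in the new countermeasures paragraph further down.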
@ -175,8 +175,8 @@ deviation $f_\Delta$ that the modulated carrier deviates from its nominal value
milli-Hertz. milli-Hertz.
When grid frequency is measured by first digitizing the mains voltage waveform, then de-modulating digitally, the FM's When grid frequency is measured by first digitizing the mains voltage waveform, then de-modulating digitally, the FM's
SNR is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise sources such as signal-to-noise ratio (SNR) is very high and is dominated by the ADC's quantization noise and nearby mains voltage noise
resistive droop due to large inrush current of nearby machines. sources such as resistive droop due to large inrush current of nearby machines.
Note that both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz. To disambiguate Note that both the carrier signal at $f_c$ and the modulation signal at $f_m$ both have unit Hertz. To disambiguate
them, in this paper we will use \textbf{bold} letters to refer to the carrier waveform $\mathbf{U}$ or frequency them, in this paper we will use \textbf{bold} letters to refer to the carrier waveform $\mathbf{U}$ or frequency
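Review bot: the expansion "signal-to-noise ratio (SNR)" at first use is the right fix here, but the unchanged context sentence below it still reads "both the carrier signal ... and the modulation signal ... both have unit Hertz"; drop one of the two "both". Since this is the first use of SNR in the paper, later passages can use the bare abbreviation.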
@ -357,6 +357,18 @@ line.
\subsection{Proposed Countermeasures} \subsection{Proposed Countermeasures}
In~\cite{kgma21}, the authors propose an extension to grid control algorithms aimed at increasing the grid's robustness
towards forced oscillations. In~\cite{smp18}, the authors propose that utility operators use a detailed attacker model
to engineer additional safety margins into the grid while minimizing the economic inefficiency of these measures. On the
IoT side, they note that due to the wide implementation diversity, the problem cannot be solved by individual measures
and propose additional fundamental research on IoT device security.
In~\cite{hcb19}, the authors conclude that simple demand attacks where compromised loads suddenly increase demand are
adequately mitigated by existing safety measures, in particular \emph{Under-Frequency Load Shedding} (UFLS). As part of
UFLS, during a contingency the utility will progressively disconnected loads according to set priorities until the
production / generation balance has been restored and a blackout has been averted. UFLS is already deployed in any large
electrical grid.
% FIXME more sources! % FIXME more sources!
\section{Grid Frequency as a Communication Channel} \section{Grid Frequency as a Communication Channel}
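Review bot: "until the production / generation balance has been restored" looks like a slip; production and generation are the same quantity, and UFLS as described here restores the balance between generation and consumption (load). Suggest "generation / consumption balance". Two smaller points in the same paragraph: "the utility will progressively disconnected loads" should be "disconnects", and "UFLS is already deployed in any large electrical grid" is stated without a citation while the `% FIXME more sources!` marker is still in place directly below; either cite a source for the deployment claim or soften it to "widely deployed". In the first paragraph, "On the IoT side, they note" is ambiguous after two cited works; name the authors of \cite{smp18} explicitly.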
@ -488,9 +500,9 @@ parts of the plant, as this is commonplace during routine maintenance activities
Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we
can derive parameters for the modulation of our broadcast system. The overall network power-frequency characteristic of can derive parameters for the modulation of our broadcast system. The overall network power-frequency characteristic of
the continental European synchronous area is about $\SI{25}{\giga\watt\per\hertz}$~\cite{entsoe02}. Thus, the main the continental European synchronous area is about $\SI{25}{\giga\watt\per\hertz}$~\cite{entsoe02}. Thus, the main
challenge for a GFM system will be poor SNR due to low transmission power. A second layer of modulation yielding some challenge for a GFM system will be poor signal-to-noise ratio (SNR) due to low transmission power. A second layer of
modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to achieve sufficient overall modulation yielding some modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to
SNR. achieve sufficient overall SNR.
The grid's frequency noise has significant localized peaks that might interfere with this modulation. Further The grid's frequency noise has significant localized peaks that might interfere with this modulation. Further
complicating things are the oscillation modes. A GFM system must be designed to avoid exciting these modes. However, complicating things are the oscillation modes. A GFM system must be designed to avoid exciting these modes. However,
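Review bot: the expansion "poor signal-to-noise ratio (SNR)" duplicates the one introduced earlier in this commit at the first use of the term (the grid frequency measurement paragraph around line 175); keep the bare "SNR" here. Otherwise this hunk is a pure re-wrap, so nothing else changes in meaning.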
@ -505,22 +517,46 @@ overall performance. DSSS chip timing should be as fast as the transmitter's phy
region between $\SI{0.2}{\hertz}$ to $\SI{2.0}{\hertz}$ in Figure~\ref{fig_freq_spec}. Going past region between $\SI{0.2}{\hertz}$ to $\SI{2.0}{\hertz}$ in Figure~\ref{fig_freq_spec}. Going past
$\approx\SI{2}{\hertz}$ would complicate frequency measurement at the receiver side. $\approx\SI{2}{\hertz}$ would complicate frequency measurement at the receiver side.
\paragraph{Direct Sequence Spread Spectrum (DSSS) modulation} \subsubsection{Direct Sequence Spread Spectrum (DSSS) modulation}
% FIXME quickly explain DSSS here. Direct Sequence Spread Spectrum modulation is a common spread-spectrum technique that forms the basis of a number of
radio systems, most prominently all global navigation satellite systems (GNSS). As a spread-spectrum technique, DSSS
spreads out the signal's energy across a broad spectral range. This decreases the susceptibility of a DSSS signal to
narrowband interference. In GNSS, this allows the rejection of other nearby RF sources. In our use case, this makes the
signal immune to the many narrow peaks in the grid frequency's noise spectrum that are caused by UTC-synchronized
control systems (cf.~Fig.~\ref{fig_freq_spec}). In addition to better interference immunity, DSSS has two other
important characteristics: It provides \emph{modulation gain}, i.e.~it allows a trade-off between data rate and receiver
sensitivity, and it allows for Code Division Multiple Access (CDMA). In CDMA, multiple DSSS-modulated signals can be
sent simultaneously through a shared channel with less impact to the resulting signal-to-noise ratio (SNR) than would be
the case for other modulation techniques.
\paragraph{DSSS parametrization} A DSSS signal is made up from pseudo-random \emph{symbols}, which in turn are made up from individual physical layer
bits called \emph{chips}. Chips are encoded in the signal using a lower-layer modulation such as phase-shift keying
(e.g.~in GPS) or frequency-shift keying (in this work). In DSSS, a \emph{code} is a library of symbols that are
constructed to have minimal cross-correlation, meaning they are near-orthogonal. A transmitter sends a symbol by
transmitting its particular pseudo-random chip sequence at a chosen polarity, conveying one bit of information. A
receiver demodulates the signal by directly correlating the incoming physical-layer signal with the symbol's chip
pattern, which results in a positive or negative peak depending on symbol polarity when a symbol is received.
We simulated a proof-of-concept modulator and demodulator using data captured from our grid frequency sensor. Our By increasing the DSSS sequence length by a factor of $2$, SNR is improved by $\sqrt{2}$ assuming an additive white
simulations covered a range of parameters in modulation amplitude, DSSS sequence bit depth, chip duration and detection gaussian noise (AWGN) channel. At the same time, when doubling the sequence length, common DSSS code construction
threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for symbol error rate (SER) as a function of methods provide twice the number of distinctive symbols allowing for twice the number of CDMA participants. The trade
modulation amplitude with Gold sequences of several bit depths. From these graphs we conclude that the range of off between twice the sequence length (and transmission time) for approximately $\SI{1.5}{dB}$ in SNR is a steep
practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$, which corresponds to a modulation power trade-off, but is necessary in systems where transmitter power cannot be increased further and the resulting signal has
of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}. Figure~\ref{fig_ser_thf} shows SER against detection threshold a marginally low SNR.
relative to background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length.
As expected from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and \subsubsection{DSSS parametrization}
worsens for longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region
from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$. To find the parameters for our DSSS modulation, we simulated a proof-of-concept modulator and demodulator using data
captured from our grid frequency sensor. Our simulations covered a range of combinations of modulation amplitude, DSSS
sequence bit depth, chip duration and detection threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for
symbol error rate (SER) as a function of modulation amplitude with Gold sequences of several bit depths. From these
graphs we conclude that the range of practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$,
which corresponds to a modulation power of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}.
Figure~\ref{fig_ser_thf} shows SER against detection threshold relative to background noise. Figure~\ref{fig_ser_chip}
shows SER against chip duration for a given fixed symbol length. As expected from looking at our measured grid frequency
noise spectrum, performance is best for short chip durations and worsens for longer chip durations since shorter chip
durations move our signals' bandwidth into the lower-noise region from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
%FIXME introduce term "chip" somewhere %FIXME introduce term "chip" somewhere
\begin{figure} \begin{figure}
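Review bot: the sentence "By increasing the DSSS sequence length by a factor of $2$, SNR is improved by $\sqrt{2}$ ... for approximately $\SI{1.5}{dB}$ in SNR" needs to say whether $\sqrt{2}$ is an amplitude or a power ratio: as an amplitude ratio it is about 3 dB, as a power ratio about 1.5 dB, and the two figures in the sentence currently only agree under the power reading. With coherent correlation over an AWGN channel the processing gain is usually taken to scale linearly with sequence length (about 3 dB per doubling), so if 1.5 dB is intended, state the detection model that gives it. Smaller points: the new DSSS paragraph now defines "chips" and "symbols", so the unchanged `%FIXME introduce term "chip" somewhere` below it is stale and can be removed; "gaussian" should be capitalized; "trade off" and "trade-off" appear in the same sentence with different spelling; and "(cf.~Fig.~\ref{fig_freq_spec})" uses "Fig." where the rest of the section uses "Figure~\ref{...}".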