Rework WIP
parent e3b1ff9222
commit 3e3e03892a
2 changed files with 54 additions and 18 deletions
|
|
@ -10,7 +10,7 @@ MAKEFLAGS += --no-builtin-rules
|
|||
|
||||
main_tex ?= safety-reset-paper
|
||||
|
||||
VERSION_STRING := $(shell git describe --tags --long)
|
||||
VERSION_STRING := 1.0 # $(shell git describe --tags --long)
|
||||
|
||||
all: ${main_tex}.pdf
|
||||
|
||||
|
|
|
|||
|
|
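Review bot: the replacement line VERSION_STRING := 1.0 # $(shell git describe --tags --long) pins every build to the same version string, so a generated PDF can no longer be traced back to the commit it was built from. Because make keeps the whitespace in front of a trailing # comment, the value also becomes "1.0 " with a trailing space. If this is meant to allow builds outside a git checkout, keep the git describe call and add a fallback, for example VERSION_STRING := $(shell git describe --tags --long 2>/dev/null || echo unversioned), and move any comment to its own line.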
@ -187,6 +187,20 @@ task to secure the firmware of sufficiently many devices to deny an attacker the
|
|||
Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
|
||||
and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
|
||||
|
||||
\subsection{Attacker model}
|
||||
|
||||
According to the above criteria, our attacker model has the following key features:
|
||||
|
||||
\begin{itemize}
|
||||
\item The attacker cannot compromise the utility operators' SCADA systems.
|
||||
\item The attacker can compromise and subsequently control a large number of target devices at the customer's
|
||||
premises such as smart meters or large IoT devices such as air conditioners or central heating systems.
|
||||
\item Target devices can be designed to include a separate firmware and factory reset function that the attacker
|
||||
cannot circumvent. In the simplest case, this could be a separate microcontroller that is connected to the
|
||||
device's application processor's programming port.
|
||||
\item The attacker aims for maximum disruption as opposed to e.g. data extraction.
|
||||
\end{itemize}
|
||||
|
||||
\subsection{Contents}
|
||||
|
||||
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
|
||||
|
|
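Review bot: the third item of the new attacker model ("Target devices can be designed to include a separate firmware and factory reset function that the attacker cannot circumvent") is a design assumption about the defender's hardware, not a feature of the attacker, and it is the assumption the whole concept rests on. State it as a limit on the attacker instead, for example that the attacker has remote control of the application processor only and no physical access to the device, and say whether the reset controller has any interface reachable from the application processor. Two smaller points in the same list: "According to the above criteria" needs the criteria to be named or referenced, and the second item chains "such as ... such as", which reads as if IoT devices were a kind of smart meter.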
@ -441,17 +455,20 @@ receiver hardware complexity.
|
|||
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
|
||||
at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
|
||||
|
||||
\subsection{Comparison to other communication channels}
|
||||
|
||||
Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication
|
||||
channel has a resiliency advantage: If there is power, a grid frequency modulation system is operational. Both FTTH and
|
||||
5G systems not only require power at their base stations, but also require centralized infrastructure to operate. Mesh
|
||||
networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be
|
||||
available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally,
|
||||
systems such as FTTH, 5G and LoraWAN are built around a point-to-point communication model and usually do not support a
|
||||
generic broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to
|
||||
congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a
|
||||
communication channel because only a single transmitter facility must be operational for it to function, and this single
|
||||
transmitter can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as
|
||||
electrical power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
|
||||
channel has a resiliency advantage. It can start transmission as soon as a power island with a connected transmitter is
|
||||
powered up, while communciation networks such as FTTH or 5G are still rebooting, or might be waiting for parts of their
|
||||
centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as
|
||||
LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
|
||||
longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G
|
||||
and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast
|
||||
primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of
|
||||
cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication
|
||||
channel because only a single transmitter facility must be operational for it to function, and this single transmitter
|
||||
can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as electrical
|
||||
power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
|
||||
cyberattacks that target telecommunication networks.
|
||||
|
||||
\subsection{Characterizing Grid Frequency}
|
||||
|
|
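Review bot: the rewritten paragraph now opens with the power-island argument but still ends on the retained sentence "only a single transmitter facility must be operational for it to function, and this single transmitter can reach all connected devices simultaneously", which no longer holds once the grid is split into islands and conflicts with the multi-transmitter model this commit adds further down. Qualify it to "a single transmitter per power island" or drop it. The retained sentence "After a power outage, it can resume operation as soon as electrical power is restored" also repeats the new opening claim, and "communciation" in the new text is a typo for "communication".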
@ -503,13 +520,12 @@ oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (no
|
|||
|
||||
\section{Grid Frequency Modulation}
|
||||
|
||||
A transmitter for grid frequency modulation would be a controllable load of several Megawatt that
|
||||
is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling
|
||||
liquid (such as a small lake) which is powered from a
|
||||
thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased
|
||||
by repurposing a large industrial load as a transmitter. Going through a
|
||||
list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate.
|
||||
In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
|
||||
A transmitter for grid frequency modulation would be a controllable load of several Megawatt that is located centrally
|
||||
within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling liquid (such as a
|
||||
small lake) which is powered from a thyristor rectifier bank. Compared to this baseline solution, hardware and
|
||||
maintenance investment can be decreased by repurposing a large industrial load as a transmitter. Going through a list of
|
||||
energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In
|
||||
aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
|
||||
transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}.
|
||||
Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and
|
||||
electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the
|
||||
|
|
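Review bot: this hunk only re-wraps the first paragraph of the Grid Frequency Modulation section, with no wording change, which makes the content changes elsewhere in the commit harder to spot. Put pure reflows in a separate commit. If the lines are being touched anyway, "several Megawatt" and "Kiloampère" could use the siunitx macros the paragraph already uses for \SI{1000}{\degreeCelsius}.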
@ -538,6 +554,26 @@ consumption is possible at no significant production impact and at low infrastru
|
|||
already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on
|
||||
parts of the plant, as this is commonplace during routine maintenance activities.
|
||||
|
||||
\subsection{The operational model of a GFM-based safety reset}
|
||||
|
||||
While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire
|
||||
continental European synchronous area, we have to consider operation during a black start, when the grid temporarily
|
||||
divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the
|
||||
same power island.
|
||||
|
||||
Instead, the system can use a number of transmitters that are distributed throughout the network. Piggy-backing
|
||||
transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By running
|
||||
transmitters from gps-synchronized ovenized crystal oscillators or rubidium frequency standards, transmissions can be
|
||||
precisely synchronized across power islands even after a holdover period of several days. This allows a transmission to
|
||||
continue un-interrupted while the utility re-joins power island into the larger grid, since the transmissions on both
|
||||
islands are precisely synchronized.
|
||||
|
||||
As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this
|
||||
connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the
|
||||
utility's dedicated SCADA network. In an emergency, the command center can then trigger a transmission. Synchronized
|
||||
through their gps-backed frequency standards, two transmitters will then constructively interfere as soon as they are
|
||||
connected to the same power island.
|
||||
|
||||
\subsection{Parametrizing Modulation for GFM}
|
||||
|
||||
Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we
|
||||
|
|
|
|||
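Review bot: the new subsection says the command center triggers a transmission over "a redundant set of long-range radio or satellite links" as well as the SCADA network, but the attacker model added in this commit only rules out compromise of the SCADA systems. The text should say how a trigger arriving over the radio or satellite links is authenticated and what a transmitter does with an unauthenticated or replayed one, since a false trigger resets every receiver on the island. The synchronization claim also depends entirely on GPS: state what happens to "constructively interfere" when a transmitter's holdover exceeds the "several days" given, or when its GPS reference is wrong rather than absent. Minor: "gps" should be "GPS", "Aluminium" is capitalized mid-sentence, and "re-joins power island into the larger grid" should read "power islands".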