Paper: WIP

paper/Makefile

@@ -14,17 +14,17 @@ VERSION_STRING := $(shell git describe --tags --long --dirty)
 
 all: ${main_tex}.pdf
 
-%.pdf: %.tex safety-reset.bib version.tex
+%.pdf: %.tex safety-reset-paper.bib version.tex
 	pdflatex -shell-escape $<
-	biber $* 
+	bibtex $* 
 	pdflatex -shell-escape $<
 
 .PHONY: once
-once: safety-reset-paper.tex safety-reset.bib version.tex
+once: safety-reset-paper.tex safety-reset-paper.bib version.tex
-	biber safety-reset-paper
+	bibtex safety-reset-paper
 	pdflatex -shell-escape $<
 
-version.tex: ${main_tex}.tex safety-reset.bib
+version.tex: ${main_tex}.tex safety-reset-paper.bib
 	echo "${VERSION_STRING}" > $@
 
 resources/%.pdf: $(LAB_PATH)/%.ipynb

paper/safety-reset-paper.tex

@@ -1,16 +1,6 @@
 \documentclass[letterpaper,twocolumn,10pt]{article}
 \usepackage{usenix}
 
-\usepackage[T1]{fontenc}
-\usepackage[
-    backend=biber,
-    style=numeric,
-    natbib=true,
-    url=false, 
-    doi=true,
-    eprint=false
-    ]{biblatex}
-\addbibresource{safety-reset.bib}
 \usepackage{amssymb,amsmath}
 \usepackage{eurosym}
 \usepackage{wasysym}
@@ -35,8 +25,8 @@
 % https://eepublicdownloads.entsoe.eu/clean-documents/pre2015/publications/entsoe/Operation_Handbook/Policy_1_Appendix%20_final.pdf
 
 \date{}
-\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
+\title{\large\bf Ripples in the Pond:\\Transmitting Information through Grid Frequency Modulation}
-\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
+\author{{\rm Jan Sebastian Götte}\\TU Darmstadt \and {\rm Liran Katzir}\\Tel Aviv University\and {\rm Björn Scheuermann}\\TU Darmstadt}
 %\institute{TU Darmstadt\\ Communication Networks Lab\\ \email{safetyreset@jaseg.de}
 %\and Tel Aviv University\\ Faculty of Engineering\\ \email{lirankat@tau.ac.il}
 %\and TU Darmstadt\\ Communication Networks Lab\\ \email{scheuermann@informatik.hu-berlin.de}}
@@ -45,29 +35,25 @@
 %things'' \and Cyber-physical systems \and Hardware security \and Network Security \and Energy systems \and Signal theory}
 
 \begin{abstract}
-    Previous work has explored the scenario of an attacker compromising a large number of consumer devices, and
+    The dependence of the electrical grid on networked control systems is steadily rising. While utilities are defending
-    modulating the power of these devices to cause large load swings at particular resonant frequencies of the
+    their side of the grid effectively through rigorous IT security measures such as physically separated control
-    electrical grid's control systems that ultimately cause a large-scale outage~\cite{ctap+11,wu01}. Previous work has
+    networks, the increasing number of networked devices on the consumer side such as smart meters or large
-    focused on attacks using smart meters with integrated remote disconnect switches as first proposed
+    IoT-connected appliances such as air conditioners are much harder to secure due to their heterogeneity. We consider
-    in~\cite{anderson01}, but the same attack scenario also applies to large IoT devices such as IoT-equipped air
+    a crisis scenario in which an attacker compromises a large number of consumer-side devices and modulates their
-    conditioners or central heating systems.
+    electrical to destabilize the grid and cause an electrical outage~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}.
+    
+    In this paper propose a broadcast channel based on the modulation of grid frequency through which utility operators
+    can issue commands to devices at the consumer premises both during an attack for mitigation and in its wake to aid
+    recovery. Our proposed grid frequency modulation (GFM) channel is independent of other telecommunication networks.
+    It is resilient towards localized blackouts and it is operational immediately as soon as power is restored.
 
-    Prior work on mitigation of this attack scenario includes generic firmware hardening techniquies % FIXME citation
+    Based on our GFM broadcast channel we propose a ``safety reset'' system to mitigate an ongoing attack by disabling a
-    and reducing the susceptibility of the electrical grid towards these resonant oscillation modes~\cite{entsoe01}.
+    device's network interfaces and restting its control functions. It can also be used in the wake of an attack to aid
-    In this paper, we will complement these mitigation efforts by considering the recovery process after a successful
+    recovery by shutting down non-essential loads to reduce strain on the grid.
-    attack. To transmission system operators (TSOs), the major challenge after such a Smart Meter-triggered outage is
-    that the attacker will likely persist through the outage, and compromised Smart Meters will resume malicious
-    activity after their power is restored. In the event of such an attack, TSOs would need a way to remotely put these
-    compromised devices into a \emph{safe} mode of operation. For this purpose, we propose a remote-controllable
-    \emph{Safety reest} that is designed to remain operational even during a large-scale attack.
 
-    Given that public telecommunications networks including the internet, cellular networks, and LoRa base stations may
+    To validate our proposed design, we conducted simulations based on measured grid frequency behavior. Based on these
-    also be disrupted during a blackout, the challenging aspect of this \emph{Safety Reset} is the communication channel
+    simulations, we performed an experimental validation on simulated grid voltage waveforms using a smart meter
-    between TSO and the smart meter. For this purpose, in this paper we propose a simple yet effective communication
+    equipped with a prototype safety reset system based on an inexpensive commodity microcontroller.
-    channel based on modulating grid frequency by modulating the power of a connected load or generator. Our proposed
-    communciation channel (1) requires minimal infrastructure, (2) has a reach spanning the entire power grid and (3) is
-    fully independent of other telecommunication networks and functions even under severe disruption of the grid. The
-    resulting safety reset can be applied to any grid-connected device including smart meters and IoT devices.
 \end{abstract}
 
 \section{Introduction}
@@ -79,12 +65,15 @@ their interactions have not yet received much attention.
 
 In this paper, we consider the previously proposed scenario where a large number of compromised consumer devices is used
 alone or in conjunction with an attack on the grid's central SCADA systems to destabilize the grid by rapidly modulating
-the total connected load~\cite{ctap+11,wu01}. Previous work considered compromised smart meters with integrated remote
+the total connected load~\cite{ctap+11,wu01,zlmz+21,kgma21,smp18,hcb19}. Several devices have been identified as likely
-disconnect switches as likely candidates for such an attack, but the same attack can also be performed using compromised
+targets for such an attack including smart meters with integrated remote disconnect switches~\cite{ctap+11,anderson01},
-IoT devices.  Such attacks are hard to mitigate, and existing literature focuses on hardening device firmware to prevent
+large IoT-connected appliances~\cite{smp18,hcb19,chl20,olkd20} and electric vehicle
+chargers~\cite{kgma21,zlmz+21,olkd20}.  Such attacks are hard to mitigate, and existing literature focuses on hardening
+grid control systems~\cite{kgma21,lzlw+20,lam21,zlmz+21} and device firmware\cite{mpdm+10,smp18,zb20,yomu+20} to prevent
 compromise. Despite the infeasibility of perfect firmware security, there is little research on \emph{post-compromise}
-mitigation approaches. A core issue with post-attack mitigation is that the devices normal network connection may not
+mitigation approaches. A core issue with post-attack mitigation is that network connections such as internet and
-work due to the attack and as such an out-of-band communication channel is necessary.
+cellular networks between the utility and devices on consumer premises may not work due to the attack. Thus, mitigation
+strategies that involve devices on the consumer premises will need an out-of-band communication channel.
 
 We propose a \emph{safety reset} controller that is controlled through a novel, resilient, grid-wide powerline
 communication technique. Our safety reset controller can be fitted into any Smart Meter or IoT device. Its purpose is to
@@ -92,14 +81,31 @@ await an out-of-band command to put the device into a safe state (e.g. \emph{rel
 interrupts attacker control over the device. The safety reset controller is separated from the system's main application
 controller and does not have any conventional network connections to reduce attack surface and cost.
 
-We propose a resilient grid-wide broadcast channel based on modulating grid frequency. This channel can be operated by
+To facilitate resilient communication between the grid operator and the safety reset controller, we propose a grid-wide
-transmission system operators (TSOs) even during black-start recovery procedures and in this situation bridges the gap
+broadcast channel based on grid frequency modulation (GFM). This channel can be operated by transmission system
-between the TSO's private network and the consumer devices. To demonstrate our proposed channel, we have implemented a
+operators (TSOs) even during black-start recovery procedures and it bridges the gap between the TSO's private control
-system that transmits error-corrected and cryptographically secured commands.
+network and consumer devices that can not economically be equipped with other resilient communication techniques such as
+satellite transceivers. To demonstrate our proposed channel, we have implemented a system that transmits error-corrected
+and cryptographically secured commands through an emulated grid frequency-modulated voltage waveform to an off-the-shelf
+smart meter equipped with a prototype safety reset controller based on a small off-the-shelf microcontroller.
 
-Our approach differs from traditional Powerline Communication (PLC) systems in that it reaches every device within one
+The frequency behavior of the electrical grid can be analyzed by examining the grid as a large collection of mechanical
-synchronous area as the signal is embedded into the fundamental grid frequency. Traditional PLC uses a superimposed
+oscillators coupled through the grid via the electromotive force~\cite{rogers01,wcje+12}. The generators and motors that
-voltage, which is quickly attenuated across long distances.
+are electromagnetically coupled through the grid's transmission lines and transformers run synchronously with each
+other, with only minor localized variations in their rotation angle. The dynamic behavior of grid frequency is a direct
+product of this electromechanical coupling: With increasing load, frequency drops because shafts move slower under
+higher torque, and consequentially with decreasing load frequency rises. Industrial control systems keep frequency close
+to its nominal value over time spans of minutes or hours, but at shorter time frames the combined inertia of all
+grid-connected generators and motors is what regulates frequency.
+
+Grid frequency modulation works by quickly modulating the power of a large, grid-connected load or generator. When this
+modulation is at low amplitude and high frequency, it is below the thresholds set for the grid's automated control
+systems and monitoring systems and it will directly affect frequency according to the grid's inertia. GFM differs from
+traditional Powerline Communication (PLC) systems in that it reaches every device within one synchronous area as the
+signal is embedded into the fundamental grid frequency. Traditional PLC uses a superimposed voltage, which is quickly
+attenuated across long distances. Practically speaking, using GFM a single large transmitter can cover an entire
+synchronous area, while in traditional PLC hundreds or thousands of smaller transmitters would be necessary. Unlike
+traditional PLC, any large industrial load that allows for fast computer control can act as a GFM transmitter.
 
 \begin{figure}
     \centering
@@ -109,17 +115,18 @@ voltage, which is quickly attenuated across long distances.
     \label{fig_intro_flowchart}
 \end{figure}
 
-Figure~\ref{fig_intro_flowchart} shows an overview of our concept.  Two scenarios for its application are before or
+Figure~\ref{fig_intro_flowchart} shows an overview of our concept, where a large aluminium smelter has been temporarily
-during a cyberattack, to stop an attack on the electrical grid in its tracks, and after an attack while power is being
+re-purposed as a GFM transmitter.  Two scenarios for its application are before or during a cyberattack, to stop an
-restored to prevent a repeated attack. In both scenarios, our concept is independent of telecommunication networks (such
+attack on the electrical grid in its tracks, and after an attack while power is being restored to prevent a repeated
-as the internet or cellular networks) as well as broadcast systems (such as cable television or terrestrial broadcast
+attack. In both scenarios, our concept is independent of telecommunication networks (such as the internet or cellular
-radio) while requiring only inexpensive signal processing hardware and no external antennas (such as are needed for
+networks) as well as broadcast systems (such as cable television or terrestrial broadcast radio) while requiring only
-satellite communication). A grid frequency-based system can function as long as power is still available, or as soon as
+inexpensive signal processing hardware and no external antennas (such as are needed for satellite communication). A grid
-power is restored after the attack. One powerful function this allows is ``flushing out`` an attacker from compromised
+frequency-based system can function as long as power is still available, or as soon as power is restored after the
-smart meters after an attack, before restoring smart meter internet connectivity.
+attack. One powerful function this allows is ``flushing out`` an attacker from compromised smart meters after an attack,
+before restoring smart meter internet connectivity.
 
 Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load such as a large aluminium smelter,
-load bank or photovoltaic farm would allow for the transmission of a crytographically secured \emph{reset} signal within
+load bank or photovoltaic farm would allow for the transmission of a crytographically secured safety reset signal within
 $15$ minutes. We have designed and constructed a proof-of-concept prototype receiver that demonstrates the feasibility
 of decoding such signals on a resource-constrained microcontroller.
 
@@ -172,9 +179,10 @@ restore the grid to its normal state.
 \subsection{Contents}
 
 Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
-conditions. Based on these simulations we implemented an end-to-end prototype of our proposed safety reset controller as
+conditions using measured grid frequency data. Based on these simulations we implemented an end-to-end prototype of our
-part of a realistic smart meter demonstrator. Finally, we experimentally validated our results and we will conclude with
+proposed safety reset controller as part of a realistic smart meter demonstrator. Finally, we experimentally validated
-an outline of further steps towards a practical implementation.
+our results based on a simulated mains voltage signal and we will conclude with an outline of further steps towards a
+practical implementation.
 
 This work contains the following contributions:
 \begin{enumerate}[topsep=4pt]
@@ -494,14 +502,14 @@ from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
 
 \begin{figure}
     \centering
-    \includegraphics[width=0.4\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
+    \includegraphics[width=0.45\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
     \caption{Symbol Error Rate as a function of modulation amplitude for Gold sequences of several lengths.}
     \label{fig_ser_nbits}
 \end{figure}
 
 \begin{figure}
     \centering
-    \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../notebooks/fig_out/dsss_thf_amplitude_5678}
+    \hspace*{-1cm}\includegraphics[width=0.5\textwidth]{../notebooks/fig_out/dsss_thf_amplitude_5678}
     \caption{SER vs.\ Amplitude and detection threshold. Detection threshold is set as a factor of background noise
     level.}
     \label{fig_ser_thf}
@@ -509,7 +517,7 @@ from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
 
 \begin{figure}
     \centering
-    \hspace*{-1cm}\includegraphics[width=1.2\textwidth]{../notebooks/fig_out/chip_duration_sensitivity_6}
+    \hspace*{-1cm}\includegraphics[width=0.5\textwidth]{../notebooks/fig_out/chip_duration_sensitivity_6}
     \vspace*{-1cm}
     \caption{SER vs.\ DSSS chip duration.}
     \label{fig_ser_chip}
@@ -542,7 +550,7 @@ need for computationally expensive public key cryptography inside the smart mete
 
 \begin{figure}
     \centering
-    \includegraphics[width=0.6\textwidth]{prototype.jpg}
+    \includegraphics[width=0.45\textwidth]{prototype.jpg}
     \caption{The completed prototype setup. The board on the left is the safety reset microcontroller. It is connected
     to the smart meter in the middle through an adapter board. The top left contains a USB hub with debug interfaces to
     the reset microcontroller. The cables on the bottom left are the debug USB cable and the \SI{3.5}{\milli\meter}
@@ -571,7 +579,7 @@ the meter's display after boot-up.
 
 \begin{figure}
     \centering
-    \includegraphics[width=\textwidth]{prototype_schema}
+    \includegraphics[width=0.45\textwidth]{prototype_schema}
     \caption{The signal processing chain of our demonstrator.}
     \label{fig_demo_sig_schema}
 \end{figure}
@@ -652,7 +660,8 @@ commercially viable.
 
 Source code and EDA designs are available at the public repository listed at the end of this document.
 
-\printbibliography[heading=bibintoc]
+\bibliographystyle{plain}
+\bibliography{\jobname}
 
 \center{
     \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository