paper rework WIP

jaseg 2021-07-30 17:30:32 +02:00
parent 38b009da9f
commit d1c605059c
4 changed files with 1169 additions and 19 deletions

paper/flowchart.pdf (new binary file; diff not shown)

paper/flowchart.svg (new file, 1098 lines, 43 KiB; diff suppressed because it is too large)

@ -33,7 +33,7 @@
\title{Ripples in the Pond: Transmitting Information through Grid Frequency Modulation}
\titlerunning{Ripples in the Pond: Transmitting Information through Grid Frequency}
\author{Jan Sebastian Götte \and Liran Katzir \and Björn Scheuermann}
\institute{Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
\institute{Alexander von Humboldt Institut for Internet and Society Berlin (HIIG)\\ \email{safetyreset@jaseg.de} \and Tel Aviv University\\Faculty of Engineering\\\email{lirankat@tau.ac.il} \and Humboldt-Universität zu Berlin\\ \email{scheuermann@informatik.hu-berlin.de}}
% FIXME keywords
\maketitle
\keywords{Security, privacy and resilience in critical infrastructures \and Security and privacy in ``internet of
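Review bot: the replacement \institute line mixes languages: it keeps the German "Institut" in front of the English "for Internet and Society". The institute's English name is "Alexander von Humboldt Institute for Internet and Society", so either use that or keep the original German name. The `% FIXME keywords` comment also survives this hunk even though the \keywords block follows directly after \maketitle; if the keyword list is now final, drop the marker, otherwise say what is still missing.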
@ -48,11 +48,11 @@ things'' \and Cyber-physical systems \and Hardware security \and Network Securit
In this paper, we approach the smart grid safety issue by implementing an emergency override that can be used to
reset all connected devices to a known-good state and preempt subsequent compromise by cutting communication links.
To yield a fully fail-safe design, our system does not rely on the internet or other conventional communication
network to work. Instead, our system transmits error-corrected and cryptographically secured commands by modulating
grid frequency using a single large consumer such as a large aluminium smelter. This approach differs from
traditional Powerline Communication (PLC) systems in that it reaches every device within the same synchronous area
as the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly
To yield a fully fail-safe design, our system does not rely on the internet or other conventional telecommunication
networks to function. Instead, our system transmits error-corrected and cryptographically secured commands by
modulating grid frequency using a single large consumer such as a large aluminium smelter. This approach differs
from traditional Powerline Communication (PLC) systems in that it reaches every device within the same synchronous
area as the signal is embedded into the fundamental grid frequency instead of a superimposed voltage that is quickly
attenuated across long distances.
Using simulations we have determined that control of a $\SI{25}{\mega\watt}$ load would allow for the transmission
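Review bot: in the rewritten sentence "it reaches every device within the same synchronous area as the signal is embedded into the fundamental grid frequency", the "as" can be read as temporal rather than causal; write ", because the signal is embedded into the fundamental grid frequency" so the claim is unambiguous. Minor: "a single large consumer such as a large aluminium smelter" repeats "large"; "a single large consumer such as an aluminium smelter" reads better.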
@ -116,13 +116,29 @@ In this paper, instead of focusing on the very hard task of improving firmware s
solution to the---in our opinion likely---scenario of a large-scale compromise of smart meter firmware. In our concept
the components of the smart meter that are threatened by remote compromise are equipped with a physically separate
\emph{safety reset controller} that listens for a ``reset'' command transmitted through the electrical grid's frequency
and on reception forcibly resets the smart meter's entire firmware to a known-good state. Our safety reset controller
receives commands through Direct Sequence Spread Spectrum (DSSS) modulation carried out on grid frequency through a
large controllable load such as an aluminium smelter. After forward error correction and cryptographic verification it
re-flashes the meter's main microcontroller over the standard JTAG interface. Note that our modulation technique is
\emph{changing the grid frequency itself}. This is fundamentally different in both generation and detection from
systems such as traditional PLC that superimpose a signal on grid voltage, but leave the underlying grid frequency
itself unaffected.
and on reception forcibly resets the smart meter's entire firmware to a known-good state and disables all network
functionality to prevent re-compromise. Our safety reset controller receives commands through Direct Sequence Spread
Spectrum (DSSS) modulation carried out on grid frequency through a large controllable load such as an aluminium smelter.
After forward error correction and cryptographic verification it re-flashes the meter's main microcontroller over the
standard JTAG interface. Note that our modulation technique is \emph{changing the grid frequency itself}. This is
fundamentally different in both generation and detection from systems such as traditional PLC that superimpose a signal
on grid voltage, but leave the underlying grid frequency itself unaffected.
\begin{figure}
\centering
\includegraphics[width=0.4\textwidth]{flowchart}
\caption{Structural overview of our concept. 1 - Government authority or utility operations center. 2 - Emergency
radio link. 3 - Aluminium smelter. 4 - Electrical grid. 5 - Target smart meter.}
\label{fig_intro_flowchart}
\end{figure}
Figure~\ref{fig_intro_flowchart} shows an overview of our concept. Two scenarios for its application are before or
during a cyberattack, to stop an attack on the electrical grid in its tracks, and after an attack while power is being
restored to prevent a repeated attack. In both scenarios, our concept is fully independent of all public communication
networks (such as the Internet or mobile networks) as well as broadcast systems (such as cable television or terrestrial
broadcast radio). A grid frequency-based system can function as long as power is still available, or as soon as power is
restored after the attack. One powerful function this allows is ``flushing out`` an attacker from compromised smart
meters after an attack, before restoring smart meter internet connectivity.
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
conditions. Based on these simulations we implemented an end-to-end prototype of our proposed safety reset controller as
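Review bot: the new phrase ``flushing out`` closes with two backticks instead of two apostrophes, so LaTeX will typeset opening quotes on both sides; it should read ``flushing out''. Two further points in this hunk: the added claim that the controller "disables all network functionality to prevent re-compromise" should say whether that state is permanent or how connectivity is later re-enabled, since the following paragraph speaks of "restoring smart meter internet connectivity" afterwards; and the caption's "1 - Government authority ..." enumeration uses a plain hyphen where an en dash (--) or a colon is the usual LaTeX convention.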
@ -313,6 +329,16 @@ well as low receiver hardware complexity.
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
Compared to traditional channels such as DSL, LTE or LoraWAN, grid frequency as a communication channel has a large
resiliency advantage: If there is power, a grid frequency modulation system is operational. Both DSL and LTE systems not
only require power but also require large amounts of centralized infrastructure to operate. Mesh networks such as
LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
longer distances LoraWAN relies on the public internet for its network backbone. Therefore, during an ongoing
cyberattack, grid frequency is promising as a communication channel as only a single transmitter facility must be
operational for it to function. After a power outage, it can function as soon as electrical power is restored, even
while the public internet and mobile networks are still offline and it is unaffected by cyberattacks that target
telecommunication networks.
\subsection{Characterizing Grid Frequency}
In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely
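Review bot: "Mesh networks such as LoraWAN" is inaccurate: LoRaWAN (note the capitalisation) uses a star-of-stars topology in which end devices talk to gateways, not a mesh. The resilience argument still holds if the sentence says that LoRaWAN can cover short distances with only a local gateway but needs an internet backbone beyond that. Also, in the last sentence, "offline and it is unaffected" starts a new independent clause and needs a comma before "and".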
@ -359,12 +385,28 @@ Aluminium smelters are operated around the clock, and due to the high financial
outages has been carefully characterized by the industry. Power outages of tens of minutes up to two hours reportedly do
not cause problems in aluminium potlines~\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation
without affecting cell lifetime or product quality have been developed to take advantage of variable energy
prices.~\cite{duessel01,eisma01}. An aluminium plant's power supply is controlled to constantly keep all smelter cells
under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to rectify
low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a combination of a
tap changer and a transductor. Individual cell voltages are controlled by changing the physical distance between anode
and cathode distance. In this setup, power can be modulated fully electronically. Since this system does not have any
mechanical inertia, high modulation rates can reasonably be achieved.
prices.~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all
smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to
rectify low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a
combination of a tap changer and a transductor. Individual cell voltages are controlled by changing the physical
distance between anode and cathode distance. In this setup, power can be modulated fully electronically. Since this
system does not have any mechanical inertia, high modulation rates can reasonably be achieved.
In~\cite{depree01}, the authors describe a setup where a large Aluminium smelter in continental Europe is used as
primary control reserve for frequency \emph{regulation}. In this setup, a rise time of $\SI{15}{\second}$ was achieved
to meet the $\SI{30}{\second}$ requirement posed by local standards for primary control. In their conclusion, the
authors note that for their system, an energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ is possible if all plants
of a single operator are used. Given the maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that is
mentioned by the authors, this results in an effective modulation power of $\SI{7.7}{\giga\watt}$. Over a longer
timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to
a modulation power of $\SI{2.5}{\giga\watt}$.
From this brief literature review, we conclude that a modulation of part of an aluminium smelter's power consumption
most likely is possible at no significant production impact and low infrastructure cost (such as for shell heat
exchangers as used in~\cite{depree01}). Aluminium smelters are connected to the grid in a way that they do not pose a
danger to other nearby consumers when they turn off or on parts of the plant, as this is commonplace during routine
maintenance activities. They are very large consumers of electrical power, but they are still small when seen in
relation to the entire grid.
\subsection{Parametrizing Modulation for GFM}
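Review bot: "prices.~\cite{duessel01,eisma01,depree01}." puts the citation after the full stop and then adds a second full stop, so the output reads "prices. [..]."; move the citation before the period: "prices~\cite{duessel01,eisma01,depree01}." Three smaller points: "changing the physical distance between anode and cathode distance" repeats "distance" (the slip is in the old text too, so this rewrite is the moment to fix it); "large Aluminium smelter" is capitalised unlike "aluminium" elsewhere in the paragraph; and the depree01 numbers need their reference stated explicitly, because 7.7 GWh at 100 % depth for one hour does give 7.7 GW, but 2.5 GW at 33 % depth over 48 h corresponds to about 120 GWh, so the 33 % cannot be a fraction of the same 7.7 GWh capacity (presumably both percentages refer to the plant's nominal power).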


@ -916,6 +916,16 @@
editor = {Geoff Bearne and Marc Dupuis and Gary Tarcy},
pages = {683-688},
}
@InBook{depree01,
author = {N. Depree and R. Düssel and P. Patel and T. Reek},
booktitle = {Light Metals 2016},
date = {2016},
doi = {10.1007/978-3-319-48251-4_96},
title = {The Virtual Battery — Operating an Aluminium Smelter with Flexible Energy Input},
editor = {E. Williams},
pages = {571-576},
}
@InProceedings{duessel01,
author = {Roman Düssel},
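Review bot: the title field of the new depree01 entry contains a literal em dash character; unless the bibliography is processed by biber from a UTF-8 .bib file, write it as `---` (or `{\textemdash}`) so BibTeX does not mangle it. Also check the entry against the neighbouring duessel01, which is @InProceedings: Light Metals 2016 is a proceedings volume, so @InProceedings is the consistent choice, and `date` is a biblatex-only field (plain BibTeX styles expect `year`).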