paper: formulation WIP, update spectrum graph

This commit is contained in:
jaseg 2022-05-06 17:59:15 +02:00
parent 76f34b4839
commit da4afa7354
12 changed files with 136 additions and 113 deletions

@ -19,6 +19,11 @@ all: ${main_tex}.pdf
biber $*
pdflatex -shell-escape $<
.PHONY: once
once: safety-reset-paper.tex safety-reset.bib version.tex
biber safety-reset-paper
pdflatex -shell-escape $<
version.tex: ${main_tex}.tex safety-reset.bib
echo "${VERSION_STRING}" > $@
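Review bot: the new `once` target hardcodes `safety-reset-paper` both in its prerequisites and in the `biber safety-reset-paper` recipe, while the `all` target directly above derives everything from `${main_tex}`; `once: ${main_tex}.tex safety-reset.bib version.tex` and `biber ${main_tex}` would keep the two targets from drifting apart. Separately, `pdflatex -shell-escape` (used in both targets) lets any `\write18` in the sources or in included files run arbitrary shell commands during the build; if shell escape is needed for only one package, the restricted mode (`-shell-restricted`) or a comment in the Makefile stating why unrestricted shell escape is required would make the build safer to run on a checkout from an untrusted branch.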

@ -370,19 +370,6 @@ networks.
\subsection{Characterizing Grid Frequency}
\label{grid-freq-characterization}
In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely
measure grid frequency among other parameters. This task is a complicated task since a PMU has to make fast and precise
measurements given a distorted input signal. Details on the inner workings of commercial phasor measurement units are
scarce but there is a large amount of academic research on measurement
algorithms~\cite{narduzzi01,derviskadic01,belega01}.
In our application, we do not need the same level of precision. For the sake of simplicity, we use the universal
frequency estimation approach of Gasior and Gonzalez~\cite{gasior01}. In this algorithm, the windowed input signal is
processed using a Discrete Fourier Transform (DFT), then the signal's fundamental frequency is interpolated by fitting a
wavelet to the largest peak in the DFT result. The bias parameter of this curve fit is an accurate estimation of the
signal's fundamental frequency. This algorithm is similar to the simpler interpolated DFT algorithm referenced by phasor
measurement literature~\cite{borkowski01}.
To collect ground truth measurements for our analysis of grid frequency as a communication channel, we developed a
device to safely record mains voltage waveforms. Our system consists of an \texttt{STM32F030F4P6} ARM Cortex M0
microcontroller that records mains voltage using its internal 12-bit ADC and transmits measured values through a
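Review bot: the eleven deleted lines reappear in the following `-392,51 +379,65` hunk, so this is a move rather than a removal, and the justification sentence ("This task is a complicated task since a PMU has to make fast and precise measurements given a distorted input signal") survives in the reinserted copy in condensed form. After the move the subsection opens directly with the hardware ("To collect ground truth measurements for our analysis ..."), which reads fine, though a one-sentence lead saying what the device's output feeds into (the frequency estimation described further down) would orient the reader before the ADC and transmission details.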
@ -392,51 +379,65 @@ grid frequency error of $\SI{50}{\micro\hertz}$. We compared our oven-stabilized
found that over a time span of 20 minutes both stayed stable within 5 ppb of each other, which corresponds to the drift
specification of a typical crystal oven.
In utility SCADA systems, Phasor Measurement Units (PMUs, also called \emph{synchrophasors}) are used to precisely
measure grid frequency among other parameters. Details on the inner workings of commercial phasor measurement units are
scarce but there is a large amount of academic research on measurement. PMUs employ complex signal analysis algorithms
to provide fast and precise measurements even when given a heavily distorted input
signal~\cite{narduzzi01,derviskadic01,belega01}.
In our application, we do not need the same level of precision. For the sake of simplicity, we use the universal
frequency estimation approach of Gasior and Gonzalez~\cite{gasior01}. In this algorithm, the windowed input signal is
processed using a Discrete Fourier Transform (DFT), then the signal's fundamental frequency is interpolated by fitting a
wavelet to the largest peak in the DFT result. The bias parameter of this curve fit is an accurate estimation of the
signal's fundamental frequency. This algorithm is similar to the interpolated DFT algorithm referenced by phasor
measurement literature~\cite{borkowski01}.
\begin{figure}
\centering
\includegraphics[width=0.8\textwidth]{../notebooks/fig_out/freq_meas_spectrum}
\caption{The spectrum of grid frequency variations measured over a two-day timespan. The raw spectrum is shown in
gray, and a smoothed spectrum is shown in red. The blue line is inversely proportional to frequency and illustrates
the $1/f$ nature of the spectrum. Distinctive peaks in the spectrum are marked with red crosses, and their locations
\includegraphics[width=0.45\textwidth]{../notebooks/fig_out/freq_meas_spectrum_new}
\caption{The spectrum of grid frequency variations measured over 24 hours. The raw spectrum is shown in gray, and a
smoothed spectrum is shown in red. The blue line is inversely proportional to frequency and illustrates the $1/f$
nature of the spectrum. Distinctive peaks in the spectrum are marked with red crosses, and their locations
are given on the bottom of the diagram.}
\label{fig_freq_spec}
\end{figure}
A number of effects can be seen in our measurement results in Figure~\ref{fig_freq_spec}. Across the frequency range, we
observe a broad $1/f$ noise. Above a period of $\SI{10}{\second}$, this $1/f$ noise dips to a flat noise floor. We
estimate that this low-noise region is caused by the self-regulating effect of loads. %FIXME citation
Above a $\SI{10}{\second}$ period, primary control is activated and thus the $1/f$ noise we observe is the result of the
interaction between primary control and consumer demand. On top of this $1/f$ behavior, the spectrum shows several sharp
peaks at time intervals with a ``round'' number such as $\SI{10}{\second}$, $\SI{60}{\second}$ or multiples of
$\SI{300}{\second}$. These peaks are due to loads turning on- or off depending on wall-clock time. Besides the narrow
peaks caused by this effect we can also observe two wider bumps at $\SI{6.3}{\second}$ and $\SI{3.9}{\second}$. These
bumps closely correlate with continental european synchonous area's oscillation modes at $\SI{0.15}{\hertz}$ (east-west)
and $\SI{0.25}{\hertz}$ (north-south)~\cite{grebe01}.
% FIXME measurement results
Using our grid frequency recorder, we performed a two-day measurement series of grid frequency.
Figure~\ref{fig_freq_spec} shows the frequency spectrum of grid frequency over this two-day span. In this spectrum, we
observe a number of features. Across the frequency range, we observe a broad $1/f$ noise. Above a period of
$\SI{10}{\second}$, this $1/f$ noise dips to a flat noise floor. We estimate that this low-noise region is caused by the
self-regulating effect of loads. %FIXME citation Above a $\SI{10}{\second}$ period, primary control is activated and
thus the $1/f$ noise we observe is the result of the interaction between primary control and consumer demand. On top of
this $1/f$ behavior, the spectrum shows several sharp peaks at time intervals with a ``round'' number such as
$\SI{10}{\second}$, $\SI{60}{\second}$ or multiples of $\SI{300}{\second}$. These peaks are due to loads turning on- or
off depending on wall-clock time. Besides the narrow peaks caused by this effect we can also observe two wider bumps at
$\SI{7.0}{\second}$ and $\SI{4.7}{\second}$. These bumps closely correlate with continental european synchonous area's
oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (north-south)~\cite{grebe01}.
\section{Grid Frequency Modulation}
In its most basic form a transmitter for grid frequency modulation would be a very large controllable load located
centrally within the grid. A spool of wire submerged in a body of cooling liquid such as a small lake along with a
thyristor rectifier bank would likely suffice. We can however decrease hardware and maintenance investment even compared
to this rather uncultivated solution by repurposing large industrial loads as transmitters. Going through a list of
energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In
aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
A transmitter for grid frequency modulation would be a controllable load of several Megawatt that
is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling
liquid (such as a small lake) which is powered from a
thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased
by repurposing a large industrial load as a transmitter. Going through a
list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate.
In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
transformed, rectified and fed into about 100 series-connected electrolytic cells forming a \emph{potline}. Inside these
pots alumina is dissolved in molten cryolite electrolyte at about \SI{1000}{\degreeCelsius} and electrolysis is
performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the bottom of the
cell and is tapped off for further processing.
Aluminium smelters are operated around the clock, and due to the high financial stakes their behavior under power
outages has been carefully characterized by the industry. Power outages of tens of minutes up to two hours reportedly do
outages has been carefully characterized. Power outages of tens of minutes up to two hours reportedly do
not cause problems in aluminium potlines~\cite{eisma01,oye01}. Recently, even techniques for intentional power modulation
without affecting cell lifetime or product quality have been developed to take advantage of variable energy
prices.~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all
smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or SCRs to
prices~\cite{duessel01,eisma01,depree01}. An aluminium plant's power supply is controlled to constantly keep all
smelter cells under optimal operating conditions. Modern power supply systems employ large banks of diodes or thyristors to
rectify low-voltage AC to DC to be fed into the potline~\cite{ayoub01}. Potline voltage is controlled through a
combination of a tap changer and a transductor. Individual cell voltages are controlled by changing the physical
distance between anode and cathode distance. In this setup, power can be modulated fully electronically. Since this
system does not have any mechanical inertia, high modulation rates can reasonably be achieved.
distance between anode and cathode distance. In this setup, power can be electronically modulated using the thyristor
rectifier. Since the system does not have any mechanical inertia, high modulation rates are possible.
In~\cite{depree01}, the authors describe a setup where a large Aluminium smelter in continental Europe is used as
primary control reserve for frequency \emph{regulation}. In this setup, a rise time of $\SI{15}{\second}$ was achieved
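Review bot: in the rewritten measurement paragraph the line `self-regulating effect of loads. %FIXME citation Above a $\SI{10}{\second}$ period, primary control is activated and` comments out everything after `%`, so the compiled text reads "... effect of loads. thus the $1/f$ noise we observe ..." with the primary-control clause silently dropped; put `%FIXME citation` on its own line as the old version had it. Two further points in the same paragraph: the noise-floor sentence and the primary-control sentence both say "Above a $\SI{10}{\second}$ period", so one of them is presumably "below"; and the bump locations changed from $\SI{6.3}{\second}$/$\SI{3.9}{\second}$ to $\SI{7.0}{\second}$/$\SI{4.7}{\second}$, which are about $\SI{0.14}{\hertz}$ and $\SI{0.21}{\hertz}$, further from the cited $\SI{0.15}{\hertz}$ and $\SI{0.25}{\hertz}$ modes than the previous values were, so either "closely correlate" needs softening or the new values want rechecking. Minor: "synchonous" -> "synchronous", "continental european" -> "continental European", "on- or off" -> "on or off", "several Megawatt" -> "several megawatts", "Kiloampère" -> "kiloampere" (unit names are lowercase), and "distance between anode and cathode distance" still repeats "distance" in the rewritten line.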
@ -444,23 +445,20 @@ to meet the $\SI{30}{\second}$ requirement posed by local standards for primary
authors note that for their system, an energy storage capacity of $\SI{7.7}{\giga\watt\hour}$ is possible if all plants
of a single operator are used. Given the maximum modulation depth of $\SI{100}{\percent}$ for up to one hour that is
mentioned by the authors, this results in an effective modulation power of $\SI{7.7}{\giga\watt}$. Over a longer
timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to
a modulation power of $\SI{2.5}{\giga\watt}$.
From this brief literature review, we conclude that a modulation of part of an aluminium smelter's power consumption
most likely is possible at no significant production impact and low infrastructure cost (such as for shell heat
exchangers as used in~\cite{depree01}). Aluminium smelters are connected to the grid in a way that they do not pose a
danger to other nearby consumers when they turn off or on parts of the plant, as this is commonplace during routine
maintenance activities. They are very large consumers of electrical power, but they are still small when seen in
relation to the entire grid.
timespan of $\SI{48}{\hour}$, they have demonstrated a $\SI{33}{\percent}$ modulation depth which would correspond to a
modulation power of $\SI{2.5}{\giga\watt}$. We conclude that a modulation of part of an aluminium smelter's power
consumption is possible at no significant production impact and at low infrastructure cost. Aluminium smelters are
already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on
parts of the plant, as this is commonplace during routine maintenance activities.
\subsection{Parametrizing Modulation for GFM}
Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we
can derive parameters for the modulation of our broadcast system. Modulating $\SI{25}{\mega\watt}$ of smelter power
would yield a frequency shift of $\SI{1}{\milli\hertz}$. At an RMS frequency noise of around $\SI{10}{\milli\hertz}$ in
the band around $\SI{1}{\hertz}$, this results in challenging SNR. A second layer of modulation yielding some modulation
gain is necessary to achieve sufficient overall SNR.
can derive parameters for the modulation of our broadcast system. The overall network power-frequency characteristic of
the continental European synchronous area is about $\SI{25}{\giga\watt\per\hertz}$~\cite{entsoe02}. Thus, the main
challenge for a GFM system will be poor SNR due to low transmission power. A second layer of modulation yielding some
modulation gain beyond the basic amplitude modulation of the transmitter will be necessary to achieve sufficient overall
SNR.
The grid's frequency noise has significant localized peaks that might interfere with this modulation. Further
complicating things are the oscillation modes. A GFM system must be designed to avoid exciting these modes. However,
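Review bot: the rewrite drops the concrete numbers the old text gave for the SNR problem (modulating $\SI{25}{\mega\watt}$ yields a $\SI{1}{\milli\hertz}$ shift against roughly $\SI{10}{\milli\hertz}$ RMS noise around $\SI{1}{\hertz}$) in favour of the $\SI{25}{\giga\watt\per\hertz}$ network characteristic, so "poor SNR due to low transmission power" is now asserted without a figure to back it; the two formulations agree ($\SI{25}{\mega\watt}$ divided by $\SI{25}{\giga\watt\per\hertz}$ is $\SI{1}{\milli\hertz}$), so keeping the worked number here would also support the $\SI{1}{\milli\hertz}$ / $\SI{25}{\mega\watt}$ correspondence the simulation section relies on. Also, "most likely is possible at no significant production impact" became the categorical "is possible" while the supporting references are unchanged; the hedge seems worth keeping.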
@ -477,19 +475,19 @@ $\approx\SI{2}{\hertz}$ would complicate frequency measurement at the receiver s
We simulated a proof-of-concept modulator and demodulator using data captured from our grid frequency sensor. Our
simulations covered a range of parameters in modulation amplitude, DSSS sequence bit depth, chip duration and detection
threshold. Figure~\ref{fig_ser_nbits} shows symbol error rate (SER) as a function of modulation amplitude with Gold
sequences of several bit depths. As can be seen, realistic modulation amplitudes are in the range around
$\SI{1}{\milli\hertz}$. In the continental European synchronous area, this corresponds to a modulation power of
approximately $\SI{25}{\mega\watt}$. Figure~\ref{fig_ser_thf} shows SER against detection threshold relative to
background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length. As expected
from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and worsens for
longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region from
$\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
threshold. Figure~\ref{fig_ser_nbits} shows our simulation results for symbol error rate (SER) as a function of
modulation amplitude with Gold sequences of several bit depths. From these graphs we conclude that the range of
practical modulation amplitudes starts at approximately $\SI{1}{\milli\hertz}$, which corresponds to a modulation power
of approximately $\SI{25}{\mega\watt}$~\cite{entsoe02}. Figure~\ref{fig_ser_thf} shows SER against detection threshold
relative to background noise. Figure~\ref{fig_ser_chip} shows SER against chip duration for a given fixed symbol length.
As expected from looking at our measured grid frequency noise spectrum, performance is best for short chip durations and
worsens for longer chip durations since shorter chip durations move our signals' bandwidth into the lower-noise region
from $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
%FIXME introduce term "chip" somewhere
\begin{figure}
\centering
\includegraphics[width=0.6\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
\includegraphics[width=0.4\textwidth]{../notebooks/fig_out/dsss_gold_nbits_overview}
\caption{Symbol Error Rate as a function of modulation amplitude for Gold sequences of several lengths.}
\label{fig_ser_nbits}
\end{figure}
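Review bot: the new paragraph uses "DSSS sequence bit depth" and "chip duration" before either term is defined, and the retained `%FIXME introduce term "chip" somewhere` line is the reminder for exactly that; this first use is the natural place for a one-sentence definition (a chip being one element of the spreading sequence, a run of which makes up one symbol). The sentence "performance is best for short chip durations and worsens for longer chip durations since shorter chip durations move ..." repeats "chip durations" three times; "performance is best for short chip durations, which move the signal's bandwidth into the lower-noise region from ..." says the same thing.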
@ -510,8 +508,9 @@ $\SI{0.2}{\hertz}$ to $\SI{2}{\hertz}$.
\label{fig_ser_chip}
\end{figure}
\subsection{Parametrizing a proof-of-concept "Safety Reset" System Based on GFM}
\subsection{Parametrizing a proof-of-concept ``Safety Reset'' System Based on GFM}
%FIXME introduce scenario
Taking these modulation parameters as a starting point, we proceeded to create a proof-of-concept smart meter emergency
reset system. On top of the modulation described in the previous paragraphs we layered simple Reed-Solomon error
correction~\cite{mackay01} and some cryptography. The goal of our PoC cryptographic implementation was to allow the
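Review bot: the straight-quote to ``...'' change is the right fix for LaTeX; while touching the heading, "proof-of-concept" could be capitalized to match the title case of the other subsection headings in this diff ("Parametrizing Modulation for GFM"). The added `%FIXME introduce scenario` is a second open TODO in this file alongside the "chip" one, acceptable for a WIP commit but worth tracking.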
@ -624,20 +623,30 @@ expect safety reset controllers to be commercially viable given adequate politic
\section{Conclusion}
\label{sec_conclusion}
In this paper we have developed an end-to-end design of a reset system to restore smart meters to a safe operating state
during an ongoing large-scale cyberattack. To allow our system to be triggered even in the middle of a cyberattack we
have developed a broadcast data transmission system based on intentional modulation of global grid frequency. We have
shown the viability of our end-to-end design through simulations. To put these simulations on a solid foundation we have
developed a grid frequency measurement methodology comprising of a custom-designed hardware device for electrically safe
data capture and a set of software tools to archive and process captured data. Our simulations show good behavior of our
broadcast communication system and give an indication that cooperating with a large consumer such as an aluminium smelter
would be a feasible way to set up a transmitter with low hardware overhead. We have outlined a simple cryptographic
protocol ready for embedded implementation in resource-constrained systems that allows triggering a safety reset with a
response time of less than 30 minutes. We have experimentally validated our system using simulated grid frequency data
in a demonstrator setup based on a commercial microcontroller as our safety reset controller and an off-the-shelf smart
meter. The next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in
collaboration with an utility and an operator of a multi-megawatt load. Source code and electronics CAD designs are
available at the public repository listed at the end of this document.
During an emergency in the electrical grid, the ability to communicate to large numbers of end-point devices is a
valuable tool for restoring normal operation. When a resilient communcation channel is available, loads such as smart
meters and IoT devices can be equipped with a supervisor circuit that allows for a remote ``safety reset'' that puts the
device into a safe operating state. Using this safety reset, an attacker that uses compromised smart meters or IoT
devices to attack grid stability can be interrupted before the conculusion of their attack. During recover from an
outage, a safety reset can be used to reduce stress on the system during a black start by turning of non-essential loads
such as air conditioners.
In this paper we have developed an end-to-end design of a safety reset system that provides these capabilities. Our
novel broadcast data transmission system is based on intentional modulation of global grid frequency. Our system is
independent of normal communication networks and can operate during a cyberattack. We have shown the practical viability
of our end-to-end design through simulations. Using our purpose-designed grid frequency recorder, we can capture and
process real-time grid frequency data in an electrically safe way. We used data captured this way as the basis for
simulations of our proposed grid frequency modulation communication channel. In these simulations, our system has proven
feasible. From our simulations we conclude that a large consumer such as an aluminium smelter at a small cost can be
modified to act as an on-demand grid frequency modulation transmitter.
We have demonstrated our modulation system in a small-scale practical demonstration. For this demonstration, we have
developed a simple cryptographic protocol ready for embedded implementation in resource-constrained systems that allows
triggering a safety reset with a response time of less than 30 minutes. In this demonstration we use simulated grid
frequency data to trigger a commercial microcontroller to perform a firmware reset of an off-the-shelf smart meter. The
next step in our evaluation will be to conduct an experimental evaluation of our modulation scheme in collaboration with
an utility and an operator of a multi-megawatt load. Source code and electronics CAD designs are available at the
public repository listed at the end of this document.
\printbibliography[heading=bibintoc]
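Review bot: several typos in the added conclusion lines: "communcation" -> "communication", "conculusion" -> "conclusion", "During recover from an outage" -> "During recovery from an outage", "turning of non-essential loads" -> "turning off non-essential loads", and "an utility" -> "a utility" (carried over from the old text). On substance, "In these simulations, our system has proven feasible" followed two sentences later by "From our simulations we conclude ..." states the same result twice; and the new opening paragraph promises that an attacker "can be interrupted before the conclusion of their attack", which is a stronger claim than the old "restore smart meters to a safe operating state during an ongoing large-scale cyberattack", so check that the body of the paper supports the stronger wording.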