jaseg/safety-reset
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rework WIP

Browse source
This commit is contained in:
jaseg 2022-09-16 18:06:34 +02:00
parent e3b1ff9222
commit 3e3e03892a
2 changed files with 54 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

2
paper/Makefile
View file

@ -10,7 +10,7 @@ MAKEFLAGS += --no-builtin-rules
main_tex ?= safety-reset-paper main_tex ?= safety-reset-paper
VERSION_STRING := $(shell git describe --tags --long) VERSION_STRING := 1.0 # $(shell git describe --tags --long)
all: ${main_tex}.pdf all: ${main_tex}.pdf

70
paper/safety-reset-paper.tex
View file

@ -187,6 +187,20 @@ task to secure the firmware of sufficiently many devices to deny an attacker the
Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid Even if all flaws in the firmware of a broad range of devices would be fixed, users still have to update. In smart grid
and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}. and IoT devices, this presents a difficult problem since user awareness is low~\cite{nbck+19}.
\subsection{Attacker model}
According to the above criteria, our attacker model has the following key features:
\begin{itemize}
\item The attacker cannot compromise the utility operators' SCADA systems.
\item The attacker can compromise and subsequently control a large number of target devices at the customer's
premises such as smart meters or large IoT devices such as air conditioners or central heating systems.
\item Target devices can be designed to include a separate firmware and factory reset function that the attacker
cannot circumvent. In the simplest case, this could be a separate microcontroller that is connected to the
device's application processor's programming port.
\item The attacker aims for maximum disruption as opposed to e.g. data extraction.
\end{itemize}
\subsection{Contents} \subsection{Contents}
Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world Starting from a high level architecture, we have carried out simulations of our concept's performance under real-world
@ -441,17 +455,20 @@ receiver hardware complexity.
To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel To the best of the authors' knowledge, grid frequency modulation has only ever been proposed as a communication channel
at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application. at very small scales in microgrids before~\cite{urtasun01} and has not yet been considered for large-scale application.
\subsection{Comparison to other communication channels}
Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication Compared to traditional channels such as Fiber To The Home (FTTH), 5G or LoraWAN, grid frequency as a communication
channel has a resiliency advantage: If there is power, a grid frequency modulation system is operational. Both FTTH and channel has a resiliency advantage. It can start transmission as soon as a power island with a connected transmitter is
5G systems not only require power at their base stations, but also require centralized infrastructure to operate. Mesh powered up, while communciation networks such as FTTH or 5G are still rebooting, or might be waiting for parts of their
networks such as LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be centralized infrastructure that are connected to different power islands to come back online. Mesh networks such as
available, but for longer distances LoraWAN relies on the public internet for its network backbone. Additionally, LoraWAN can cover short distances up to $\SI{20}{\kilo\meter}$ without requiring infrastructure to be available, but for
systems such as FTTH, 5G and LoraWAN are built around a point-to-point communication model and usually do not support a longer distances LoraWAN relies on the public internet for its network backbone. Additionally, systems such as FTTH, 5G
generic broadcast primitive. During times when a large number of devices must be reached simultaneously this can lead to and LoraWAN are built around a point-to-point communication model and usually do not support a generic broadcast
congestion of cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a primitive. During times when a large number of devices must be reached simultaneously this can lead to congestion of
communication channel because only a single transmitter facility must be operational for it to function, and this single cellular towers and servers. Therefore, during an ongoing cyberattack, grid frequency is promising as a communication
transmitter can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as channel because only a single transmitter facility must be operational for it to function, and this single transmitter
electrical power is restored, even while the public internet and mobile networks are still offline. It is unaffected by can reach all connected devices simultaneously. After a power outage, it can resume operation as soon as electrical
power is restored, even while the public internet and mobile networks are still offline. It is unaffected by
cyberattacks that target telecommunication networks. cyberattacks that target telecommunication networks.
\subsection{Characterizing Grid Frequency} \subsection{Characterizing Grid Frequency}
@ -503,13 +520,12 @@ oscillation modes at $\SI{0.15}{\hertz}$ (east-west) and $\SI{0.25}{\hertz}$ (no
\section{Grid Frequency Modulation} \section{Grid Frequency Modulation}
A transmitter for grid frequency modulation would be a controllable load of several Megawatt that A transmitter for grid frequency modulation would be a controllable load of several Megawatt that is located centrally
is located centrally within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling within the grid. A baseline implementation would be a spool of wire submerged in a body of cooling liquid (such as a
liquid (such as a small lake) which is powered from a small lake) which is powered from a thyristor rectifier bank. Compared to this baseline solution, hardware and
thyristor rectifier bank. Compared to this baseline solution, hardware and maintenance investment can be decreased maintenance investment can be decreased by repurposing a large industrial load as a transmitter. Going through a list of
by repurposing a large industrial load as a transmitter. Going through a energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. In
list of energy-intensive industries in Europe~\cite{ec01}, we found that an aluminium smelter would be a good candidate. aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
In aluminium smelting, aluminium is electrolytically extracted from alumina solution. High-voltage mains power is
transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}. transformed, rectified and fed into approximately 100 series-connected electrolytic cells forming a \emph{potline}.
Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and Inside these pots, alumina is dissolved in molten cryolite electrolyte at approximately \SI{1000}{\degreeCelsius} and
electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the electrolysis is performed using a current of tens or hundreds of Kiloampère. The resulting pure aluminium settles at the
@ -538,6 +554,26 @@ consumption is possible at no significant production impact and at low infrastru
already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on already connected to the grid in a way that they do not pose a danger to other nearby consumers when they turn off or on
parts of the plant, as this is commonplace during routine maintenance activities. parts of the plant, as this is commonplace during routine maintenance activities.
\subsection{The operational model of a GFM-based safety reset}
While a single large Aluminium smelter could conceivably provide sufficient modulation power to cover the entire
continental European synchronous area, we have to consider operation during a black start, when the grid temporarily
divides into a number of disconnected power islands. A single transmitter would only be able to reach receivers on the
same power island.
Instead, the system can use a number of transmitters that are distributed throughout the network. Piggy-backing
transmitters on existing industrial loads keeps the implementation cost of additional transmitters low. By running
transmitters from gps-synchronized ovenized crystal oscillators or rubidium frequency standards, transmissions can be
precisely synchronized across power islands even after a holdover period of several days. This allows a transmission to
continue un-interrupted while the utility re-joins power island into the larger grid, since the transmissions on both
islands are precisely synchronized.
As illustrated in Figure~\ref{fig_intro_flowchart}, the transmitters are connected to a command center. For this
connection, a redundant set of long-range radio or satellite links can be used, as well as wired connections through the
utility's dedicated SCADA network. In an emergency, the command center can then trigger a transmission. Synchronized
through their gps-backed frequency standards, two transmitters will then constructively interfere as soon as they are
connected to the same power island.
\subsection{Parametrizing Modulation for GFM} \subsection{Parametrizing Modulation for GFM}
Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we Given the grid characteristics we measured using our custom waveform recorder and using a model of our transmitter, we