ma: finishing touches on conclusion, expand experiment results
parent a5ccb91053
commit dc98ce4106
1 changed files with 29 additions and 14 deletions
@ -2529,6 +2529,20 @@ experiment. We tried the demonstrator setup in Figure \ref{fig_proto_pic} using
real-time. Our experiment went without any issues and the firmware implementation correctly reset the demonstrator's
meter. We were happy to see that our extensive testing paid off: The demonstrator setup worked on its first try.
Our experiment consisted of the demonstrator prototype with the meter flashed with its factory firmware connected to a
microcontroller development board acting as the safety reset controller. The safety reset controller is connected to a
laptop's audio output through an adapter board. The laptop plays back an emulated grid voltage waveform that the safety
reset microcontroller measures and analyzes as it would when directly connected to the mains. When the microcontroller
receives a reset sequence that is a valid signature using a development key incorporated into its firmware through JTAG
it re-programs the smart meter with a modified firmware image that displays a success message on the meter's LCD.
We used a signature truncated at 120 bit in our experiment. We chose a 5 bit DSSS sequence. Taking the sign bit into
account the length of the encoded signature is 20 DSSS symbols. On top of this we used Reed-Solomon error correction at
a 2:1 ratio inflating total message length to 30 DSSS symbols. At the \SI{1}{\second} chip rate we used in other
simulations as well this equates to an overall transmission duration of approximately \SI{15}{\minute}. To give the
demodulator some time to settle and to produce more realistic conditions of signal reception we padded the modulated
signal unmodulated noise on both ends.
\section{Lessons learned}
Before settling on the commercial smart meter we first tried to use an \texttt{EVM430-F6779} smart meter evaluation kit
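Review bot: the chip rate is given as a duration here ("At the \SI{1}{\second} chip rate we used in other simulations") but as a rate in the later hunk ("a chip rate of \SI{1}{\baud}"); pick one form, e.g. a \SI{1}{\baud} chip rate or a \SI{1}{\second} chip period, and use it in both places. The last sentence, "we padded the modulated signal unmodulated noise on both ends", is missing "with". The sentence about the reset sequence reads as if the signature rather than the development key were "incorporated into its firmware through JTAG"; "a valid signature under a development key that we flashed into the firmware via JTAG" would remove the ambiguity. Stating how many chips make up one DSSS symbol would also let the reader derive the quoted \SI{15}{\minute} duration from the 30-symbol message length and the \SI{1}{\second} chip timing.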
@ -2603,8 +2617,9 @@ Our literature study suggests that this is an appropriate first order approximat
modulation bandwidth in our simulations inside a \SIrange{1000}{100}{\milli\hertz} frequency band that we reason is most
likely to exhibit this linear behavior in practice. At lower frequencies primary control kicks in. With the frequency
delta thresholds specified for primary control systems\cite{entsoe04} this would lead to significant non-linear
effects. At higher frequencies grid frequency estimation at the receiver becomes more complex. Higher frequencies also
come close to modes of mechanical oscillation in generators (usually at \SI{5}{\hertz} and above\cite{crastan03}).
effects. At higher frequencies grid frequency estimation at the receiver becomes more complex since the margins of the
FFT transform shrink. Higher frequencies also come close to modes of mechanical oscillation in generators that usually
lie at \SI{5}{\hertz} and above\cite{crastan03}.
An analysis of the above concerns can be performed using dynamic grid simulation models\cite{semerow01,entsoe05}.
Presumably out of security concerns these models are only available under non-disclosure agreements. Integrating
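Review bot: the added justification "since the margins of the FFT transform shrink" is too vague to check; say which margin shrinks at higher modulation frequencies (for example, how many samples or grid cycles per chip the receiver's FFT window has left), and drop the redundant "transform" after "FFT". "\SIrange{1000}{100}{\milli\hertz}" is written in descending order; "\SIrange{100}{1000}{\milli\hertz}" (or "\SIrange{0.1}{1}{\hertz}") reads more naturally. Style: the citations are glued to the preceding word ("systems\cite{entsoe04}", "above\cite{crastan03}"); use "~\cite{...}" so the citation is separated by a non-breaking space.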
@ -2613,7 +2628,7 @@ challenge which is why we decided to leave this topic for a separate future work
After detailed model simulation we ultimately aim to validate our results experimentally. Assuming linear grid behavior
even under very small disturbances a small-scale experiment is an option. Such a small-scale experiment would require
very long integration times. Given a frequency characteristic of \SI{30}{\giga\watt\per\hertz} a stimulus of
very long integration times: Given a frequency characteristic of \SI{30}{\giga\watt\per\hertz} a stimulus of
\SI{10}{\kilo\watt} yields $\Delta f = \SI{0.33}{\micro\hertz}$. At an estimated \SI{20}{\milli\hertz} of RMS noise over
a bandwidth of interest this results in an SNR slightly better than \SI{-50}{\decibel}. The correlation time necessary
to offset this with DSSS processing gain at a chip rate of \SI{1}{\baud} would be in the order of days. With such long
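Review bot: the SNR in "At an estimated \SI{20}{\milli\hertz} of RMS noise over a bandwidth of interest this results in an SNR slightly better than \SI{-50}{\decibel}" does not follow from the stated numbers: $\Delta f = \SI{0.33}{\micro\hertz}$ against \SI{20}{\milli\hertz} RMS is an amplitude ratio of about $1.7\times10^{-5}$, i.e. roughly \SI{-96}{\decibel}, while the "order of days" correlation time quoted for a \SI{1}{\baud} chip rate only matches the \SI{-50}{\decibel} figure; please recheck the noise estimate, the stimulus or the quoted SNR so that the three values agree. The change from "integration times. Given" to "integration times: Given" is fine, but lowercase "given" is the usual form after a colon.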
@ -2707,17 +2722,17 @@ elaborated the need for an out of band method to reset a meter's firmware due to
complex firmware. To allow our system to be triggered even in the middle of a cyberattack we have developed a broadcast
data transmission system based on intentional modulation of the global grid frequency. We have developed the theoretical
foundations of the process based on an established model of inertial grid frequency response to load variations and
shown the viability of our end-to-end design through extensive simulations. To properly base these simulations we have
developed a grid frequency measurement methodology comprising of a custom-designed hardware device for electrically safe
data capture and a set of software tools to archive and process captured data. Our simulations show good behavior of our
broadcast communication system and give an indication that coöperating with a large consumer such as an aluminum
smelter would be a feasible way to set up a transmitter with very low hardware overhead. Based on our broadcast
primitive we have developed a cryptographic protocol ready for embedded implementation in resource-constrained systems
that allows triggering all or a selected subset of devices within a quick response time of less than 30 minutes.
Finally, we have experimentally validated our system using simulated grid frequency data in a demonstrator setup based
on a commercial microcontroller as our safety reset controller and an off-the-shelf smart meter. We have laid out a path
for further research and standardization related to our system. Our code and electronics designs are available at the
public repository listed on the second page of this document.
shown the viability of our end-to-end design through extensive simulations. To put these simulations on a solid
foundation we have developed a grid frequency measurement methodology comprising of a custom-designed hardware device
for electrically safe data capture and a set of software tools to archive and process captured data. Our simulations
show good behavior of our broadcast communication system and give an indication that coöperating with a large consumer
such as an aluminum smelter would be a feasible way to set up a transmitter with very low hardware overhead. Based on
our broadcast primitive we have developed a cryptographic protocol ready for embedded implementation in
resource-constrained systems that allows triggering all or a selected subset of devices within a quick response time of
less than 30 minutes. Finally, we have experimentally validated our system using simulated grid frequency data in a
demonstrator setup based on a commercial microcontroller as our safety reset controller and an off-the-shelf smart
meter. We have laid out a path for further research and standardization related to our system. Our code and electronics
designs are available at the public repository listed on the second page of this document.
\newpage
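Review bot: "we have experimentally validated our system using simulated grid frequency data" overstates what the experiment hunk earlier in this commit describes (a laptop playing back an emulated grid voltage waveform into the reset controller); say that the demonstrator validated the receiver firmware and the reset path end-to-end on emulated input, not the grid channel itself, so the reader does not take it for a field test. "comprising of a custom-designed hardware device" should be "comprising a custom-designed hardware device" or "consisting of ..." (present in both the old and the new wording). "coöperating" with a diaeresis is unusual in technical writing; prefer "cooperating" unless the rest of the thesis uses that spelling.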