Sunday, February 18, 2018

The (potential) problem of distributed energy storage

Over the last 18 months, there have been significant developments in the debate around renewable energy in South Australia. Here are some:
  1. South Australia had a state-wide blackout. It was variously attributed to a storm, wind turbines, renewable energy, the Australian Energy Market Operator, the phase of the moon, and probably other things.
  2. Load shedding (also known as brownouts, or rolling blackouts) was applied to 90000 households in SA on the afternoon of a particularly hot day. This was apparently triple what was requested by the market operator to maintain grid stability, and occurred at a time when a gas-fired power station at Pelican Point (in Adelaide) was idle.
  3. Elon Musk, the CEO of Tesla, told South Australia that Tesla can fix our energy problems in 100 days or it's free -- and has completed the installation of the "big battery" within that 100 day period
  4. The South Australian government released a comprehensive plan calling for grid level battery storage (100 MW), a government owned gas turbine and other energy initiatives
  5. Malcolm Turnbull has proposed an upgrade to the Snowy Mountains hydro facility that will allow it to operate as a pumped hydro plant (effectively a huge battery)
Whew! On top of this, there have been calls to the SA government that, as well as embracing a grid-level battery storage system, they should pursue distributed residential energy storage using a scheme such as Reposit (AGL is also rolling out such a system now, called the virtual battery). The Liberal party, as part of their platform in the upcoming election, are also proposing to subsidise home battery systems in some sort of virtual battery system. This is an internet-coordinated distributed power company that manages home batteries to release energy to the grid during times when the short-term cost (spot price) is high. Households can make money by doing this.

I think this is a great idea, and it's commendable that such policies have bipartisan support in South Australia. It is good for people in cities to install battery storage systems, as long as they remain connected to the grid. There are a few reasons I think this:
  1. The grid is a sunk cost. It's already built so we should use it
  2. Generally speaking, shared resources are used more efficiently. Let's assume that 5% of houses have a battery installed (in a few years time). We, as a society, will be much better off if those batteries are used to stabilise the grid during times of peak demand, rather than have those households disconnect from the grid. Those households should be paid for the service of course!
  3. Distributed power is a good thing because it lessens the load on the grid and improves resiliance (there is not a central point to fail), it also reduces power transmission losses.

The problem

One of the big benefits of having distributed power supplies is that of resilience. If one (or a few) systems fail or are disconnected it probably doesn't matter for the grid as a whole. It lessens our dependence on the grid as a whole, and so improves resilience.

But... although it decreases reliance on the electricity grid, it greatly increases reliance on the telecommunications grid. The internet is vital to coordinate the distributed "virtual" battery. Without the distributed batteries being able to talk to each other and the central controller, which needs to get data from the grid, it is impossible for them to coordinate their activities and the system ceases to function properly (for example, with no internet, it becomes impossible for the grid to request delivery of power from the distributed storage at a time of need).

Do not believe technical people who tell you a system is secure. It is not secure -- it is only a matter of time until software or hardware vulnerabilities are discovered and exploited.

A mitigation

"Solution" is the wrong word here: it's not possible to remove the consequences of attacks -- we can only reduce their consequence and likelihood of success. The distributed battery system needs to communicate, and that communication is inherently insecure. The system needs to be built so that it is resilient to internet-based attacks at the system level. I am not an expert in internet security, but here are my thoughts:
  • The system should be designed with security in mind. The critical aspect of the system is its ability to respond to legitimate internet instructions (only!) and react accordingly. The designers need to be aware of the inherent risk of exposing such command and control interfaces to the internet. The security team should have oversight across all teams during the development of this system. There needs to be robust testing of the system(s) (at all levels, from low level to high level) to examine the security implications of design and implementation decisions.
  • The system should be heterogenous. There should be many types of devices communicating on an agreed open protocol. Having many types of devices means that, even if some of them are compromised by an attacker, they are unlikely all to fail (they will be based on different hardware and software making it unlikely that a universal security vulnerability exists). This represents security through diversity.
  • The system should fail-safe. The internet should not be the only method of communication between devices. They should second-guess the instructions they receive from the cloud, by performing their own assessments of grid stability. For example, the grid can use frequency modulation to signal whether more generation capacity is needed (eg. if the frequency starts to fall from a nominal 50 Hz to 49 Hz, that is a recognised signal -- this needs to be preserved as a signalling method). In this way, the devices should use the internet as a communications channel where it is available, but not be dependent on it for all aspects of their function.
  • User interface elements should be kept separate from the control systems. User interfaces are almost always less secure than system interface elements. This is because user interfaces have the added constraint of usability, which is often at odds with security requirements. User interfaces should be through a seperate cloud/web portal that has no direct connection to the system interface.

On many occasions, systems have been designed to use internet platforms with the unconscious assumption that the internet is both safe and persistent. The internet is neither of those things. I hope that the designers of distributed storage are mindful of this, so that their system(s) will be resilient in the face of unexpected communications downtime or malicious attacks.

No comments:

Post a Comment

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.