Title:
SYSTEMS AND METHODS RELATED TO A BATTERY MANAGEMENT SYSTEM
Document Type and Number:
WIPO Patent Application WO/2023/239268
Kind Code:
A1
Abstract:
A battery management system (101), BMS, for a battery unit (200), the BMS comprising a processor (206), a memory (207), and means to communicate with a control node (102). The BMS is configured to store a first cryptographic certificate in the memory, and authenticate a cryptographically signed message received by the BMS from the control node using the cryptographic certificate stored in the memory. If the message is authenticated by the BMS as signed with a private key corresponding to the certificate, the BMS is configured to take an action based on the cryptographically signed message. Further, there are methods, a control node, a computer program and a computer program product related to the battery management system.

Inventors:
VON DER LANCKEN GUSTAV (SE)
SHAMURAD FURAT (SE)
LINDH TORBJÖRN (SE)
WESTERGREN KENT (SE)
Application Number:
PCT/SE2022/050555
Publication Date:
December 14, 2023
Filing Date:
June 07, 2022
Assignee:
ERICSSON TELEFON AB L M (SE)
International Classes:
H02J7/00; G08B13/00; H04L9/32
Domestic Patent References:
WO2021222662A12021-11-04
Foreign References:
EP2908193A22015-08-19
US20180069228A12018-03-08
CN111163044A2020-05-15
US20210402954A12021-12-30
EP3486972A12019-05-22
Attorney, Agent or Firm:
EGRELIUS, Fredrik (SE)
Claims:
CLAIMS

1. A battery management system (101), BMS, for a battery unit (200), the BMS comprising a processor (206), a memory (207), and means to communicate with a control node, the BMS configured to: store a first cryptographic certificate in the memory (209); authenticate a cryptographically signed message received by the BMS (101) from the control node (102) using the cryptographic certificate stored in the memory (207); and if the message is authenticated by the BMS as signed with a private key corresponding to the certificate, taking an action based on the cryptographically signed message.

2. The BMS (101) according to claim 1, where the certificate uses an elliptic curve-based algorithm.

3. The BMS (101) according to any one of claims 1 or 2, wherein the action is to disable at least one function of the battery unit (200) if the cryptographically signed message is a request for the battery unit (200) to be locked.

4. The BMS (101) according to claim 3, where the action to disable the battery unit (200) comprises switching off a discharge field-effect transistor (210) in the battery unit (200).

5. The BMS (101) according to any one of claims 1 or 2, where the action is to enable at least one function of the battery unit (200) if the cryptographically signed message is a request for the battery unit (200) to be unlocked.

6. The BMS (101) according to claim 5, where enabling the battery unit (200) comprises switching on a discharge field-effect transistor (210) in the battery unit.

7. The BMS (101) according to any one of claims 1-6, where the BMS (101) is configured to wait for a message from the control node (103) before the expiry of an authentication timer, the message signed by the private key belonging to the control node (102), and attempting to authenticate the message as signed by the private key using the certificate stored in the memory (207) of the BMS (101).

8. The BMS (101) according to claim 7, the BMS (101) being configured to disable at least one function of the battery unit (200) if there is no authenticated message from the control node (102) before the expiry of the authentication timer.

9. The BMS (101) according to any one of claims 1 or 2, where the action is to store a second certificate corresponding to a second private key in the memory (207) of the BMS.

10. The BMS (101) according to any one of claims 1 or 2, where the action is to invalidate the certificate or a second certificate stored in the memory (207) of the BMS.

11. A battery unit (200) comprising a BMS (101) according to any one of claims 1-10.

12. The battery unit (200) according to claim 11, where the BMS (101) is configured to communicate with the control node (102) via an unprotected channel.

13. The battery unit (200) according to claim 11, where the BMS (101) is configured to communicate with the control node (102) via a protected channel.

14. The battery unit (200) according to any one of claims 1-13, where the communication between the BMS (101) and the control node (102) uses a Modbus protocol.

15. A method performed by a battery management system (101), BMS, the method comprising: storing a first cryptographic certificate in a memory (207) accessible to the BMS (101); authenticating a cryptographically signed message received from a control node (102) using the cryptographic certificate stored in the memory (207); and if the message is authenticated by the BMS (101) as signed with a private key corresponding to the certificate, taking an action based on the cryptographically signed message.

16. The method of claim 15, where the certificate uses an elliptic curve-based algorithm.

17. The method of any one of claims 15 or 16, wherein the action is to disable at least one function of the battery unit (200) if the cryptographically signed message is a request that the battery unit be locked.

18. The method of claim 17, where the action to disable the battery unit (200) comprises switching off a discharge field-effect transistor (210) in the battery unit.

19. The method of any one of claims 15 or 16, where the action is to enable at least one function of the battery unit if the cryptographically signed message is a request that the battery unit be unlocked.

20. The method of claim 19, where the action to enable the battery unit comprises switching on a discharge field-effect transistor (210) in the battery unit.

21. The method of any one of claims 15-20, comprising waiting for a message from the control node (102) at pre-set points in time, the message signed by a private key accessible to the control node (102), and attempting to authenticate the return message as signed by the private key using a certificate stored in the memory (207) of the BMS (101).

22. The method of claim 21, comprising disabling at least one function of the battery unit if the authentication of the message fails.

23. The method of any one of claims 15 or 16, where the action is to store a second certificate corresponding to a second private key in the memory (207) of the BMS (101).

24. The method of any one of claims 15 or 16, where the action is to invalidate the certificate or a second certificate stored in the memory (207) of the BMS (101).

25. A method performed by a control node (102) in a wireless network, the method comprising: sending a message signed by a cryptographic certificate belonging to the control node to a battery management system (101), BMS; and monitoring a battery unit managed by the BMS to determine whether it performed the action associated with the sent message.

26. The method of any one of claims 15-25, where the communication between the BMS (101) and the control node (102) uses an unprotected channel.

27. The method of any one of claims 15-25, where the communication between the BMS (101) and the control node (102) uses a protected channel.

28. The method of any one of claims 15-27, where the communication between the BMS (101) and the control node (102) uses a Modbus protocol.

29. A control node (102) in a wireless network, the control node comprising a processor (104) and a memory (105), configured to perform the method according to any one of claims 25-28.

30. A computer program (212), comprising instructions which when run by a battery management system (101) of a battery unit (200), causes the battery management system to perform a method according to any one of claims 15-24.

31. A computer program product (213) which comprises a computer readable storage medium on which a computer program according to claim 29 is stored.

32. A computer program (106), comprising instructions which when run on a processor (104) belonging to a control node (102), causes the control node (102) to perform a method according to any one of claims 25-28.

33. A computer program product (107) which comprises a computer readable storage medium on which a computer program according to claim 32 is stored.

Description:
SYSTEMS AND METHODS RELATED TO A BATTERY MANAGEMENT SYSTEM

TECHNICAL FIELD

The invention relates to a battery management system, a battery unit, a control node, methods, a computer program and a computer program product.

BACKGROUND

Theft of lead-acid batteries in radio base stations is rather common. Many base stations are very remote with minimal supervision or security, which makes them tempting to thieves. Now operators are starting to use lithium-based batteries instead, partly to avoid theft. Theft of lithium batteries has unfortunately already started, and it is therefore of great importance to develop methods to secure batteries from theft, or render them inoperable if stolen to deter thieves.

Moreover, a processor accessible to the battery management system of a battery unit is usually of very limited capacity. It is therefore of interest that any method used places low demands on the processing power available to the battery unit.

In prior art, security measures for battery units are aimed at preventing counterfeit battery units from being installed, thereby preventing damage to the system as a whole from installing battery units not suitable for the application. For example, US 20150048684 A1 discloses systems and methods to facilitate monitoring and/or control of battery supplies in industrial control settings. In some embodiments, the systems and methods enable the power supply to authenticate itself against a central controller.

Similar systems and methods also exist to deter theft of automotive vehicles, for example in US 20080027602 A1, where the automotive vehicle is equipped with a certificate which is checked before attempting to update any software, and the owner can choose to revoke the certificate if the vehicle is stolen.

SUMMARY

An object of the invention is to deter theft of a battery unit.

According to a first aspect of the invention, there is a battery management system, BMS, for a battery unit. The BMS comprises a processor, a memory, and means to communicate with a control node. The BMS is configured to store a first cryptographic certificate in the memory, authenticate a cryptographically signed message received by the BMS from the control node using the cryptographic certificate stored in the memory, and, if the message is authenticated as signed with a private key corresponding to the certificate, take an action based on the cryptographically signed message. Hereby is achieved that the BMS may confirm that it is communicating with an authorized control node before performing an action.

According to an embodiment of the first aspect of the invention, the certificate uses an elliptic curve-based algorithm. Hereby is achieved that low demands are placed on the processor of the battery management system.

According to an embodiment of the first aspect of the invention, the action is to disable at least one function of the battery unit if the cryptographically signed message is a request for the battery unit to be locked. Hereby is achieved that the battery unit may be rendered inoperable to prospective thieves.

According to an embodiment of the first aspect of the invention, the action to disable the battery unit comprises switching off a discharge field-effect transistor in the battery unit. Hereby is achieved that the battery unit is rendered unable to supply power, but still able to be charged, transported, and installed.

According to an embodiment of the first aspect of the invention, the action is to enable at least one function of the battery unit if the cryptographically signed message is a request for the battery unit to be unlocked. Hereby is achieved that the battery unit may be rendered operable by an authorized control node.

According to an embodiment of the first aspect of the invention, the action to enable the battery unit comprises switching on a discharge field-effect transistor in the battery unit.

According to an embodiment of the first aspect of the invention, the BMS is configured to expect a message from the control node before the expiry of an authentication timer where the message is signed by a private key belonging to the control node. The BMS is further configured to attempt to authenticate the message as signed by the private key using a certificate stored in the memory of the BMS. Hereby is achieved that the BMS may confirm at regular time intervals that it is still in communication with a control node in possession of a private key corresponding to a valid certificate.

According to an embodiment of the first aspect of the invention, the BMS is further configured to disable at least one function of the battery unit if there is no authenticated message from a control node. Hereby is achieved that the BMS may lock the battery unit if it is no longer in communication with a control node in possession of a private key corresponding to a valid certificate.

According to an embodiment of the first aspect of the invention, the action is to store a second certificate corresponding to a second private key. Hereby is achieved that use of the battery unit may be allowed for multiple certificate holders.

According to an embodiment of the first aspect of the invention, the action is to invalidate a certificate stored in the memory of the BMS. Hereby is achieved that ownership of the battery unit may be transferred, temporarily or permanently.

According to a second aspect of the invention, there is a battery unit comprising a BMS according to the first aspect of the invention.

According to an embodiment of the second aspect, the communication between the BMS of the battery unit and the control node uses an unprotected channel. In a further embodiment, this unprotected channel uses the Modbus protocol.

According to a third aspect of the invention there is a method performed by a battery management system. The method comprises storing a first cryptographic certificate in a memory accessible to the BMS, authenticating a cryptographically signed message received from a control node, and, if the message is authenticated as signed with a private key corresponding to the certificate, taking an action based on the cryptographically signed message.

According to an embodiment of the third aspect, the certificate uses an elliptic curve-based algorithm.

According to an embodiment of the third aspect, the action is to disable at least one function of the battery unit if the cryptographically signed message is a request that the battery unit be locked.

According to an embodiment of the third aspect, the action to disable the battery unit comprises switching off a discharge field-effect transistor in the battery unit.

According to an embodiment of the third aspect, the action is to enable at least one function of the battery unit if the cryptographically signed message is a request that the battery unit be unlocked.

According to an embodiment of the third aspect, the action to enable the battery unit comprises switching on a discharge field-effect transistor in the battery unit.

According to an embodiment of the third aspect, the method comprises waiting for a message from the control node before the expiry of an authentication timer, the message signed by a private key accessible to the control node, and attempting to authenticate the return message as signed by the private key using a certificate stored in the memory of the BMS.

According to an embodiment of the third aspect, the method comprises disabling at least one function of the battery unit if there is no authenticated message from a control node before the expiry of an authentication timer.

According to an embodiment of the third aspect, the action is to store a second certificate corresponding to a second private key.

According to an embodiment of the third aspect, the action is to invalidate the first certificate or the second certificate stored in the memory of the BMS.

According to a fourth aspect of the invention there is a method performed by a control node. The method comprises sending a message signed by a cryptographic certificate belonging to the control node to the BMS and monitoring the BMS to determine whether it performed the action associated with the sent message.

According to a fifth aspect of the invention there is a control node configured to send a message signed by a cryptographic certificate to a BMS and to monitor the BMS to determine whether it performed the action associated with the sent message.

According to a sixth aspect of the invention there is a computer program which comprises instructions. When run on the processor of a BMS, the instructions cause the BMS to perform the method of the third aspect of the invention. According to a seventh aspect of the invention, there is a computer program product which comprises a computer readable storage medium on which a computer program according to the sixth aspect is stored.

According to an eighth aspect of the invention, there is a computer program which comprises instructions. When run on the processor of a network node, the instructions cause the network node to perform the method of the fifth aspect.

According to a ninth aspect of the invention, there is a computer program product which comprises a computer readable storage medium on which a computer program according to the eighth aspect is stored.

BRIEF DESCRIPTION OF THE DRAWINGS

The inventive concept will now be described more fully with non-limiting reference to the accompanying drawings in which certain embodiments of the inventive concept are shown.

Fig. 1a is an overview of a communication between a battery management system and the control nodes in an exemplary embodiment.

Fig. 1 b is a block diagram of an exemplary control node according to the invention.

Fig. 2 is a block diagram of an exemplary battery unit with a battery management system according to the invention.

Fig. 3 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 4 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 5 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 6 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 7 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 8 is a handshake diagram of an embodiment of the method according to the invention.

Fig. 9 is a handshake diagram of an embodiment of the method according to the invention.

DETAILED DESCRIPTION OF THE DRAWINGS

Figure 1a shows an overview of the communicating nodes in a typical embodiment of a system comprising a battery management system.

A battery management system, BMS, 101 of a battery unit 200 (see Fig. 2) is an electronic system that manages a rechargeable battery unit. A primary function of the BMS is to protect the battery unit from operating outside its safe operating parameters (temperature range, voltage, charge level). This is achieved by monitoring its current state, in terms of for example voltage, temperature, and current in or out of the battery; calculating secondary data from the current state, for example state of charge or depth of discharge, the amount of available power for a defined time interval given current conditions, and maximum charge and discharge current; and reporting said current state and secondary data to a first control node 102. Not all battery management systems have all these functionalities, and some battery management systems have additional functionalities. The BMS communicates with the first control node 102 in the form of a building management system which monitors site measurements such as temperature, humidity level, and battery status. The building management system communicates with a second control node 103 in the form of a network management system, which performs tasks associated with controlling a wireless network, such as a 3rd Generation Partnership Project, 3GPP, wireless network.

The control node is a network device further equipped to send a control signal to network elements in a communication network. More tangibly, the control node (102,103) comprises a processor and a memory, on which is stored a computer program which, on execution by the processor, causes the control node to send the appropriate control signal. The control node may, for example, comprise a server host together with a computer program capable of analyzing data from multiple building management systems and transmitting appropriate control signals to the building management systems in response.

In an embodiment, the first control node sends all the messages to the battery management system while the second control node manages all valid certificates. In an embodiment, the communication between the building management system and the battery management system takes place over a version of the Modbus protocol. The Modbus protocol is designed for industrial appliances to communicate. The precise implementation of the standardized Modbus protocol which is used varies depending on the specific use case. Communication between the network management system and the building management system may use any suitable suite of Internet Protocol, IP, such as transport layer security, TLS, network configuration protocol, NETCONF, and simple network management protocol, SNMP, as specified by the Internet Engineering Task Force or another standardization body.

In general, the network management system and the building management system can be considered control nodes for the battery management system. Embodiments of the invention may comprise two control nodes, or only one. In the present disclosure, the term control node may thus henceforth refer interchangeably to the building management system, the network management system, or any other node configured to send a control signal to the battery management system.

Figure 2 shows an overview of a battery unit 200 with the BMS 101. Some functions of the BMS are hardware based and some are software based. It will be evident to the person skilled in the art that a battery unit may comprise further functions or lack some of the functions compared to the embodiment of Figure 2. The battery unit 200 here comprises several individual cells 201, 202, 203, 204. One function of the BMS is to balance the load between the cells to ensure that the battery unit supplies the correct voltage. A further function of the BMS is to control the temperature of each cell using a thermal management unit 205 to prevent damage to the cells.

The BMS of the battery unit further comprises a processor 206 which has access to a memory 207. The memory 207 may be internal as depicted in Fig. 2, but may in other embodiments be external to the battery unit. During production of the battery unit, or before the battery unit is transported to its final location, a certificate comprising a public key of a public-private key pair is stored in the memory. The certificate thus corresponds to a private key belonging to or, in other words, associated with, an owner of the battery unit, but the private key is not a part of the certificate.

The certificate may be associated for use with any public-key cryptography algorithm and a form according to any suitable standard. The associated algorithm is indicated in the certificate. Advantageously, the certificate may be used with an algorithm which places low demands on the processor of the BMS. A certificate comprising a key suitable for an elliptic curve-based signature verification algorithm, e.g. Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic-curve Diffie-Hellman (ECDH), and X25519, is used in an embodiment. However, the certificate may be based on/configured for any asymmetric encryption scheme.

The certificate is bound to the BMS to allow a control node in possession of a corresponding private key to authenticate itself to the BMS. The skilled person will appreciate that the authentication procedure may differ depending on the precise nature of the signature. In one simple implementation, the signed message may comprise both a plain-text message m and a signature s such that the signature is the message m encrypted by a private key. To verify the signature, the BMS will use the certificate, which comprises a public key, to decrypt s and verify that the decrypted s is the same as the message m. This provides evidence that the signature was generated by an entity with access to a private key corresponding to a certificate bound to the BMS.

In embodiments of the present disclosure, the messages are typically very short, in the range of tens of bytes. However, in implementations, the control node may elect to instead sign a hash of the message for even greater computational efficiency.

The certificate may advantageously be according to the X.509 standard as defined by the International Telecommunication Union, or any suitable standard defined by a standardizing body, where the certificate is signed by a certificate authority acting as a trusted third party. In an embodiment using this type of certificate, the certificate authority may automatically revoke a certificate after a specified period of time. This is particularly advantageous in an embodiment where a battery unit according to the invention is leased to a customer for a certain amount of time. In such an embodiment, the customer certificate may be revoked or expire when the lease period/expiry date of the certificate is over, preventing the customer from using the battery without having an up-to-date lease agreement.

The BMS is moreover equipped with means to communicate with a control node. In the embodiment above where the control node is a building management system, the communication interface is a controller area network bus.

In an embodiment, the battery unit comprises a field-effect transistor (FET) module 208. This module here comprises a discharge field-effect transistor 210 and a charge field-effect transistor 211. These transistors, when switched off, prevent the battery from discharging and charging respectively. This is a function of many battery management systems, which prevents the cells from discharging or charging to the point where cells of the battery unit are damaged. In an embodiment of the invention the discharge field-effect transistor is switched off, regardless of the charge state of the battery unit, on receiving and authenticating a message requesting that the battery unit be locked to prevent an unauthorized device or unauthorized system from using the battery. When the discharge field-effect transistor is switched off, the battery unit can be charged but will not supply power.

This is advantageous since a battery unit can be transported, charged, and installed in a cell site in a locked state and then remotely unlocked once installed.

Figure 3 shows a handshake diagram of an embodiment of the invention. In this embodiment, the first control node 102, such as the building management system, sends a cryptographically signed message 301, such as a Modbus WriteFileRecord message, to the battery management system, requesting that the battery management system enable the theft protection feature. The BMS will use a certificate stored in its memory and attempt to verify 302 the identity of the control node. The signed message may include an identifier informing the BMS of which certificate to use to verify the signature. If the message is authenticated as signed by a private key corresponding to a valid certificate stored in the memory of the BMS, the BMS will send a message 303, such as a Modbus WriteFileRecordResp message, to the first control node informing it that the theft protection feature is enabled. At the same time, the BMS will start a timer 304 for authorization/re-authorization. The duration of the timer may be set by e.g. the customer, e.g. through a graphical user interface provided through the first control node. Before the timer expires, the control node will again authenticate itself by sending a new signed message such as a Modbus WriteFileRecord message which is checked by the BMS. In other words, it can also be said that the BMS authenticates the control node again. In embodiments, the BMS will cause the battery to be inoperable if an authentication/re-authentication fails.

The skilled person will see that it may be advantageous to give the control node several tries to authenticate itself before causing the battery to become inoperable, to account for transmission errors. In some embodiments, the BMS may cause the battery unit to become inoperable if the control node fails to respond before the authorization timer expires.

The duration of the authorization timer, number of tries before causing the battery to become inoperable, and duration of time the BMS waits for a response may be tailored to a particular owner’s need.

The skilled person will appreciate that the BMS may take any number of measures if the authentication of the control node fails. In some implementations, the BMS will take no action if the authentication fails. In other implementations, the BMS may lock the battery by disabling at least one function of the battery unit if the authentication of the control node fails.
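As an added illustration, not code from the patent or from Ericsson, the following Go type models the BMS-side state behind the Figure 3 handshake: the authorization timer started at 304, re-authentication resetting it, a bounded number of failed tries before locking, and the lock and unlock actions of Figures 5 and 6 expressed as the state of the discharge FET. The timer period, grace time and try count are assumed values (the text says they are tailored to the owner), and signature verification is assumed to happen elsewhere; this type only consumes its outcome and the clock.

```go
package main

import (
	"fmt"
	"time"
)

// Tunable parameters. The patent says these are tailored to the owner's
// needs; the values here are assumptions for the example, not the patent's.
const (
	AuthPeriod   = 10 * time.Minute // re-authentication interval (timer 304 in Fig. 3)
	ResponseWait = 30 * time.Second // how long the BMS waits for a response after expiry
	MaxTries     = 3                // failed authentications tolerated before locking
)

// TheftGuard is the BMS-side state of the theft protection feature.
type TheftGuard struct {
	ProtectionOn bool      // timer running (Fig. 3) or stopped (Fig. 4)
	DischargeFET bool      // true = discharge FET (210) on, battery may supply power
	deadline     time.Time // when the next authenticated message is due
	failures     int       // consecutive failed authentications
}

// NewTheftGuard models a unit delivered unlocked with protection off.
func NewTheftGuard() *TheftGuard { return &TheftGuard{DischargeFET: true} }

func (g *TheftGuard) Locked() bool { return !g.DischargeFET }

// lock switches the discharge FET off: the unit can still be charged,
// transported and installed, but supplies no power.
func (g *TheftGuard) lock() { g.DischargeFET = false }

func (g *TheftGuard) restartTimer(now time.Time) {
	g.deadline = now.Add(AuthPeriod)
	g.failures = 0
}

// EnableProtection: an authenticated message 301 was answered with 303,
// so the authorization timer 304 starts.
func (g *TheftGuard) EnableProtection(now time.Time) {
	g.ProtectionOn = true
	g.restartTimer(now)
}

// DisableProtection: Fig. 4, an authenticated request stops the timer and
// leaves the battery as it is.
func (g *TheftGuard) DisableProtection() { g.ProtectionOn = false }

// OnAuthenticated: a re-authentication message verified against a bound
// certificate arrived, so the timer is reset.
func (g *TheftGuard) OnAuthenticated(now time.Time) {
	if g.ProtectionOn {
		g.restartTimer(now)
	}
}

// OnAuthFailure: a message failed verification. Several tries are allowed
// so that transmission errors alone do not lock the unit.
func (g *TheftGuard) OnAuthFailure() {
	if !g.ProtectionOn {
		return
	}
	g.failures++
	if g.failures >= MaxTries {
		g.lock()
	}
}

// LockRequest and UnlockRequest are the authenticated actions of Figs. 5 and 6.
func (g *TheftGuard) LockRequest() { g.lock() }
func (g *TheftGuard) UnlockRequest(now time.Time) {
	g.DischargeFET = true
	if g.ProtectionOn {
		g.restartTimer(now)
	}
}

// Tick is the periodic check: with protection on and no authenticated
// message before the deadline plus the response wait, the unit locks.
// It returns true when the unit is locked after the check.
func (g *TheftGuard) Tick(now time.Time) bool {
	if g.ProtectionOn && now.After(g.deadline.Add(ResponseWait)) {
		g.lock()
	}
	return g.Locked()
}

func main() {
	t0 := time.Now()
	g := NewTheftGuard()
	g.EnableProtection(t0)
	g.OnAuthenticated(t0.Add(5 * time.Minute)) // deadline moves to t0+15min
	fmt.Println("locked at 14 min:", g.Tick(t0.Add(14*time.Minute)))
	fmt.Println("locked at 16 min:", g.Tick(t0.Add(16*time.Minute)))
}
```

Two points are worth noting about the design. The failure counter is cleared whenever an authenticated message arrives, so only consecutive failures count towards `MaxTries`. And once the timer has locked the unit, only an authenticated unlock (`UnlockRequest`) restores the FET; the expiry check alone never unlocks, which keeps a lost link from silently re-enabling a stolen unit.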

Figure 4 depicts an exemplary flow of communication to disable the theft protection feature present in some embodiments of the invention. In this flow, a control node 102 such as the building management system sends a cryptographically signed message 401, such as a Modbus WriteFileRecord message, to the BMS 101 requesting that the theft protection feature be disabled. In embodiments, the key used for the cryptographic signature is based on an elliptic curve-based encryption scheme to place low demands on the processor of the BMS. The processor of the BMS attempts to verify 402 the signature using a certificate stored in the memory of the BMS. If the verification is successful, the BMS will stop 403 the authorization timer and leave the battery in an unlocked state. The BMS may then send the control node a message 404, such as a Modbus WriteFileRecordResp message, informing the control node that the theft protection feature was successfully disabled.

Figure 5 depicts an exemplary flow of communication to lock the battery unit as in some embodiments of the invention, e.g. the embodiments described above. The exact nature of the locked state may vary between embodiments, but in all of them at least one feature of the battery unit is disabled. The purpose of the locked state is to render the battery unit useless to a potential thief or unauthorized user, thereby deterring theft of battery units. In embodiments, the battery unit is locked by switching off a discharge field-effect transistor. Hereby is achieved that the battery cannot be discharged and hence the battery unit cannot be used to supply power.

In an embodiment of the invention, the battery unit is locked immediately after production and storing of a first certificate. This deters theft during storage and transportation of the battery unit. The battery unit can then be unlocked after being installed at a cell site.

To lock the battery unit, a control node 102 may send a cryptographically signed request 501, such as a Modbus WriteFileRecord message, to the BMS 101 requesting that the battery unit be locked. The BMS will attempt to verify 502 the signature using a certificate stored in the memory of the BMS. If the authentication is successful, the BMS will take an action to disable the battery unit and send a message 503, such as a Modbus WriteFileRecordResp message, to the control node informing the control node that the battery unit is now locked.

Figure 6 depicts an exemplary flow of messages between the BMS 101 and the control node 102 to unlock the battery unit as in an aspect of the invention.

Unlocking the battery unit may be achieved in different ways depending on how the battery unit was locked, but the purpose of unlocking is to enable any functionalities of the battery unit which were disabled by locking the battery unit. In an embodiment, the battery unit is unlocked by switching on a discharge field-effect transistor in the battery unit, thereby enabling the battery unit to supply power.

The control node may send a cryptographically signed request 601, such as a Modbus WriteFileRecord message, to the BMS requesting that the battery unit be unlocked. The BMS will attempt to verify 602 the signature using a certificate stored in the memory of the BMS. If the authentication is successful, the BMS will take an action to unlock the battery unit and send a message 603, such as a Modbus WriteFileRecordResp message, to the control node confirming that the battery unit is now unlocked.

Figure 7 depicts an exemplary flow of messages between a control node 102 and a BMS 101 leading to a second certificate being stored in the memory of the BMS according to some implementations of the invention as claimed. Battery units are often produced and initially owned by one person and leased to a second person. Embodiments of the invention as displayed in this figure allow for handling of several different certificates corresponding to the same or different individuals who may have legitimate reason to access the battery unit.

A second certificate may, in some embodiments, be bound to the battery unit already during production, if a second owner is already clearly identified at that stage. However, ownership may also be transferred completely or partially later during the battery unit's lifetime. In that scenario, a new certificate may be bound according to the procedure depicted in Figure 7.

The control node sends a cryptographically signed message 701, such as a Modbus WriteFileRecord message, to the BMS indicating that it wishes to bind a new certificate. The BMS attempts to verify 702 the signature using a certificate stored in the memory and a suitable verification procedure. If the signature is authenticated, and the certificate has the permission to bind new certificates, the BMS may return a message 703, such as a Modbus WriteFileRecordResp message, indicating that the verification was successful. The control node then transmits 704 the new certificate to the BMS, using for example a Modbus WriteFileRecord message. Since the communication may take place over an unsecured channel, in an embodiment the control node sends the certificate in encrypted form. If the certificate was encrypted, the BMS decrypts it and then stores 705 the second certificate in the memory. Finally, the BMS may send a message 706, such as a Modbus WriteFileRecordResp message, to the control node, informing it that the binding of the second certificate succeeded.

In embodiments, the first certificate and the second certificate may have different permissions. For example, a secondary certificate belonging to a leaser of a battery unit may not have the permission to bind new certificates. In other embodiments, the battery unit may be produced by a contractor. In this scenario, the contractor may have permission to lock the battery unit to secure it for transportation, but not access any other functionalities.

In other embodiments, the ownership of the battery unit is transferred to a new owner. In these embodiments, the second certificate may be used to invalidate the first certificate to complete the transfer of ownership.

Figure 8 depicts an exemplary flow of communications between a control node 102 and the BMS 101 leading to invalidating a certificate stored in the memory of the BMS. The control node sends a cryptographically signed message 801, such as a Modbus WriteFileRecord message, to the BMS, requesting that a specific certificate be invalidated. If the signature is verified 802, and the certificate associated with the signature has permission 803 to invalidate a certificate, the BMS will invalidate the specified certificate. The BMS then sends a message 804 to the control node, such as a Modbus WriteFileRecordResp message, indicating that the certificate was successfully invalidated.
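The lock, unlock, bind and invalidate flows of Figures 5 to 8, as an added Go example that is not part of the patent: the control node signs SHA-256(command || body) with an ECDSA P-256 key, and the BMS acts only when the signature verifies against a stored certificate whose permission mask allows that command. The command codes, the one-byte permission mask carried in a bind request, the PKIX DER encoding of keys and the rule that a certificate cannot delegate rights it does not hold itself are assumptions of this example; the Modbus transport and the encryption of the transmitted certificate are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)
// Command codes (constructed here). A certificate may request command c only if bit 1<<c
// is set in its permission mask. Bind body: perms byte || PKIX DER key; Invalidate body: PKIX DER key.
const ( CmdLock = iota + 1; CmdUnlock; CmdBind; CmdInvalidate )
// BMS keeps the stored certificates (PKIX DER public key -> permission mask) and the lock state.
type BMS struct {
	Certs  map[string]int
	Locked bool
}

func digest(cmd byte, body []byte) []byte { h := sha256.Sum256(append([]byte{cmd}, body...)); return h[:] }
func parseEC(der []byte) *ecdsa.PublicKey { k, _ := x509.ParsePKIXPublicKey(der); p, _ := k.(*ecdsa.PublicKey); return p }
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func KeyDER(pub *ecdsa.PublicKey) []byte { der, _ := x509.MarshalPKIXPublicKey(pub); return der }
// Sign is the control node side: ECDSA P-256 over SHA-256(cmd || body), so neither can be altered in transit.
func Sign(priv *ecdsa.PrivateKey, cmd byte, body []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, priv, digest(cmd, body)) }

// Handle is the BMS side: act only if the signature verifies against a stored
// certificate whose permission mask allows the requested command.
func (b *BMS) Handle(cmd byte, body, sig []byte) error {
	for der, perms := range b.Certs {
		if pub := parseEC([]byte(der)); pub == nil || !ecdsa.VerifyASN1(pub, digest(cmd, body), sig) {
			continue // not signed by this certificate's key; try the next one
		}
		if perms&(1<<cmd) == 0 {
			return errors.New("certificate lacks permission for this command")
		}
		switch cmd {
		case CmdLock, CmdUnlock:
			b.Locked = cmd == CmdLock // discharge FET off while locked
		case CmdBind:
			if len(body) < 2 || parseEC(body[1:]) == nil { return errors.New("malformed bind request") }
			b.Certs[string(body[1:])] = int(body[0]) & perms // cannot delegate rights it lacks itself
		case CmdInvalidate:
			if _, ok := b.Certs[string(body)]; !ok { return errors.New("no such certificate") }
			delete(b.Certs, string(body))
		}
		return nil
	}
	return errors.New("signature did not verify against any stored certificate")
}
```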

The skilled person will appreciate that embodiments of the invention as claimed may further be used to provide evidence of ownership of a battery unit. Figure 9 depicts an exemplary flow of communication between a control node 102 and the battery management system 101 of a battery unit for the purpose of providing evidence of ownership. This covers the scenario in which a battery unit according to the second aspect of the invention appears with disputed provenance and a purported owner wishes to provide evidence of ownership. The purported owner interfaces with the battery unit using a suitable control node. The control node sends a cryptographically signed message 901, such as a Modbus WriteFileRecord message, to the BMS, requesting that the BMS take an action whose effect is measurable by the control node or by an external observer. The BMS attempts to verify the signature and, if the signature is authenticated, takes the appropriate action. The appropriate action may comprise the BMS sending the control node a message 902, such as a Modbus WriteFileRecordResp message, indicating the action performed.

The control node monitors the communication channel with the BMS for a message 902 confirming that the action was taken. If no such message is received, the control node or the external observer monitors the battery unit for signs that the BMS executed the action associated with the sent message. The skilled person will appreciate that the signs may vary depending on what command was sent to the BMS. In an embodiment, the message comprises a request that the battery unit be unlocked. In this embodiment, a sign to monitor may be whether the battery unit is able to supply power.