GPS-dependent applications are being utilised widely in our everyday lives, write Xiaoyuan Fan, Seemita Pal and Paul Skare of the Electricity Infrastructure Group, Pacific Northwest National Laboratory.
By 2020 the estimated number of GNSS devices in use around the world is expected to grow to eight billion, and with the increased reliance on GNSS devices comes the responsibility of making them more secure and resilient.
The most critical infrastructures depend on the GPS system. Cyber attacks on timing infrastructure can lead to significant negative impacts on systems that rely on GPS for precise position, navigation, and timing, such as synchrophasor-based applications used for power grid synchronisation or automatic identification systems (AIS) used in maritime transportation. Since spoofing poses a greater threat than jamming, this article will focus on solutions for spoofing attacks on the smart grid.
Cyber attacks on GPS signals can lead to negative impacts on other systems as well.
They can confuse or mislead automated financial traders; interrupt cellular communications; crash unmanned aerial or ground transportation systems; alter mileage, location, and speed of tracking devices in cars for insurance purposes; gain an edge in augmented reality games (e.g., Pokemon Go); and falsify evidence pertinent to law enforcement organisations.
Cyber attacks on timing infrastructure by malicious actors intending to cause damage to the system are becoming common. These malicious actors may be nation-state actors, terrorists, insiders, criminals, hackers, etc.
The GPS receiver can determine the precise time and position by a process known as trilateration, which means positioning from three distances. The time of signal transmission from each satellite is encoded in the transmitted data, and the receiver knows the time of signal reception. The distance between the satellite and the receiver is estimated by taking the difference between the two times and multiplying it by the propagation speed (which is assumed to be the speed of light). Due to internal hardware bias of the receiver clock oscillator, the receiver clock has an offset from the satellite clock, and therefore the estimated distance is referred to as the pseudo-range.
Each pseudo-range measurement defines a sphere centred on the satellite, and in theory, by measuring the distance from three different satellites simultaneously, a receiver should be able to determine its three-dimensional position. However, because of the clock offset, the receiver must track at least four visible satellites so that it can estimate this fourth unknown, and therefore determine the position and time accurately. The satellites are arranged so that a minimum of four satellites are in view to users at any time at any place.
GNSS signals coming from the satellites are very weak, the signal strength measured at the surface of the earth being about -160 dB. This is roughly equivalent to viewing a 25 Watt light bulb from a distance of 10,000 miles. Hence, these weak broadcast signals can be overridden by signals in the same frequency band, and the overriding signals need not be strong. Furthermore, since the signal structure is available in the public domain, the transparency and predictability of the GPS signal make it easy to imitate and counterfeit.
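The four-unknown pseudo-range solve described above, as an added example that is not part of the article: a receiver at a constructed position with a 1 ms clock offset measures four pseudo-ranges, and a Gauss-Newton least-squares solve recovers position and clock offset together. Satellite coordinates are constructed, not real ephemeris; the solver starts from the Earth's centre, a common textbook initialisation.

```python
import math

C = 299_792_458.0  # propagation speed, assumed to be the speed of light (m/s)

# Constructed satellite positions in metres (~26,560 km from Earth's centre,
# all above the constructed receiver's horizon). Illustrative geometry only.
SATS = [
    (-9.19e6, -15.88e6, 19.20e6),
    (10.62e6, -15.94e6, 18.33e6),
    (-18.69e6, -2.66e6, 18.69e6),
    (-8.01e6, -24.02e6, 8.01e6),
]

def pseudoranges(receiver, clock_offset_s, sats=SATS):
    """What the receiver measures: true range plus c times its clock offset."""
    return [math.dist(receiver, s) + C * clock_offset_s for s in sats]

def _solve_linear(a, b):
    """Gaussian elimination with partial pivoting for the small square system."""
    n = len(b)
    for i in range(n):
        p = max(range(i, n), key=lambda k: abs(a[k][i]))
        a[i], a[p], b[i], b[p] = a[p], a[i], b[p], b[i]
        for k in range(i + 1, n):
            f = a[k][i] / a[i][i]
            for j in range(i, n):
                a[k][j] -= f * a[i][j]
            b[k] -= f * b[i]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (b[i] - sum(a[i][j] * x[j] for j in range(i + 1, n))) / a[i][i]
    return x

def solve_position(prs, sats=SATS, iters=30):
    """Gauss-Newton for (x, y, z, c*dt): four pseudo-ranges, four unknowns."""
    x = y = z = bias_m = 0.0          # start at Earth's centre, zero clock bias
    for _ in range(iters):
        rows, resid = [], []
        for (sx, sy, sz), pr in zip(sats, prs):
            r = math.dist((x, y, z), (sx, sy, sz))
            rows.append([(x - sx) / r, (y - sy) / r, (z - sz) / r, 1.0])
            resid.append(pr - (r + bias_m))
        # Square system: (H^T H) d = H^T r via normal equations
        hth = [[sum(rk[i] * rk[j] for rk in rows) for j in range(4)] for i in range(4)]
        htr = [sum(rk[i] * rr for rk, rr in zip(rows, resid)) for i in range(4)]
        d = _solve_linear(hth, htr)
        x, y, z, bias_m = x + d[0], y + d[1], z + d[2], bias_m + d[3]
        if max(abs(v) for v in d) < 1e-5:
            break
    return (x, y, z), bias_m / C   # position in metres, clock offset in seconds
```
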
Some of the other technical problems relevant to the timing infrastructure of the Phasor Measurement Units (PMUs) are GPS time drift and mislabelling due to the occurrence of a leap second, but we are not addressing those problems here.
In the power grid, PMU data, which are synchronised using GPS signal, are presently used for forensic event analysis (e.g., disturbance), power system model validation, and transmission protection schemes. To date, there are 2,500 PMUs at key locations in the North American power grid; such as major transmission interconnections, key generation plants, substations, and major load centres.
More and more control room applications are integrating these high-resolution synchronised measurements to improve grid reliability and efficiency. They are increasingly used for performing phasor measurement-based linear state estimation, detecting modal oscillations, and providing additional visibility of power flows. PMUs can also be used for generator synchronisation, islanding detection, system black-start restoration, digital fault recorders, and protective relays.
The cybersecurity of the synchrophasor measurements generated by PMUs is of great concern. In general, the civilian GPS signal utilised in PMUs is publicly known and readily predictable, and this makes the GPS-based timing signal more vulnerable to cyber attacks like GPS spoofing attacks (GSA). By injecting a spoofed ensemble of GPS signals into the antenna of the receiver clock that provides a timing reference to the PMU, an intruder can manipulate the phase angle measurements and the measurement timestamps. If an adversary is successful in executing GSA, the impacted synchrophasor measurements will diverge from their nominal values and provide a wrong perception of the state of the grid or trigger incorrect control actions that can result in system destabilisation. Figure 1 illustrates a hypothetical drone-based GSA targeting one PMU, causing a potential synchrophasor phase shift of 60 degrees in seven seconds.
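As an added example not taken from the article, the following code converts a receiver-clock offset into the synchrophasor angle error it produces at 60 Hz (which is how the 60 degree shift above and the 1.73 degrees per minute figure quoted later relate to time), and runs a simple drift detector over a constructed angle-difference stream between a monitored PMU and a reference PMU. The detector, its 60 s window and its 0.6 degrees per minute alarm rate are assumptions for illustration, not PNNL's method.

```python
import math

NOMINAL_HZ = 60.0
DRIFT_ALARM_DEG_PER_S = 0.6 / 60.0   # assumed alarm rate: 0.6 deg/min

def phase_error_deg(time_offset_s, f_hz=NOMINAL_HZ):
    """Angle error a timestamp offset causes: 360 * f * dt degrees."""
    return 360.0 * f_hz * time_offset_s

def time_offset_for_phase_deg(phase_deg, f_hz=NOMINAL_HZ):
    """Timestamp offset needed to shift a phasor by the given angle."""
    return phase_deg / (360.0 * f_hz)

def drift_rate_deg_per_s(samples):
    """Least-squares slope of angle samples taken 1 s apart."""
    n = len(samples)
    t_mean = (n - 1) / 2.0
    y_mean = sum(samples) / n
    num = sum((i - t_mean) * (y - y_mean) for i, y in enumerate(samples))
    den = sum((i - t_mean) ** 2 for i in range(n))
    return num / den

def first_drift_alarm(stream, window=60, max_rate=DRIFT_ALARM_DEG_PER_S):
    """Index of the first sample whose trailing window drifts faster than max_rate."""
    for end in range(window, len(stream) + 1):
        if abs(drift_rate_deg_per_s(stream[end - window:end])) > max_rate:
            return end - 1
    return None

def constructed_angle_difference(n=300, spoof_start=120, rate_deg_per_s=1.73 / 60.0):
    """Constructed stream: ~10 deg steady load angle plus small noise, then a
    spoofing-induced ramp of 1.73 deg/min starting at spoof_start seconds."""
    stream = []
    for t in range(n):
        nominal = 10.0 + 0.02 * math.sin(0.7 * t)
        spoofed = rate_deg_per_s * max(0, t - spoof_start)
        stream.append(nominal + spoofed)
    return stream
```
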
GPS spoofing threat model
The threat model assumes that the adversary focuses on the User Segment; i.e., the GPS receiver of the victim. The adversary is physically located where it can broadcast/rebroadcast fake signals that will interfere with the signals received by the victim GPS receiver. The adversary may know the position of the victim receiver and the strength of the GPS signal at that location in order to transmit the malicious signals of suitable strength in the correct direction and with synchronised code and carrier phase. The two most concerning attacks are jamming and spoofing, which jeopardise the availability and the integrity of GPS signals, respectively.
By executing such attacks, the adversary can negatively impact the systems that depend on GPS for precise position, navigation, and timing.
A GPS spoofing attack can be carried out by broadcasting a fake GPS signal that matches the true signal phase, code delay, and encoded data, but has signal strength higher than that of the true signal. In 2013, a professor from the University of Texas at Austin used a $2,000, custom-made spoofing device to take control of a 65m (213ft), $80 million yacht in the Ionian Sea.
In the power grid, spoofing attacks can introduce an error in the phase angle at a rate of 1.73 degrees per minute, which is above the allowable maximum phase error. A spoofing attack poses a greater threat than jamming because the receiver continues to receive GPS signals and is completely unaware of any issues, so in this article we will focus on countering spoofing. Different designs for GPS spoofers are given as follows:
GPS signal simulator: This is one of the simplest GPS spoofers in which a GPS signal simulator is employed along with an RF frontend in order to generate signals that imitate authentic GPS signals.
Simple receiver-based spoofer: This is a slightly more advanced kind of spoofer, which consists of a GPS receiver to first synchronise to the current GPS signals, extract the true position, time, and satellite ephemeris, and finally generate a spoofing signal. This spoofed signal is projected toward the intended target receiver antenna with slightly higher signal strength and correct delay.
Sophisticated receiver-based spoofer: This is the most complex type of spoofing technique, which requires centimetre level position knowledge of the target antenna phase centre from the transmit antenna phase centre of the spoofer, and hence the spoofing signal code and carrier phase are perfectly synchronised to the authentic signals. It may employ several transmit antennas.
A data-centric solution for GSA
Existing hardware solutions for GSA mitigation face challenges of technology maturity, high cost, and limited market acceptance, as well as the constraints utility companies place on upgrades. On the other hand, the Pacific Northwest National Laboratory (PNNL) research team has developed a data-centric solution for GSA, which aims to improve the cyber-resilience of power grid operations and applications that rely on GPS-based timing. Figure 2 illustrates how the GSA model is incorporated in the detection algorithm and how the most likely GSA location is determined through data analytics; subsequently, data correction is applied to correct the spoofed data and further update the power system state estimation results.
Before the IEEE 1588 Precision Time Protocol is fully implemented by utility companies, the proposed methodology could mitigate potential GSAs and the corresponding risks during the transition period. This is achieved by online detection of GSA with advanced data analytics and streaming PMU measurements across the study region. A general framework of this solution is shown in Figure 3. The essential measurements and power system network parameters are extracted to formulate the input, and the outputs are computed through the proposed data-centric solution. The outputs consist of information regarding whether there is a GSA, and if so, the estimated location, phase shift, and remedial action to be triggered are also provided.
Extensive simulations were carried out to illustrate the effectiveness of the proposed closed-form analytical solution for GPS-spoofed synchrophasor data correction.
The effect of the location of the GSA and the value of the GSA phase shift was examined and analysed in the case studies summarised below.
The simulation results show significant improvements in GSA location detection and phase estimation (averaged from 80% to 96%) for eight testing scenarios. More importantly, the near-real-time detection capabilities were validated through time-domain simulation, which enables the promising integration of the proposed solution into control room applications.
In summary, GSAs are an imminent threat to the smart grid. A closed-form data-centric solution for detecting GSAs has been proposed and validated. The Monte Carlo simulations and the time sequence dynamic simulations demonstrated the effectiveness of the proposed solution when integrated into the spoofing detection and correction framework. It is possible to enhance power grid resilience against GSA by integrating the proposed spoofing detection and correction framework into near-real-time control room applications.
PNNL is one of the US Department of Energy’s 17 national laboratories and has a global reach. Researchers at PNNL are working on solving some of the world’s greatest science and technology challenges like unlocking the mysteries of Earth’s climate, helping modernise the U.S. electric power grid, or safeguarding ports around the world from nuclear smuggling. Through world-class research, PNNL envisions creating a world that is safer, cleaner, more prosperous, and more secure.
About the authors
Xiaoyuan Fan is a Senior Power System Research Engineer at the Department of Energy’s Pacific Northwest National Laboratory (PNNL).
Seemita Pal is a Research Engineer in the Cybersecurity team of the Electricity Infrastructure Group at the Pacific Northwest National Laboratory (PNNL).
Paul Skare is the Chief Cybersecurity Programme Manager in Electricity Infrastructure at Pacific Northwest National Laboratory (PNNL), Richland, WA.