UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS J.J. MAKELA, X. JIANG, A. DOMINGUEZ-GARCIA,G. GAO, R. BOBBA UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN


SLIDE 1

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG

UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY

FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T

UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES

T.W. GEHRELS
J.J. MAKELA, X. JIANG, A. DOMINGUEZ-GARCIA, G. GAO, R. BOBBA

UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN
NOVEMBER 2013

SLIDE 2

MOTIVATION

  • PMUs are increasingly prevalent in power systems
    – New opportunities in protection and control
  • GPS receivers used as a timing source for synchronization
    – GPS timing signals are nanosecond accurate
    – GPS signal freely available
  • GPS receiver clock offset will cause error in the PMU’s phase angle measurements
  • Error will be passed through PMU dependent algorithms
    – Voltage stability algorithm
    – Fault impedance computation
    – Fault location algorithm

SLIDE 3

GPS VULNERABILITY

  • The civilian GPS signal is unencrypted and highly predictable
  • Simulated GPS signal can be generated that has the same signal structure as the authentic signals
  • Development of attacks allows for better understanding of vulnerabilities
    – Design effective detection and mitigation techniques

SLIDE 4

TYPES OF GPS RECEIVER ATTACKS

  • Signal level attack / replay attack
    – Change timing of signal, causing error in range measurements
    – Receiver position & clock offset not easily specified
  • Data level attack to cause crash
    – Induce divide by zero, increment week number irreversibly
    – Non-stealth attack
  • Subtle data level attack
    – Cause error in timing while still appearing to function normally
    – All encoded data remain realistic values
    – Receiver position change bounded to value of normal variation
    – Motivates the development of a more comprehensive, multi-layer detection scheme

SLIDE 5

OVERVIEW OF VULNERABILITY EXPLOITATION

  1. Calculate the changes to the data contained in the GPS signals that will:
     • Induce the maximum possible receiver clock offset
     • Not cause a significant change to the calculated receiver location
  2. Take over tracking loops of the GPS unit using spoofed signals
     • PMUs are at known locations, making the attack easier than for a dynamic target
     • Demonstrated by Humphreys et al.
  3. Inject rogue data into the GPS unit and have it accepted as legitimate data
     • Introduce the calculated clock offset

SLIDE 7

MAXIMIZING RECEIVER CLOCK OFFSET

  • A nonlinear optimization problem that maximizes the receiver clock offset (phase measurement error) through perturbation of the satellite ephemerides
  • Decision variables
    – satellites’ ephemeris
  • Objective function
    – receiver clock offset
  • Constraints
    – bounds on the satellites’ ephemerides
    – bounds on change to the computed receiver position

SLIDE 8

GPS CLOCK BIAS SIMULATION

[Figure: clock offset (objective function), perceived position (constraint) and phase angle (impact), with the time of attack marked]

SLIDE 10

MAXIMIZING RECEIVER CLOCK OFFSET

  • A nonlinear optimization problem that maximizes the receiver clock offset (phase measurement error) through perturbation of the satellite ephemerides
  • Decision variables
    – satellites’ ephemeris
  • Objective function
    – receiver clock offset
  • Constraints
    – bounds on the satellites’ ephemerides
    – bounds on change to the computed receiver position

User defined!

SLIDE 12

IMPLEMENTATION TESTBED

[Diagram: testbed blocks labeled Oscilloscope, NI Signal Generator, Desktop CPU, GPS receiver and GPS simulator; signal labels: Spoofed signal, Signal control, Position data, Receiver data, 1 PPS Timing (Spoofed), 1k PPS Timing (True)]

SLIDE 13

RESULTS – PASSING FALSE EPHEMERIS

  • True ephemeris received at t = -120 s
  • Modified ephemeris values at t = 0 s
  • Modified ephemeris accepted by receiver
  • New values result in change in perceived receiver position

SLIDE 14

RESULTS – INDUCING CLOCK OFFSET

[Plot: x position (m) and clock offset (µs), with the time of attack marked]

  • No jump in position
  • Meets bounding constraints from derivation
  • Clock offset: 500 µs
  • Phase offset: 10.8°

SLIDE 15

EFFECT OF SPOOFING

  • Applications dependent on PMUs are vulnerable to spoofing
    – Fault identification algorithms
    – Equivalent network calculations
    – Stability monitoring algorithms
  • Theoretical demonstration of voltage stability monitoring algorithm

True: $Z_{th} = \dfrac{V_{t_2} - V_{t_1}}{I_{t_1} - I_{t_2}}$

Spoofed: $Z_{th} = \dfrac{V_{t_2} e^{j\varepsilon_\theta} - V_{t_1}}{I_{t_1} - I_{t_2} e^{j\varepsilon_\theta}}$
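The effect of a phase error on the two-snapshot Thevenin impedance estimate, Z_th = (V_t2 - V_t1) / (I_t1 - I_t2), as an added example that is not part of the presentation. The per-unit circuit values are constructed, the 10.8° rotation is the phase offset reported on the results slide and is applied to the second snapshot only, and `plausible` is a hypothetical sanity filter.

```python
import cmath
import math

def thevenin_estimate(v1, i1, v2, i2):
    """Two-snapshot Thevenin impedance: Z_th = (V2 - V1) / (I1 - I2)."""
    return (v2 - v1) / (i1 - i2)

def snapshot(e_src, z_th, z_load):
    """Bus voltage and current phasors for a source E behind Z_th feeding z_load."""
    i = e_src / (z_th + z_load)
    return i * z_load, i

def compare(phase_err_deg):
    """Return (true estimate, estimate with snapshot 2 rotated by the phase error)."""
    e_src, z_th = 1.0 + 0j, 0.01 + 0.10j          # constructed per-unit system
    v1, i1 = snapshot(e_src, z_th, 1.0 + 0.30j)   # constructed load at t1
    v2, i2 = snapshot(e_src, z_th, 0.9 + 0.27j)   # constructed load at t2
    rot = cmath.exp(1j * math.radians(phase_err_deg))
    return (thevenin_estimate(v1, i1, v2, i2),
            thevenin_estimate(v1, i1, v2 * rot, i2 * rot))

def plausible(z):
    """Sanity filter (assumption): a passive Thevenin impedance has R >= 0."""
    return z.real >= 0.0

if __name__ == "__main__":
    z_true, z_spoofed = compare(10.8)   # phase offset from the results slide
    print(f"true    {z_true:.4f}  plausible={plausible(z_true)}")
    print(f"spoofed {z_spoofed:.4f}  plausible={plausible(z_spoofed)}")
```

With these constructed values the rotated snapshot drives the estimated resistance negative, which is the kind of physically implausible result a filter on PMU-derived quantities can flag.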

SLIDE 16

MITIGATION

  • Software
    – Check position against known PMU location
    – Monitor signal power, quality
    – Intelligent filtering of the PMU data
    – Check time against reference clock
  • Network
    – Check ephemerides against external archives (e.g., IGS)
    – Cross-correlation of military P(Y) code amongst GPS receivers
  • Hardware
    – Narrow-band tracking loop, since PMUs are static
    – Multi-receiver vector tracking loops
    – Reverse-calculate satellite positions by trilateration from multiple receivers, compare to received ephemerides

[Slide graphic label: Complexity]
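Three of the checks listed above (position against the known location, time against a reference clock, ephemerides against an archive), sketched as an added example that is not the presenters' code. The thresholds, field names, the 60 Hz frequency and all sample values are assumptions constructed for illustration.

```python
import math

NOMINAL_HZ = 60.0      # assumed grid frequency
POS_TOL_M = 10.0       # assumed normal scatter of a static receiver's fix
# Assumed alarm limit: 1% total vector error with no magnitude error is
# asin(0.01) ~= 0.573 degrees of phase (~26.5 us at 60 Hz).
PHASE_TOL_DEG = math.degrees(math.asin(0.01))
EPH_TOL = {"sqrt_a": 1e-3, "ecc": 1e-7}   # assumed per-field tolerances

def phase_error_deg(clock_offset_s, freq_hz=NOMINAL_HZ):
    """Phase-angle error produced by a timing error of clock_offset_s."""
    return 360.0 * freq_hz * clock_offset_s

def check_sample(sample, surveyed_xyz, archive):
    """Return the names of the checks that alarm for one receiver sample."""
    alarms = []
    # Software check: the fix must stay near the surveyed PMU location.
    if math.dist(sample["xyz"], surveyed_xyz) > POS_TOL_M:
        alarms.append("position")
    # Software check: receiver 1 PPS compared with a local reference clock.
    if abs(phase_error_deg(sample["pps_offset_s"])) > PHASE_TOL_DEG:
        alarms.append("time")
    # Network check: broadcast ephemeris compared with an archived copy.
    for prn, eph in sorted(sample["ephemeris"].items()):
        ref = archive.get(prn)
        if ref is None or any(abs(eph[k] - ref[k]) > EPH_TOL[k] for k in EPH_TOL):
            alarms.append(f"ephemeris:PRN{prn}")
    return alarms

# Constructed data: surveyed antenna position (local metres) and archive values.
SURVEYED = (0.0, 0.0, 0.0)
ARCHIVE = {7: {"sqrt_a": 5153.6500, "ecc": 0.0100000},
           12: {"sqrt_a": 5153.7100, "ecc": 0.0085000}}
CLEAN = {"xyz": (1.2, -0.8, 2.0), "pps_offset_s": 50e-9, "ephemeris": ARCHIVE}
# Constructed sample shaped like the slides' subtle case: the fix moves only a
# few metres, but the clock is 500 us off and one ephemeris differs.
SUBTLE = {"xyz": (3.0, 2.0, -1.0), "pps_offset_s": 500e-6,
          "ephemeris": {7: {"sqrt_a": 5153.6900, "ecc": 0.0100000},
                        12: ARCHIVE[12]}}

if __name__ == "__main__":
    for name, s in (("clean", CLEAN), ("subtle", SUBTLE)):
        print(name, check_sample(s, SURVEYED, ARCHIVE),
              f"{phase_error_deg(s['pps_offset_s']):.2f} deg")
```

The constructed subtle sample passes the position check and is caught only by the time and ephemeris checks, which is why the slides argue for a multi-layer scheme.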