ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 UNDERSTANDING AND MITIGATING THE IMPACTS OF GPS/GNSS VULNERABILITIES NOVEMBER 2013 T.W. GEHRELS J.J. MAKELA, X. JIANG, A. DOMINGUEZ-GARCIA,G. GAO, R. BOBBA UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G MOTIVATION • PMUs are increasingly prevalent in power systems – New opportunities in protection and control • GPS receivers used as a timing source for synchronization – GPS timing signals are nanosecond accurate – GPS signal freely available • GPS receiver clock offset will cause error in the PMU’s phase angle measurements • Error will be passed through PMU dependent algorithms – Voltage stability algorithm – Fault impedance computation – Fault location algorithm 2
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G GPS VULNERABILITY • The civilian GPS signal is unencrypted and highly predictable • Simulated GPS signal can be generated that has the same signal structure as the authentic signals • Development of attacks allows for better understanding of vulnerabilities – Design effective detection and mitigation techniques 3
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TYPES OF GPS RECEIVER ATTACKS • Signal level attack / replay attack – Change timing of signal, causing error in range measurements – Receiver position & clock offset not easily specified • Data level attack to cause crash – Induce divide by zero, increment week number irreversibly – Non-stealth attack • Subtle data level attack – Cause error in timing while still appearing to function normally – All encoded data remain realistic values – Receiver position change bounded to value of normal variation – Motivates the development of a more comprehensive, multi-layer detection scheme 4
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G OVERVIEW OF VULNERABILITY EXPLOITATION 1. Calculate the changes to the data contained in the GPS signals that will: • Induce the maximum possible receiver clock offset • Not cause a significant change to the calculated receiver location 2. Take over tracking loops of the GPS unit using spoofed signals • PMUs are at known locations, making the attack easier than for a dynamic target • Demonstrated by Humphreys et al. 3. Inject rogue data into the GPS unit and have it accepted as legitimate data • Introduce the calculated clock offset 5
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G OVERVIEW OF VULNERABILITY EXPLOITATION 1. Calculate the changes to the data contained in the GPS signals that will: • Induce the maximum possible receiver clock offset • Not cause a significant change to the calculated receiver location 2. Take over tracking loops of the GPS unit using spoofed signals • PMUs are at known locations, making the attack easier than for a dynamic target • Demonstrated by Humphreys et al. 3. Inject rogue data into the GPS unit and have it accepted as legitimate data • Introduce the calculated clock offset 6
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G MAXIMIZING RECEIVER CLOCK OFFSET • A nonlinear optimization problem that maximizes the receiver clock offset (phase measurement error) through perturbation of the satellite ephemerides • Decision variables – satellites’ ephemeris • Objective function – receiver clock offset • Constraints – bounds on the satellites ’ ephemerides – bounds on change to the computed receiver position 7
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G GPS CLOCK BIAS SIMULATION Clock offset Time of attack (objective function) Phase angle (impact) Perceived position (constraint) 8
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G MAXIMIZING RECEIVER CLOCK OFFSET • A nonlinear optimization problem that maximizes the receiver clock offset (phase measurement error) through perturbation of the satellite ephemerides • Decision variables – satellites’ ephemeris • Objective function – receiver clock offset • Constraints – bounds on the satellites ’ ephemerides – bounds on change to the computed receiver position 9
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G MAXIMIZING RECEIVER CLOCK OFFSET • A nonlinear optimization problem that maximizes the receiver clock offset (phase measurement error) through perturbation of the satellite ephemerides • Decision variables – satellites’ ephemeris User defined! • Objective function – receiver clock offset • Constraints – bounds on the satellites’ ephemerides – bounds on change to the computed receiver position 10
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G OVERVIEW OF VULNERABILITY EXPLOITATION 1. Calculate the changes to the data contained in the GPS signals that will: • Induce the maximum possible receiver clock offset • Not cause a significant change to the calculated receiver location 2. Take over tracking loops of the GPS unit using spoofed signals • PMUs are at known locations, making the attack easier than for a dynamic target • Demonstrated by Humphreys et al. 3. Inject rogue data into the GPS unit and have it accepted as legitimate data • Introduce the calculated clock offset 11
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G IMPLEMENTATION TESTBED NI Signal Generator GPS simulator Spoofed signal Signal control Oscilloscope GPS receiver Receiver data Position data Desktop CPU 1 PPS 1k PPS Timing Timing (Spoofed) (True) 12
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G RESULTS – PASSING FALSE EPHEMERIS • True ephemeris received at t = -120 s • Modified ephemeris values at t = 0 s • Modified ephemeris accepted by receiver • New values result in change in perceived receiver position 13
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G RESULTS – INDUCING CLOCK OFFSET 8 Time of attack x position (m) • 3 No jump in position • Meets bounding constraints from derivation -2 -7 0 -100 Clock offset (µs) • Clock offset: 500 µs -200 • Phase offset: 10.8 o -300 -400 14 -500
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G EFFECT OF SPOOFING • Applications dependent on PMUs are vulnerable to spoofing – Fault identification algorithms – Equivalent network calculations – Stability monitoring algorithms • Theoretical demonstration of voltage stability monitoring algorithm 𝑢 2 − 𝑊 𝑢 1 𝑎 𝑢ℎ = 𝑊 True 𝐽 𝑢 1 − 𝐽 𝑢 2 𝑢 2 𝑓 𝑘ε 𝜄 − 𝑊 𝑢 1 𝑎 𝑢ℎ = 𝑊 𝐽 𝑢 1 − 𝐽 𝑢 2 𝑓 𝑘ε 𝜄 Spoofed 15
ANNUAL INDUSTRY WORKSHOP – NOVEMBER 6-7, 2013 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G MITIGATION • Software – Check position against known PMU location – Monitor signal power, quality – Intelligent filtering of the PMU data – Check time against reference clock • Network Complexity – Check ephemerides against external archives (e.g., IGS) – Cross-correlation of military P(Y) code amongst GPS receiver. • Hardware – Narrow-band tracking loop, since PMUs are static – Multi-receiver vector tracking loops – Reverse-calculate satellite positions by trilateration from multiple receivers, compare to received ephemerides 16
Recommend
More recommend
