By Daniel P. Shepard, Todd E. Humphreys, and Aaron A. Fansler
Spoofing tests against phasor measurement units demonstrate their vulnerability to attack. A generator trip in an automatic control scheme could be falsely activated by the GPS spoofing, possibly leading to cascading faults and a large-scale power blackout.
As electric power grids continue to expand throughout the world and as transmission lines are pushed to their operating limits, the dynamic operation of the power system has become a serious concern and increasingly difficult to accurately model. More effective real-time system control is now seen as key to preventing wide-scale cascading outages like the 2003 Northeast Blackout.
For years, electric power control centers have estimated the state of the power system (the positive sequence voltage magnitude and phase angle at each network node) from measurements of power flows. But for improved accuracy in the so-called power system state estimates, it will be necessary to feed existing estimators with a richer measurement ensemble or to measure the grid state directly.
Alternating current (AC) quantities have been analyzed for over 100 years using a construct developed by Charles Proteus Steinmetz in 1893, known as a phasor. In power systems, the phasor construct has commonly been used for analyzing AC quantities, assuming a constant frequency. A relatively new synchronization technique which allows referencing measured current or voltage phasors to absolute time has been developed and is currently being implemented throughout the world. The measurements produced by this technique are known as synchronized phasor measurements or synchrophasors.
Synchrophasors provide a real-time snapshot of current and voltage amplitudes and phases across a power system, and so can give a complete picture of the state of a power system at any instant in time. This makes synchrophasors useful for control, measurement, and analysis of the power system.
A device used to measure synchrophasors is called a phasor measurement unit (PMU). In a typical deployment, PMUs are integrated in protective relays and are sampled from widely dispersed locations in the power system network. They are synchronized with respect to the common time source of a GPS clock. PMUs basically measure AC voltage (or current) and absolute phase angles at selected locations in an electric transmission or distribution system.
GPS spoofing is the act of producing a falsified version of the GPS signal with the goal of taking control of a GPS receiver’s position-velocity-time (PVT) solution. This is most effectively accomplished when the spoofer has knowledge of the GPS signal as seen by the target receiver so that the spoofer can produce a matched, falsified version of the signal. In the case of military signals, this type of attack is nearly impossible because the military signal is encrypted and therefore unpredictable. On the other hand, the civil GPS signal is publicly-known and readily predictable.
In recent years, civil GPS spoofing is becoming recognized as a serious threat to many critical infrastructure applications which rely heavily on the publicly-known civil GPS signal. A number of promising methods are currently being developed to defend against civil GPS spoofing attacks, but it will still take a number of years before these technologies mature and are implemented on a wide scale. Currently, there is a complete absence of any off-the-shelf defense against a GPS spoofing attack.
See “Generation, Transmission” sidebar at the end of this article for background on the following tests.
The Tests. The minimum threshold for success was to show that a GPS spoofer could force a PMU to violate the IEEE C37.118 Standard “Synchrophasors for Power Systems,” which defines accuracy as a vectorial difference between the measured and expected value of the phasor for the measurement at a given instant of time, called the total vector error (TVE). TVE blends three possible sources of error: magnitude, phase angle, and timing. An error in timing appears identical to an error in phase angle. Without timing and magnitude errors, a phase angle error of 0.573o corresponds to a 1 percent TVE, the maximum allowable by the IEEE C37.118 Standard. This phase angle error could be equivalently and indistinguishably caused by a timing error of 26.5 µs, which was chosen as the threshold for success in the spoofing tests.
The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A block diagram of the spoofer is shown in Figure 1. It is the same spoofer used in the tests described in “Drone Hack” in this issue of the magazine, and a detailed description is given in that article.
The spoofer can carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway. The University of Texas spoofer and attack strategy have been tested against a wide variety of GPS receivers and has always been successful in commandeering the target receiver.
Figure 2 shows a schematic of the setup used for the open-air tests. The signals received at the roof were routed into the spoofer for use in producing the counterfeit signals and into the RF shielded tent for rebroadcasting. The counterfeit signals were also routed into the tent for broadcasting. In addition to the antennas broadcasting the authentic and counterfeit signals, a third antenna was setup inside the tent to receive the combination of authentic and spoofed signals. This setup is representative of an actual attack scenario where the malefactor does not have physical access to the victim receiver’s antenna input but rather broadcasts the spoofed signals over-the-air. For cable-only tests, the entire setup inside the tent was replaced with a signal combiner that summed the authentic and spoofed signals.
The combined authentic and spoofed signals were fed to the victim GPS time reference receiver. The output timing signal from the victim receiver was used as the synchronization reference for one PMU, whereas a second PMU was given timing from a separate GPS time reference receiver that was tracking only authentic GPS signals. Since the PMUs were in the same room and measured the local voltage and carrier phasors, both PMUs would report roughly the same phasor measurements under normal circumstances. Thus, any significant differences in the phase angle measurements between the two PMUs could be attributed to the effects of spoofing.
Both the cable-only and the over-the-air spoofing attacks were successful in leading the PMU phase measurements off from the truth. Figure 3 shows the measured phase angle difference between the reference PMU, which was fed the true GPS signal, and the spoofed PMU throughout one entire test. This value would normally be less than a few degrees in the absence of spoofing, since the two PMUs are co-located. After the initial ten minute capture-and-carry-off, which proceeds slowly to avoid detection, the spoofer accelerates its carry-off and the reference and spoofed phase angles quickly diverge.
Figure 4 shows pictures of an oscilloscope and the Synchrowave screen at the start of the test. The oscilloscope shows two pulse-per-second (PPS) signals, with the upper yellow pulse coming from a reference clock being fed true GPS and the lower blue pulse coming from the spoofed timing receiver. Both PPS signals are initially aligned with each other. The Synchrowave screen displays the PMU phase angle data in real-time as phasors with the nominal 60 Hz operating frequency subtracted from the phase angle. The red and green phasors show the phase data from the reference and spoofed PMUs respectively. These phasors are within a few degrees of each other at the beginning of the test.
Figure 5 shows pictures of the Oscilloscope and the Synchrowave screen at about 620 seconds into the test. At this point, the spoofer has moved the victim receiver 2 µs off in time and has completely captured the receiver. The delicate initial capture-and-carry-off is performed at a slow rate to suppress any evidence of the spoofer’s presence. However, this process could be done quicker because the receiver was not looking for such evidence of foul play. At this stage of the test, there is not yet any significant difference between the two phasors on the Synchrowave screen, since the spoofed time offset remains relatively small. The oscilloscope, however, reveals that the PPS output from the victim receiver has moved by about 2 µs relative to the reference PPS. At this point, the spoofer begins to accelerate the victim receiver’s time solution at a distance-equivalent rate of 4 m/s2 until it reaches a final distance-equivalent velocity of 1000 m/s. Distance-equivalent velocity can be converted into the actual time rate of change of time by dividing by the speed of light.
The acceleration segment of the attack must be tailored to the individual receiver’s ability to track the spoofer-induced dynamics. Otherwise, the spoofer risks losing control of the victim receiver’s tracking loops by moving too quickly for the receiver to track or by raising alarms. Alternatively, a malefactor could survey possible GPS time reference receivers that might be used and tailor the spoofing attack such that any of the receivers would track and believe the spoofed signals. This would place severe limits on the spoofer’s ability to manipulate timing, but would not make the attack impossible or implausible.
Figure 6 shows the oscilloscope and Synchrowave screen at about 680 seconds into the test. At this point, the spoofer has broken the IEEE C37.118 Standard for PMUs, which requires accuracy in the measured phase angle of 0.573o. This demonstrates a significant vulnerability for PMU-based monitoring and control, since these applications leverage the accuracy supposedly guaranteed by the standard. There is yet no noticeable difference on the Synchrowave screen, but the oscilloscope clearly shows that the victim receiver has now been offset in time by about 20 µs.
Figure 7 shows pictures of the oscilloscope and the Synchrowave screen at about 870 seconds into the test. At this point, the spoofer has reached its final velocity of 1000 m/s. A phase angle offset of 10o has also been introduced in a matter of minutes. As expected, there is a marked difference in the phasors on the Synchrowave screen. The oscilloscope also shows a time offset of 400 µs has been induced in the victim receiver.
Figure 8 shows pictures of the oscilloscope and the Synchrowave screen at about 1370 seconds into the test. At this point, the spoofed signal was heavily attenuated and instantly realigned with the authentic signals. This was intended to be the end of the test, but when this particular receiver lost lock on the signal it continued to send out a valid time signal to the PMU while fly-wheeling off its internal clock. This caused an alarm to issue on the front panel of the time reference receiver indicating loss of GPS signal lock. The downstream PMU, however, was oblivious to this loss of lock. This state persisted for about half an hour before the clock finally reacquired the authentic signal and instantly realigned its time output, which caused the phasors to realign. Figure 3 does not show the phase angle data for this entire period, but does show that the phase angle difference exceeds at least 70o before the time reference receiver reacquires the authentic signal.
Synchrophasor data provides a clear picture of the state of the power system in real-time. As the size of the power grid grows and stability margins are reduced (to provide more efficient distribution of power), it will become desirable to use synchrophasors for control purposes. PMU manufacturers are currently selling PMUs capable of implementing automated control schemes that offer response times less than 4 cycles. Such swift response times are seen as necessary to prevent grid instability or damage to equipment.
Control schemes based on synchrophasors rely on phase angle differences between two nodes as an indicator of a fault condition. One example of a currently operational synchrophasor-based control system is the Chicoasen-Angostura transmission link in Mexico. This transmission line links together large hydroelectric generators in Agostura to large loads in Chicoasen through two 400-kV transmission lines and one 115-kV transmission line. If a fault occurs in which both of the 400-kV lines are lost, then the hydroelectric generators may experience angular instability. In order to prevent this, a PMU was set up at each end of the transmission lines with a direct communications link between them. It was found that under nominal and single-fault (only one 400-kV line lost) conditions, the phase angle difference between the two locations was less than 7o, whereas a double-fault (both 400-kV lines lost) produced a phase angle difference of 14o. Based on this finding, the PMUs were configured so that if the phase angle difference exceeded 10o, the hydroelectric generators would be automatically tripped.
If a spoofer were to attack this system in Mexico or a similar implementation elsewhere, then the spoofer could cause a generator trip. In the test described in the previous section, a 10o offset, the threshold for the Chicoasen-Angostura link, was induced by the spoofer about 250 s after capturing the target receiver, as seen in Figures 3 and 7. A malefactor could even lead the phase angle off in the opposite direction (say 7o) before cutting both 400-kV transmission lines. Instead of causing a generator to unnecessarily trip, this would prevent PMUs from tripping the generator when required and potentially cause damage to the generator or remaining transmission lines.
Beyond tripping a single generator, there is potential for the effects of the attack to propagate through the grid and cause cascading faults across the grid. One example of this type of cascading failure is the 2003 Northeast blackout. Although this blackout did not involve PMUs or a spoofing attack, it demonstrates how an appropriately targeted attack against PMUs used for control on the power grid could cause large scale blackouts that originate with a single generator or transmission line trip.
On August 14, 2003, at 3:05 p.m., a 345-kV transmission line in Ohio began to sag from increased flow of electric power. When the line sagged too close to a tree, it caused a short-to-ground and tripped offline. This is something that happens fairly frequently on the massive U.S. electrical grid and is usually easily dealt with. However, the tripping of that line in northern Ohio began a cascade of failures that, in a little more than an hour, led to a near total power loss for more than 50 million people in the northeastern U.S. and parts of Canada.
The blackout is estimated to have cost approximately $6 billion for only four days of power loss. This led the Department of Energy and the North American Electric Reliability Corporation (NERC) to fund and push for an improved “smart grid” with synchrophasor technology as a major component.
As previously pointed out, PMUs are high-speed, real-time synchronized measurement devices used to diagnose the health of the electricity grid. With synchrophasor data, electric utilities can use existing power more efficiently and push more power through the grid while reducing the likelihood of power disruptions like blackouts. Synchrophasor measurements are being looked at to reduce the likelihood of false and inappropriate triggers of transmission system circuit breakers that protectively shut down electrical flow and contribute to cascading blackouts. However, GPS spoofing poses a significant threat to these objectives for PMUs and can make synchrophasor-based control the cause for these events instead of the cure.
Spoofing poses a threat to the integrity of synchrophasor measurements. A spoofer can introduce a time offset in the time reference receiver that provides the timing signal for a PMU without having physical access to the receiver itself. This produces a corresponding phase offset in the synchrophasor data coming from that PMU. Tests demonstrated that a PMU could be made to violate the IEEE C37.118 Standard for synchrophasors in about 11 minutes from the start of a spoofing attack.
As PMU usage continues to grow throughout the world, PMUs will increasingly be used for automatic control purposes instead of just grid monitoring. The tests described here demonstrate that a spoofer could cause control schemes to falsely trip a generator. In the presence of other exacerbating factors, this could lead to a cascade of faults and a large scale blackout.
Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas at Austin. He is a member of the Radionavigation Laboratory.
Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at the University of Texas at Austin and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.
Aaron A. Fansler serves as cyber critical infrastructure protection (CCIP) program manager for Northrop Grumman Information System. He obtained a Master’s degree from Capitol College in information assurance and is currently working on a Ph.D. in that field.
The generation, transmission, and distribution of electric power make the power grid the most critical of critical infrastructures in the United States. Past events and numerous government demonstrations have shown just how vulnerable the power grid can be, not only to natural disasters, but more importantly to malicious cyber activity, which is on the rise. Past consequences of power disruption were annoyance and some economic cost; future disruptions from intentional malicious activity could cascade into crippling failures. Cyber threats now rival the consequences of physical attacks.
Over the past decade, the power industry has seen an explosion in the use of accurate, synchronized time incorporated into its controlling networks. Accurate timing signals are exploited in power systems from the generation plant down to the distribution substation and now down to individual smart grid component.
The value of time synchronization is best understood by recognizing that the power grid is a single, complex, interconnected, and interdependent network. What happens in one part of the grid affects operation elsewhere, and in other systems reliant on stable power, as was observed in the 2003 Northeast Blackout.
With the transition to smart technologies and a unified, synchronized grid, the potential for catastrophic cascading failures increases if proper control measures are not implemented. Time-synchronized measurements are changing the way electric power systems are controlled to protect against these events. Phasor measurement units (PMUs) have recently emerged as one technology which has the potential to one day anticipate failures, making it possible to take remedial actions before failures spread across the network.
PMUs rely on GPS to provide accurate, synchronized time across the power grid. This reliance creates a vulnerability to a particular type of malicious attack: GPS spoofing. Spoofers generate counterfeit GPS signals that commandeer a victim receiver’s tracking loops and induce spoofer-controlled time or position offsets. The 2001 USDOT Volpe Report noted the absence of any off-the-shelf defense against civilian spoofing. In 2008, researchers demonstrated that an inexpensive portable software-defined GPS spoofer could be built from off-the-shelf components.
Northrop Grumman Information Systems (NGIS) and the University of Texas (UT) conducted a functional test and evaluation of the effects a spoofed GPS timing signal would have on synchrophasors, to determine if adverse effects could be produced on a sensitive timing-signal-dependent network such as a Supervisor Control and Data Acquisition (SCADA) network and the network devices such as PMUs. This article describes the test.