Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org Attack Resilient GPS Timing for PMUs using Multi-Receiver Direct Time Estimation Sriramya “Ramya” Bhamidipati and Grace Xingxin Gao University of Illinois Urbana-Champaign CREDC Industry Workshop March 27-29, 2017
23
Embed
Attack Resilient GPS Timing for PMUs using Multi-Receiver ... · PMUs using Multi-Receiver Direct Time Estimation ... USRP+WBX. MIMO ... Attack Resilient GPS Timing for PMUs using
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org
Attack Resilient GPS Timing for PMUs using Multi-Receiver
Direct Time Estimation
Sriramya “Ramya” Bhamidipati and Grace Xingxin Gao University of Illinois Urbana-Champaign
CREDC Industry WorkshopMarch 27-29, 2017
cred-c.org | 2
GPS Timing for PMUs
GPS used for time synchronization
Power grid
PMU
GPS Antenna
Advantages DisadvantagesGlobal coverage Unencrypted structureFreely available Low signal power
𝜇𝜇𝜇𝜇-level accurate time Vulnerable to attacks
GPS clock
cred-c.org | 3
Outline
Background on GPS and Timing Attacks
Multi-Receiver Direct Time Estimation (MRDTE)
Experimental Verification and Validation
Summary
cred-c.org | 4
Traditional GPS Approach
• Methodology• Trilateration with min. 4 satellites• Track carrier frequency (𝑓𝑓𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐)
and code phase (𝜙𝜙𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐)
• Inputs• Center: 3D satellite position• Radius: Pseudoranges
• Unknowns to be estimated: • 3D position x, y, z , Clock bias cδt
Trilateration technique
[Larson GPS Research Group]
GPS Signal Structure
By computing clock bias, we can estimate UTC time with satellite
atomic clock level accuracy
cred-c.org | 5
GPS Timing Attacks
High-power noise signal
Power sub-station
Authentic GPS signals
Jamming: Makes timing unavailable for PMUs
Power sub-station
Replay signal with high power
Authentic GPS signals
9
Meaconing: Mislead PMU with wrong time
cred-c.org | 6
Our Objectives
• Demonstrate the impact of GPS timing attacks on power grid
• Mitigate the effect of external timing attacks
• Improve tolerance against noise and interference
10
cred-c.org | 7
Our Prior Work
• Position-Information Aided Vector Tracking [Chou, Heng and Gao ION GNSS 2014]
• Multi-Receiver Position-Information Aided Vector Tracking [Chou, Ng and Gao ION ITM 2015]
Tracking loop of the Traditional
approach Kalman filter: corrected navigation
solution
Known position of
the receiver
Position Information Aided code and
carrier corrections
Incoming GPS signal
Input to PMU
Across N satellites
𝑒𝑒𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐,𝑘𝑘 ,𝑒𝑒𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐,𝑘𝑘
𝜙𝜙𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐,𝑘𝑘 ,𝑓𝑓𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐,𝑘𝑘
𝑇𝑇𝑏𝑏,𝑘𝑘
𝑋𝑋𝑘𝑘 ,𝑉𝑉𝑘𝑘
𝑋𝑋𝑘𝑘𝑘𝑘𝑐𝑐𝑘𝑘𝑘𝑘,𝑉𝑉𝑘𝑘𝑘𝑘𝑐𝑐𝑘𝑘𝑘𝑘
cred-c.org | 8
Outline
Background on GPS and Timing Attacks
Multi-Receiver Direct Time Estimation (MRDTE)
Experimental Verification and Validation
Summary
cred-c.org | 9
MRDTE: Approach
• Multiple receivers• Geographical diversity
• Position Aiding• Static receiver location
• Direct Time Estimation (DTE)• Works with timing parameters• No intermediate pseudoranges
• Triggered by common external clock
12
Receiver Receiver
ReceiverReceiver
Reduction in no. of unknowns from [8 x, y, z, cδt, x, y, z, cδt × # of receivers] to 2 (cδt, cδt)
Power substation, Champaign, IL
cred-c.org | 10
MRDTE: Architecture
Direct Time Estimation
MRDTE Filter
1
3
4
2Raw GPS signals from
multiple receivers
Output from PMU: Synchronized phasor measurements
Time
MRDTE
All receivers triggered by a common clock
PMU
cred-c.org | 11
Direct Time Estimation
All satellites 3D position and velocity
Receiver 3D position and
velocity
Combined satellite signal replica
Across the candidates in search space
Incoming raw GPS signal
Maximum likelihood clock state
Vector Correlation
Clock Drift
Cloc
k Bi
as
cred-c.org | 12
DTE: Robustness
Strong signal environment
... ...
Weak signal environment
Direct Time Estimation
Direct Time Estimation more robust than
Traditional GPS algorithm
Acro
ss th
e sa
telli
tes
Traditional GPS algorithm
cred-c.org | 13
Outline
Background on GPS and Timing Attacks
Multi-Receiver Direct Time Estimation (MRDTE)
Experimental Verification and Validation
Summary
cred-c.org | 14
Timing Attack Setup
IEEE C37.118: Without timing and magnitude errors, max allowable phase angle error is 0.573° (~time error of 26.5 µ𝜇𝜇)
Supplies commercial timing
GPS signals under meaconing attack
Timestamped voltage and current Commercial
GPS clock
Real Time Digital Simulator (RTDS)
IRIG-BPMU-1
IRIG-BPMU-2
Commercial GPS clock
Authentic GPS signals
cred-c.org | 15
Effect of Meaconing on Power Grid
Meaconing signals are tracked by conventional GPS algorithms.
Meaconing signals
Authentic signals
cred-c.org | 16
GPS Validation Setup
• 4 receivers on the rooftop of Talbot Lab, Urbana, Illinois• Mimic the setup of a original power substation• All the receivers triggered by a common external Chip Scale
Atomic Clock (CSAC)
cred-c.org | 17
Jamming: Carrier Frequency (𝑓𝑓𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐)
MRDTE Traditional Approach
MRDTE (loses track at 17dB added jamming) offers 5dB more noise tolerance than
Traditional approach (loses track at 12dB added jamming)
cred-c.org | 18
Jamming: Different Levels
At 12𝑑𝑑𝑑𝑑 added jamming, MRDTE maintains a residual in clock bias of < 100𝑛𝑛𝜇𝜇 and clock drift of < 1.5𝑛𝑛𝜇𝜇/𝜇𝜇
Clock bias Clock drift
cred-c.org | 19
Meaconing: Carrier Frequency
Traditional approach is operational until 2dB of added meaconed signal while MRDTE is operational till 5dB
MRDTE Traditional Approach
cred-c.org | 20
Power Grid Stability Analysis
• GPS signals with added timing attacks are supplied to compare Traditional method Vs DTE using RTDS testbed
• PMU Performance Analyzer (PPA) is used for power grid stability analysis
Supplies commercial timing
Our Timing
GPS signals
USRP+WBX
MIMO cable
Timestamped voltage and current
Commercial GPS clock
Real Time Digital Simulator (RTDS)
Our DTEdriven clockExternal
clock
IRIG-BPMU-1
IRIG-BPMU-2
USRP+LFTX
cred-c.org | 21
Summary
• Demonstrated the impact of GPS timing attacks on the stability of the power grid
• Proposed a novel GPS-based Multi-Receiver Direct Time Estimation (MRDTE) algorithm
• Verified the increased noise tolerance and successful mitigation of meaconing attack using MRTDE
Timing Attack MRDTE ScalarJamming 17dB 12dB
Meaconing 5dB 2dB
cred-c.org | 22
Thank You
Special Thanks to:
Alfonso Valdes for the insightful discussions. Prosper Panumpabi, Jeremy Jones, David Emmerich and Timothy Yardley for helping with the experimental setup of RTDS and post-processing PMU data
40
@credcresearch
facebook.com/credcresearch/
http://cred-c.org
Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security