Introducing GPS Spoofing Attack on Power Grids and Counteract Methods
Applied Control & Robotic Research Laboratory of Shiraz University
Shiraz, Iran
By: Sara Siamak
Contents
▣ Introduction
▣ Global Positioning System (GPS)
▣ PMU Overview
▣ GPS Spoofing Attack
▣ Attack Counteract Methods
▣ Literature Review
▣ Conclusion
▣ References
1. Introduction

• Many navigation systems and network synchronization equipment rely on GPS signals to determine their location and time.
• The structure of GPS signals is publicly known, so it is possible to build a system that produces fake GPS signals.
• Sending fake signals to GPS receivers can make them track the false signals and compute their location and time from them. This is called a GPS spoofing attack.

• In the power grid, time synchronization is very valuable because the grid is a complex, interconnected and interdependent network.
• One of the most important tasks in a power grid is estimating the states of the power system.
• In the last decade, the use of PMUs for real-time network estimation has increased.
• PMUs depend on GPS for time synchronization. This dependency makes them vulnerable to GPS spoofing attacks.
2. GPS

Global Positioning System (GPS)
• The GPS signal contains location and time information.
• GPS satellite clocks have no offset from the world clock.
• The GPS receiver cannot find its exact position simply by receiving this signal from the satellite, because the receiver has an uncertain offset relative to the world clock.

Unknowns for a GPS Receiver
• GPS receiver position: 3 unknowns (x, y, z)
• GPS receiver offset: 1 unknown ($t_u$)
There are 4 unknowns, so 4 visible satellites are needed.
• Trilateration process: the process of determining relative or absolute position using geometry, as applied to GPS. With this process, the receiver calculates its position and time offset.
Trilateration process
GPS receiver offset: $t_u$
Speed of light: $c$
Pseudo-distance between the receiver and the 1st satellite: $p_1$
Receiver coordinates: $x, y, z$
$n$th satellite coordinates: $x_n, y_n, z_n$
Local receiver time: $t_l$
Sending time from $n$th satellite: $t_l$
GPS Signals
GPS satellites transmit two important signals: the civilian signal, L1, and the military signal, L2. These signals must pass through the ionosphere on their path to the ground, which delays them. Because the frequencies of L1 and L2 are different, they are delayed by different amounts.

The Structure of Signals L1 and L2
These signals are modulated by a pseudo-random noise sequence code that is unique to each satellite. The codes include the civilian C/A code and the military P code. The civilian C/A code is only sent at the L1 frequency, while the military P code is sent at both the L1 and L2 frequencies.
3. PMU Overview

Phasor Measurement Unit (PMU)
• The PMU is a device that is installed in the substation and measures the bus voltage and the currents of the branches connected to the bus.
• The PMU uses a GPS receiver for time synchronization.
• GPS signals provide the time labels for the measured phasors.

[Figure: Structure of a PMU]
4. GPS Spoofing Attack

GPS Spoofing Attack
• The attacker simulates the actual GPS signal.
• In this attack, the attacker first causes excessive radio interference on the L1 frequency band.
• This interference is accomplished by sending noise signals in the GPS frequency range.
• The attacker then sends spoofing signals to the receiver to lock the receiver onto the fake signal (with power slightly above that of the valid signals).

Techniques for making spoofing signals

1- GPS signal simulator
A GPS signal simulator is used to mimic valid GPS signals.
Attributes:
- They are simple
- They do not have GPS receivers, so they are not necessarily synchronized with actual GPS signals
- They are easily identifiable

2- Receiver-based spoofers
Include a GPS receiver together with a spoofing transmitter.
Attributes:
- They are more complex than GPS simulators
- They are synchronized with GPS signals

3- Complex receiver-based spoofers
Attributes:
- The most sophisticated and effective class of spoofers
- They use several transmission antennas and know the exact information of the target receiver antenna
- These spoofers are very difficult to realize
The Effect of GPS Spoofing on the Power Grid
• For a signal with frequency $f$ Hz, the phase measurement error corresponding to the offset of the receiver is obtained from the following equations:

$$\varphi = 2\pi f t$$
$$\epsilon = 2\pi f\,(t_u^{*} - t_u)$$
$$\varphi^{*} = \varphi + \epsilon$$

$\varphi$: Signal phase before attack
$\varphi^{*}$: Signal phase after attack
$t_u$: Receiver offset before attack
$t_u^{*}$: Receiver offset after attack

• Changes in the measured phase can cause:
- The generators to become unstable
- Equipment to appear to operate normally while it is overloaded
- Equipment to appear overloaded while it is operating normally, and so on.
5. Counteract Methods

Counteract GPS Spoofing Attack
1) Signal processing defenses
2) Cryptographic defenses
3) Correlation with other timing sources
4) Radio spectrum and antenna defenses

1- Defense Based on Signal Processing
- Correlation Peak Monitoring
- Doppler Shift Detection
- Discrimination of Time of Arrival
- Absolute Power
- Signal to Interference Plus Noise Ratio
- Receiver Autonomous Integrity Monitoring (RAIM)
Receiver Autonomous Integrity Monitoring (RAIM)
• Predict the location of each satellite using astronomical data from the signals.
• A conflict between the prediction results and the position reported in the navigation message of the received signals can be caused by an attack.
Defect:
• The method is invalid when spoofing signals are in the majority.
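The trilateration step from the GPS section and a consistency check in the spirit of RAIM, as an added Python example that is not part of the original slides. It assumes the standard pseudorange model p_n = |sat_n - receiver| + c·t_u (the slide's own equation did not survive extraction), constructed satellite coordinates, and hypothetical function names and thresholds; it checks residuals and a surveyed antenna position rather than the satellite-position comparison the slide describes.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def _solve(a, b):
    """Solve a*x = b for a small dense system (partial-pivot elimination)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def _residuals(est, sats, pseudoranges):
    """Jacobian rows and (measured - modelled) pseudoranges at estimate est."""
    rows, res = [], []
    for (sx, sy, sz), p in zip(sats, pseudoranges):
        dx, dy, dz = sx - est[0], sy - est[1], sz - est[2]
        d = math.sqrt(dx * dx + dy * dy + dz * dz)
        rows.append([-dx / d, -dy / d, -dz / d, 1.0])
        res.append(p - (d + est[3]))
    return rows, res


def solve_fix(sats, pseudoranges, start=(0.0, 0.0, 0.0), iterations=20):
    """Gauss-Newton least squares for the 4 unknowns (x, y, z, t_u).

    Returns (position in m, t_u in s, RMS pseudorange residual in m).
    With exactly 4 satellites the residual is always ~0 (no redundancy).
    """
    if len(sats) < 4 or len(sats) != len(pseudoranges):
        raise ValueError("need >= 4 satellites and one pseudorange per satellite")
    est = [*start, 0.0]  # x, y, z and c*t_u, all in metres
    for _ in range(iterations):
        rows, res = _residuals(est, sats, pseudoranges)
        jtj = [[sum(r[i] * r[j] for r in rows) for j in range(4)] for i in range(4)]
        jtr = [sum(r[i] * e for r, e in zip(rows, res)) for i in range(4)]
        step = _solve(jtj, jtr)
        est = [e + s for e, s in zip(est, step)]
        if max(abs(s) for s in step) < 1e-4:
            break
    _, res = _residuals(est, sats, pseudoranges)
    rms = math.sqrt(sum(e * e for e in res) / len(res))
    return tuple(est[:3]), est[3] / C, rms


def check_fix(sats, pseudoranges, surveyed_pos, max_rms_m=30.0, max_shift_m=100.0):
    """Consistency check for a static (PMU) antenna at a surveyed position.

    Alarm when the pseudoranges disagree with each other (RMS residual) or
    the solved position moves away from the surveyed site. Thresholds are
    assumed values for illustration.
    """
    pos, t_u, rms = solve_fix(sats, pseudoranges, start=surveyed_pos)
    shift = math.dist(pos, surveyed_pos)
    return {"t_u": t_u, "rms_m": rms, "shift_m": shift,
            "alarm": rms > max_rms_m or shift > max_shift_m}


# Constructed sample data (ECEF-like coordinates in metres, not real ephemeris).
TRUE_POS = (3.9e6, 3.9e6, 3.2e6)
TRUE_TU = 2.5e-3
SATS = [(2.0e7, 1.2e7, 1.3e7), (1.0e7, 2.2e7, 1.1e7), (1.4e7, 1.0e7, 2.0e7),
        (2.3e7, -0.5e7, 1.2e7), (-0.3e7, 1.8e7, 1.9e7), (1.6e7, 1.6e7, 1.4e7)]
CLEAN = [math.dist(s, TRUE_POS) + C * TRUE_TU for s in SATS]
FAULTY = CLEAN[:-1] + [CLEAN[-1] + 3000.0]   # one range inconsistent with the rest
BIASED = [p + C * 50e-6 for p in CLEAN]      # self-consistent set, common 50 us bias

if __name__ == "__main__":
    for name, prs in (("clean", CLEAN), ("faulty", FAULTY), ("biased", BIASED)):
        print(name, check_fix(SATS, prs, TRUE_POS))
```

The biased set passes both checks even though the solved t_u moved by 50 µs, which matches the defect noted on the slide: a measurement set that is consistent with itself needs an independent reference to be caught.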
Signal to Interference Plus Noise Ratio
• SINR: ratio of received signal power to noise power plus interference from other signals.
• A sudden change in the SINR could indicate an attack.

$$\mathrm{SINR} = \frac{P}{I_{Auth}^{2} + I_{Spoof}^{2} + \sigma_{N}^{2}}$$

$I_{Auth}$: Interference term caused by correlation with other valid signals
$I_{Spoof}$: Interference term due to correlation with fake signals
$\sigma_{N}^{2}$: Filtered noise variance
$P$: Power of received signal
Absolute Power
• The spoofer sends its signals at slightly higher power than the valid signals to force the receiver to follow its own signals.
• Detection method: comparison of the absolute power level of the received signal with the valid signal power.
Defects:
• Increased receiver hardware complexity
• The signal power changes due to interference from the atmosphere and the sun's gravity

Doppler Shift Detection
• Relative motion between the satellite and the receiver creates detectable effects on the signal frequency through the Doppler effect.
• By simulating the motion of the satellites and comparing it with the real state, a Doppler conflict can be observed and the attack detected.
Doppler effect: the wavelength shortens when moving toward an object and lengthens when moving away.

Correlation Peak Monitoring
• In the absence of interference between the receiver and the satellite, the power of the valid signals follows a $\chi^2$ distribution.
• The correlation peak power of valid signals can be used to detect an attack.
Defects:
• The spoofer attempts to bring its signal correlation peak close to the peak of the GPS signal correlation.
• The $\chi^2$ distribution assumption is invalid when there is a barrier between the receiver and the satellite.

Discrimination of Time of Arrival
• The P code is sent at both frequencies $L_1$ and $L_2$. Therefore, the correlation between the two versions of the P code can be used to calculate the delay.
• The delay between the two signals can be calculated for the receiver. If the computed delay conflicts with the real state, it could be an attack.
Defect:
• A professional spoofer can handle this delay.
2- Cryptographic Defense
• Uses authentication techniques to detect spoofing threats.
• Applicable to both the military version and the civilian version of GPS signals.
• Requires changes to the GPS signal structure.
Defects:
• Delay in diagnosis
• It is costly.

3- Detection based on Correlation Analysis with Other Time Sources
• Received signals can be sent to other GNSS sources for validation.
• Sources other than the Global Navigation Satellite System can be used for validation.
Defects:
• Sending many signals to the validating authorities creates traffic and makes them unreliable.
• The accuracy of these time sources is lower than that of the global satellite navigation system.
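A cross-check against another time source (method 3), expressed through the phase-error equation from "The Effect of GPS Spoofing on the Power Grid", as an added Python example that is not part of the original slides. The sample values, the 60 Hz nominal frequency, the thresholds, the reference-clock uncertainty and all function names are assumptions made for illustration.

```python
import math


def phase_error_deg(f_hz, t_u, t_u_star):
    """epsilon = 2*pi*f*(t_u* - t_u) from the slides, converted to degrees."""
    return math.degrees(2.0 * math.pi * f_hz * (t_u_star - t_u))


def cross_check(samples, f_hz=60.0, ref_uncertainty_s=5e-6,
                max_phase_deg=0.5, max_slew_s_per_s=2e-6):
    """Compare the GPS-derived receiver offset with an independent reference.

    samples: list of (t_seconds, offset_from_gps_s, offset_from_reference_s).
    The reference is less accurate than GNSS (the defect noted on the slide),
    so only the part of the disagreement beyond ref_uncertainty_s is turned
    into phase error. Two independent triggers are reported:
      "phase": the unexplained disagreement maps to more than max_phase_deg
      "slew":  the disagreement changes faster than max_slew_s_per_s
    Returns a list of (t_seconds, phase_error_deg, [reasons]).
    """
    findings = []
    prev = None
    for t, gps_s, ref_s in samples:
        delta = gps_s - ref_s
        excess = math.copysign(max(abs(delta) - ref_uncertainty_s, 0.0), delta)
        eps = phase_error_deg(f_hz, 0.0, excess)
        reasons = []
        if abs(eps) > max_phase_deg:
            reasons.append("phase")
        if prev is not None and t > prev[0]:
            slew = abs(delta - prev[1]) / (t - prev[0])
            if slew > max_slew_s_per_s:
                reasons.append("slew")
        if reasons:
            findings.append((t, eps, reasons))
        prev = (t, delta)
    return findings


# Constructed samples: five seconds of sub-microsecond agreement, then the
# GPS-derived offset walks away from the reference at 10 us per second.
_DELTAS_US = [0.4, -0.3, 0.6, 0.1, -0.2, 11.0, 21.0, 31.0, 41.0, 51.0]
SAMPLES = [(float(t), 1.0e-3 + d * 1e-6, 1.0e-3) for t, d in enumerate(_DELTAS_US)]

if __name__ == "__main__":
    for t, eps, reasons in cross_check(SAMPLES):
        print(f"t={t:.0f}s phase error {eps:+.3f} deg  triggers: {', '.join(reasons)}")
```

In this constructed run the slew trigger fires at t = 5 s, two samples before the accumulated phase error crosses the assumed 0.5 degree limit.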
4- Defense Based on Radio Spectrum and Antenna
- Discrimination of Angle of Arrival
- Removable Antenna

Discrimination of Angle of Arrival
• The signals received from a spoofing source have a different angle of arrival than the satellite signals.
• This method uses two antennas placed a certain distance apart to calculate the angle of arrival of the signals.
Defect:
• This technique may fail in a multi-antenna-based spoofing attack.

Removable Antenna
• A single antenna is moved along a random path.
• For a model that is not under attack, different effects of the antenna motion on different satellites are predicted.
• Correlation between the received signals, as occurs in the spoofing attack mode, indicates the occurrence of the attack.
6. Literature Review

1997: Dana. First came up with the idea of RAIM.
2007: McDowell et al. Introduced the SINR evaluation method.
2008: Jovanovic et al. Validation of the Doppler effect change observation method.
2009: Montgomery et al. Applied the angle of arrival technique.
2011: Wesson et al. Evaluation of the correlation peak detection method.

2012, 2013, 2014, 2015:
- Zhang et al. Used two different types of antennas to detect the attack.
- Jiang et al. Formulated a GPS spoofing attack on the PMU by solving a maximization problem.
- Psiaki et al. Introduced the idea of a removable antenna.
- Yu et al. Used a set of GPS receivers to detect spoofing attacks on power grids.
- Fan et al. Applied a cross-layer detection mechanism, across the physical layer and the upper layer of the network, against GPS spoofing attacks on PMUs.
- Konovaltsev et al. Used an array antenna and the angle of arrival technique.

2017: Fan et al. Spoofing-matched algorithm using signal processing techniques and estimation of power system modes based on synchronous phasors (this method detects an attack on a PMU and corrects its data).
2018: Yasinzadeh and Akhbari. Provided a method based on the power grid infrastructure using measured phase analysis and state estimation. This method is compatible with other available anti-spoofing methods. In addition to detecting an attack, it also corrects false data.
7. Conclusion

• Research suggests that GPS-based networks are vulnerable to GPS spoofing attacks.
• Power grids are also vulnerable to cyberattacks, and GPS spoofing is part of the danger.
• A spoofer can cause network operators to perform improper or unnecessary control actions.
• Therefore, protection against this damage is essential in modern power networks.
8. References

[1] Kaplan, E. D., Leva, J. L., & Pavloff, M. S. (1996). Fundamentals of satellite navigation. Understanding GPS-Principles and applications (A 96-41027 11-17), Norwood, MA, Artech House, 1996, 15-57.
[2] Infrastructure, T. (2001). Vulnerability assessment of the transportation infrastructure relying on the global positioning system. Technical Report, Center, John A. Volpe National Transportation Systems
[3] McDowell, C. E. (2007). U.S. Patent No. 7,250,903. Washington, DC: U.S. Patent and Trademark Office.
Papadimitratos, P., & Jovanovic, A. (2008, November). GNSS-based positioning: Attacks and countermeasures. In Military Communications Conference, 2008. MILCOM 2008. IEEE (pp. 1-7). IEEE.
[4] Montgomery, P. Y., Humphreys, T. E., & Ledvina, B. M. (2009). A multi-antenna defense: Receiver-autonomous GPS spoofing detection. Inside GNSS, 4(2), 40-46.
[5] Humphreys, T., Bhatti, J., & Ledvina, B. (2010). The GPS Assimilator: a method for upgrading existing GPS user equipment to improve accuracy, robustness, and resistance to spoofing.
[6] Wesson, K. D., Shepard, D. P., Bhatti, J. A., & Humphreys, T. E. (2011, September). An evaluation of the vestigial signal defense for civil GPS anti-spoofing. In Proceedings of the ION GNSS Meeting.
[7] Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J., & Lachapelle, G. (2012). GPS vulnerability to spoofing threats and a review of antispoofing techniques. International Journal of Navigation and Observation, 2012.
[8] Shepard, D. P., Humphreys, T. E., & Fansler, A. A. (2012). Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks. International Journal of Critical Infrastructure Protection, 5(3-4), 146-153.
[9] Jafarnia-Jahromi, A., Daneshmand, S., & Lachapelle, G. (2013). Spoofing countermeasure for GNSS receivers–a review of current and future research trends. Proc. on the 4th Intern Colloquium on Scientific and Fundamental Aspects of the Galileo Programme, 1-8.
[10] Psiaki, M. L., Powell, S. P., & O’hanlon, B. W. (2013, September). GNSS spoofing detection using high-frequency antenna motion and carrier-phase data. In Proceedings of the ION GNSS+ Meeting (pp. 2949-2991).
[11] Yu, D. Y., Ranganathan, A., Locher, T., Capkun, S., & Basin, D. (2014, July). Short paper: detection of GPS spoofing attacks in power grids. In Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks (pp. 99-104). ACM.
[12] Konovaltsev, A., Caizzone, S., Cuntz, M., & Meurer, M. (2014, September). Autonomous spoofing detection and mitigation with a miniaturized adaptive antenna array. In Proceedings of the 27th Technical Meeting of Satellite Division of The Institute of Navigation ION GNSS+ 2014 (pp. 2853-2861). The Institute of Navigation, USA.
[13] Fan, Y., Zhang, Z., Trinkle, M., Dimitrovski, A. D., Song, J. B., & Li, H. (2015). A cross-layer defense mechanism against GPS spoofing attacks on PMUs in smart grids. IEEE Transactions on Smart Grid, 6(6), 2659-2668.
[14] Schmidt, D., Radke, K., Camtepe, S., Foo, E., & Ren, M. (2016). A survey and analysis of the gnss spoofing threat and countermeasures. ACM Computing Surveys (CSUR), 48(4), 64.
[15] Fan, X., Du, L., & Duan, D. (2017). Synchrophasor data correction under gps spoofing attack: A state estimation based approach. IEEE Transactions on Smart Grid.
[16] Yasinzadeh, M., & Akhbari, M. (2018). Detection of PMU spoofing in power grid based on phasor measurement analysis. IET Generation, Transmission & Distribution, 12(9), 1980-1987.
Thank you
Any questions?
Sara Siamak
You can find me at s.siyamak@shirazu.ac.ir

Spoofing attack on PMU (Phasor measurement unit)

  • 1. Introducing GPS Spoofing Attack on Power Grids and Counteract Methods Applied Control & Robotic Research Laboratory of Shiraz University Shiraz, Iran By: Sara Siamak
  • 2. Contents ▣ Introduction ▣ Global Positioning System (GPS) ▣ PMU Overview ▣ GPS Spoofing Attack ▣ Attack Counteract Methods ▣ Literature Review ▣ Conclusion ▣ References 2
  • 4. “ Many navigation systems and network synchronization equipment rely on GPS signals to determine their location and time.  The structure of GPS signals is well known to the public, so it is possible to build a system that produces fake GPS signals.  Sending fake signals to GPS receivers can make them look for false signals and cause the receivers to find their location and time through the fake signals. This is called GPS Spoofing Attack. 4
  • 5. “  In the power grid, time synchronization is very valuable because it is a complex, interconnected and interdependent network.  One of the most important things to do in a power grid is to estimate the states of the power system.  In the last decade, the use of PMU for real-time network estimation has increased.  PMUs depend on GPS for time synchronization. This dependency makes them vulnerable to GPS spoofing attacks. 5
  • 7. “  The GPS signal contains location and time information  GPS satellites clock have not any offset from the world clock  The GPS receiver cannot find its exact position simply by receiving this signal from the satellite because the receiver has an uncertain offset relative to the world clock. 7 Global Positioning System (GPS)
  • 8. “  GPS receiver position  GPS receiver offset It has 4 unknowns so 4 visible satellites are needed  Trilateration process: The process of determining relative or absolute position using geometry that is applicable to GPS. With this process, the receiver calculates its position and time offset. 8 Unknowns for a GPS Receiver 3 unknowns (x, y, z) 1 unknown (𝑡 𝑢)
  • 9. “ GPS Receiver Offset: 𝑡 𝑢 Speed of light: 𝑐 The Pseudo-Distance between the Receiver and the 1st Satellite: p1 Receiver Coordinates: x, y, z 𝑛th Satellite Coordinates: xn, yn, zn Local Receiver Time: tl Sending Time from 𝑛th Satellite:tl 9 Trilateration process
  • 10. “ GPS satellites contain two important signals: civilian signal, L1 and military signal, L2. These signals must pass through the ionosphere layer in their path to the ground, causing a delay in them. Because the frequencies of L1 and L2 are different, they are delayed with different values. 10 GPS Signals
  • 11. “ These signals are modulated by the pseudo-random noise sequence code that is unique to each satellite. These include civilian C/A and P military codes. The civilian C/A code is only sent at the frequency of L1, while the military code P is sent at the frequency of L1and L2 11 The Structure of Signals L1 and L2
  • 13. “  The PMU is a device that is installed in the post and is able to measure the voltage of the bus voltage and the current of the branches connected to the bus.  The PMU uses a GPS receiver for time synchronization.  GPS signals provide the time labels for the measured phasors. 13 Phasor Measurement Unit (PMU)
  • 14. Structure of a PMU 14
  • 16. “  The attacker simulates the actual GPS signal.  In this attack, the attacker first causes excessive radio interference on the L1frequency band.  This interference is accomplished by sending noise signals in the GPS frequency range.  The attacker then sends spoofing signals to the receiver to lock the receiver onto the fake signal. (With power slightly above the valid signals’ value) 16 GPS Spoofing Attack
  • 17. “ 1- GPS signal simulator A GPS signal simulator is used to mimic valid GPS signals. Attributes: -They are simple -They do not have GPS receivers, so they are not necessarily synchronized with actual GPS signals -They are easily identifiable 17 Techniques for making spoofing signals
  • 18. “2- Receiver-based spoofers Includes GPS receiver with spoofing transmitter. Attributes: They are more complex than GPS simulators Synchronized with GPS signals 3. Complex receiver-based spoofers Attributes: The most sophisticated and effective type of spoofing classifications Uses several transmission antennas and knows the exact information of the target receiver antenna It is very difficult to achieve these spoofers 18
  • 19. “  For a signal with frequency f Hz, the phase measurement error corresponding to the offset of the receiver is obtained by the following equation: φ = 2πft ∈ = [2πf tu ∗ − tu ]  Changes in the measurement phase can cause - The generators to become unstable - Normal showing operation of equipment while they are overloaded - Overload show equipment while they are normal and so on. 19 The Effect of GPS Spoofing on the Power Grid 𝜑∗ = 𝜑+ ∈ φ: Signal phase before attack 𝜑∗ : Signal phase after attack 𝑡 𝑢: Receiver offset before attack 𝑡 𝑢 ∗ : Receiver offset after attack
  • 21. “ 1) Signal processing defenses 2) Cryptographic defenses 3) Correlation with other timing sources 4) Radio spectrum and antenna defenses 21 Counteract GPS Spoofing Attack
  • 22. 1- Defense Based on Signal Processing 22 Correlation Peak Monitoring Doppler Shift Detection Discrimination of Time of Arrival Absolute Power Signal to Interference Plus Noise Ratio Receiver Autonomous Integrity Monitoring (RAIM)
  • 23. Receiver Autonomous Integrity Monitoring (RAIM)  Predict the location of each satellite using astronomical data from the signals  Finding a conflict by comparing prediction results with the position reported in the navigation message in the received signals can be caused by an attack. Defect:  Invalidity of this method when spoofing signals are in the majority 23
  • 24. Signal to Interference Plus Noise Ratio  SINR: Ratio of received signal power to noise power plus other signal interference  A sudden change in the SINR rate could indicate an attack. 𝑺𝑰𝑵𝑹 = 𝑷 𝑰 𝑨𝒖𝒕𝒉 𝟐 + 𝑰 𝑺𝒑𝒐𝒐𝒇 𝟐 + ( 𝝈 𝟐 𝑵 ) 24 𝑰 𝑨𝒖𝒕𝒉 : Interference term caused by correlation with other valid signals 𝑰 𝑺𝒑𝒐𝒐𝒇: Interference term due to correlation with fake signals 𝝈 𝟐 𝑵 : Filtered noise variance P: Power of received signal
  • 25. Absolute Power  The spoofer sends its signals at slightly higher power than valid signals to force the receiver to follow its own signals.  Detection method: Comparison of the absolute power level of the received signal with the valid signal power Defects:  Increased receiver hardware complexity  Power of signal changes due to interference from the atmosphere and the sun's gravity 25
  • 26. Doppler Shift Detection  Relative motion between satellite and receiver creating detectable effects caused by Doppler effect on signal frequency  By simulating the motion of the satellites and comparing them to the real state, he observed the Doppler collision and detected the attack. Doppler Effect: Shortening the wavelength when moving to an object or increasing the wavelength when moving away 26
  • 27. Correlation Peak Monitoring  In the absence of interference between the receiver and the satellite, the power for the valid signals corresponds to a distribution of 𝜒2.  The correlation peak power of valid signals can be used to detect an attack. Defects :  Spoofer attempts to approach its signal correlation peak to the peak of the GPS signal correlation  Invalidity of the distribution assumption 𝜒2 when there is a barrier between the receiver and the satellite. 27
  • 28. Discrimination of Time of Arrival  The P code is sent at both frequencies 𝐿1and 𝐿2. Therefore, the correlation between two versions of the P code can be used to calculate the delay.  The delay between the two signals can be calculated for the receiver. And if there is a conflict between computing and the real state, it could be an attack. Defect:  A professional spoofer can handle this delay. 28
  • 29. 2- Cryptographic Defense  Using authentication techniques to detect spoofing threats  Applicable for Military version of GPS signals and civilian version of GPS signals  Requires changes to the GPS signal structure. Bugs:  Delay in diagnosis  It's a costly way. 29
  • 30. 3- Detection based on Correlation Analysis with Other Time Sources  Received signals can be sent to other GNSS sources for validation. Sources other than the Global Navigation Satellite System can be used for validation. Defects:  Sending many signals to get authorities creates traffic and make them unreliable.  The accuracy of time sources is less than the global satellite navigation system 30
  • 31. 4- Defense Based on Radio Spectrum and Antenna 31 Discrimination of Angle of Arrival Removable Antenna
  • 32. “  The signals received from a spoofing source have a different input angle than the satellite signals.  This method uses two antennas that intersect at a certain distance and calculate the angle of entry of the signals. Defect:  This technique may fail in a multi- antenna-based spoofing attack. 32 Discrimination of Angle of Arrival
  • 33. “  Moving a single antenna along a random path  For a model that is not under attack, different effects of the antenna motion on different satellites are predicted.  The correlation between the received signals in the spoofing attack mode indicates the occurrence of the attack. 33 Removable Antenna
  • 35. 35 … Dana First came up with the idea of RAIM McDowell et al. Introduces the SINR evaluation method Jovanovic et al. Validation of the Doppler effect change observation method Montgomery et al. Applying the angle of arrival technique Wesson et al. Evaluation of correlation peak detection method 1997 2007 2008 2009 2011
  • 36. 36 … Zhang et al. Using two different types of antennas to detect attack Jiang et al. Formulate a GPS spoofing attack on the PMU with solving a maximization problem Psiaki et al. Introducing the idea of a removable antenna Yu et al. Using a set of GPS receivers to detect spoofing attack on power grids Fan et al. Applying the mechanism of cross-layer detection of physical layer and upper layer of network against GPS spoofing attack on PMUs 2012 2013 2014 2015 Konovaltsev et al. Use array antenna and angle of arrival entry technique
  • 37. Literature review timeline
      - 2017: Fan et al. Spoofing-matched algorithm using signal processing techniques and estimation of power system modes based on synchronous phasors (this method detects an attack on a PMU and corrects its data).
      - 2018: Yasinzadeh and Akhbari. Providing a method based on power grid infrastructure using measured phase analysis and state estimation. This method is compatible with other available anti-spoofing methods. In addition to detecting an attack, it also corrects false data.
  • 39. Conclusion
      - Research suggests that GPS-based networks are vulnerable to GPS spoofing attacks.
      - Power grids are also vulnerable to cyberattacks, and GPS spoofing is part of the danger.
      - A spoofer can cause network operators to perform improper or unnecessary control actions.
      - Therefore, protection against this damage is essential in modern power networks.
  • 41. References
      [1] Kaplan, E. D., Leva, J. L., & Pavloff, M. S. (1996). Fundamentals of satellite navigation. In Understanding GPS: Principles and Applications (A 96-41027 11-17) (pp. 15-57). Norwood, MA: Artech House.
      [2] Infrastructure, T. (2001). Vulnerability assessment of the transportation infrastructure relying on the global positioning system. Technical Report, John A. Volpe National Transportation Systems Center.
      [3] McDowell, C. E. (2007). U.S. Patent No. 7,250,903. Washington, DC: U.S. Patent and Trademark Office.
          Papadimitratos, P., & Jovanovic, A. (2008, November). GNSS-based positioning: Attacks and countermeasures. In Military Communications Conference, 2008. MILCOM 2008. IEEE (pp. 1-7). IEEE.
      [4] Montgomery, P. Y., Humphreys, T. E., & Ledvina, B. M. (2009). A multi-antenna defense: Receiver-autonomous GPS spoofing detection. Inside GNSS, 4(2), 40-46.
      [5] Humphreys, T., Bhatti, J., & Ledvina, B. (2010). The GPS Assimilator: A method for upgrading existing GPS user equipment to improve accuracy, robustness, and resistance to spoofing.
      [6] Wesson, K. D., Shepard, D. P., Bhatti, J. A., & Humphreys, T. E. (2011, September). An evaluation of the vestigial signal defense for civil GPS anti-spoofing. In Proceedings of the ION GNSS Meeting.
      [7] Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J., & Lachapelle, G. (2012). GPS vulnerability to spoofing threats and a review of antispoofing techniques. International Journal of Navigation and Observation, 2012.
      [8] Shepard, D. P., Humphreys, T. E., & Fansler, A. A. (2012). Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks. International Journal of Critical Infrastructure Protection, 5(3-4), 146-153.
  • 42. References (continued)
      [9] Jafarnia-Jahromi, A., Daneshmand, S., & Lachapelle, G. (2013). Spoofing countermeasure for GNSS receivers: A review of current and future research trends. Proc. of the 4th International Colloquium on Scientific and Fundamental Aspects of the Galileo Programme, 1-8.
      [10] Psiaki, M. L., Powell, S. P., & O'Hanlon, B. W. (2013, September). GNSS spoofing detection using high-frequency antenna motion and carrier-phase data. In Proceedings of the ION GNSS+ Meeting (pp. 2949-2991).
      [11] Yu, D. Y., Ranganathan, A., Locher, T., Capkun, S., & Basin, D. (2014, July). Short paper: Detection of GPS spoofing attacks in power grids. In Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks (pp. 99-104). ACM.
      [12] Konovaltsev, A., Caizzone, S., Cuntz, M., & Meurer, M. (2014, September). Autonomous spoofing detection and mitigation with a miniaturized adaptive antenna array. In Proceedings of the 27th Technical Meeting of the Satellite Division of The Institute of Navigation, ION GNSS+ 2014 (pp. 2853-2861). The Institute of Navigation, USA.
      [13] Fan, Y., Zhang, Z., Trinkle, M., Dimitrovski, A. D., Song, J. B., & Li, H. (2015). A cross-layer defense mechanism against GPS spoofing attacks on PMUs in smart grids. IEEE Transactions on Smart Grid, 6(6), 2659-2668.
      [14] Schmidt, D., Radke, K., Camtepe, S., Foo, E., & Ren, M. (2016). A survey and analysis of the GNSS spoofing threat and countermeasures. ACM Computing Surveys (CSUR), 48(4), 64.
      [15] Fan, X., Du, L., & Duan, D. (2017). Synchrophasor data correction under GPS spoofing attack: A state estimation based approach. IEEE Transactions on Smart Grid.
      [16] Yasinzadeh, M., & Akhbari, M. (2018). Detection of PMU spoofing in power grid based on phasor measurement analysis. IET Generation, Transmission & Distribution, 12(9), 1980-1987.
  • 44. Sara Siamak. You can find me at s.siyamak@shirazu.ac.ir