Interview with Grace Gao, Sriramya Bhamidipati, & Tara Yasmin Mina - "GPS Spoofing Detection for PMUs Using a Hybrid Network"

In this interview, the presenters answer questions from their webinar, "GPS Spoofing Detection for PMUs Using a Hybrid Network", originally presented on March 28th, 2019. For more details regarding these questions, please view the webinar on-demand on the IEEE SG Resource Center.

Grace X. Gao is an assistant professor in the Aerospace Engineering Department at University of Illinois at Urbana-Champaign. She obtained her Ph.D. degree at Stanford University. Her research is on GPS/GNSS-based positioning, navigation and timing with applications to manned and unmanned aerial vehicles, robotics and power systems. Prof. Gao has won a number of awards, including the NSF CAREER Award, the Institute of Navigation Early Achievement Award and RTCA William E. Jackson Award. She has won Best Paper/Presentation of the Session Awards 14 times at ION GNSS+ conferences. She received the Dean's Award for Excellence in Research from the College of Engineering, University of Illinois at Urbana-Champaign in 2017. For her teaching, Prof. Gao has been on the List of Teachers Ranked as Excellent by Their Students at University of Illinois multiple times. She won the College of Engineering Everitt Award for Teaching Excellence in 2015, AIAA Illinois Chapter's Teacher of the Year in 2016, and the Engineering Council Award for Excellence in Advising in 2017 and 2018.

Sriramya Bhamidipati is a doctoral student in the Aerospace Engineering Department at the University of Illinois at Urbana-Champaign. She received her M.S. degree in Aerospace Engineering from University of Illinois at Urbana-Champaign in 2017. She received her B.Tech. with honors in Aerospace Engineering and minor in Systems and Controls Engineering from Indian Institute of Technology Bombay, India in 2015.

Tara Yasmin Mina is a graduate student in the Electrical and Computer Engineering Department at the University of Illinois at Urbana-Champaign. She received her B.S. with honors in Electrical Engineering from Iowa State University in 2017.

Were the spoofing signals generated intentionally, or were they available over the air from a suspected source?

In our presented results, the spoofing signals were recorded during a government-sponsored live-sky spoofing test in a Western U.S. state.

Still trying to understand how the GPS signals can be spoofed. E.g., how did you do it for your experiment? How strong does the signal have to be to override the actual GPS signals?

The spoofing signals from our presented results were from a government-sponsored spoofing test, broadcast in an open sky environment. Because civilian GPS signals are unencrypted, with publicly available signal structures clearly outlined in Interface Control Documents, anyone with the right equipment can generate a counterfeit GPS signal and broadcast it to the victim receiver in order to induce a false positioning and/or timing solution at the receiver. In fact, one could utilize a GPS signal simulator, commercially available for purchase or rent, in order to generate false signals for a malicious attack. With regards to the required relative strength of a spoofing signal, research has shown that a power advantage ratio of as small as 1.1 between the spoofed signal and the authentic GPS signal results in the reliable capture of the victim tracking loops (Humphreys, Bhatti, Shepard & Wesson, Radionavigation Laboratory Conference Proceedings, 2014).

Has this been implemented in any utility substation? Or just pure research?

Spoofing detection countermeasures have not yet been implemented in any utility stations, making these receivers vulnerable to even the simplest forms of GPS spoofing. Through our research, we have been speaking with stakeholders to determine the available communication resources as well as the bandwidth and latency requirements for implementation and have designed our algorithm to be compliant with these parameters. For bandwidth requirements, for example, our algorithm requires only about 23 kilobytes per second at each PMU station, corresponding to about 15% of the unused, available bandwidth specified by stakeholders in the current communication system structure. Additionally, for the future power grid network, where communication links will be largely replaced with fiber optic cables, this corresponds to only a small fraction of a percent of the total available bandwidth.

Could you describe your computer platform and software development environment used?

For our experimental results, we recorded GPS data with a USRP-N210 connected to a Novatel antenna. The raw GPS data was then post-processed using our research group's software-defined receiver written in Python, called PyGNSS. We chose Python as the programming language since it is object-oriented, open source, and has valuable tools for numerical computing, including the NumPy and SciPy libraries. More details about our software-defined receiver can be found at the following reference: (Wycoff, Ng & Gao, Python GNSS Receiver: An Object-Oriented Software Platform Suitable for Multiple Receivers, GPS World, 2015).

What do you anticipate the needed computing resources to be if this were adopted as a cybersecurity measure? Would these models require Big Data and analytics resources?

With latency requirements on the order of a few minutes as specified by stakeholders and with our ability to detect spoofing using short, 0.5-second signal fragments from each receiver station at a low sampling rate of 2.5 MHz, the data rate and processing rate can be significantly reduced with periodic checks and using shortened signal fragments. We do not anticipate the need for Big Data analytics resources for this spoofing detection architecture. For reference, for the receiver network of Illinois, Ohio, Colorado, and the Western U.S. state, the unoptimized and un-parallelized computation of all conditioned signal samples and pairwise cross-correlation completes in under 20 seconds on my Lenovo Ideapad laptop.

How do you differentiate between spoofed and authentic signal using your approach?

In our approach, we leverage the multi-receiver communication structure available within the power grid network in order to compare the received GPS signals at multiple PMU stations. In the L1 frequency band, the encrypted, military P(Y) GPS signal is present at the same frequency as the civilian L1 C/A signal, but in the orthogonal signal channel; thus, a down-sampled version of the encrypted military P(Y) GPS signal is present in the recorded signals at each PMU station. Because non-military users do not have access to the encryption key, this orthogonal signal establishes a type of signature in the background of all authentic GPS signals. By receiving a strong correlation of the conditioned GPS signal with multiple receivers in the power grid network, we can verify the authenticity of the received GPS signal.
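The pairwise check described in this answer, as an added illustration that is not the presenters' PyGNSS code: the encrypted component is modelled as one hidden random ±1 sequence that every authentic station observes in its quadrature channel (with a small per-station delay), a spoofed station receives an unrelated sequence instead, and the peak normalized cross-correlation over a small lag range decides each pair. The amplitude, lags, fragment length and threshold are constructed values, not figures from the webinar.

```python
import numpy as np

# Constructed model (added example): the P(Y)-like component is a hidden +/-1
# sequence shared by all authentic stations; a spoofer cannot reproduce it.

def make_quadrature_fragments(n_samples, n_stations, spoofed=frozenset(),
                              amp=0.3, seed=1):
    """Return one quadrature-channel fragment per station.

    Authentic stations see the hidden sequence delayed by a small lag;
    stations in `spoofed` get an independent sequence (counterfeit, no P(Y)).
    """
    rng = np.random.default_rng(seed)
    hidden = rng.choice([-1.0, 1.0], size=n_samples)
    frags = []
    for k in range(n_stations):
        lag = int(rng.integers(0, 5))  # differential delay between stations
        if k in spoofed:
            code = rng.choice([-1.0, 1.0], size=n_samples)
        else:
            code = np.roll(hidden, lag)
        frags.append(amp * code + rng.normal(size=n_samples))  # unit noise
    return frags

def peak_normalized_xcorr(a, b, max_lag=10):
    """Peak |normalized cross-correlation| of a and b over |lag| <= max_lag."""
    a = (a - a.mean()) / a.std()
    b = (b - b.mean()) / b.std()
    n = len(a)
    best = 0.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            c = np.dot(a[lag:], b[:n - lag]) / (n - lag)
        else:
            c = np.dot(a[:n + lag], b[-lag:]) / (n + lag)
        best = max(best, abs(float(c)))
    return best

def flag_spoofed_stations(frags, threshold, max_lag=10):
    """Pairwise check across the network: a station is flagged when it fails
    to correlate with every other station, since an authentic station shares
    the hidden component with at least one authentic peer."""
    n = len(frags)
    passed = [False] * n
    for i in range(n):
        for j in range(i + 1, n):
            if peak_normalized_xcorr(frags[i], frags[j], max_lag) > threshold:
                passed[i] = passed[j] = True
    return [k for k in range(n) if not passed[k]]
```

With amplitude 0.3 against unit-variance noise, an authentic pair peaks near 0.08 while an unrelated pair stays around the 1/sqrt(N) noise floor, so a threshold of 0.05 separates them for fragments of 20,000 samples.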

Can you quantify on how vulnerable are PMUs in today's scenario against attacks (not just spoofing)?

PMU devices currently are not equipped with any spoofing detection countermeasures, making these receivers vulnerable to even the simplest forms of GPS spoofing. PMUs are also vulnerable to GPS jamming attacks, where the jammer makes GPS timing unavailable to PMUs by broadcasting a high-powered signal in frequency bands allocated to GPS (L1 at 1575.42 MHz, L2 at 1227.60 MHz, and L5 at 1176.45 MHz). Precise time-stamping of voltage and current measurements is critical to accurately represent the state of the power grid network to system operators. The maximum timing uncertainty by the IEEE standard for synchrophasors (IEEE C37.118.1) is specified to be 26.5 microseconds, with the suggested maximum timing uncertainty of 1 microsecond, which can easily be induced by a spoofer within a few minutes (Shepard, Humphreys & Fansler, International Journal of Critical Infrastructure Protection, 2012). Once spoofing is detected by our algorithm, the PMUs can rely on local oscillators to maintain accurate timing. For Oven-Controlled Crystal Oscillators (OCXO), which are commonly used in more demanding power grid timing applications, the holdover time is between 1 and 8 hours for the recommended timing accuracy of 1 microsecond (Time Synchronization in the Electric Power System, Technical Report PNNL-26331, NASPI Time Synchronization Task Force, 2017), allowing for ample time to contact law enforcement officials upon detection of the spoofing attack.

Can you catch a spoofing event before it can cause damage? Did I hear correctly that you will be doing this once per minute?

Our algorithm only requires pairwise checks between fragments of received GPS signals for a handful of communicating PMUs, allowing us to compute a spoofing decision within the latency requirement specified by stakeholders of about 1 minute.

What was the response time from when spoofing started until it entered the system and made it unstable?

The government-sponsored GPS spoofing test attack started with about a 10-minute period of GPS jamming, making the victim receiver unable to track the authentic GPS satellites. However, once the spoofing signals were broadcast and being tracked by the receiver, our algorithm immediately detected the GPS spoofing attack occurring at that station.

Did you try GNSS, or was this a GPS-only test?

Our experimentation only used the GPS signals; however, the approach we used can be generalized to other GNSS constellations with encrypted signals as well.
