Detecting GPS Spoofing via a Multi-Receiver Hybrid Communication Network for Power Grids

Tara Mina, Sriramya Bhamidipati, and Grace Xingxin Gao

University of Illinois at Urbana-Champaign

Goals for Power Grid Modernization

• Automatic control of power grid
• Reduce failures or large-scale blackouts (Ex: NE Blackout 2003)
• Improve visualization of power flow
• Continuously monitor state of U.S. power grid network
• Install robust network of monitoring devices across the grid

Synchronizing Data in Power Grid Network

Real-time monitoring of power grid through a widely dispersed network of Phasor Measurement Units (PMUs)

− PMUs measure voltage and current phasors
− Provides measurement with precise time-stamp, via GPS
− Significant timing inaccuracies can induce a generator to trip [1]

[Figure: GPS used for synchronization of PMU measurements. Labels: Power grid, PMU, GPS clock, GPS Antenna]

[1] Shepard, et al, GPS World, 2012

Global Positioning System (GPS)

• Number of satellites: 31 operational
• Orbit: ≈ 20,200 km in altitude (≈ 12 hr period orbit)
• Each satellite:
− Carries several atomic clocks (Cesium and/or Rubidium)
− Continuously sends precisely timed signals to Earth

[Figure: Block IIF Satellite (Boeing)]

How GPS Enables Navigation

• Precise satellite position $(X_S, Y_S, Z_S)$ provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission $t_{TX}$ of received signal
− Notes user’s received time $t_{RX}$, and compares to roughly approximate distance from the satellite
• But, user’s clock is not accurate…
• “Pseudo” because:
− Receiver clock is inaccurate → $t_{RX}$ is inaccurate
− $c\,(t_{RX} - t_{TX}) \neq d$ (true range)
− $c\,(t_{RX} - t_{TX})$ is the computed pseudorange $\rho$
• Receiver clock bias correction

How GPS Enables Navigation

• User has 4 unknowns:
− 3D Position $(X_R, Y_R, Z_R)$
− Clock bias $\Delta t$
• Require at least 4 equations, or satellites in view (usually ≥ 6 in open environments)
• For each satellite signal, we have 1 equation:

$$\rho = c\,(t_{RX} - t_{TX}) = d - c\,\Delta t = \sqrt{(X_S - X_R)^2 + (Y_S - Y_R)^2 + (Z_S - Z_R)^2} - c\,\Delta t$$

Civilian GPS and its Vulnerability

• Commercial (non-military) users utilize civilian GPS signal

• Civilian GPS signal (C/A) in L1 band:

− Center frequency: 1575.42 MHz

− Bandwidth: 2.046 MHz

− Available to all users

Military Signals for Authentication

Encrypted Military P(Y) GPS signal

− Orthogonal to civilian GPS signals, with same center frequency
− Because of encryption, cannot be generated by spoofer
− Presence of P(Y) signal in quadrature phase component indicates authentic GPS signal [2-3]

[2] Lo, et al, Inside GPS, 2009
[3] Psiaki, et al, ION GNSS, 2011

Prior Work and Main Challenges

• Shown handful of receivers (2-8) can be authenticated [4]
• Utilized centralized framework approach [5]
• Must extend to entire widespread network of PMUs

[4] Heng, Work & Gao, IEEE ITS, 2015
[5] Bhamidipati, Mina & Gao, ION PLANS, 2018
[6] Hazra, et al, IEEE PES ISGT, 2014

Key Objectives

• Develop spoofing detection architecture for coordinated authentication of all PMUs, with existing resources
• Provide defense against coordinated spoofing attacks
• Demonstrate successful operation of algorithm during government-sponsored, real-world spoofing scenario

Outline

• GPS: How it Works
• Hybrid Network Architecture Framework
• Spoofing Detection Approach
− Pairwise Check and Preliminary Statistic Computation
− Regionally Representative Snippet
• Implementational Considerations
− Communication Protocol
− Spoofing Risk Assessment
− Subset Selection Algorithm
• Experimental Setup and Results
• Summary

NASPInet Communication Structure

• North American Synchrophasor Initiative network (NASPInet) [9]
• Regional utility networks connected via Data Bus
• Resources prioritized in regional sub-networks

[9] Hu, Yi, NASPInet Technical Specifications, U.S. DOE, 2009

Hierarchical Architecture Network

• Utilize communication to compare received GPS signals

• Proposed hybrid architecture network will overlay NASPInet

High-level Process Diagram

Typical Correlation Observed (Authentic)

Typical correlation (authentic): single peak above noise floor

Typical Correlation Observed (Spoofed)

Typical correlation (spoofed): no peak above noise floor

Pairwise Statistic for Cross-Checking

• Correlation result $P_{r_i r_j,k}$ between receivers $r_i$ and $r_j$ for PRN $k$:
− Authentic: $P_{r_i r_j,k} \sim p_0 = \mathcal{N}(\mu, \sigma^2)$ where $\mu > 0$
− Spoofed: $P_{r_i r_j,k} \sim p_1 = \mathcal{N}(0, \sigma^2)$
• Pairwise statistic $\gamma_{r_i r_j,k}$:
− Indicates amount of signal match for PRN $k$ between receivers $r_i$ and $r_j$
− Consists of 2 terms:
○ Thresholded correlation result: $P^{T}_{r_i r_j,k} = P_{r_i r_j,k}\,\mathbb{1}\{P_{r_i r_j,k} \geq \tau_{pair}\}$
○ Pairwise weight $w_{r_i r_j,k}$, accounts for signal quality, receiver reliability, etc.

$$\gamma_{r_i r_j,k} = w_{r_i r_j,k}\, P^{T}_{r_i r_j,k}$$
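The pairwise statistic above, worked through on simulated quadrature-channel snippets. This is an added example, not code from the presentation: the ±1 sequence standing in for the encrypted P(Y) code, the amplitude, noise level, weights and threshold are all constructed values, and the snippets are assumed to be already time-aligned.

```python
import random

def quadrature_snippet(rng, code, amp, n, sigma=1.0):
    """Quadrature-channel samples: hidden code scaled by amp, buried in noise.
    amp = 0 models a spoofed receiver, whose signal carries no P(Y) code."""
    return [amp * code[i] + rng.gauss(0.0, sigma) for i in range(n)]

def correlation(a, b):
    """Normalized correlation P between two time-aligned snippets."""
    return sum(x * y for x, y in zip(a, b)) / len(a)

def pairwise_statistic(a, b, weight, tau_pair):
    """gamma = w * P * 1[P >= tau_pair], the slide's pairwise statistic."""
    p = correlation(a, b)
    return weight * p if p >= tau_pair else 0.0

def run_demo(seed=7, n=20000, amp=0.5, tau_pair=0.125):
    """Constructed scenario: r1 and r2 authentic, r3 spoofed (all values made up)."""
    rng = random.Random(seed)
    # Stand-in for the encrypted P(Y) chips: a +/-1 sequence no receiver knows.
    code = [rng.choice((-1.0, 1.0)) for _ in range(n)]
    snippets = {
        "r1": quadrature_snippet(rng, code, amp, n),
        "r2": quadrature_snippet(rng, code, amp, n),
        "r3": quadrature_snippet(rng, code, 0.0, n),
    }
    # Assumed pairwise weights; the slides do not give numeric values.
    weights = {("r1", "r2"): 1.0, ("r1", "r3"): 0.8, ("r2", "r3"): 0.8}
    return {pair: pairwise_statistic(snippets[pair[0]], snippets[pair[1]], w, tau_pair)
            for pair, w in weights.items()}

if __name__ == "__main__":
    for pair, gamma in run_demo().items():
        print(pair, round(gamma, 3))
```

Only the authentic pair shares the hidden code, so its correlation sits near amp² while both pairs involving the spoofed receiver fall below the threshold and score zero.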

Authentication within Regional Network

Incorporate Representative Snippets

Data Required for Communication Protocol

Data items to be sent by each PMU:

− Raw GPS signal fragment

− Signal tracking parameters for each visible satellite PRN

○ Time of transmission start index

○ Doppler Frequency

○ Carrier phase

Communication Protocol Structure

• Data block: data for each authentication time
• Data Packet: ~1 KB of specific data with header information
• Data Frame: organizes data into segments, includes checksum

Segmented data structure allows for:
➢ Isolation of corrupted/missing data
➢ Optimized rate of data transfer and storage

Bandwidth Requirements

• Reducing communication bandwidth requirements:

− Raw GPS signal fragment sent from PMU devices to PDC

− Appropriate signal tracking parameters sent for processing

• Main factors affecting overall bandwidth:

− Signal fragment length (500 milliseconds)

− Sampling rate (2.5 MHz)

− Data sample resolution (8-bit samples)

− Tracking parameter resolution (32-bit samples)

− Number of visible satellite PRNs (about 6)

− Desired rate of authentication (assuming 1 per minute)

• Bandwidth computed: ~23 KB per second

• Fiber optic cable: ~10 GB per second ( < 0.001% bandwidth)

Evaluation of Spoofing Risk

[Diagram: evaluation of spoofing risk. Box labels: Historical data, Pseudorange residuals, SNR values, Clock residuals, Known position, Local oscillator, Bernoulli distribution, Chi-squared distribution, Empirical distribution, Weighted average, Spoofing risk. Quantities shown: $p(r_t \mid r_{t-1:t-W})$, $p(r_t \mid SNR_{1:N})$, $p(r_t \mid \Delta\rho_{1:N})$, $p(r_t \mid \Delta T)$, $p(r_t)$]

Optimization: Subset Selection

• For cross-checking:
− Utilizing all PMUs, quite computationally expensive
− Optimal subset of PMUs
• Cost function:

$$f(\Omega) = \sum_{i,j \in \Omega;\ i \neq j} g(i)\, g(j)\, h(i, j)$$

• $g(i)$ = 1 − spoofing risk ∗ comm. link ∗ security
• $h(i, j) = dist(i, j)$: Larger the separation, lesser likelihood of both spoofed
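The subset-selection function above, evaluated on a small made-up PMU layout. This is an added example, not the authors' algorithm: the site table is constructed, $g(i)$ is read as (1 − spoofing risk) × comm. link × security, the goal is assumed to be the subset that maximizes $f(\Omega)$, and the exhaustive search is only an illustration since the slides do not say how the subset is found.

```python
from itertools import combinations, permutations
from math import hypot

# Constructed PMU sites (not from the slides):
# name -> (x_km, y_km, spoofing_risk, comm_link, security), last three in [0, 1]
PMUS = {
    "A": (0.0, 0.0, 0.1, 1.0, 1.0),
    "B": (10.0, 0.0, 0.1, 1.0, 1.0),        # almost co-located with A
    "C": (1000.0, 0.0, 0.2, 1.0, 1.0),
    "D": (0.0, 1000.0, 0.2, 1.0, 1.0),
    "E": (1000.0, 1000.0, 0.9, 1.0, 1.0),   # well separated but high spoofing risk
}

def g(i):
    """Per-PMU term, read here as (1 - spoofing risk) * comm. link * security."""
    _, _, risk, link, security = PMUS[i]
    return (1.0 - risk) * link * security

def h(i, j):
    """Pairwise term: distance between the two PMUs, in km."""
    return hypot(PMUS[i][0] - PMUS[j][0], PMUS[i][1] - PMUS[j][1])

def f(subset):
    """f(Omega) = sum over ordered pairs i != j in Omega of g(i) g(j) h(i, j)."""
    return sum(g(i) * g(j) * h(i, j) for i, j in permutations(subset, 2))

def best_subset(k):
    """Exhaustive search for the size-k subset with the largest f (assumed goal)."""
    return max(combinations(PMUS, k), key=f)

if __name__ == "__main__":
    chosen = best_subset(3)
    print(chosen, round(f(chosen), 1))
```

The search passes over B, which adds almost no separation from A, and E, whose high spoofing risk outweighs its distance from the other sites.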

Experimental Setup

Recorded GPS signal during live-sky spoofing event

Sample rate: 2.5 MHz

Snippet length: 500 ms

Post-process: PyGNSS [10]

[Figures: Spoofing Data Collection Setup; Rooftop Antenna Setup]

[10] Wycoff & Gao, GPS World, 2015

Preliminary Threshold Determination

Threshold chosen to maximize authentic / spoofed conditional probabilities

Authentic: $\alpha = 27.2$, $c = 0.517$, $\beta = 1.82$, $l = 486$

Spoofed: $\alpha = 11.3$, $c = 0.370$, $\beta = 0.346$, $l = 0$

Generalized Gamma pdf:

$$f(x, \alpha, c, \beta, l) = \frac{c\, y^{c\alpha - 1} \exp(-y^{c})}{\gamma(\alpha)}, \qquad y = \beta\,(x - l)$$

Preliminary Statistics – Regional Networks

[Figure: preliminary statistics for regional networks. Plot labels: Spoofed, Authentic, Threshold]

Secondary Threshold Determination

Threshold chosen to maximize authentic / spoofed conditional probabilities

Authentic: $\alpha = 1.53$, $c = 1.74$, $\beta = 33.7$, $l = 20.0$

Spoofed: $\alpha = 1.18$, $c = 2.69$, $\beta = 5.80$, $l = 13.7$

Generalized Gamma pdf:

$$f(x, \alpha, c, \beta, l) = \frac{c\, y^{c\alpha - 1} \exp(-y^{c})}{\gamma(\alpha)}, \qquad y = \beta\,(x - l)$$

Final Statistic – Representative Snippets

• U.S. representative snippet matches that of South America
• Snippet at Western U.S. receiver (spoofed) has poor match

[Figure: final statistic for representative snippets. Plot labels: Threshold; Spoofed; Signal from Authentic Receivers]

Summary

• Proposed hybrid architecture to detect spoofing at each PMU
− Provides a defense against coordinated attacks on regional networks
− Uses regionally representative snippets to reduce bandwidth/processing
• Demonstrated algorithm successfully operates on wide-spread network during government-sponsored, real-world spoofing attack
− Detects signal manipulation on victim receiver
− Simultaneously authenticates other receivers in hybrid network

Acknowledgements

Special thanks to: Prof. Jade Morton and Mr. Steve Taylor for collecting data at the Peru, Chile, Colorado, and Ohio sites.

Additionally, thanks to our lab members: Craig Babiarz, Arthur Chu, Matthew Peretic, and Cara Yang for assisting with the experimental setup and data collection at the Illinois site and the Western U.S. spoofing location.

Thank You!

Tara Yasmin Mina
Electrical and Computer Engineering

Sriramya Bhamidipati
Aerospace Engineering