PMU Time Source Security

Similar documents
Robust GPS-Based Timing for Phasor Measurement Units

Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids

GPS cyber-security work

Spoofing GNSS Timing Receivers

Assessing the Civil GPS Spoofing Threat

Failure Diagnosis and Cyber Intrusion Detection in Transmission Protection System Assets Using Synchrophasor Data

Nimbra - communication platform for the SmartGRID

Cyber Security of Power Grids

WHITE PAPER. Eliminating GPS Dependency for Real-Time Wide-Area Syncrophasor Applications. White paper by Net Insight

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs

Denial of Service, Traceback and Anonymity

Evolution of Control for the Power Grid

University of Strathclyde

1 Descriptions of Function

Aranya Chakrabortty. North Carolina State University. Department of Electrical and Computer Engineering. March 23, 2017

GPS Spoofing Effect on Phase Angle Monitoring and Control in an RTDS-based Hardware-In-The-Loop Environment

Alarming and Operations of openpdc at ISO-NE

Synchrophasor Implementation Experience and Integration Challenges in Indian Grid

IEEE 1588/PTP: The Future of Time Synchronization in the Electric Power Industry

Synchrophasor Technology and Systems

University of Strathclyde

10X: Power System Technology 10 Years Ahead of Industry International Standards- Based Communications

Annual Industry Workshop March 27-29, Session Abstracts

Smart Grid Security Illinois

Cyber Security Analysis of State Estimators in Electric Power Systems

Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)

SCE WASAS Combined Disturbance Fault Recorder (DFR) and Phasor Measurement Unit (PMU) Specifications. Anthony Johnson

Integrated Smart Grid Performance Testing: NIST Research and SG Testbed

Vulnerability Assessment in Smart Grids. Jinyuan Stella Sun UTK Fall 2016

Phasor Technology Research Road Map to Improve Grid Reliability and Market Efficiency. Presented to TAC on April 5, 2005 and PAC on April 22, 2005

Applications of PTP in non-telecom networks. Anurag Gupta November 1 st -3 rd 2011, ITSF 2011

Chapter 2 State Estimation and Visualization

SPREE: A Spoofing Resistant GPS Receiver

Never replicate a successful experiment. -Fett's law.

CEER Cyber-Physical Testbeds (a generational leap)

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID

Global Synchronized Phasor Measurement Standards

Christos Papadopoulos

IN TODAY S power grid, phasor measurement

Bob Braden Alison Silverstein Dick Willson Dan Lutter

GPS Spoofing Susceptibility Testing

IP/MPLS PERFORMANCE AND PATH ANALYTICS FOR TELEPROTECTION IN POWER UTILITIES

Synchrophasor Data Communications Questionnaire. NASPI D&NMTT October Co-chairs Jim McNierney NYISO Dan Brancaccio Bridge Energy Group

Toward Open Source Intrusion Tolerant SCADA. Trevor Aron JR Charles Akshay Srivatsan Mentor: Marco Platania

Sleep/Wake Aware Local Monitoring (SLAM)

Distributed Agent-Based Intrusion Detection for the Smart Grid

Synchrophasor Project Updates

Smart Grid Implementation Lessons Learned

9 th Electricity Conference at CMU

The Virginia Tech Phasor Data Concentrator Analysis & Testing System

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Cutting the Cord: A Robust Wireless Facilities Network for Data Centers

Implementation of phasor measurement technology at Eskom

Luca Schenato Workshop on cooperative multi agent systems Pisa, 6/12/2007

Ad hoc and Sensor Networks Time Synchronization

Optimizing IP Networks for Acquisition. Presented by Henry Quintana, Director of Solutions TVU Networks

CSC 774 Advanced Network Security

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Improving data quality in PSE&G s synchrophasor network PING YE PHD PSE&G ZACHARY HARDING PSE&G (IBRIDGE)

Cyber Threat Assessment and Mitigation for Power Grids Lloyd Wihl Director, Application Engineering Scalable Network Technologies

The Timed Asynchronous Distributed System Model By Flaviu Cristian and Christof Fetzer

SEE Tolerant Self-Calibrating Simple Fractional-N PLL

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Time Synchronization and Logical Clocks

1588v2 Performance Validation for Mobile Backhaul May Executive Summary. Case Study

Tales from the Base Station to the Substation. Delivering Phase ITSF 2013

Critical networking using mesh Wi-SUN technology Dr Simon Dunkley

WEI Conference SDG&E TCRI Project April 25, 2018 Mark Fowler, CISSP

Wireless Sensor Networks: Clustering, Routing, Localization, Time Synchronization

14th ANNUAL WORKSHOP 2018 A NEW APPROACH TO SWITCHING NETWORK IMPLEMENTATION. Harold E. Cook. Director of Software Engineering Lightfleet Corporation

Network Protocols What is a stateless Network Protocol?

Importance of Interoperability in High Speed Seamless Redundancy (HSR) Communication Networks

Avnu Alliance Introduction

2012 EMS User's Group. MISO Synchrophasor Project

Exposing vulnerabilities in electric power grids: An experimental approach

Features. HDX WAN optimization. QoS

Managing Data Center Interconnect Performance for Disaster Recovery

Cutting the Cord: A Robust Wireless Facilities Network for Data Centers

NASPI Reliability Coordinator Data Quality Survey Summary. Alison Silverstein NASPI Project Manager March 21, 2016

The Modern Manufacturer s Guide to. Industrial Wireless Cisco and/or its affiliates. All rights reserved.

Toward Intrusion Tolerant Cloud Infrastructure

Metrology and Tools for Interoperability Testing of Precision Time Protocol (PTP) in Power Systems Communication Networks

Toward Intrusion Tolerant Clouds

Application of Monitoring Standards for enhancing Energy System Security

SEVONE DATA APPLIANCE FOR EUE

Time Synchronization and Logical Clocks

Perry. Lakeshore. Avon. Eastlake

Improving Mobile Backhaul Network Reliability with Carrier-Class IEEE 1588 (PTP) WHITE PAPER

FLIGHT TERMINATION COMMAND AUTHENTICATION USING BLOCK ENCRYPTION

WP 14 and Timing Sync

Authors: Mark Handley, Vern Paxson, Christian Kreibich

OTSDN What is it? Does it help?

UNIVERSITY OF CENTRAL FLORIDA DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE HEC 406 NANO/MEMS LABORATORY

Specifications for the Power Grid Simulator

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

ERCOT Synchrophasor Data Quality Study

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

Iowa State University

ELEC 691X/498X Broadcast Signal Transmission Winter 2018

Transcription:

PMU Time Source Security Erich Heine <eheine@illinois.edu> Information Trust Institute Authors: Erich Heine, Tim Yardley, Dr. Alejandro Dominguez-Garcia, Daniel Chen 1

Overview PMU time synchronization and it s vulnerabilities TCIPG work in: GPS spoofing Bad Data Detection for PMU Measurements Testbed tools for understanding time attacks Future directions and concerns on this topic 2

Background: PMU Synchronized Data PMUs report data at time t 0 Data delivered to dependent systems PMUs send data via IP network to PDC PDC sends collated (time aligned) data to other systems Time synchronized data used in: Wide Area Monitoring Systems System Visualization Enhanced State Estimation Event analysis 3

Time Synchronization Considerations Data delivery over IP networks takes a non-deterministic amount of time Time alignment must happen somewhere (usually PDC) Necessitates a data arrival window (t w ) Late data is dropped or only used in historical contexts (e.g. post event analysis) Clock accuracy considerations Real world means tolerances, in the case of PMUs +/- 1us Synchronized accurate clocks are expensive so use a common external source 4

Background: Consequences Inaccurate Time A PMU reports data based on its understanding of the time Inaccurate time on a single PMU will result in: Incorrect point on wave values Incorrect computed relationships between point in the system Data discrepancies which are difficult to trace Broader consequences can include: False alarms to operators Incorrect control actions Slower event response times 5

Attack Surface Analysis Can a time source be compromised? Yes: GPS spoofing Network attacks spoofing or breaking time daemons What constraints does a time attack have? (How much can my clock be offset without detection via side-effect?) Maximum window defined by: (t 0 + t w ) t d (t d is the time it takes most packets to transit PMU->PDC) Time must not offset reported values past target system sanity check thresholds. 6

Attack Surface Analysis Cont. d What protections already exist? Most time protocols have provisions for sudden time changes (PMUs may or may not report this) Some spoofing may be catchable with advanced error correction in receivers Advanced network monitoring may catch packets from a PMU being consistently late as an odd network latency Overall assessment: potentially exploitable vulnerabilities exist. 7

TCIPG Work to Address This Overview of TCIPG work on Time Source Security GPS spoofing Bad Data Detection for PMU Measurements Testbed tools for studying and understanding Time Source Security Work with industry towards a more resilient timesynchronization framework. 8

GPS Spoofing Researchers Dr. Alejandro Dominguez-Garcia Xichen Jiang Brian Harding Dr. Jonathan Makela Summary: It is possible to spoof GPS signals such that receivers report a nearly correct position but incorrect time. 9

How GPS works: GPS Spoofing Cont. d Receiver monitors signals broadcast from n >= 4 satellites Signals contain: Time information Satellite location and motion information (known as: ephemerides) Receivers compute time and location: Comparing satellite location and transmission time against an internal reference clock Iterating over the n signals to account for reference clock biases and errors 10

GPS Spoofing Cont. d The attack: Broadcast a GPS signal from a spoofing device Gradually overpower GPS signals Receiver locks to spoofed signal rather than the satellite being spoofed Signal modifications Changes to ephemerides Must be within a defined range Must result in receiver calculated location within a bound Chosen to maximize offset used to correct for receiver reference clock bias. 11

GPS Spoofing cont d Experiments Attack simulated in Matlab Small ephemerides change bounds to prevent detection* 15m bound on computed location. Results: Able to achieve a maximum 52 phase shift in a particular PMU with 4 satellites visible, ephemerides bound to within 2% of original values, and receiver computing a location within 15m of previously computed location. 12

GPS spoofing countermeasures and mitigation Receivers instrumented to handle sudden changes to ephemerides data Multiple antenna setups to verify signal angle of arrival Comparison of ephemerides data against external source (e.g. the internet) Extra signal processing to search for the original signal as well as the spoofed signal. 13

GPS Spoofing related and future work TCIPG researchers implementing spoofing algorithm using a commercial GPS spoofing device for testing real receivers UT-Austin researchers have been testing GPS receivers and PMUs against various GPS spoofing attacks 14

Bad Data Detection for PMU Measurements Researchers Daniel Chen Jiangmeng Zhang Dr. Zbigniew Kalbarczyk Summary Using data available from SCADA systems and other PMUs, straightforward detection of bad angles from PMUs is demonstrable. 15

Bad Data Detection for PMU Measurements cont. d Problem description A PMU is reporting an incorrect (bad) angle, potentially as a result from a time source attack SCADA measurements not affected Assume time source attacks can only be carried out against a subset of measurements Targeted GPS spoofing Time server for a single substation or utility 16

Bad Data Detection for PMU Measurements Cont. d Approach Use available redundant data from Other PMUs SCADA system Use traditional state estimation to provide a baseline estimated angle Use the baseline and gathered measurements in a chisquared test to determine bad or potentially bad data points 17

Bad Data Detection for PMU Measurements Cont. d Experimental Setup in TCIPG testbed RTDS simulation Provided SCADA values Drove PMUs Inline angle data modifier Custom adaptor for OpenPDC to modify one PMU s reported angle as in a time source attack Implementation of State-estimation and Chi-squared detection algorithm 18

Bad Data Detection for PMU Measurements Cont. d Results Able to detect bad measurement and identify offending PMU Use of the testbed helped rapidly iterate algorithm improvements, find bugs, etc. Hardware in the loop allows us to extend this form of experimentation to real devices experiencing real spoofing (future work) 19

Testbed Tools for Time Source Security Researchers Erich Heine Nathan Edwards Jeremy Jones Tim Yardley Dr. Alejandro Dominguez-Garcia Summary Direct testing the effects of time source spoofing can cause problems so create tools and devices to emulate it. 20

Overview Testbed Tools for Time Source Security Direct GPS spoofing outside of an isolated room is can affect legitimate devices and cause problems Fully emulated or isolated time source environments are expensive and difficult to properly calibrate Emulated or simulated PMU streams don t allow for device testing or easy verification 21

Approach Testbed Tools for Time Source Security Create devices and software to modify legitimate inputs to real time sources. Focus on techniques that modify signals on wires rather than broadcast radio signals Flexible use tools for broad range of experimental setup and reusability 22

Testbed Tools for Time Source Security Example: GPS spoofing Uses a relatively inexpensive GPS signal spoofer Output feeds directly into antenna feed of GPS clock Implements the GPS spoofing work outlined above Multiple GPS clocks in the TCIPG lab allow for some spoofed some un-spoofed signals. 23

Testbed Tools for Time Source Security Example: IRIG-B signal delay IRIG-B is a simple 1KHz amplitude modulated digital signal. Time synch comes from PPS over phase locked loop Signal from clock delayed by a series of op-amp phase shifters Delay controllable by interfacing a computer to the board and digital potentiometers. 24

Future Directions for TCIPG Detection of time source attacks Further testbed integration of tools Investigation of secure time source techniques Integrate research to improve time synchronization for a more resilient power grid. 25

26 Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback