Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks D. P. Shepard, J. A. Bhatti, T. E. Humphreys, The University of Texas at.

Slides:



Advertisements
Similar presentations
International Civil Aviation Organization
Advertisements

1 The Distributed Measurement Systems: a New Challenge for the Metrologists by Alessandro Ferrero and Roberto Ottoboni Politecnico di Milano – Dipartimento.
Modern Navigation Thomas Herring MW 11:00-12:30 Room A
Dead Reckoning Objectives – –Understand what is meant by the term dead reckoning. –Realize the two major components of a dead reckoning protocol. –Be capable.
Long RAnge Navigation version C
Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.
Protecting Civil GPS Receivers
GPS Spoofing & Implications for Telecom Kyle Wesson The University of Texas at Austin Sprint Synchronization Conference | September 18, 2013.
ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.
Frankfurt (Germany), 6-9 June 2011 Douglas Wilson Psymetrix Ltd, UK Douglas Wilson Psymetrix Ltd, UK D. Wilson – UK – Session 4 – Paper ID 0497 Connection.
Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.
Millimeter-accurate Augmented Reality enabled by Carrier-Phase Differential GPS Ken Pesyna, Daniel Shepard, Todd Humphreys ION GNSS 2012 Conference, Nashville,
STRIDE Introduction Increasing use for PNT applications:  Positioning  Navigation  Timing.
Imbedded SSR Mode-S Logic Control Unit University of Stellenbosch Department of Electrical & Electronic Engineering K. Gastrow 4 December 2009.
Ohio University Russ College of Engineering and Technology School of Electrical Engineering and Computer Science Avionics Engineering Center Ranjeet Shetty.
Team Dec13_11: Cole Hoven Jared Pixley Derek Reiser Rick Sutton Adviser/Client: Prof. Manimaran Govindarasu Graduate Assistant: Aditya Ashok PowerCyber.
Introduction to Phasor Measurements Units (PMUs)
Protection Values for VOR-Defined ATS Routes
Volkan Cevher, Marco F. Duarte, and Richard G. Baraniuk European Signal Processing Conference 2008.
Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.
GTECH 201 Session 08 GPS.
Direction Finding Positioning for
Per R. Bodin Global Posision System GPS. Per R. Bodin Litt historie 1960: nasA & DoD are Interested in developing a satellite based position system with.
UAV Integration: Privacy and Security Hurdles Todd Humphreys | Aerospace Engineering The University of Texas at Austin Royal Institute of Navigation UAV.
Characterization of Receiver Response to a Spoofing Attack Daniel Shepard DHS visit to UT Radionavigation Lab 3/10/2011.
Greenbench: A Benchmark for Observing Power Grid Vulnerability Under Data-Centric Threats Mingkui Wei, Wenye Wang Department of Electrical and Computer.
Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.
D D L ynamic aboratory esign 5-Nov-04Group Meeting Accelerometer Based Handwheel State Estimation For Force Feedback in Steer-By-Wire Vehicles Joshua P.
Kyle Wesson, Mark Rothlisberger, and Todd Humphreys
Advanced Phasor Measurement Units for the Real-Time Monitoring
How Global Positioning Devices (GPS) work
ElectroScience Lab IGARSS 2011 Vancouver Jul 26th, 2011 Chun-Sik Chae and Joel T. Johnson ElectroScience Laboratory Department of Electrical and Computer.
Academic Experience with Wide Area Sensors by Virgilio Centeno Virginia Tech PSC, Distributed Generation, Advanced Metering and Communications March 9,
Department of Computer Science and Electrical Engineering GNSS Research Group – EIS Laboratory GNSS Bistatic Radar September 14, 2006 Tore Lindgren, Dennis.
APT: Accurate Outdoor Pedestrian Tracking with Smartphones TsungYun
Synchrophasor: Implementation,Testing & Operational Experience
1 SMART ANTENNAS FOR WIRELESS COMMUNICATIONS JACK H. WINTERS AT&T Labs - Research Red Bank, NJ September 9, 1999.
Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 3.
Lessons Learned from the Texas Synchrophasor Network by Presented at the North American Synchrophasor Initiative (NASPI) Meeting Toronto, Ontario Thursday,
VISUALIZATION WHY WE NEED SYNCHROPHASOR TECHNOLOGY IN OPERATIONS John Ballance – EPG Presented to ERCOT Phasor Technology Workshop – November 16, 2012.
1 S ystems Analysis Laboratory Helsinki University of Technology Kai Virtanen, Raimo P. Hämäläinen and Ville Mattila Systems Analysis Laboratory Helsinki.
Modern Navigation Thomas Herring MW 11:00-12:30 Room A
Different options for the assimilation of GPS Radio Occultation data within GSI Lidia Cucurull NOAA/NWS/NCEP/EMC GSI workshop, Boulder CO, 28 June 2011.
10/7/ Innovative Solutions International Satellite Navigation Division ION NTM 01 Capabilities of the WAAS and EGNOS For Time Transfer SBAS, an Alternate.
Antenna Techniques to Optimize Pseudorange Measurements for Ground Based Ranging Sources Jeff Dickman Ohio University Avionics Engineering Center The 29.
An Evaluation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing Kyle Wesson, Daniel Shepard, Jahshan Bhatti, and Todd Humphreys Presentation.
Riding out the Rough Spots: Scintillation-Robust GNSS Carrier Tracking Dr. Todd E. Humphreys Radionavigation Laboratory University of Texas at Austin.
Complete Pose Determination for Low Altitude Unmanned Aerial Vehicle Using Stereo Vision Luke K. Wang, Shan-Chih Hsieh, Eden C.-W. Hsueh 1 Fei-Bin Hsaio.
By Andrew Y.T. Kudowor, Ph.D. Lecture Presented at San Jacinto College.
Location Estimation in Ad-Hoc Networks with Directional Antennas N. Malhotra M. Krasniewski C. Yang S. Bagchi W. Chappell 5th IEEE International Conference.
Jake Forsberg An environment for research and automation system development.
Power PMAC Tuning Tool Overview. Power PMAC Servo Structure Versatile, Allows complex servo algorithms be implemented Allows 2 degree of freedom control.
GPS: Everything you wanted to know, but were afraid to ask Andria Bilich National Geodetic Survey.
Characterization of Receiver Response to a Spoofing Attack
A Trust Based Distributed Kalman Filtering Approach for Mode Estimation in Power Systems Tao Jiang, Ion Matei and John S. Baras Institute for Systems Research.
Global Positioning System Overview
Performance of Adaptive Beam Nulling in Multihop Ad Hoc Networks Under Jamming Suman Bhunia, Vahid Behzadan, Paulo Alexandre Regis, Shamik Sengupta.
GPS Spoofing Detection System Mark Psiaki & Brady O’Hanlon, Cornell Univ., Todd Humphreys & Jahshan Bhatti, Univ. of Texas at Austin Abstract: A real-time.
Roshene McCool SKADS Workshop 2007 DS3 – T1 Network Infrastructure and Data Transmission Roshene McCool Simon Garrington University of Manchester.
Secure Civil Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin MITRE | July 20, 2012.
Characterization of Receiver Response to a Spoofing Attack Daniel Shepard Honors Thesis Symposium 4/21/2011.
Doc.: IEEE /0632r0 Submission May 2015 Intel CorporationSlide 1 Experimental Measurements for Short Range LOS SU-MIMO Date: Authors:
Navy GPS GPS Users Conference 02 November 2000 LCDR Drew Williams SSC-SD, Code D315 GPS Division GPS Vulnerability.
Secure positioning in Wireless Networks Srdjan Capkun, Jean-Pierre Hubaux IEEE Journal on Selected area in Communication Jeon, Seung.
Protection of Power Systems
SEMINAR PRESENATATION ON WIDEAREA BLACKOUT (AN ELECTRICAL DISASTER) BY:Madhusmita Mohanty Electrical Engineering 7TH Semester Regd No
The Global Positioning System
Utility Applications of TSN
Bistatic Systems: Preparing for Multistatic
Counter-UAV Challenges: Is GNSS Spoofing Effective?
Presentation transcript:

Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks D. P. Shepard, J. A. Bhatti, T. E. Humphreys, The University of Texas at Austin A. A. Fansler, Northrop Grumman Information Systems ION GNSS Conference, Nashville, TN | September 21, 2012

Outline GPS Spoofing Attack Spoofing Exercises – PMUs – Civilian UAV

Civil GPS Spoofing Goal: influence a specific GPS receiver’s Position-Velocity- Time (PVT) solution The proximity spoofing attack looks like this The spoofer was recently modified to allow spoofing at a distance

University of Texas Spoofing Testbed

PMU Spoofing Exercise Goals Demonstrate that the IEEE C Standard “Synchrophasors for Power Systems” can be broken by a spoofer – Defines required accuracy as <1% Total Vector Error (TVE), where – Violated once the timing has been altered by 26.5 µs (0.573 o phase angle error) Show that spoofing can affect PMU-based control schemes

PMU Spoofing Exercise Setup

PMU Spoofing Exercise Results Phase angle difference should nominally be 0, since the PMUs were in the same room Points 1-5 on the plot indicate benchmarks in the test The phase angle difference is greater than 70 degrees after half an hour

Test Results (cont.)  Point 1: Start of the test shows time and phase alignment between PMUs  Left plot shows Pulse-Per-Second output from receivers with the reference in yellow  Right plot shows phase angle from the PMUs with the reference in red

Test Results (cont.)  Point 2: 620 seconds into the test  2 µs time offset has been introduced  Receiver is considered fully captured at this point  Spoofer-induced time rate begins accelerating

Test Results (cont.)  Point 3: 680 seconds into the test  Spoofer has broken the IEEE C Standard  A 26.5 µs timing offset and a degree phase angle offset have been introduced

Test Results (cont.)  Point 4: 870 seconds into the test  A 400 µs timing offset and a 10 degree phase angle offset have been introduced  Spoofer has reached final induced time rate of 1000 m/s (i.e µs/s)

Test Results (cont.)  Point 5: 1370 seconds into the test  A 2 ms timing offset and a 45 degree phase angle offset have been introduced  Spoofed signals removed  The receiver’s time offset continued to increase anyways

Smart Grid Vulnerability Conclusions A spoofing attack can cause PMUs to violate the IEEE C Standard Large phase angle offsets can be induced in a matter of minutes (>10 degrees) These effects can have significant impacts on PMU-based power grid control systems PMUs were created to help prevent blackout events, but spoofing could make them the cause

Civilian UAV Spoofing Exercise Motivation Iranian claims of UAV capture – Possible jamming of communications link and/or military GPS signals could allow UAV capture through civilian GPS spoofing. FAA Modernization and Reform Act of 2012 – Requires the government to develop a plan to safely accelerate the integration of civil UAVs into the national airspace by 9/30/2015.

WSMR Test Setup

Internet or LAN Receive AntennaExternal Reference Clock Control Computer GPS Spoofer UAV coordinates from tracking system Transmit Antenna Spoofed Signals as a “Virtual Tractor Beam” Target UAV Commandeering a UAV via GPS Spoofing

Time Alignment Before Spoofing Attack

Time Alignment During Spoofing Attack

UAV Video

Surprises RAIM was helpful for spoofing: we couldn’t spoof all signals seen by UAV due to our reference antenna placement, but the Hornet Mini’s uBlox receiver rejected observables from authentic signals, presumably via RAIM Overwhelming power is required for clean capture: A gradual takeover leads to large ( m) multipath- type errors as the authentic and counterfeit signals interact The UAV’s heavy reliance on altimeter for vertical position was easily overcome by a large vertical GPS velocity

Surprises Not possible even to station keep with a captured UAV based on visual position estimates: GPS capture breaks flight controller’s feedback loop; now spoofer must play the role formerly assumed by GPS. Implication: An accurate radar or LIDAR system would be required for fine “control” of UAV via spoofing Compensating for all system and geometric delays to achieve meter-level alignment is challenging but quite possible

radionavlab.ae.utexas.edu

Civil GPS Spoofing A discrete spoofing attack typically involves four phases: 1)Alignment of the authentic and spoofed GPS signals at the target receiver 2)Increase the power of the spoofed signals above the authentic 3)Move the spoofed signals slowly away from the authentic signals 4)Once the spoofed and authentic signals no longer interfere, the spoofer has complete control of the target receiver’s PVT solution Spoofer-imposed dynamics are limited only by the bandwidth of the target receiver’s tracking loops and it’s quality indicators No receiver we’ve tested has ever successfully defended against this type of attack

Implications of Results PMUs are being pushed for both automated and human-in-the-loop power grid control Currently operational system in Mexico using automated PMU-based control on the Chicoasen-Angostura transmission line: – Connects large hydroelectric generators to large loads – kV lines and kV line – Protects against generator instability during double fault by shutting down generators if phase angle difference exceeds 10 degrees Spoofing could this system to falsely trip in a matter of minutes

Implications of Results Implications could extend beyond shutting down a single transmission line or generator Illustrated by the 2003 Northeast Blackout, which begun with the tripping of a single transmission line As interconnectivity and complexity of the power grid increase, the risk of massive blackouts due to inappropriate control actions increases PMUs were created to help prevent these events, but spoofing could make them the cause