Spoofing of Electrical Power Grid: It�s Easier Than You Think

Abstract

Potential threat for GPS spoofing is as old as GPS itself. Numerous studies are dedicated to the impact of GPS receiver’s spoofing as well as on the ideas of how to protect them. Spoofing is no longer a special exotic case that needs dedicated and expensive equipment. In fact, with the advancement of software-defined radio (SDR) and the proliferation of the open-source software in the field of GPS, spoofing can be performed with little knowledge of GPS and by using inexpensive equipment. The goal of this paper is to bring the spoofing problem to the GNSS community’s attention once again because many GPS receivers that play a key role in time measurements are still unprotected. This paper will describe a potential threat to the electrical power grid by simulating a spoofing attack on an emerging technology – Phasor Measurement Unit (PMU). A PMU’s primary function is to measure the magnitude and phase of voltages and currents at key positions on the power grid, such as electrical substations and grid interconnections. The measurements are timestamped using synchronization signals obtained from GNSS clock receivers and are then transmitted via a communication network to servers, which aggregate the data based on their timestamps. This form of data commonly referred to as synchrophasors, is currently used to provide near-real-time monitoring and situational awareness to operators across a wide-area power system. Synchrophasors are also used to record and observe events occurring on the grid and have become an important tool in post-fault analysis. The motivation for this technology originated primarily from the North American blackout of 2003, which was deemed caused by a lack of situational awareness. While PMUs and synchrophasors are currently primarily used for power system monitoring, protection and control applications are being researched and may be implemented in the future. Such applications would make PMUs and synchrophasor systems critical assets within the power grid, and, due to their temporally-precise nature, GNSS vulnerabilities cannot be ignored. In this paper, an experiment is presented where a commercially available GPS receiver is spoofed, causing time synchronization to be offset by several milliseconds. This event generates erroneous synchrophasor measurements, which can potentially impact the operation of the power grid. For this experiment, we’ll use only low cost, off-the-shelf equipment available on the market: 1) laptop, 2) software-defined radio ‘BladeRF’ from Nuand and 3) low-cost GPSDO. The cost of the hardware setup is expected to be under 3000$. The software-defined GPS simulator from Skydel is used to generate the spoofing GPS signal. For the purpose of this paper, the timing receiver will be spoofed when operating with real GPS signal. The GPSDO kit supplies 1PPS and 10MHz clock to synchronize the BladeRF with the live-sky GPS signal. Also, the NMEA message is used to align the simulator start time with UTC time. The SDX simulator will control the timing offset and the simulated signal power to take control of the timing receiver. To avoid the radiation outside the setup, the simulated signal is combined with the live signal from the PMU’s GPS antenna prior to the timing receiver’s antenna input. We assume that mixing the spoofing signal in this way is equivalent to radiated approach, as there is no spatial diversity used in the timing receiver in the PMU. The power system is simulated using HYPERSIM on an OPAL-RT Technologies real-time digital simulator. The OPAL-RT system is capable of simulating large-scale and detailed electrical networks in real time at frequencies ranging between 20-50kHz. This range of frequencies allows for the electromagnetic phenomena within a power system to be simulated with high fidelity. In this paper, voltage and current signals generated within the simulator are then passed via analog outputs to two commercially available PMUs. The PMUs stream synchrophasor data via the C37.118 protocol back to the simulator, which employs a hypothetical phasor-based differential protection scheme. With this setup, it is demonstrated that the GPS spoofing of one of the PMU’s receivers can cause this protection algorithm to falsely operate. The results show that existing technology under spoofing attacks can misoperate. Thus, it is important for the power industry to consider GNSS vulnerabilities in their assessment and implementation of synchrophasor technologies. Furthermore, countermeasures to prevent such behaviours must be developed and tested within a realistic environment. This paper demonstrates how two effective and cost-efficient real-time simulation technologies can be used to perform such tests.