Surviving and Operating Through GPS Denial and Deception Attack. Nathan Shults Kiewit Engineering Group Aaron Fansler AMPEX Intelligent Systems


How GPS Works
- GPS satellite sends exact time (~3 nanoseconds) and 3D location
- GPS receiver computes your location from multiple satellite signals
- 1 nanosecond time error roughly equals 12 inches distance error
- Ranging from the time and location of the satellite allows:
  - Three satellites locate you on the Earth's surface and another point
  - Fourth satellite gives your location; all additional satellites refine your position

GPS Jamming
- Power of GPS signal received on Earth is measured in femtowatts, ~ -155 dBW
http://www.jammerfromchina.com/products/3_antenna_portable_gps_and_mobile_phone_multi-functional_jammer.html

GPS Jamming
- FCC Fines GPS Jammer Operator $31,875, Affected Newark Airport (August 2013)
- On August 4, 2012, the FCC identified a pickup truck emanating harmful interference to Newark Airport
- Jamming purpose by driver: intentional misguided privacy to derive personal gain from blocking his employer's tracking scheme
- Inside GNSS: Newark Airport experiences ~five interference events from personal privacy devices each day from vehicles travelling on the nearby turnpike
- Simple: Overpowering of GPS receiver is simple
- Loss of GPS causes time for GPS receivers

Greater Danger - Spoofing
- 22 ships affected by GPS spoofing attack in Russian port of Novorossiysk (JUN2017)
- GPS position off by 32+ kilometres inland
- GPS system reported position "Safe within 100m"
- 32000m position error = ~100 milliseconds
- What effect would 100 milliseconds cause?
- What about 48+/- hours and 100 milliseconds?

DHS Assessment at MUTC
- Event held April 17-21, 2017 at the Muscatatuck Urban Training Center (MUTC) in Butlerville, Indiana
- Provided industry an opportunity to test GPS equipment in unique live-sky environments
- DHS S&T created live-sky test scenarios focused on spoofed GPS signals
- DHS plans to conduct more tests in the future

Operating Through Disruptions
#1 --- Reliable local time source built into GPS receiver
- Purchase oscillator clock backup timing source
- Set alarms for time variances on reporting arrival
- Configure alarms where available in GPS receiver for location shifts
#2 --- Utilize secondary timing source, less optimal
- Computer network timing
- Cell phone towers
- Dual / multi-GNSS systems (GLONASS, Galileo, etc.)
#3 --- Protect your antenna from ground-based interference; custom solution can be the cheapest
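The two alarms in item #1 (time variance against a backup oscillator, and location shift at a fixed antenna) can be expressed as the checks below. This is an added example, not part of the original briefing: the oscillator drift, noise and position limits, the 60 Hz grid frequency, the site coordinates and the sample fixes are all assumptions or constructed values, and the 0.573 degree figure is the phase-angle limit the deck quotes in its Phase-I results.

```python
import math
from dataclasses import dataclass

NOMINAL_HZ = 60.0        # assumption: 60 Hz grid
PHASE_LIMIT_DEG = 0.573  # phase-angle limit quoted in the deck's Phase-I results

def phase_error_deg(time_error_s, freq_hz=NOMINAL_HZ):
    """Phase-angle error produced by a timestamp error at the given frequency."""
    return 360.0 * freq_hz * time_error_s

def shift_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance; adequate for the short shifts of a fixed antenna."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    return 6_371_000.0 * math.hypot(x, math.radians(lat2 - lat1))

@dataclass
class Fix:
    t: float         # seconds on the local oscillator's timebase
    offset_s: float  # GPS 1PPS minus oscillator 1PPS
    lat: float
    lon: float

def check(fixes, surveyed, drift=1e-9, noise_s=100e-9, pos_limit_m=50.0):
    """Compare each fix with the first (assumed trusted) one.
    Returns (t, kind, value): degrees of phase error for TIME, metres for POSITION."""
    base, alarms = fixes[0], []
    for f in fixes[1:]:
        step = abs(f.offset_s - base.offset_s)
        # The oscillator alone can explain only noise plus accumulated drift.
        if step > noise_s + drift * (f.t - base.t):
            alarms.append((f.t, "TIME", phase_error_deg(step)))
        moved = shift_m(surveyed[0], surveyed[1], f.lat, f.lon)
        if moved > pos_limit_m:
            alarms.append((f.t, "POSITION", moved))
    return alarms

# Constructed samples: a receiver pulled off slowly over 20 minutes.
SITE = (40.0, -95.0)  # made-up surveyed antenna position
SAMPLES = [
    Fix(0, 20e-9, 40.0, -95.0),
    Fix(300, 40e-9, 40.0, -95.0),
    Fix(600, 5e-6, 40.0, -95.0),
    Fix(900, 15e-6, 40.0, -95.0),
    Fix(1200, 30e-6, 40.001, -95.0),
]

if __name__ == "__main__":
    for t, kind, value in check(SAMPLES, SITE):
        print(f"t={t:>5}s {kind:<8} {value:.3f}")
```

With these samples the time alarm fires at 600 s, while the induced phase error is still below the 0.573 degree limit, which is the margin a holdover oscillator buys.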

AMPEX INTELLIGENT SYSTEMS
Cyber Security Solutions Overview
This Briefing is Proprietary and Competition Sensitive
January 2017

Overview
The generation, transmission, and distribution of electric power make the power grid the most critical of critical infrastructure in the United States. Past real-world events and numerous government demonstrations have shown just how vulnerable the electric power infrastructure can be, not only to natural disasters but, more importantly, to malicious cyber activity, which is on the rise. In the past, the consequences of power disruption were annoyance and some economic cost; future disruptions resulting from intentional malicious activity could cascade into crippling failures. With the transition to smart grid technologies and a unified synchronized grid, the potential for catastrophic cascading failures increases if proper control measures are not implemented. Time-synchronized measurements are changing the way electric power systems are controlled to protect against these events. Phasor measurement units (PMUs) have recently emerged as one technology which has the potential to one day anticipate failures, making it possible to take remedial actions before failures spread across the network.

What are Synchrophasors
- Precise grid measurements now available from monitors called phasor measurement units (PMUs)
- Measurements are taken at high speed (~30 observations per second compared to one every 4 seconds using conventional SCADA)
- Measurements time-stamped according to a common time reference such as GPS
- Time stamping allows synchrophasors from different utilities to be time-aligned (or "synchronized").
- Allows direct measurement of relative phase angles from different parts of the grid
- Enable a better indication of grid stress, and can be used to trigger corrective actions to maintain reliability.
- Current grid technology, SCADA/State Estimator >>> X-Ray
- Future smart grid, Phasor Technology >>> MRI

Where They Are in the U.S.
20-Mar-2015 Commercial-in-Confidence

Not a Threat Yet
- U.S. grid is not under PMU automated control
- Other countries are
  - Today, the Indian power system is one of the largest synchronous grids in the world
  - Italy takes the next step towards the European Supergrid
- In a future scenario where PMU data play a significant role in power system operations, an attacker might disturb or bring down a system by attacking the GPS receivers attached to PMUs
- Can it be done?

Issues
- Even without being jammed or spoofed, a GPS receiver does not always yield correct position and time solutions due to accidental receiver malfunctions
- A variety of countermeasures have been proposed to enhance civil GPS receivers' robustness against jamming and spoofing attacks and accidental receiver errors:
  - external assistance
  - signal features
  - redundant measurements
  - encryption
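The "redundant measurements" countermeasure, combined with the secondary timing sources listed under Operating Through Disruptions, amounts to checking whether independent sources agree. The following is an added example, not from the briefing: it uses Marzullo's interval-intersection algorithm (a variant of which NTP uses to select sources), and the source names, offsets and uncertainties are constructed.

```python
def marzullo(intervals):
    """Return (lo, hi, n): the region covered by the largest number n of intervals."""
    edges = []
    for lo, hi in intervals.values():
        edges += [(lo, 0), (hi, 1)]  # at equal values a start (0) sorts before an end (1)
    edges.sort()
    best = count = 0
    best_lo = best_hi = None
    for i, (x, kind) in enumerate(edges):
        if kind == 0:
            count += 1
            if count > best:
                # An overlap of `count` intervals lasts until the next edge.
                best, best_lo, best_hi = count, x, edges[i + 1][0]
        else:
            count -= 1
    return best_lo, best_hi, best

def falsetickers(sources):
    """sources: {name: (offset_s, uncertainty_s)}, each measured against the local
    oscillator. Returns (agreeing_count, names whose interval misses the consensus)."""
    intervals = {n: (o - u, o + u) for n, (o, u) in sources.items()}
    lo, hi, n = marzullo(intervals)
    if n <= len(sources) / 2:
        raise ValueError("no majority of sources agree; hold over on the oscillator")
    bad = sorted(name for name, (a, b) in intervals.items() if b < lo or a > hi)
    return n, bad

# Constructed readings: GPS L1 time has been pulled 30 microseconds away while the
# other constellations and the (much coarser) network time still agree.
SOURCES = {
    "gps_l1":  (30e-6,   0.2e-6),
    "glonass": (0.1e-6,  0.3e-6),
    "galileo": (-0.05e-6, 0.2e-6),
    "ntp":     (200e-6,  2e-3),
}

if __name__ == "__main__":
    agreeing, bad = falsetickers(SOURCES)
    print(f"{agreeing} sources agree; rejected: {bad}")
```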

Initial Test Environment - Baseline
[Diagram: HMI, Control Center, Concentrator, PMU at Substation 1, PMU at Substation 2]

System Under Test (SUT) - Overview
- The System Under Test (SUT) is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals.
- The SUT is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:
  - A Radio Frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies.
  - A DSP board that performs acquisition and tracking of GPS L1 C/A and L2C signals, calculates a navigation solution, and predicts the L1 C/A data bits.
  - Consistent set of up to 10 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
  - An RF back-end with a digital attenuator that converts the digital samples of the rogue signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.

Preparation & Attack Process
1. Acquires and tracks GPS L1 C/A and L2C signals to obtain a navigation solution.
2. Enters into feedback mode
   - Produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input.
3. Feedback signal is tracked by the SUT and used to calibrate the delay between production of the digitized rogue signal and output of the analog spoofed signal
   - Necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter
4. After feedback calibration is complete and navigation data bit library has been built, the SUT is ready to begin an attack
5. Initial signals are initially nearly perfectly aligned with the authentic signals
   - With low enough power that they remain far below the victim receiver's noise floor
6. SUT then raises the power of the spoofed signals slightly above that of the authentic signals
   - The SUT has taken control of the target receiver

Phase-I Results
SUCCESS!
- Verified both through direct cable connection and, more importantly, over-the-air: spoofing attacks were successful in leading the synchrophasor phase measurements off from the truth.
- Spoof GPS signal on separate synchrophasors to cause the phase angle between synchrophasors to increase more than 0.573°, which is the IEEE standard (1° Total Vector Error, TVE)
- Caused the phase angle between synchrophasors to increase more than 90°, which violated the IEEE standard

System Under Test (SUT) - Test Environment
[Diagram: Rooftop Antenna, Authentic Signal Repeater, Concentrator, Spoofed Signal Transmit Antenna, RF Shielded Tent, PMU at Substation 1, PMU at Substation 2, System Under Test]

Phase-I Results
- Pictures of the oscilloscope (left) and Synchrowave (right) phase angles screen at the start of the test
- Pictures of the oscilloscope (left) and Synchrowave (right) screen at approx. 20 minutes into the test

All networks need accurate timing
What we have demo'd:
- Industrial Control Systems (ICS) have inherent cyber security vulnerabilities which can be exploited via non-traditional cyber attack means
- Demonstrations have proven the capability of precisely aligning the spreading codes and navigation data of counterfeit signals with authentic GPS signals.
- Also demonstrated on:
  - UAVs
  - Shipborne navigation components
  - Ship's control systems

Is that it??

PHASE II Results: successful
Phase II Results:
- The PL attack software (on both the transmit and receive sides) has been designed and implemented.
- The first milestones of the project are complete in their design and implementation and have been tested.
- Files of up to 204.8 MB in size can be transferred and received with a probability of correct reconstruction greater than or equal to 99.8%, assuming a 0.1% chance that any one bit is not received.
- Files can be given names up to ten characters in length, which enables multiple files to be transferred.
- Files can be either simply transferred to the target receiver or executed on the receive end once received.
- Files are verifiable upon receipt without the need to communicate with the transmit side.
- Typical data rates are around 150 bps

Questions?