Surviving and Operating Through GPS Denial and Deception Attack
Nathan Shults, Kiewit Engineering Group
Aaron Fansler, AMPEX Intelligent Systems
How GPS Works
- GPS satellite sends exact time (~3 nanoseconds) and its 3D location
- GPS receiver computes your location from multiple satellite signals
- 1 nanosecond of time error roughly equals 12 inches of distance error
- Ranging from the time and location of the satellites allows:
  - Three satellites locate you on the Earth's surface and at one other point
  - A fourth satellite gives your location; all additional satellites refine your position
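The ranging idea on this slide, worked through as an added example (not part of the original deck): a receiver that knows each satellite's position and the signal's arrival time solves for its own x, y, z and its clock bias from four or more pseudoranges by iterative least squares. The satellite positions, true receiver position and clock bias below are constructed illustrative values, not real ephemeris data; the code also shows why 1 ns of timing error is worth about 12 inches of range.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def meters_per_nanosecond():
    """Range error produced by 1 ns of timing error."""
    return C * 1e-9


def inches_per_nanosecond():
    return meters_per_nanosecond() / 0.0254


# Constructed satellite positions (metres, Earth-centred frame) and a constructed
# true receiver state. Illustrative only; not real orbit data.
SATS = [
    (15.0e6, 0.0, 20.0e6),
    (-12.0e6, 8.0e6, 21.0e6),
    (0.0, -15.0e6, 19.0e6),
    (5.0e6, 5.0e6, 26.0e6),
    (-6.0e6, -9.0e6, 23.0e6),
]
TRUE_POS = (1000.0, 2000.0, 6_371_000.0)   # near the Earth's surface
TRUE_CLOCK_BIAS_M = 150.0                    # ~500 ns receiver clock offset, in metres


def make_pseudoranges(sats, pos, bias_m):
    """Pseudorange = geometric range + receiver clock bias (both in metres)."""
    return [math.dist(s, pos) + bias_m for s in sats]


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def solve_fix(sats, pseudoranges, guess=(0.0, 0.0, 6.4e6, 0.0), iters=20):
    """Gauss-Newton solve for (x, y, z, clock_bias_m) from >= 4 pseudoranges.

    Residual for satellite i: r_i = rho_i - (|s_i - p| + b). Each iteration
    linearises r around the current estimate and applies the least-squares step.
    """
    x = list(guess)
    for _ in range(iters):
        J, r = [], []
        for s, rho in zip(sats, pseudoranges):
            d = math.dist(s, x[:3])
            r.append(rho - (d + x[3]))
            # d r_i / d p_k = (s_k - p_k) / d ;  d r_i / d b = -1
            J.append([(s[k] - x[k]) / d for k in range(3)] + [-1.0])
        m = len(J)
        JtJ = [[sum(J[i][a] * J[i][c] for i in range(m)) for c in range(4)] for a in range(4)]
        Jtr = [-sum(J[i][a] * r[i] for i in range(m)) for a in range(4)]
        delta = solve_linear(JtJ, Jtr)
        x = [xi + di for xi, di in zip(x, delta)]
        if math.sqrt(sum(dd * dd for dd in delta)) < 1e-4:
            break
    return tuple(x)


def position_error_for_range_error(delta_m, sat_index=0):
    """Position error (metres) caused by corrupting one satellite's pseudorange by delta_m."""
    clean = make_pseudoranges(SATS, TRUE_POS, TRUE_CLOCK_BIAS_M)
    noisy = clean[:]
    noisy[sat_index] += delta_m
    fix = solve_fix(SATS, noisy)
    return math.dist(fix[:3], TRUE_POS)


if __name__ == "__main__":
    fix = solve_fix(SATS, make_pseudoranges(SATS, TRUE_POS, TRUE_CLOCK_BIAS_M))
    print("1 ns of time error = %.3f m (%.1f inches)" % (meters_per_nanosecond(), inches_per_nanosecond()))
    print("solved position:", [round(v, 3) for v in fix[:3]], "clock bias (m):", round(fix[3], 3))
    print("position error from a 1 ns range error on one satellite: %.3f m"
          % position_error_for_range_error(meters_per_nanosecond()))
```

The clock bias is the fourth unknown, which is why a fourth satellite is needed for a full fix: with only three ranges the receiver cannot separate its own clock error from distance. Extra satellites over-determine the system and the least-squares step averages their errors down.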
GPS Jamming
- Power of the GPS signal received on Earth is measured in femtowatts, ~ -155 dBW
- http://www.jammerfromchina.com/products/3_antenna_portable_gps_and_mobile_phone_multi-functional_jammer.html
GPS Jamming
- FCC fines GPS jammer operator $31,875; affected Newark Airport (August 2013)
- On August 4, 2012, the FCC identified a pickup truck emanating harmful interference to Newark Airport
- Jamming purpose by driver: intentional, misguided privacy, to derive personal gain from blocking his employer's tracking scheme
- Inside GNSS: Newark Airport experiences ~five interference events from personal privacy devices each day from vehicles travelling on the nearby turnpike
- Simply overpowering a GPS receiver is simple
- Loss of GPS signal causes timing problems for GPS receivers
Greater Danger: Spoofing
- 22 ships affected by a GPS spoofing attack in the Russian port of Novorossiysk (June 2017)
- GPS position off by 32+ kilometres inland
- GPS system reported position "safe within 100m"
- 32000m position error = ~100 milliseconds
- What effect would 100 milliseconds cause?
- What about 48 +/- hours and 100 milliseconds?
DHS Assessment at MUTC
- Event held April 17-21, 2017 at the Muscatatuck Urban Training Center (MUTC) in Butlerville, Indiana
- Provided industry an opportunity to test GPS equipment in unique live-sky environments
- DHS S&T created live-sky test scenarios focused on spoofed GPS signals
- DHS plans to conduct more tests in the future
Operating Through Disruptions
#1: Reliable local time source built into the GPS receiver
- Purchase an oscillator clock as a backup timing source
- Set alarms for time variances on reporting arrival
- Configure alarms, where available in the GPS receiver, for location shifts
#2: Utilize a secondary timing source (less optimal)
- Computer network timing
- Cell phone towers
- Dual / multi-GNSS systems (GLONASS, Galileo, etc.)
#3: Protect your antenna from ground-based interference; a custom solution can be the cheapest
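The alarms in #1 (time variance on report arrival, location shift for a fixed antenna, loss of fix) can be implemented as a simple monitor over the receiver's one-per-second reports. The following is an added example, not the deck's or either company's code: it compares each GPS report against a local holdover reference (oscillator or NTP) and a surveyed antenna position, and raises alarms for time offset, a step in the GPS time cadence, position drift, and loss of fix. The report format, thresholds and the sample sequence are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Report:
    seq: int                                  # report number (one report per second assumed)
    local_time: float                         # seconds from the local holdover oscillator / NTP reference
    gps_time: Optional[float]                 # seconds from the GPS receiver; None = no fix
    position: Optional[Tuple[float, float]]   # (east, north) metres in a local frame; None = no fix


# Fixed antenna location, surveyed once at installation (constructed value).
SURVEYED_POSITION = (0.0, 0.0)


def check_reports(reports: List[Report], surveyed=SURVEYED_POSITION,
                  time_tol=1e-5, step_tol=1e-5, pos_tol=50.0, cadence=1.0):
    """Return (seq, alarm_kind) tuples for every report that violates a check.

    TIME_OFFSET    GPS time disagrees with the local reference by more than time_tol seconds
    TIME_STEP      consecutive GPS timestamps are not one cadence apart (within step_tol)
    POSITION_SHIFT a stationary antenna appears to have moved more than pos_tol metres
    NO_FIX         receiver reports no solution (jamming, or signal loss)
    """
    alarms = []
    prev_gps = None
    for rp in reports:
        if rp.gps_time is None or rp.position is None:
            alarms.append((rp.seq, "NO_FIX"))
            prev_gps = None
            continue
        offset = rp.gps_time - rp.local_time
        if abs(offset) > time_tol:
            alarms.append((rp.seq, "TIME_OFFSET"))
        if prev_gps is not None and abs((rp.gps_time - prev_gps) - cadence) > step_tol:
            alarms.append((rp.seq, "TIME_STEP"))
        if math.dist(rp.position, surveyed) > pos_tol:
            alarms.append((rp.seq, "POSITION_SHIFT"))
        prev_gps = rp.gps_time
    return alarms


# Constructed sample: four healthy seconds, then GPS time and position drifting
# away from the references while the local clock stays steady, then a lost fix.
_OFFSETS = [1e-7, -2e-7, 1.5e-7, -1e-7, 2e-5, 4e-5, 6e-5, None]
_POSITIONS = [(0.5, 0.2), (-0.3, 0.8), (0.1, -0.4), (0.6, 0.1),
              (20.0, 5.0), (80.0, 10.0), (160.0, 30.0), None]
SAMPLE = [
    Report(i, 1000.0 + i, None if off is None else 1000.0 + i + off, pos)
    for i, (off, pos) in enumerate(zip(_OFFSETS, _POSITIONS))
]


if __name__ == "__main__":
    for seq, kind in check_reports(SAMPLE):
        print(f"report {seq}: {kind}")
```

The local reference is what makes the time checks possible: a holdover oscillator keeps counting at its own rate, so GPS time that walks away from it (rather than the other way round) is the signal to act on, and the same clock carries the site through the NO_FIX period. The position check only applies to fixed installations, which is exactly the case for a substation or a control-centre timing antenna.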
AMPEX INTELLIGENT SYSTEMS
Cyber Security Solutions Overview
This briefing is proprietary and competition sensitive
January 2017
Overview
The generation, transmission, and distribution of electric power make the power grid the most critical of critical infrastructure in the United States. Past real-world events and numerous government demonstrations have shown just how vulnerable the electric power infrastructure can be, not only to natural disasters but, more importantly, to malicious cyber activity, which is on the rise. In the past, the consequences of a power disruption were annoyance and some economic cost; future disruptions resulting from intentional malicious activity could cascade into crippling failures. With the transition to smart grid technologies and a unified synchronized grid, the potential for catastrophic cascading failures increases if proper control measures are not implemented. Time-synchronized measurements are changing the way electric power systems are controlled to protect against these events. Phasor measurement units (PMUs) have recently emerged as one technology with the potential to one day anticipate failures, making it possible to take remedial actions before failures spread across the network.
What are Synchrophasors
- Precise grid measurements now available from monitors called phasor measurement units (PMUs)
- Measurements are taken at high speed (~30 observations per second compared to one every 4 seconds using conventional SCADA)
- Measurements are time-stamped according to a common time reference such as GPS
- Time stamping allows synchrophasors from different utilities to be time-aligned (or synchronized)
- Allows direct measurement of relative phase angles from different parts of the grid
- Enables a better indication of grid stress, and can be used to trigger corrective actions to maintain reliability
- Current grid technology, SCADA/State Estimator >>> X-Ray
- Future smart grid, Phasor Technology >>> MRI
Where They Are in the U.S. (map of PMU deployments)
20-Mar-2015 Commercial-in-Confidence
Not a Threat Yet
- The U.S. grid is not under PMU automated control
- Other countries are:
  - Today, the Indian power system is one of the largest synchronous grids in the world
  - Italy takes the next step towards the European Supergrid
- In a future scenario where PMU data play a significant role in power system operations, an attacker might disturb or bring down a system by attacking the GPS receivers attached to PMUs
- Can it be done?
Issues
- Even without being jammed or spoofed, a GPS receiver does not always yield correct position and time solutions, due to accidental receiver malfunctions
- A variety of countermeasures have been proposed to enhance civil GPS receivers' robustness against jamming and spoofing attacks and accidental receiver errors:
  - external assistance
  - signal features
  - redundant measurements
  - encryption
Initial Test Environment - Baseline (diagram: HMI and Control Center; Concentrator; PMU at Substation 1; PMU at Substation 2)
System Under Test (SUT) - Overview
- The System Under Test (SUT) is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals.
- The SUT is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:
  - A Radio Frequency (RF) front-end that down-mixes and digitizes the GPS L1 and L2 frequencies.
  - A DSP board that performs acquisition and tracking of GPS L1 C/A and L2C signals, calculates a navigation solution, and predicts the L1 C/A data bits.
  - A consistent set of up to 10 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
  - An RF back-end with a digital attenuator that converts the digital samples of the rogue signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.
Preparation & Attack Process
1. Acquires and tracks GPS L1 C/A and L2C signals to obtain a navigation solution.
2. Enters into feedback mode: produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input.
3. The feedback signal is tracked by the SUT and used to calibrate the delay between production of the digitized rogue signal and output of the analog spoofed signal. Necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter.
4. After feedback calibration is complete and the navigation data bit library has been built, the SUT is ready to begin an attack.
5. Spoofed signals are initially nearly perfectly aligned with the authentic signals, with low enough power that they remain far below the victim receiver's noise floor.
6. The SUT then raises the power of the spoofed signals slightly above that of the authentic signals. The SUT has taken control of the target receiver.
Phase-I Results: SUCCESS!
- Verified, both through direct cable connection and, more importantly, over-the-air, that spoofing attacks were successful in leading the synchrophasor phase measurements away from the truth.
- Spoofing the GPS signal on separate synchrophasors caused the phase angle between synchrophasors to increase by more than 0.573°, which is the IEEE standard limit (1% Total Vector Error - TVE).
- Caused the phase angle between synchrophasors to increase by more than 90°, which violated the IEEE standard.
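The two figures on this slide (0.573° and 1% TVE) are tied together by the synchrophasor definitions from the earlier "What are Synchrophasors" slide, and the following added example works that relation through; it is illustrative code, not the test team's measurement software. Total Vector Error is the magnitude of the difference between the reported and true phasors relative to the true one, so a pure phase error of theta gives TVE = 2 sin(theta/2), and 1% TVE corresponds to 0.573° of phase, or about 26.5 µs of timestamp error at 60 Hz. The phasor values used are constructed; the 60 Hz nominal frequency and the 1% limit are the standard's values.

```python
import cmath
import math

TVE_LIMIT = 0.01          # IEEE C37.118 steady-state limit: 1 % Total Vector Error
NOMINAL_HZ = 60.0         # North American grid frequency (assumed for the examples)


def tve(measured: complex, reference: complex) -> float:
    """Total Vector Error: |X_meas - X_ref| / |X_ref| (as a fraction, 0.01 = 1 %)."""
    return abs(measured - reference) / abs(reference)


def tve_from_phase_error(deg: float) -> float:
    """TVE produced by a phase-only error of `deg` degrees on a unit phasor."""
    return tve(cmath.rect(1.0, math.radians(deg)), 1 + 0j)


def max_phase_error_for_tve(limit: float = TVE_LIMIT) -> float:
    """Largest phase-only error (degrees) that stays within the TVE limit.

    Solves 2*sin(theta/2) = limit for theta.
    """
    return math.degrees(2.0 * math.asin(limit / 2.0))


def phase_error_from_time_error(dt_s: float, f_hz: float = NOMINAL_HZ) -> float:
    """A timestamp error of dt_s seconds appears as 360*f*dt degrees of phase."""
    return 360.0 * f_hz * dt_s


def time_error_for_phase(deg: float, f_hz: float = NOMINAL_HZ) -> float:
    """Timestamp error (seconds) that produces `deg` degrees of phase at f_hz."""
    return deg / (360.0 * f_hz)


def phase_angle_between(pmu_a: complex, pmu_b: complex) -> float:
    """Relative phase angle in degrees (-180, 180] between two synchrophasors."""
    return math.degrees(cmath.phase(pmu_a / pmu_b))


def simulate_timestamp_skew(true_phasor: complex, dt_s: float, f_hz: float = NOMINAL_HZ) -> complex:
    """A PMU whose time reference is skewed by dt_s reports the true phasor rotated by 2*pi*f*dt."""
    return true_phasor * cmath.rect(1.0, 2.0 * math.pi * f_hz * dt_s)


def exceeds_standard(measured: complex, reference: complex, limit: float = TVE_LIMIT) -> bool:
    """True when the reported phasor is outside the TVE limit relative to the truth."""
    return tve(measured, reference) > limit


if __name__ == "__main__":
    # Constructed true phasors at two substations, 6 degrees apart.
    sub1 = cmath.rect(1.0, math.radians(10.0))
    sub2 = cmath.rect(1.0, math.radians(4.0))
    print("1%% TVE phase limit: %.3f deg = %.1f us at 60 Hz"
          % (max_phase_error_for_tve(), time_error_for_phase(max_phase_error_for_tve()) * 1e6))
    print("true angle between substations: %.1f deg" % phase_angle_between(sub1, sub2))
    skewed = simulate_timestamp_skew(sub1, time_error_for_phase(90.0))
    print("with a 90 deg (%.2f ms) timestamp skew at substation 1: %.1f deg, TVE %.3f, exceeds limit: %s"
          % (time_error_for_phase(90.0) * 1e3, phase_angle_between(skewed, sub2),
             tve(skewed, sub1), exceeds_standard(skewed, sub1)))
```

The useful defensive number here is the tens-of-microseconds scale: a time reference that is only that far off already breaks the standard's accuracy budget, so timing-source alarms for PMU sites have to be set much tighter than the millisecond tolerances that suffice for ordinary network time.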
System Under Test (SUT) - Test Environment (diagram: Rooftop Antenna and Authentic Signal Repeater feeding the Concentrator; Spoofed Signal Transmit Antenna inside an RF Shielded Tent; PMU at Substation 1; PMU at Substation 2; System Under Test)
Phase-I Results
- Pictures of the oscilloscope (left) and Synchrowave (right) phase angle screens at the start of the test
- Pictures of the oscilloscope (left) and Synchrowave (right) screens at approximately 20 minutes into the test
All networks need accurate timing
What we have demo'd:
- Industrial Control Systems (ICS) have inherent cyber security vulnerabilities which can be exploited via non-traditional cyber attack means
- Demonstrations have proven the SUT capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with authentic GPS signals
- Also demonstrated on:
  - UAVs
  - Shipborne navigation components
  - Ship's control systems
Is that it??
Phase II Results: successful
- The PL attack software (on both the transmit and receive sides) has been designed and implemented.
- The first milestones of the project are complete in their design and implementation and have been tested.
- Files of up to 204.8 MB in size can be transferred and received with a probability of correct reconstruction greater than or equal to 99.8%, assuming a 0.1% chance that any one bit is not received.
- Files can be given names up to ten characters in length, which enables multiple files to be transferred.
- Files can be either simply transferred to the target receiver or executed on the receive end once received.
- Files are verifiable upon receipt without the need to communicate with the transmit side.
- Typical data rates are around 150 bps.
Questions?