GPS World

Tag: infrastructure

  • Topcon invests in virtual reality company for construction, infrastructure

    Topcon Positioning Group has acquired a significant share of holdings a company that assists customers in virtual design and construction (VDC).

    Viasys VDC — based in Espoo, Finland — has developed a suite of tools and services to assist customers in building virtual models for infrastructure and site-work projects. Using building information modeling (BIM) technologies, its solutions create VDC models that optimize the construction process throughout the project’s lifecycle, creating enhanced quality, higher efficiencies and reduced costs, Topcon said.

    “Viasys VDC solutions allow for the import of virtually any BIM or non-BIM design model, offering seamless interoperability with open design standards currently in the market — which provides the contractor or engineer with full control and visibility of the entire design throughout the entire project,” said Heikki Halttula, CEO and president, Viasys VDC Ltd. “With advanced simulation tools and communication functions, design-build issues can be detected before actual work starts, or at any time during the process.”

    Accurate 5D simulation allows for optimal planning and execution, Topcon said in a news release. Other significant features include cloud-based collaboration functions as well as mobile access to models and information on-site.

    Topcon currently offers various BIM and remote site management/visibility solutions aimed at many of the markets served by Viasys VDC.

    “Now, with our investment in Viasys VDC, we have partnered with the technology leader to allow us to offer an expanded platform for the future generation of advanced Topcon VDC solutions with seamless BIM interoperability for our partners and customers,” said Ewout Korpershoek, Topcon executive vice president for mergers and acquisitions.

    “Partnering with Topcon is an exciting step forward to help advance our industry-leading VDC solutions, while also expanding their reach to a global audience,” Halttula said. “With Viasys VDC offices in Finland, California and Vietnam, we are also well positioned geographically to work directly with existing Topcon operations in Europe, North America and Asia.”

    In addition to a full suite of BIM-based mobile workforce solutions, Viasys VDC offers an operational asset management solution as a basis for lifetime maintenance of the VDC managed projects.

  • Hexagon and Huawei partner to deliver smart city solutions

    Hexagon AB has entered a strategic partnership with Huawei, an information and communications technology (ICT) company, to deliver smart city solutions.

    With most of the world’s population living in cities, safety and infrastructure challenges are at an all-time high. Hexagon and Huawei are working together to meet this global challenge by integrating Huawei’s communications hardware with Hexagon’s safety and infrastructure software solutions.

    The combined solution improves inter-agency collaboration and leverages big data analytics to better predict, prepare for, and respond to urban area challenges.

    Safety is a primary focus of the combined solution, offering cities connected command centers with integrated systems that maximize efficiencies in all preparedness and response areas. Huawei’s contributions include technologies from its Safe City portfolio such as high-definition video surveillance, broadband trunking and IP-based conference calling systems. Hexagon’s emergency response, utilities management and transportation software solution portfolio, which includes computer-aided dispatch, will provide the visibility and decision-support backbone to enable customers to think and act more nimbly.

    “Huawei’s technologies, expertise and global coverage, especially in emerging market areas, nicely complement our ability to deliver smart city solutions to law enforcement, government, security personnel and other public service agencies around the world,” said Ola Rollén, Hexagon president and CEO.

    “Safety, including efficient response to crisis management, will continue to be a key challenge for urban management, especially in developing economies that are stimulating population movement into these areas,” said Yan Lida, president of Huawei Enterprise Business Group. “Together with Hexagon, the global authority on safety and infrastructure solutions, our extensive ICT technologies that help architect safe city infrastructure will help make societies safer.”

  • Loctronix Advances GNSS Integrity Monitoring with HGX Interference Detection System

    Loctronix Corporation, a provider of positioning, navigation, and timing (PNT) solutions for GNSS-challenged environments, has unveiled the HGX Interference Detection System (IDS) for identifying and monitoring intentional and unintentional interference sources. The IDS is being demonstrated September 10-11 at ION GNSS+ 2014, in Tampa, Florida.

    “The IDS can detect sources of interference ranging between 5 dB and 60 dB GNSS jamming to signal (J/S) ratio. Featuring a novel profiling function, the IDS not only detects, but can identify the type of interference given a database of known/previously recorded profiles,” stated Michael Mathews, Loctronix’ CEO and founder.

    According to Mathews, “The greater dependence of GNSS within critical infrastructure — including, transportation, communications, finance and the growing availability of jammers — requires new tools to respond to potential threats. The IDS is the first tool to combine the powerful capabilities of Loctronix Spectral Compression Positioning (SCP) technology for identification and characterization of signals with traditional GNSS signal processing to provide full situational awareness of GPS/GNSS operations. The IDS system will benefit government, military, and commercial/industrial applications wherever there is a critical dependence upon quality GNSS data.”

    The IDS was developed using the Loctronix HGX hybrid sensor toolkit along with the company’s ASR-2300 ASR Workbench software defined radio platform. The standard implementation supports L1 GNSS bands and measurement rates of 10 measurements per second. Partner-licensed custom/solutions can support multiple bands (such as L2, L5) with greater bandwidths and measurement rates. Multiple sensitivity modes enable monitoring of sub-thermal and high-power interference.

    The HGX toolkit API will be available for specialization of the system for custom/embedded applications and adaptation to other hardware platforms. Visit Loctronix in Booth 422.

  • Locata Warns: Lessons to Be Learned from GLONASS Spasm

    Locata Warns: Lessons to Be Learned from GLONASS Spasm

    Calling it an “unprecedented and deeply worrying total disruption . . . [that] shook the industry,” Locata Corporation reiterated its call for redundant terrestrial systems to back up GNSS in the wake of the April 1 11-hour GLONASS system outage.

    Nunzio Gambale, Locata CEO, said “We have been telling the industry for years that you cannot have a critically important capability like GPS without also having a backup! What is Plan B if the satellite systems fail? What replaces the space signal when there is a problem? If anyone needed a sign to understand why Locata has spent years inventing and developing the world’s first local terrestrial equivalent of the GPS system, then last week’s meltdown of a complete global satellite navigation system is it. This event should terrify every nation, government, and company that depends on navigation satellites for their business or, in some cases, their very lives.”

    The navigation and timing functions of the global positioning systems underpin the world’s banking systems, stock exchanges, digital TV and Internet, cell phone networks, and, in some cases, the national electricity supply, Locata pointed out. GPS, in particular, plays a crucial role in transportation, shipping, and logistics, serving as the enabling technology for critical functions like air traffic control. Reliability is therefore not just important; it is essential across all applications. Locata, the Resilient Navigation and Timing Foundation (RNTF) in Washington, D.C., and others have persistently called attention to the need for redundant terrestrial systems that will back up expensive, vulnerable, and aging global satellite navigation constellations while simultaneously providing the local control and resiliency that satellite-based systems cannot deliver.

    Professor Chris Rizos of the School of Civil and Environmental Engineering at the University of New South Wales stated that “This catastrophic failure of one of the world’s two global satellite navigation constellations is a wakeup call for all of us. We ignore the possibility of these ‘Black Swan’ events at our own peril.”

    The GLONASS disruption was felt around the world, immediately upon its origination, especially in professional applications, such as tractor automation for farming, machine control and robotics in mining and heavy industry, and in the national infrastructure used by surveyors and industry across many countries.

    “This shows just how interlinked the physical and cyber worlds have now become,” added Professor Brett Biddington, a space and cybersecurity expert from the School of Computer and Security Science at Edith Cowan University, Australia. “The prospect of a software glitch, whether unintentional or intentional, seems highly likely [as a cause for the failure]. If it was a deliberate attack, however, it points to a changing face of warfare where the real enemy may be impossible to detect and deter until very damaging strikes, such as an attack on the GPS system, have already taken place.

    “The vital point here is that this is no longer just a question for scientists and technologists. A locally controlled backup system for this essential signal is a national policy question of the highest order.”

    Locata Corporation and other industry authorities have long testified on global satellite navigation vulnerabilities and the need for diverse technology options to strengthen and back up GPS, GLONASS, and other systems. Locata developed a robust solution and has been awarded a sole-source contract by the U.S. Air Force (USAF) to provide its terrestrially based alternative positioning for military applications where GPS has been completely jammed. The first wide-area Locata system is being deployed now at the White Sands Missile Range in New Mexico. The USAF demonstrated that the White Sands Locata network delivers what has been extremely high accuracy over a 2,500-square mile area, positioning aircraft flying up to 35 miles away to an accuracy of better than six inches.

    A pair of LocataLite transmit antennas overlook a section of the White Sands Missile Range blanketed by the Locata high-precision ground-based positioning system.
    A pair of LocataLite transmit antennas overlook a section of the White Sands Missile Range blanketed by the Locata high-precision ground-based positioning system.

    “There is no other technology that can do this, and it’s delivered in the complete absence of GPS,” continued Gambale. “What is being demonstrated at White Sands is that Locata supplies precisely the same function as GPS, even when there is no GPS available. That’s exactly what you need if the satellites fail.

    “If this event had been a GPS failure instead of a GLONASS failure – and it could very easily have been – then the entire world would have plunged into a catastrophe. This event is the navigation equivalent of a ‘close call moment,’ and from here on out no one can even question that this is a really serious problem that must be addressed. Another industry expert recently told me, ‘If there was a sustained GPS outage, it would cause a global financial nuclear winter from which it would take us decades to recover.’”

    Gambale concluded, “We need action to develop local backups like Locata around places like airports and other strategically important areas – now! We must not wait until we are faced with another seemingly impossible event like a complete satellite constellation failure. We may not dodge this bullet a second time.”

    Locata terrestrial positioning technologies complement GPS by setting up ground-based transmitters, called LocataLites, to create a local constellation called a LocataNet. Once properly deployed, Locata’s unique nanosecond-accurate TimeLoc system synchronizes the network, which allows it to replicate the positioning capabilities of GPS, locally. LocataNets operate today in environments ranging from small warehouses to open-cut mines, wide-area aircraft approach-and-landing systems, and wider areas for aircraft and unmanned aerial vehicle (UAV) uses.

  • Symmetricom Introduces Small Cells Category to SyncWorld Ecosystem Program

    Symmetricom, Inc., today launched a new small cells-focused category within its SyncWorld Ecosystem Program. Developed to support the integration with Symmetricom’s SCr/SCe NTP/ PTP and sGPS SoftClocks and interoperability between Symmetricom Grandmaster clocks and other small cells solutions, the category aims to facilitate validated deployments of timing and synchronization with various small cells products in 3G and 4G/LTE architectures. Current partners in the program include leading small cell players Alcatel-Lucent, Broadcom, Cavium, Contela, CS Corporation, Mindspeed, Node-H, Qualcomm Atheros, and Rakon.

    Small cells are a key component of 3G and 4G architectures as they add capacity to the mobile network and allow service providers the maximum leverage of scarce spectrum resources. Successful HetNet deployments require small cells to synchronize seamlessly with the macro base stations irrespective of backhaul type. Also, small cell design cycles need to be short to meet the fast evolving market needs. SyncWorld brings together all players in the ecosystem including semiconductors, oscillators, software, test equipment and system vendors to drive cost effective and shortened design cycles by enabling architectural harmony and interoperability.

    Analyst firm Infonetics forecasts the global small cell market to grow to $2.1 billion in 2016 as small cells have emerged as a key solution to deliver increased network capacity. Symmetricom has delivered a number of solutions with partners along with the introduction of the industry’s first small cell synchronization solution, SCr/SCe NTP/ PTP and sGPS SoftClocks for residential and enterprise small cells. The small cells segment within the SyncWorld Ecosystem Program will ensure that interoperability needs are met as service providers accelerate their deployment plans.

    “The small cells category represents leaders across the entire value chain,” said Manish Gupta, vice president of marketing and business development for Symmetricom. “Working together, SyncWorld small cell members will be able to give service providers a comprehensive, integrated and simplified solution that is interoperable and supports the specifications required to support 4G/LTE networks.”

    The SyncWorld Ecosystem Program enables vendors to cooperate with the goal of providing complete solutions that interoperate with the most recognized timing and synchronization solution provider in the industry. Vendors that produce silicon, small cell access point, software and oscillators are invited to apply for the program online.

    With solutions deployed globally in more than 150 networks, Symmetricom is committed to partnering with trusted end-to-end technology providers which deploy and maintain networks on behalf of operators.

  • Going Up Against Time: The Power Grid’s Vulnerability to GPS Spoofing Attacks

    By Daniel P. Shepard, Todd E. Humphreys, and Aaron A. Fansler

    Spoofing tests against phasor measurement units demonstrate their vulnerability to attack. A generator trip in an automatic control scheme could be falsely activated by the GPS spoofing, possibly leading to cascading faults and a large-scale power blackout.

     

    As electric power grids continue to expand throughout the world and as transmission lines are pushed to their operating limits, the dynamic operation of the power system has become a serious concern and increasingly difficult to accurately model. More effective real-time system control is now seen as key to preventing wide-scale cascading outages like the 2003 Northeast Blackout.

    For years, electric power control centers have estimated the state of the power system (the positive sequence voltage magnitude and phase angle at each network node) from measurements of power flows. But for improved accuracy in the so-called power system state estimates, it will be necessary to feed existing estimators with a richer measurement ensemble or to measure the grid state directly.

    Alternating current (AC) quantities have been analyzed for over 100 years using a construct developed by Charles Proteus Steinmetz in 1893, known as a phasor. In power systems, the phasor construct has commonly been used for analyzing AC quantities, assuming a constant frequency. A relatively new synchronization technique which allows referencing measured current or voltage phasors to absolute time has been developed and is currently being implemented throughout the world. The measurements produced by this technique are known as synchronized phasor measurements or synchrophasors.

    Synchrophasors provide a real-time snapshot of current and voltage amplitudes and phases across a power system, and so can give a complete picture of the state of a power system at any instant in time.  This makes synchrophasors useful for control, measurement, and analysis of the power system.

    A device used to measure synchrophasors is called a phasor measurement unit (PMU). In a typical deployment, PMUs are integrated in protective relays and are sampled from widely dispersed locations in the power system network. They are synchronized with respect to the common time source of a GPS clock. PMUs basically measure AC voltage (or current) and absolute phase angles at selected locations in an electric transmission or distribution system.

    GPS Spoofing

    GPS spoofing is the act of producing a falsified version of the GPS signal with the goal of taking control of a GPS receiver’s position-velocity-time (PVT) solution. This is most effectively accomplished when the spoofer has knowledge of the GPS signal as seen by the target receiver so that the spoofer can produce a matched, falsified version of the signal. In the case of military signals, this type of attack is nearly impossible because the military signal is encrypted and therefore unpredictable. On the other hand, the civil GPS signal is publicly-known and readily predictable.

    In recent years, civil GPS spoofing is becoming recognized as a serious threat to many critical infrastructure applications which rely heavily on the publicly-known civil GPS signal. A number of promising methods are currently being developed to defend against civil GPS spoofing attacks, but it will still take a number of years before these technologies mature and are implemented on a wide scale. Currently, there is a complete absence of any off-the-shelf defense against a GPS spoofing attack.

    See “Generation, Transmission” sidebar at the end of this article for background on the following tests.

    The Tests. The minimum threshold for success was to show that a GPS spoofer could force a PMU to violate the IEEE C37.118 Standard “Synchrophasors for Power Systems,” which defines accuracy as a vectorial difference between the measured and expected value of the phasor for the measurement at a given instant of time, called the total vector error (TVE).  TVE blends three possible sources of error: magnitude, phase angle, and timing. An error in timing appears identical to an error in phase angle. Without timing and magnitude errors, a phase angle error of 0.573o corresponds to a 1 percent TVE, the maximum allowable by the IEEE C37.118 Standard. This phase angle error could be equivalently and indistinguishably caused by a timing error of 26.5 µs, which was chosen as the threshold for success in the spoofing tests.

    The Spoofer

    The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A block diagram of the spoofer is shown in Figure 1. It is the same spoofer used in the tests described in “Drone Hack” in this issue of the magazine, and a detailed description is given in that article.

    The spoofer can carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway. The University of Texas spoofer and attack strategy have been tested against a wide variety of GPS receivers and has always been successful in commandeering the target receiver.

    Figure 1. Block diagram of the University of Texas spoofer used to attack the phasor unit.
    Figure 1. Block diagram of the University of Texas spoofer used to attack the phasor unit.
    Test Setup

    Figure 2 shows a schematic of the setup used for the open-air tests. The signals received at the roof were routed into the spoofer for use in producing the counterfeit signals and into the RF shielded tent for rebroadcasting. The counterfeit signals were also routed into the tent for broadcasting. In addition to the antennas broadcasting the authentic and counterfeit signals, a third antenna was setup inside the tent to receive the combination of authentic and spoofed signals. This setup is representative of an actual attack scenario where the malefactor does not have physical access to the victim receiver’s antenna input but rather broadcasts the spoofed signals over-the-air. For cable-only tests, the entire setup inside the tent was replaced with a signal combiner that summed the authentic and spoofed signals.

    Figure 2. Schematic of the test setup.
    Figure 2. Schematic of the test setup.

    The combined authentic and spoofed signals were fed to the victim GPS time reference receiver. The output timing signal from the victim receiver was used as the synchronization reference for one PMU, whereas a second PMU was given timing from a separate GPS time reference receiver that was tracking only authentic GPS signals. Since the PMUs were in the same room and measured the local voltage and carrier phasors, both PMUs would report roughly the same phasor measurements under normal circumstances. Thus, any significant differences in the phase angle measurements between the two PMUs could be attributed to the effects of spoofing.

    Test Results

    Both the cable-only and the over-the-air spoofing attacks were successful in leading the PMU phase measurements off from the truth. Figure 3 shows the measured phase angle difference between the reference PMU, which was fed the true GPS signal, and the spoofed PMU throughout one entire test. This value would normally be less than a few degrees in the absence of spoofing, since the two PMUs are co-located. After the initial ten minute capture-and-carry-off, which proceeds slowly to avoid detection, the spoofer accelerates its carry-off and the reference and spoofed phase angles quickly diverge.

    Figure 2. Schematic of the test setup.
    Figure 3. A plot of the phase angle difference between the reference and the spoofed PMUs. Normally the phase angle difference would be nearly zero in the absence of a spoofing attack. Point 1 marks the start of the test. Point 2 marks the point at which the spoofer has completely captured the victim receiver. Point 3 marks the point at which the IEEE C37.118 Standard has been broken. Point 4 marks the point at which the spoofer-induced velocity has reached its maximum value for the test. Point 5 marks the point at which the spoofed signal was removed.

    Figure 4 shows pictures of an oscilloscope and the Synchrowave screen at the start of the test. The oscilloscope shows two pulse-per-second (PPS) signals, with the upper yellow pulse coming from a reference clock being fed true GPS and the lower blue pulse coming from the spoofed timing receiver. Both PPS signals are initially aligned with each other. The Synchrowave screen displays the PMU phase angle data in real-time as phasors with the nominal 60 Hz operating frequency subtracted from the phase angle. The red and green phasors show the phase data from the reference and spoofed PMUs respectively. These phasors are within a few degrees of each other at the beginning of the test.

    Figure 4. Oscilloscope (left) and Synchrowave (right) screen at the start of the test, which is marked as point 1 in Figure 3.
    Figure 4. Oscilloscope (left) and Synchrowave (right) screen at the start of the test, which is marked as point 1 in Figure 3.

    Figure 5 shows pictures of the Oscilloscope and the Synchrowave screen at about 620 seconds into the test. At this point, the spoofer has moved the victim receiver 2 µs off in time and has completely captured the receiver.  The delicate initial capture-and-carry-off is performed at a slow rate to suppress any evidence of the spoofer’s presence. However, this process could be done quicker because the receiver was not looking for such evidence of foul play. At this stage of the test, there is not yet any significant difference between the two phasors on the Synchrowave screen, since the spoofed time offset remains relatively small. The oscilloscope, however, reveals that the PPS output from the victim receiver has moved by about 2 µs relative to the reference PPS. At this point, the spoofer begins to accelerate the victim receiver’s time solution at a distance-equivalent rate of 4 m/s2 until it reaches a final distance-equivalent velocity of 1000 m/s. Distance-equivalent velocity can be converted into the actual time rate of change of time by dividing by the speed of light.

    Figure 5. Oscilloscope and Synchrowave screen at about 620 seconds, point 2 in Figure 3.
    Figure 5. Oscilloscope and Synchrowave screen at about 620 seconds, point 2 in Figure 3.

    The acceleration segment of the attack must be tailored to the individual receiver’s ability to track the spoofer-induced dynamics. Otherwise, the spoofer risks losing control of the victim receiver’s tracking loops by moving too quickly for the receiver to track or by raising alarms. Alternatively, a malefactor could survey possible GPS time reference receivers that might be used and tailor the spoofing attack such that any of the receivers would track and believe the spoofed signals. This would place severe limits on the spoofer’s ability to manipulate timing, but would not make the attack impossible or implausible.

    Figure 6 shows the oscilloscope and Synchrowave screen at about 680 seconds into the test. At this point, the spoofer has broken the IEEE C37.118 Standard for PMUs, which requires accuracy in the measured phase angle of 0.573o. This demonstrates a significant vulnerability for PMU-based monitoring and control, since these applications leverage the accuracy supposedly guaranteed by the standard. There is yet no noticeable difference on the Synchrowave screen, but the oscilloscope clearly shows that the victim receiver has now been offset in time by about 20 µs.

    Figure 6. Oscilloscope and Synchrowave screen at about 680 seconds, point 3 in Figure. 3.
    Figure 6. Oscilloscope and Synchrowave screen at about 680 seconds, point 3 in Figure. 3.

    Figure 7 shows pictures of the oscilloscope and the Synchrowave screen at about 870 seconds into the test. At this point, the spoofer has reached its final velocity of 1000 m/s. A phase angle offset of 10o has also been introduced in a matter of minutes. As expected, there is a marked difference in the phasors on the Synchrowave screen. The oscilloscope also shows a time offset of 400 µs has been induced in the victim receiver.

    Figure 7. Oscilloscope and Synchrowave screen at about 870 seconds, point 4 in Figure 3.
    Figure 7. Oscilloscope and Synchrowave screen at about 870 seconds, point 4 in Figure 3.

    Figure 8 shows pictures of the oscilloscope and the Synchrowave screen at about 1370 seconds into the test. At this point, the spoofed signal was heavily attenuated and instantly realigned with the authentic signals. This was intended to be the end of the test, but when this particular receiver lost lock on the signal it continued to send out a valid time signal to the PMU while fly-wheeling off its internal clock. This caused an alarm to issue on the front panel of the time reference receiver indicating loss of GPS signal lock. The downstream PMU, however, was oblivious to this loss of lock. This state persisted for about half an hour before the clock finally reacquired the authentic signal and instantly realigned its time output, which caused the phasors to realign.  Figure 3 does not show the phase angle data for this entire period, but does show that the phase angle difference exceeds at least 70o before the time reference receiver reacquires the authentic signal.

    Figure 8. Oscilloscope and Synchrowave screen at about 1370 seconds, point 5 in Figure 3.
    Figure 8. Oscilloscope and Synchrowave screen at about 1370 seconds, point 5 in Figure 3.
    Implications

    Synchrophasor data provides a clear picture of the state of the power system in real-time. As the size of the power grid grows and stability margins are reduced (to provide more efficient distribution of power), it will become desirable to use synchrophasors for control purposes. PMU manufacturers are currently selling PMUs capable of implementing automated control schemes that offer response times less than 4 cycles.  Such swift response times are seen as necessary to prevent grid instability or damage to equipment.

    Control schemes based on synchrophasors rely on phase angle differences between two nodes as an indicator of a fault condition. One example of a currently operational synchrophasor-based control system is the Chicoasen-Angostura transmission link in Mexico. This transmission line links together large hydroelectric generators in Agostura to large loads in Chicoasen through two 400-kV transmission lines and one 115-kV transmission line. If a fault occurs in which both of the 400-kV lines are lost, then the hydroelectric generators may experience angular instability. In order to prevent this, a PMU was set up at each end of the transmission lines with a direct communications link between them. It was found that under nominal and single-fault (only one 400-kV line lost) conditions, the phase angle difference between the two locations was less than 7o, whereas a double-fault (both 400-kV lines lost) produced a phase angle difference of 14o. Based on this finding, the PMUs were configured so that if the phase angle difference exceeded 10o, the hydroelectric generators would be automatically tripped.

    If a spoofer were to attack this system in Mexico or a similar implementation elsewhere, then the spoofer could cause a generator trip. In the test described in the previous section, a 10o offset, the threshold for the Chicoasen-Angostura link, was induced by the spoofer about 250 s after capturing the target receiver, as seen in Figures 3 and 7. A malefactor could even lead the phase angle off in the opposite direction (say 7o) before cutting both 400-kV transmission lines. Instead of causing a generator to unnecessarily trip, this would prevent PMUs from tripping the generator when required and potentially cause damage to the generator or remaining transmission lines.

    Beyond tripping a single generator, there is potential for the effects of the attack to propagate through the grid and cause cascading faults across the grid. One example of this type of cascading failure is the 2003 Northeast blackout. Although this blackout did not involve PMUs or a spoofing attack, it demonstrates how an appropriately targeted attack against PMUs used for control on the power grid could cause large scale blackouts that originate with a single generator or transmission line trip.

    On August 14, 2003, at 3:05 p.m., a 345-kV transmission line in Ohio began to sag from increased flow of electric power. When the line sagged too close to a tree, it caused a short-to-ground and tripped offline. This is something that happens fairly frequently on the massive U.S. electrical grid and is usually easily dealt with. However, the tripping of that line in northern Ohio began a cascade of failures that, in a little more than an hour, led to a near total power loss for more than 50 million people in the northeastern U.S. and parts of Canada.

    The blackout is estimated to have cost approximately $6 billion for only four days of power loss. This led the Department of Energy and the North American Electric Reliability Corporation (NERC) to fund and push for an improved “smart grid” with synchrophasor technology as a major component.

    As previously pointed out, PMUs are high-speed, real-time synchronized measurement devices used to diagnose the health of the electricity grid. With synchrophasor data, electric utilities can use existing power more efficiently and push more power through the grid while reducing the likelihood of power disruptions like blackouts. Synchrophasor measurements are being looked at to reduce the likelihood of false and inappropriate triggers of transmission system circuit breakers that protectively shut down electrical flow and contribute to cascading blackouts. However, GPS spoofing poses a significant threat to these objectives for PMUs and can make synchrophasor-based control the cause for these events instead of the cure.

    Conclusions

    Spoofing poses a threat to the integrity of synchrophasor measurements. A spoofer can introduce a time offset in the time reference receiver that provides the timing signal for a PMU without having physical access to the receiver itself. This produces a corresponding phase offset in the synchrophasor data coming from that PMU. Tests demonstrated that a PMU could be made to violate the IEEE C37.118 Standard for synchrophasors in about 11 minutes from the start of a spoofing attack.

    As PMU usage continues to grow throughout the world, PMUs will increasingly be used for automatic control purposes instead of just grid monitoring. The tests described here demonstrate that a spoofer could cause control schemes to falsely trip a generator.  In the presence of other exacerbating factors, this could lead to a cascade of faults and a large scale blackout.

    Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas at Austin. He is a member of the Radionavigation Laboratory.

    Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at the University of Texas at Austin and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.

    Aaron A. Fansler serves as cyber critical infrastructure protection (CCIP) program manager for Northrop Grumman Information System. He obtained a Master’s degree from Capitol College in information assurance and is currently working on a Ph.D. in that field.

     

    Generation, Transmission

    The generation, transmission, and distribution of electric power make the power grid the most critical of critical infrastructures in the United States. Past events and numerous government demonstrations have shown just how vulnerable the power grid can be, not only to natural disasters, but more importantly to malicious cyber activity, which is on the rise.  Past consequences of power disruption were annoyance and some economic cost; future disruptions from intentional malicious activity could cascade into crippling failures. Cyber threats now rival the consequences of physical attacks.

    Over the past decade, the power industry has seen an explosion in the use of accurate, synchronized time incorporated into its controlling networks. Accurate timing signals are exploited in power systems from the generation plant down to the distribution substation and now down to individual smart grid component.

    The value of time synchronization is best understood by recognizing that the power grid is a single, complex, interconnected, and interdependent network. What happens in one part of the grid affects operation elsewhere, and in other systems reliant on stable power, as was observed in the 2003 Northeast Blackout.

    With the transition to smart technologies and a unified, synchronized grid, the potential for catastrophic cascading failures increases if proper control measures are not implemented. Time-synchronized measurements are changing the way electric power systems are controlled to protect against these events. Phasor measurement units (PMUs) have recently emerged as one technology which has the potential to one day anticipate failures, making it possible to take remedial actions before failures spread across the network.

    PMUs rely on GPS to provide accurate, synchronized time across the power grid. This reliance creates a vulnerability to a particular type of malicious attack: GPS spoofing. Spoofers generate counterfeit GPS signals that commandeer a victim receiver’s tracking loops and induce spoofer-controlled time or position offsets. The 2001 USDOT Volpe Report noted the absence of any off-the-shelf defense against civilian spoofing. In 2008, researchers demonstrated that an inexpensive portable software-defined GPS spoofer could be built from off-the-shelf components.

    Northrop Grumman Information Systems (NGIS) and the University of Texas (UT) conducted a functional test and evaluation of the effects a spoofed GPS timing signal would have on synchrophasors, to determine if adverse effects could be produced on a sensitive timing-signal-dependent network such as a Supervisor Control and Data Acquisition (SCADA) network and the network devices such as PMUs. This article describes the test.

  • Trimble NetR9 Reference Receiver Aimed at Infrastructure, Scientific, and Network Apps

    Trimble NetR9 Photo: Trimble
    Trimble NetR9. Photo: Trimble

    Trimble has introduced an innovative Global Navigation Satellite System (GNSS) reference receiver for infrastructure, precise scientific, and network applications. The Trimble NetR9 GNSS reference receiver is a Continuously Operating Reference Station (CORS) receiver that can support the demanding applications for the earth science community and for the surveying, construction, mapping, and agricultural industries, Trimble said, adding that the NetR9 was designed to provide the user with maximum features and functionality from a single receiver.

    The Trimble NetR9 reference receiver offers 440 channels for robust GNSS constellation tracking. The receiver supports a wide range of satellite signals, including GPS and GLONASS signals. In addition, Trimble is committed to providing Galileo-compatible products in advance of Galileo system availability, the company said. In support of this plan, the Trimble receiver is capable of tracking the experimental Galileo GIOVE-A and GIOVE-B test satellites for signal evaluation and test purposes.

    The Trimble NetR9 reference receiver can be used as a standalone receiver or as part of a network solution. Specific applications include high-accuracy positioning as part of a Trimble VRS network, as a mobile field base station or CORS for real-time kinematic (RTK) corrections, as a scientific reference station collecting information for specialized studies, as a field campaign receiver for post-processing applications, and as support for Differential Global Positioning System (DGPS) coastal beacons. In addition, the Trimble NetR9 reference receiver can be used for monitoring the integrity of VRS networks as well as the deformation of physical infrastructure such as bridges, dams, mines, oil platforms, and other natural and manmade structures.

    The Trimble NetR9 reference receiver’s large internal memory (8 GB) allows post-processed results for base stations to be computed after survey completion, improving the accuracy of the survey. The highly compressed secure internal memory allows for more than 20 years of 15-second dual-frequency GPS data storage. In addition, the NetR9 also has USB logging capability for additional storage capacity, Trimble said.

    The receiver supports the new CMRx communications protocol, which provides correction compression for optimized bandwidth and full utilization of all satellites in view. This gives the customer more robust positioning data and reliable positioning performance, Trimble said.

    Optimized for field use with built-in rechargeable batteries, the NetR9 reference receiver consumes very little power and can be used for projects with remote connectivity and in extreme weather conditions. It has an IP67 rating, which means it is sealed against dust and can survive immersion in up to a meter of water for approximately 30 minutes. It also meets MIL-STD 810F standard for drops, vibration, and temperature extremes.

    The Trimble NetR9 has its physical memory built into the circuit board, providing greater protection of data, particularly under extreme conditions. Multiple built-in serial ports supply communications and power to support field use, whether connecting to a radio for RTK surveys, direct communication with a satellite phone for remote operations, or for ancillary input devices such as inclinometers and meteorological sensors, and it offers Bluetooth communication with a cell phone for real-time data streaming. In addition, both power and Ethernet can be supplied over a single cable using Power over Ethernet (PoE) technology.

  • Innovation: Assisted GPS: A Low-Infrastructure Approach (PDF)

    Innovation: Assisted GPS: A Low-Infrastructure Approach (PDF)

    By Jimmy LaMance, Javier DeSalas, and Jani Järvinen

    Published: March 2002 GPS World

    Have you ever tried to use a GPS receiver indoors? Chances are, unless you were on the top floor of a wood-frame house and using a receiver with ample antenna gain, you couldn’t get a position fix. GPS is a marvelous positioning tool but it does have some weaknesses, one of which is low signal power. And unlike cellular telephones, conventional GPS receivers do not work well, if at all, unless their antennas have a clear view of the sky. Although future GPS satellites will transmit signals with higher power, it will be a decade or more before the current constellation of satellites is fully replaced. In the meantime, how can GPS be used in skyscraper canyons, inside office buildings, and even in underground parking garages? Assisted GPS comes to the rescue! In this month’s column, a team of researchers from the United States and Finland describe their approach for assisted GPS — one which does not require a huge infra- structure investment for service providers.