GPS spoofing
A cyber thread over EPES assets

The control and automation in EPES assets rely on precise and reliable time information.  Current solution is to use a local NTP server using as reference GPS signal receiver. The GPS (GNSS) signal can be spoofed easily now and the GPS receiver can be placed on the cyber-attack surface of the EPES assets.

GPS System

The GPS Global Positioning system is a satellite-based system for radio-navigation owned and developed by United States Space Force [1]. There are also another similar systems in operation. The GPS system is providing geolocation and time information using a constellation of specialized satellites with a known position. The satellites are constantly broadcasting a time information from a local very stable atomic clock synchronized one another satellite and ground clocks. Since the speed of radio waves is constant a GPS receiver is using visible satellites from its location to determine from TOF (time of flight) the distance from the satellites and its own position and time synchronization. It must be mentioned that a GPS device is only receiving digital signals in radio frequency band of 1100 MHz, 1200MHz, 1500 Mhz. The GPS provides critical positioning capabilities to military, civil, and commercial users around the world. The United States government created the system, maintains it, and makes it freely accessible to anyone with GPS receiver [2]. The GPS service is provided by the United States government, which can selectively deny access to the system, as happened to the Indian military in 1999 during the Kargil War, or degrade the service at any time [3].

GPS Satellites constellation over the Earth [4]

GPS uses in EPES

GPS Satellites constellation over the Earth [4]
The EPES (Electrical Power Energy Systems) assets that are using GPS are High Voltage distribution and transport stations, renewables production stations and other devices. All this asset are nodes in in the power grid that is a spread over large areas with long powerlines connecting them.  Even the power frequency is low as 50 or 60 Hz there are transmission lines long enough to consider phase shifts. For monitoring the grid status and electronic protection devices the time synchronization between the substations is crucial. The substation Protection system, the SCADA system and metering system need all to have an absolute time reference with a resolution of less than 1ms.   Normally in the substation control system are more than one NTP (Network Time Protocol) servers, redundant that provides time reference in the system. Due the fact that the substation LAN are separated from internet considering the cyber security, the time reference used by NTP server synchronization is the GPS signal receiver.  In future the recommendation is to have a TCP/IP network including most of HV substations NTP servers to create a most secure NTP servers pool.

Effects of GPS spoofing on EPES

The GPS receiver is a multi-channel radio receiver that is receiving weak radio signals from GPS satellites, decodes them and based on Time of Flight of radio waves can determine local time with a good resolution and atomic clock stability.  The GPS receiver becomes in this case a high stability and resolution, time reference for NTP servers.     The GPS spoofing attack is an attack using a radio transmitter located near the target substation that is broadcasting signals used to interfere with legitimate signals from satellites. The attacker is closer to the target so replacing the legitimate signals with fake ones it is not a technical problem.  An attacker can interfere with the time synchronization function causing a time shift in station time servers of some seconds that will affect the substation control and automation systems causing problems in grid stability

The GPS receivers into the substation should be considered an open gate on a possible attack surface over a quite “hermetically” closed system as there are the SCADA and control systems of high voltage substations.

GPS spoofing attacks in real world

Now the SDR ( Software Defined Radios ) becomes cheaper and more accessible and portable  allowing a wide range of technical enthusiasts and even hacker to generate fake  GPS signals . There are video tutorials on YouTube using commercial and easy available hardware and software for GPS spoofing [5]

Recent GPS spoofing attacks that are presented in media

In March 2019 , at the Geneva Motor Show in Switzerland, an attack from an unknown source affected the GPS systems of Audi, Peugeot, Renault, Rolls-Royce, Volkswagen, Daimler-Benz and BMW cars. Instead of showing the accurate location, the cars were reporting that they were in Buckingham, England, in the year 2036. [6]

These kinds of attacks are still common, with Russia, for example, reportedly frequently interfering with location data near politically sensitive targets such as Syria or Crimea or in the vicinity of Russian President Vladimir Putin. Today, GNSS spoofing can be accomplished with cheap, commercially available and portable software-defined radios running open source software and costing under $300. [6]

In 2019, an Washington DC research group, C4ADS, published a report [7]   documenting about nearly 10000 instances of GPS spoofing attacks in Russia and Syria interfering with the satellite navigation of more than 1300 civilian vessels.

International Civil Aviation Organization issued an report [8]. According the document  GNSS interference has been reported throughout the Middle East, with 65 incidents in the region in the last two years.

Ray DeMeo, COO at Virsec Systems, a cybersecurity company declares : “GPS touches everywhere we go and everything we do,”

Romanian Energy Center
Eng. Paul Lacatus

References

[1] https://en.wikipedia.org/wiki/United_States_Space_Force

[2] Real Engineering (June 19, 2017). “Why The US Military Made GPS Free-To-Use”. Archived from the original on December 31, 2018. Retrieved August 16, 2018 – via YouTube.

[3] Srivastava, Ishan (April 5, 2014). “How Kargil spurred India to design own GPS”. The Times of India. Archived from the original on December 15, 2016. Retrieved December 9, 2014.

[4] https://www.space.com/19794-navstar.html

[5] GPS SPOOFING with HACKRF  You Tube Video https://www.youtube.com/watch?v=3NWn5cQM7q4

[6] What is GPS spoofing? And how you can defend against it.  https://www.csoonline.com/article/3393462/what-is-gps-spoofing-and-how-you-can-defend-against-it.html

[7] Above us only stars https://www.c4reports.org/aboveusonlystars

[8] International Civil Aviation Organisation about the GNSS vulnerabilities https://www.icao.int/MID/Documents/2019/CNS%20SG9/CNS%20SG9-WP12-%20GNSS%20Issues.pdf


This project has received funding from the European Union’s Horizon 2020 research and Innovation programme under grant agreement N°832989. All information on this website reflects only the authors’ view. The Agency and the Commission are not responsible for any use that may be made of the information this website contains.

Sign up to our newsletter