Evaluation of the Vulnerability of Phasor

Measurement Units to GPS Spoofing

AttacksDaniel P. Shepard (dshepard.ut@gmail.com) and Todd E. Humphreys

(todd.humphreys@mail.utexas.edu)The University of Texas at Austin

Aaron A. Fansler (aaron.fansler@ngc.com)Northrop Grumman Information Systems

ABSTRACT

Test results are presented from GPS spoofing tests against Phasor Measurement Units (PMUs) todemonstrate their vulnerability to spoofing attacks. A GPS spoofer can manipulate the timing of a PMUby broadcasting a falsified GPS signal and forcing the time reference receiver that is providing timingfor the PMU to track the falsified signal. This spoofer-induced timing offset creates a correspondingchange in the phase angle measured by the PMU.

A particular synchrophasor-based automatic control scheme currently implemented in Mexico is de-scribed. It is shown that a generator trip could be falsely activated by a GPS spoofing attack in thissystem, thus highlighting the threat of spoofing a PMU. A description of the events that led to the 2003northeast blackout is provided as an example of a potential worst case scenario where the legitimate orfalse tripping of a single generator or transmission line could lead to cascading faults and a large scaleblackout.

Copyright c© 2012 by Daniel P. Shepard,Todd E. Humphreys, and Aaron A. Fansler

Preprint of the Sixth Annual IFIP WG 11.10 InternationalConference on Critical Infrastructure Protection

Washington, DC, March 19-21, 2012

I. Introduction

The generation, transmission, and distribution ofelectric power make the power grid the most crit-ical of critical infrastructure in the United States.Past real-world events and numerous governmentdemonstrations have shown just how vulnerablethe electric power infrastructure can be, not onlyto natural disasters, but more importantly to ma-licious cyber activity which is on the rise. In thepast, the consequences of power disruption wereannoyance and some economic cost; future disrup-tions resulting from intentional malicious activitycould cascade into crippling failures.

Effective operation of a country’s energy infras-tructure (electric power, oil, and natural gas pro-duction, transmission, and distribution) is criticalto the health and safety, national security, andeconomic viability of that nation. Cyber threatshave become more of a concern because they nowrival the consequences of physical attacks.

Every element of critical infrastructure, includ-ing the electric power industry, originally oper-ated without an external time reference. However,over the past decade, industry has seen an explo-sion in the use of accurate, synchronized time in-corporated into their controlling networks. In theelectric power infrastructure, accurate timing sig-nals are being exploited in systems from the gen-eration plant down to the distribution substationand now down to individual smart grid compo-nent.

The value of time synchronization is best under-stood by recognizing that the power grid is a sin-gle, complex, interconnected and interdependentnetwork. What happens in one part of the grid af-fects operation elsewhere. Effects will also be feltin other systems reliant on stable power, much likewhat was observed in the 2003 Northeast Black-out [1].

With the transition to smart grid technologies anda unified synchronized “grid,” the potential forcatastrophic cascading failures increases if propercontrol measures are not implemented. Time-synchronized measurements are changing the way

electric power systems are controlled to protectagainst these events. Phasor measurement units(PMUs) have recently emerged as one technologywhich has the potential to one day anticipate fail-ures, making it possible to take remedial actionsbefore failures spread across the network [2].

PMUs rely on GPS to provide accurate, synchro-nized time across the power grid. This reliance ofPMUs on GPS for time synchronization createsa vulnerability to a particular type of maliciousattack called GPS spoofing [3]. In 2001, the U.S.Department of Transportation (USDOT) evalu-ated the transportation infrastructure’s GPS vul-nerability and first raised concern over the threatof GPS spoofers [4]. Spoofers generate counterfeitGPS signals that commandeer a victim receiver’stracking loops and induce spoofer-controlled timeor position offsets. The USDOT report notedthe absence of any off-the-shelf defense againstcivilian spoofing and recommended a study tocharacterize spoofing effects and observables. In2008, researchers demonstrated that an inexpen-sive portable software-defined GPS spoofer couldbe built from off-the-shelf components, againhighlighting the threat of spoofing [3].

Northrop Grumman Information Systems (NGIS)and the University of Texas (UT) conducted afunctional test and evaluation (FT&E) of the ef-fects a spoofed GPS timing signal would have onsynchrophasors. GPS spoofing attacks were per-formed, both through cable and over-the-air in-side an RF shielded tent, against a GPS timereference receiver which provided timing for aPMU. The goal was to determine if adverse effectscould be produced on a sensitive timing-signal-dependent network such as a Supervisor Controland Data Acquisition (SCADA) network and thenetwork devices such as PMUs.

The minimum threshold for success was to showthat a GPS spoofer could force a PMU to violatethe IEEE C37.118 Standard “Synchrophasors forPower Systems” [5]. The Standard defines accu-racy as a vectorial difference between the mea-sured and expected value of the phasor for themeasurement at a given instant of time, called thetotal vector error (TVE). TVE blends together

2

three possible sources of error: magnitude, phaseangle, and timing. An error in timing appearsidentical to an error in phase angle. Without tim-ing and magnitude errors, a phase angle error of0.573◦ corresponds to a 1% TVE, which is themaximum allowable TVE by the IEEE C37.118Standard [6]. This phase angle error could beequivalently and indistinguishably caused by atiming error of 26.5 µs, which was chosen as thethreshold for success in the spoofing tests.

II. Background

A. Synchrophasors

As electric power grids continue to expandthroughout the world and as transmission linesare pushed to their operating limits, the dynamicoperation of the power system has become more ofa concern and more difficult to accurately model.More effective real-time system control is nowseen as a key to preventing wide-scale cascadingoutages like the 2003 Northeast Blackout [1].

For years, electric power control centers have es-timated the state of the power system (the posi-tive sequence voltage and angle at each networknode) from measurements of power flows. But forimproved accuracy in the so-called power systemstate estimates, it will be necessary to feed exist-ing estimators with a richer measurement ensem-ble or to measure the grid state directly.

Alternating current (AC) quantities have been an-alyzed for over 100 years using a construct de-veloped by Charles Proteus Steinmetz in 1893,known as a “phasor” [7]. In power systems,the phasor construct has commonly been usedfor analyzing AC quantities, assuming a con-stant frequency. A relatively new synchroniza-tion technique which allows referencing measuredcurrent or voltage phasors to absolute time hasbeen developed and is currently being imple-mented throughout the world. The measurementsproduced by this technique are known as “syn-chronized phasor measurements” or “synchropha-sors.” Synchrophasors provide a real-time snap-shot of current and voltage amplitudes and phases

across a power system, and so can give a com-plete picture of the state of a power system atany instant in time. This makes synchrophasorsuseful for control, measurement, and analysis ofthe power system.

In a typical deployment, synchrophasors are inte-grated in protective relays and are sampled fromwidely dispersed locations in the power systemnetwork. They are synchronized with respect tothe common time source of a global positioningsystem (GPS) clock. Synchrophasors are basicallymeasurements of AC voltage (or current) and ab-solute phase angle, made at any selected point inan electric transmission or distribution system [2].

B. GPS Spoofing

GPS spoofing is the act of producing a falsifiedversion of the GPS signal with the goal of takingcontrol of a GPS receiver’s position-velocity-time(PVT) solution. This is most effectively accom-plished when the spoofer has knowledge of theGPS signal as seen by the target receiver so thatthe spoofer can produce a matched, falsified ver-sion of the signal. In the case of military signals,this type of attack is nearly impossible becausethe military signal is encrypted and therefore un-predictable. On the other hand, the civil GPSsignal is publicly-known and readily predictable.

In recent years, civil GPS spoofing is becomingrecognized as a serious threat to many critical in-frastructure applications which rely heavily on thepublicly-known civil GPS signal. A number ofpromising methods are currently being developedto defend against civil GPS spoofing attacks, butit will still take a number of years before thesetechnologies mature and are implemented on awide scale. Currently, there is a complete absenceof any off-the-shelf defense against a GPS spoof-ing attack.

III. The Spoofer

The civil GPS spoofer used for these tests, shownin Fig. 1, is an advanced version of the spooferreported in [3]. It is the only spoofer reported in

3

Fig. 1. The Civil GPS Spoofer.

open literature to date that is capable of preciselyaligning the spreading codes and navigation dataof its counterfeit signals with those of the authen-tic GPS signals. Such alignment capability allowsthe spoofer to carry out a sophisticated spoofingattack in which no obvious clues remain to sug-gest that an attack is underway. The spoofer isimplemented on a portable software-defined radioplatform with a digital signal processor (DSP) atits core. This platform comprises:

• A Radio Frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies

• A DSP board that performs acquisition andtracking of GPS L1 C/A and L2C signals, calcu-lates a navigation solution, predicts the L1 C/Adatabits, and produces a consistent set of up to10 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timingsolution.

• An RF back-end with a digital attenuator thatconverts the digital samples of the spoofed signalsfrom the DSP to analog output at the GPS L1frequency with a user-controlled broadcast power.

• A Single Board Computer (SBC) that handlescommunication between the spoofer and a remotecomputer over the Internet.

The spoofer works by first acquiring and trackingGPS L1 C/A and L2C signals to obtain a naviga-tion solution. It then enters its “feedback” mode,in which it produces a counterfeit, data-free feed-

back GPS signal that is summed with its own an-tenna input. The feedback signal is tracked bythe spoofer and used to calibrate the delay be-tween production of the digitized spoofed signaland output of the analog spoofed signal. This isnecessary because the delay is non-deterministicon start-up of the receiver, although it stays con-stant thereafter.

After feedback calibration is complete and enoughtime has elapsed to build up a navigation data bitlibrary, the spoofer is ready to begin an attack. Itproduces signals that are initially nearly perfectlyaligned with the authentic signals but with lowenough power that they remain far below the vic-tim receiver’s noise floor. The spoofer then raisesthe power of the spoofed signals slightly abovethat of the authentic signals. At this point, thespoofer has taken control of the victim receiver’stracking loops and slowly leads the spoofed signalsaway from the authentic signals, carrying the re-ceiver’s tracking loops with it. Once the spoofedsignals have moved more than 600 m in positionor 2 µs in time away from the authentic signals,the victim receiver has been completely captured.

The spoofer and attack strategy have been testedagainst a wide variety of GPS receivers and hasalways been successful in spoofing the target re-ceiver. Several of the receivers that have beenspoofed are highlighted in Ref. [8].

IV. Test Setup

Figure 2 shows a schematic of the setup used forthe open-air tests. The signals received at the roofwere routed into the spoofer for use in producingthe counterfeit signals and into the RF shieldedtent for rebroadcasting. The counterfeit signalswere also routed into the tent for broadcasting. Inaddition to the antennas broadcasting the authen-tic and counterfeit signals, a third antenna wassetup inside the tent to receive the combination ofauthentic and spoofed signals. This setup is rep-resentative of an actual attack scenario where themalefactor does not have physical access to thevictim receiver’s antenna input but rather broad-casts the spoofed signals over-the-air. Figure 3

4

Fig. 2. Schematic of the test setup.

Fig. 3. Picture of the outside of the RF shielded tent withcables for the antennas.

shows the outside of the tent where the cables forthe transmit and receive antennas were being fedinto the tent. Figures 4 and 5 show the transmitand receive antennas respectively as they were setup at opposite ends inside the tent. For cable-onlytests, the entire setup inside the tent was replacedwith a signal combiner that summed the authenticand spoofed signals.

The combined authentic and spoofed signals werefed to the victim GPS time reference receiver.The output timing signal from the victim receiverwas used as the synchronization reference for onePMU, whereas a second PMU was given timingfrom a separate GPS time reference receiver thatwas tracking only authentic GPS signals. Sincethe PMUs were in the same room and measuredthe local voltage and carrier phasors, both PMUswould report roughly the same phasor measure-ments under normal circumstances. Thus, any

Fig. 4. Picture of the transmit antennas inside the RFshielded tent with one repeating the authentic signal andthe other broadcasting the spoofed signal.

Fig. 5. Picture of the receive antenna inside the RFshielded tent which was pulling in both the authentic andspoofed signals to feed to the victim receiver.

significant differences in the phase angle measure-ments between the two PMUs could be attributedto the effects of spoofing.

V. Test Results

Both the cable-only and the over-the-air spoofingattacks were successful in leading the PMU phasemeasurements off from the truth. Figure 6 showsthe measured phase angle difference between thereference PMU, which was fed the true GPS sig-nal, and the spoofed PMU throughout one en-tire test. This value would normally be less thana few degrees in the absence of spoofing, since

5

Fig. 6. A plot of the phase angle difference between thereference and the spoofed PMUs. Normally the phase an-gle difference would be nearly zero in the absence of aspoofing attack. Point 1 marks the start of the test. Point2 marks the point at which the spoofer has completelycaptured the victim receiver. Point 3 marks the point atwhich the IEEE C37.118 Standard has been broken. Point4 marks the point at which the spoofer-induced velocityhas reached its maximum value for the test. Point 5 marksthe point at which the spoofed signal was removed.

the two PMUs are co-located. After the initialten minute capture-and-carry-off, which proceedsslowly to avoid detection, the spoofer acceleratesits carry-off and the reference and spoofed phaseangles quickly diverge.

Figure 7 shows pictures of an oscilloscope and theSynchrowave screen at the start of the test. Theoscilloscope shows two pulse-per-second (PPS)signals, with the upper yellow pulse coming froma reference clock being fed true GPS and the lowerblue pulse coming from the spoofed timing re-ceiver. Both PPS signals are initially aligned witheach other. The Synchrowave screen displays thePMU phase angle data in real-time as phasorswith the nominal 60 Hz operating frequency sub-tracted from the phase angle. The red and greenphasors show the phase data from the referenceand spoofed PMUs respectively. These phasorsare within a few degrees of each other at the be-ginning of the test.

Figure 8 shows pictures of the Oscilloscope andthe Synchrowave screen at about 620 seconds into

the test. At this point, the spoofer has movedthe victim receiver 2 µs off in time and has com-pletely captured the receiver. The delicate initialcapture-and-carry-off is performed at a slow rateto suppress any evidence of the spoofer’s presence.However, this process could be done quicker be-cause the receiver was not looking for such evi-dence of foul play. At this stage of the test, thereis not yet any significant difference between thetwo phasors on the Synchrowave screen, since thespoofed time offset remains relatively small. Theoscilloscope, however, reveals that the PPS out-put from the victim receiver has moved by about 2µs relative to the reference PPS. At this point, thespoofer begins to accelerate the victim receiver’stime solution at a distance-equivalent rate of 4m/s2 until it reaches a final distance-equivalentvelocity of 1000 m/s. Distance-equivalent veloc-ity can be converted into the actual time rate ofchange of time by dividing by the speed of light.

The acceleration segment of the attack must betailored to the individual receiver’s ability to trackthe spoofer-induced dynamics [8]. Otherwise, thespoofer risks loosing control of the victim re-ceiver’s tracking loops by moving too quickly forthe receiver to track or raising alarms. Alter-natively, a malefactor could survey possible GPStime reference receiver’s that might be used andtailor the spoofing attack such that any of thereceivers would track and believe the spoofedsignals. This would place severe limits on thespoofers ability to manipulate timing, but wouldnot make the attack impossible or implausible.

Figure 9 shows pictures of the oscilloscope andthe Synchrowave screen at about 680 seconds intothe test. At this point, the spoofer has broken theIEEE C37.118 Standard for PMUs, which requiresaccuracy in the measured phase angle of 0.573◦

[6]. This demonstrates a significant vulnerabil-ity for PMU-based monitoring and control, sincethese applications leverage the accuracy suppos-edly guaranteed by the standard. There is yet nonoticeable difference on the Synchrowave screen,but the oscilloscope clearly shows that the victimreceiver has now been offset in time by about 20µs.

6

Fig. 7. Pictures of the Oscilloscope (left) and Synchrowave (right) screen at the start of the test, which is marked aspoint 1 in Fig. 6.

Fig. 8. Pictures of the Oscilloscope (left) and Synchrowave (right) screen at about 620 seconds into the test, which ismarked as point 2 in Fig. 6.

Figure 10 shows pictures of the oscilloscope andthe Synchrowave screen at about 870 seconds intothe test. At this point, the spoofer has reachedits final velocity of 1000 m/s. A phase angle offsetof 10◦ has also been introduced in a matter ofminutes. As expected, there is a marked differencein the phasors on the Synchrowave screen. Theoscilloscope also shows a time offset of 400 µs hasbeen induced in the victim receiver.

Figure 11 shows pictures of the oscilloscope andthe Synchrowave screen at about 1370 secondsinto the test. At this point, the spoofed signalwas heavily attenuated and instantly realigned

with the authentic signals. This was intendedto be the end of the test, but when this partic-ular receiver lost lock on the signal it continuedto send out a valid time signal to the PMU whilefly-wheeling off its internal clock. This caused analarm to issue on the front panel of the time ref-erence receiver indicating loss of GPS signal lock.The downstream PMU, however, was oblivious tothis loss of lock. This state persisted for abouthalf an hour before the clock finally reacquired theauthentic signal and instantly realigned its timeoutput, which caused the phasors to realign. Fig-ure 6 does not show the phase angle data for this

7

Fig. 9. Pictures of the Oscilloscope (left) and Synchrowave (right) screen at about 680 seconds into the test, which ismarked as point 3 in Fig. 6.

Fig. 10. Pictures of the Oscilloscope (left) and Synchrowave (right) screen at about 870 seconds into the test, which ismarked as point 4 in Fig. 6.

entire period, but does show that the phase an-gle difference exceeds at least 70◦ before the timereference receiver reacquires the authentic signal.

VI. Implications for Synchrophasor-Based

Control

Synchrophasor data provides a clear picture of thestate of the power system in real-time. As thesize of the power grid grows and stability marginsare reduced (to provide more efficient distributionof power), it will become desirable to use syn-chrophasors for control purposes [9]. PMU man-ufacturers are currently selling PMUs capable of

implementing automated control schemes that of-fer response times less than 4 cycles. Such swiftresponse times are seen as necessary to preventgrid instability or damage to equipment.

Control schemes based on synchrophasors rely onphase angle differences between two nodes as anindicator of a fault condition. One example ofa currently operational synchrophasor-based con-trol system is the Chicoasen-Angostura transmis-sion link in Mexico [10]. This transmission linelinks together large hydroelectric generators inAgostura to large loads in Chicoasen through two400-kV transmission lines and one 115-kV trans-

8

Fig. 11. Pictures of the Oscilloscope (left) and Synchrowave (right) screen at about 1370 seconds into the test, which ismarked as point 5 in Fig. 6.

mission line. If a fault occurs in which both ofthe 400-kV lines are lost, then the hydroelectricgenerators may experience angular instability. Inorder to prevent this, a PMU was set up at eachend of the transmission lines with a direct com-munications link between them. It was found thatunder nominal and single-fault (only one 400-kVline lost) conditions, the phase angle difference be-tween the two locations was less than 7◦, whereasa double-fault (both 400-kV lines lost) produceda phase angle difference of 14◦. Based on thisfinding, the PMUs were configured so that if thephase angle difference exceeded 10◦ the hydroelec-tric generators would be automatically tripped.

If a spoofer were to attack this system in Mexicoor a similar implementation elsewhere, then thespoofer could cause a generator trip. In the testdescribed in the previous section, a 10◦ offset, thethreshold for the Chicoasen-Angostura link, wasinduced by the spoofer about 250 s after capturingthe target receiver, as seen in Figs. 6 and 10. Amalefactor could even lead the phase angle off inthe opposite direction (say 7◦) before cutting both400-kV transmission lines. Instead of causing agenerator to unnecessarily trip, this would preventPMUs from tripping the generator when requiredand potentially cause damage to the generator orremaining transmission lines.

Beyond tripping a single generator, there is po-

tential for the effects of the attack to propagatethrough the grid and cause cascading faults acrossthe grid. One example of this type of cascadingfailure is the 2003 Northeast Blackout. Althoughthis blackout did not involve PMUs or a spoof-ing attack, it demonstrates how an appropriatelytargeted attack against PMUs used for control onthe power grid could cause large scale blackoutsthat originate with a single generator or trans-mission line trip. On Aug. 14, 2003 at 3:05 p.m.,a 345-kV transmission line in Ohio began to sagfrom increased flow of electric power. When theline sagged too close to a tree, it caused a short-to-ground and tripped offline. This is something thathappens fairly frequently on the massive U.S. elec-trical grid and is usually easily dealt with. How-ever, the tripping of that line in northern Ohio be-gan a cascade of failures that, in a little more thanan hour, led to a near total power loss for morethan 50 million people in the northeastern U.S.and parts of Canada. The blackout is estimatedto have cost approximately 6 billion U.S. dollarsfor only four days of power loss [1]. This led theDepartment of Energy and the North AmericanElectric Reliability Corporation (NERC) to fundand push for an improved “smart grid” with syn-chrophasor technology as a major component.

As previously pointed out, PMUs are high-speed,real-time synchronized measurement devices usedto diagnose the health of the electricity grid. With

9

synchrophasor data, electric utilities can use ex-isting power more efficiently and push more powerthrough the grid while reducing the likelihood ofpower disruptions like blackouts. Synchrophasormeasurements are being looked at to reduce thelikelihood of false and inappropriate triggers oftransmission system circuit breakers that protec-tively shut down electrical flow and contributeto cascading blackouts. However, GPS spoofingposes a significant threat to these objectives forPMUs and can make synchrophasor-based controlthe cause for these events instead of the cure.

VII. Conclusions

Test results presented herein demonstrate thatGPS spoofing poses a threat to the integrity ofsynchrophasor measurements. A spoofer can in-troduce a time offset in the time reference receiverthat provides the timing signal for a PMU withouthaving physical access to the receiver itself. Thistiming offset produces a corresponding phase off-set in the synchrophasor data coming from thatPMU. It was demonstrated that a PMU could bemade to violate the IEEE C37.118 Standard forsynchrophasors in about 11 minutes from the startof a spoofing attack.

As PMU usage continues to grow throughout theworld, PMUs will increasingly be used for auto-matic control purposes instead of just grid mon-itoring. An example of this is a currently op-erational system in Mexico which automaticallytrips a generator if the phase angle difference be-tween PMUs at two particular locations exceeds10◦. The tests discussed in this paper demon-strate that a spoofer could cause control schemessuch as the one in Mexico to falsely trip a genera-tor. In the presence of other exacerbating factors,this could lead to a cascade of faults and a largescale blackout.

References

[1] “Final Report on the August 14, 2003 Blackout in theUnited States and Canada: Causes and Recommenda-tions,” Tech. rep., U.S.-Canada Power System OutageTask Force, April 2004.

[2] Phadke, A. G. and Thorp, J. S., editors, Synchronized Pha-sor Measurements and Their Applications, Springer, NewYork, 2008.

[3] Humphreys, T. E., Ledvina, B. M., Psiaki, M. L.,O’Hanlon, B. W., and Kintner, Jr., P. M., “Assessing thespoofing threat: development of a portable GPS civilianspoofer,” Proceedings of the ION GNSS Meeting , Instituteof Navigation, Savannah, GA, 2008.

[4] Anon., “Vulnerability assessment of the transportation in-frastructure relying on the Global Positioning System,”Tech. rep., John A. Volpe National Transportation Sys-tems Center, 2001.

[5] “IEEE Standard for Synchrophasors for Power Systems,”2005, IEEE Std. C37.118 Revision 1344–1995.

[6] Martin, K. E., Hamai, D., Adamiak, M. G., Anderson, S.,Begovic, M., Benmouyal, G., Brunello, G., Burger, J., Cai,J. Y., Dickerson, B., Gharpure, V., Kennedy, B., Karlsson,D., Phadke, A. G., Salj, J., Skendzic, V., Sperr, J., Song,Y., Huntley, C., Kasztenny, B., and Price, E., “Explor-ing the IEEE Standard C37.118–2005 Synchrophasors forPower Systems,” IEEE Transactions on Power Delivery ,Vol. 23, No. 4, Oct. 2008, pp. 1805–1811.

[7] “Charles P. Steinmetz,” http://www.britannica.com/EBchecke-d/topic/565056/Charles-Proteus-Steinmetz.

[8] Shepard, D. and Humphreys, T. E., “Characterization ofReceiver Response to a Spoofing Attack,” Proceedings ofthe ION GNSS Meeting , Institute of Navigation, Portland,Oregon, 2011.

[9] Giri, J., Sun, D., and Avila-Rosales, R., “Wanted: Amore intelligent grid,” IEEE Power & Energy , April 2009,pp. 34–40.

[10] Schweitzer, E. O., Guzman, A., Altuve, H. J., and Tziou-varas, D. A., “Real-Time Synchrophasor Appliactions forWide-Area Protection, Control, and Monitoring,” Tech.rep., Schweitzer Eng. Laboratories, 2009.

10