Vulnerability of Synchrophasor-based WAMPAC Applications’ to Time-Synchronization Spoofing
Download as PPTX, PDF2 likes260 views
The paper explores the vulnerability of synchrophasor-based Wide Area Measurement and Control (WAMPAC) applications to time-synchronization spoofing, particularly through GPS and IRIG-B systems. It emphasizes the importance of conducting real-time experiments to understand the impact of such spoofing, which can lead to significant errors in phase angle computation and degrade the functioning of power system monitoring and control systems. The findings indicate that synchronization loss or spoofing can result in corrupted monitoring results and delayed protection activation, highlighting the risks associated with the reliance on external time signals for precise measurements.
More Related Content
Similar to Vulnerability of Synchrophasor-based WAMPAC Applications’ to Time-Synchronization Spoofing (20)
Vulnerability of Synchrophasor-based WAMPAC Applications’ to Time-Synchronization Spoofing
- 1. Vulnerability of Synchrophasor-based WAMPAC Applications’ to Time-Synchronization Spoofing Authors: M. Shoaib Almas, L. Vanfretti, R.S. Singh and G. M. Jonsdottir 1 Paper No: 17PESGM0194 L. Vanfretti Rensselaer Polytechnic Institute (RPI) [email protected] G. Jonsdottir University College Dublin (UCD) [email protected]
- 2. Background • Spoofing of Time-Synchronization (e.g. GPS, IRIG-B, etc.) can affect synchrophasors, and consequently, their applications. • We need to understand and quantify the impact of time- synchronization spoofing: – Although, traditional simulation-based studies have attempted to determine this impact… – … to fully understand something, we need to reproduce it we need to do experiments! • This paper shows how to lawfully conduct experiments related to GPS spoofing, and to, • Experimentally characterizes the mechanisms that jeopardize PMU applications and, consequently, the grid, using real-time HIL simulation experiments with real-life PMU apps. 2
- 3. Background: The threat is real! 3 04/09/18 04/09/18 IEEE Spectrum August 2016 (GPS Lies) 07/29/15 http://geoawesomeness.com/gps-spoofing-and-jamming- how-grave-is-the-threat/ 07/29/13 https://www.wsj.com/articles/china-installed-military-jamming-equipment-on-spratly-islands-u-s-says-1523266320 https://www.nbcnews.com/news/military/russia-has-figured-out-how-jam-u-s-drones-syria-n863931 Pic. Source: Megadeth
- 4. Background: The threat is real! 4 04/09/18 04/09/18 IEEE Spectrum August 2016 (GPS Lies) 07/29/15 http://geoawesomeness.com/gps-spoofing-and-jamming- how-grave-is-the-threat/ 07/29/13 https://www.wsj.com/articles/china-installed-military-jamming-equipment-on-spratly-islands-u-s-says-1523266320 https://www.nbcnews.com/news/military/russia-has-figured-out-how-jam-u-s-drones-syria-n863931
- 5. Background: Interdependency of Synchrophasor Measurements and Time Synchronization • PMU Accuracy Requirement: IEEE C37.118.1-2011 specifies a Total Vector Error (TVE) limit of 1% i.e. 0.5730 (degrees) or 31.8 µs at 50 Hz. – Blue: reference (perfect) • Interdependency: PMU apps depend on the accuracy of the PMUs, and thus, on the input time signals. • Vulnerability: The GPS system can be interfered both intentionally and/or cosmically. 5 GPS Receiver Antenna CT Input Module VT Input Module PMU Power Supply PMU Serial and Ethernet Interface Binary I/Os IRIG Input Settings Reset Power Off Esc Ia = 1500 A Ib = 1499 A Ic = 1501 A Va = 60.01 kV Vb = 60.00 kV Vc = 59.99 kV Date: 01/11/2015 Time: 21:08:19.30 Frequency = 50.00 Hz Phasor Measurement Unit G1 Bus 1 External Grid Bus 2 Bus 3 3-ɸ voltage Substation Clock 3-ɸ currents CT VT Transmission Line GPS GPS IRIG-B Network clock GPS GPS PTP GPS signals arrive to a substation clock or directly. A clock may distribute timing in a specific time-code format. Most of the commercial PMUs use IRIG-B signals for time synchronization GPS signals from GPS antenna PTP from Network Clock 0 0.01 0.02 0.03 0.04 0.05 0.06 -100 -50 0 50 100 Reference Waveform 50 Hz Synchronized to GPS 0 0.01 0.02 0.03 0.04 0.05 0.06 -100 -50 0 50 100 Measured Waveform 0.019 0.0195 0.02 0.0205 0.021 0.0215 0.022 80 85 90 95 100 105 X: 0.02 Y: 100 Phase Angle Difference with respect to Reference X: 0.02056 Y: 100 08:00:00.000000 08:00:00.020000 08:00:00.040000 08:00:00.060000
- 6. TSSA Through IRIG-B Signal Loss and Spoofing 1 1.05 1.1 1.15 1.2 1.25 1.3 0 5 10 Simulation Time (sec) WidthModulatedOutputVoltage(IRIG-B) Real-Time IRIG-B Signal Generation (1 sec simulation showing one complete frame of IRIG-B Time Code) Simulation was carried out on 14th April 2015 1.3 1.35 1.4 1.45 1.5 1.55 1.6 1.65 0 5 10 1.7 1.75 1.8 1.85 1.9 1.95 2 0 5 10 P6 P9 P0 P1 P2 P3 P5P4 P7 P8 1 2 4 8 10 20 40 P0 1 2 4 8 10 201 2 4 8 10 20 40 100 2001 2 4 8 10 20 40 80 1 2 4 8 10 20 40 80 Logical 1 (50 %, 5ms) Logical 0 (20 %, 2ms) Ref. Marker (80 %, 8ms) Control Functions Days Years Seconds Minutes Hours Time of Day Binary Seconds (51601 seconds) Control Functions 1 PPS • It is possible to interfere with GPS through a GPS jammer, however, this is illegal! We propose a lawful approach! • The TSSA is modeled through real-time IRIG-B signal generator, within the RT simulator. • Possible to delay the time synchronization signals from microseconds to milliseconds. https://github.com/ALSETLab/IRIG-B_for_RT
- 7. Experiment on SVC WAPOD Control 7 G1 G2 Area 1 900 MVA 900 MVA 900 MVA 20 kV / 230 kV 25 Km 10 Km 900 MVA 20 kV / 230 kV Local Loads 967 MW 100 MVAR (Inductive) -387 MVAR (Capacitive) 220 Km Parallel Transmission Lines Power Transfer Area 1 to Area 2 10 Km 25 Km G3 900 MVA 900 MVA 20 kV / 230 kV G4 900 MVA 20 kV / 230 kV 900 MVA Local Loads 1767 MW 100 MVAR (Inductive) -537 MVAR (Capacitive) Area 2 Bus1 Bus2 SVC Isvc Vmeasure Vref ΔVPODVerror Synchrophasors from PMU-A POD S3 DK Unwraps PDC stream and provides raw measurements to NI-cRIO POD C37.118.2 V+ PMU-1 , I+ PMU-1 PPMU-1 , QPMU-1 V+ PMU-2 , I+ PMU-2 PPMU-2 , QPMU-2Synchrophasors from PMU-B SEL-PDC 5073 C37.118.2 C37.118.2 PMU-A (Reference) PMU-B (Spoofed) This WAPOD deployed in National Instrument’s cRIO real-time embedded control platform: • Receives remote synchrophasors as inputs from PMU-A (ref) and PMU-B (Spoofed) • Control Algorithm Implemented in the controller’s FPGA: • Separates the controller input signal into average and oscillatory content • Oscillatory content of the signal is phase shifted to create the damping signal • This damping signal is provided as a supplementary control signal to the SVC https://github.com/alSETLab/audur
- 8. Results: TSSA Spoofing Attack - Impact on Phase Angle Computation 8 • With the WAPOD disabled, the 0.64 Hz inter-area oscillation is not damped. • WAPOD’s performance degrades as the GPS disconnection time for PMU-2 increases 55 60 65 70 3 3.5 4 4.5 5 5.5 x 10 8 Time (s) ActivePowerTransfer(MW) WAPOD: Voltage Phase Angle Difference as an Input No Spoofing PMU-B Spoofing: 1000 s PMU-B Spoofing: 1500 s PMU-B Spoofing: 2000 s PMU-B Spoofing: 3000 s55 60 65 70 3 3.5 4 4.5 5 5.5 x 10 8 Time (s) ActivePowerTransfer(MW) WAPOD: Voltage Phase Angle Difference as an Input No Spoofing PMU-B Spoofing: 1000 s PMU-B Spoofing: 1500 s PMU-B Spoofing: 2000 s PMU-B Spoofing: 3000 s Spoofing Attack • As the time synchronization error in PMU-B increases, its error in phase angle computation escalates. • As the TSSA increases beyond 1500 µs, the WAPOD introduces a negative damping. Signal Loss 0 50 100 150 200 250 300 0 0.2 0.4 0.6 0.8 1 5th Step 50 micro second error 3rd Step 30 micro second error 2nd Step 20 micro second error 1st Step 10 micro second error 4th Step 40 micro second error Positive Sequence Voltage Phase Angle Phase Error Limit for TVE = 1 % (0.573 degrees) Phase Error in Measured Positive Sequence Voltage Phasor as Computed by PMU PhaseAngleError(Degrees) Time (sec) a b c Time Error 0 µs Time Error 1000 µs Each 10 µs time synchronization error due to TSSA results in a phase angle error of 0.1790 in PMU-B TSSA results in an error in voltage phase angle computation beyond 0.5730 mark as soon as the time error increases beyond 30 µs, thus breaching the maximum allowable TVE limit. The actual synchrophasors as computed by the PMU before and after time spoofing by 1000 µs, thus resulting in a phase angle error of about 180 Results: TSSA Spoofing Attack - Impact on WAPOD The paper includes additional experiments and results on phase angle monitoring, islanding protection, assessment of the PMU’s internal clock behavior, and undetectable spoofing attacks.
- 9. 60 65 70 75 80 85 -90 -85 -80 PhaeAngle (Degrees) Impact of TSSA on PMU's Internal Oscillator 60 65 70 75 80 85 0 5 10 X: 65.82 Y: 2.914e-016 PhaseAngleDifference (Degrees) Phase Angle Computation Error Time (s) X: 79.4 Y: 0.8922 PMU-A : Reference PMU-B: TSSA 8.0230 Conclusions • Loss / Spoofing of time-synchronization signal results in corrupted power system monitoring results, delayed / faulty protection activation, and degradation of WAPOD controls. • When the GPS signal is lost, the PMUs rely on their local oscillator to compute synchrophasors. – Each PMU has a different internal oscillator and therefore results in different phase angle computation error when its external time synchronization signal is lost or spoofed. 9 • When subjected to a TSSA instantly, the internal oscillator of the PMUs needs to resynchronize to the spoofed time synchronization signal which requires additional time. • During this period, the PMUs report a large phase angle computation error, which can result in degradation & mal- operation of the associated monitoring, protection and control applications 0 5 10 15 0 0.5 1 Time (s) PhaseAngleDifference (Degrees) Modified TSSA : Jamming Followed by Spoofing 1.0630 1.0530 0.9980 Jamming = 3 s Jamming = 5 s Jamming = 14 s More importantly: undetectable attacks can be designed (see paper for details).
Editor's Notes
- #7: The TSSA is modeled through real-time IRIG-B signal generator, within the RT simulator. Possible to delay the time synchronization signals from microseconds to milliseconds.