How to spoof-proof your GPS timing network
Previously I’ve talked about things to consider when choosing a GPS clock. I also mentioned how to make a more reliable system using redundant power supplies, multi-constellation receivers and redundant clocks within a single installation.
There was an idea introduced to help protect against jamming and spoofing by adjusting the reference points your GPS clock follows. Jamming and spoofing are the main ways we'd expect to see a timing network compromised or hacked. I’ll expand on this idea to get people thinking about this concept, and how feasible it is to implement in a modern transmission network.
First let’s recap on the concept! At a typical transmission service operator (TSO) it’s common to have individual GPS clocks installed in every regional substation or transmission hub. Each clock references GPS only, and may have a stable internal oscillator to fall back on should GPS signals be unavailable. This oscillator allows the clock to stay accurate for several days before drifting to a point where the accuracy boundaries are exceeded, i.e. > 1 ms. In most day-to-day situations this system works perfectly fine and will allow a TSO to operate 24/7.
But what happens in the event of a sustained GPS outage due to intentional jamming? Or worse, what happens when someone hijacks the GPS signal by slowly moving the reference time of a single clock in a network? Such an attack is known as GPS spoofing and has been an ever-growing concern as we move towards digital substations.
How can you protect your system against such a deliberate attack?
This is where we can take a leaf from the telecoms industry and consider the concept of distributed time sync. The idea behind distributed time sync, shown in Figure 1, is to install a PTP (IEEE1588 v2) grandmaster into a central location for accuracy – let’s say a control centre or an operations centre. This grandmaster (Rubidium or Caesium based) can then provide time to the entire transmission network via a PTP link across the communications backbone. As shown in Figure 2, the clocks within the substations now act as boundary clocks (PTP converters), syncing to this PTP signal and providing the required timing signals to the connected substation, i.e. IRIG-B, PTP Power Profile, pulses, etc.
Figure 1 – Distributed time example between control centre and remote substation
Figure 2 – Example of a network wide time distribution (thanks Marcel for the image!)
These boundary clocks would still have a GPS antenna installed at each site (as you do now) so they can use the GPS signal as a backup during a network failure. You would need to set the sync source priority list so that the clock syncs to PTP as its primary signal, then moves to the GPS backup signal if PTP is lost (Figure 3).
Figure 3 – Change the clock’s reference priority to reference PTP first and use GPS (GNSS) as a backup signal
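The priority order in Figure 3 and the holdover limit from the recap can be modelled as below. This is an added example, not code from the article or from any clock vendor; the function names, the timeline and the drift figure are constructed assumptions.

```python
ACCURACY_LIMIT_S = 1e-3     # accuracy boundary quoted in the article (1 ms)
PRIORITY = ["PTP", "GNSS"]  # Figure 3 ordering: PTP first, GNSS as backup

def select_reference(locked, priority=PRIORITY):
    """locked: {source name: bool}. The first locked source in priority order
    wins; with none locked the clock free-runs on its oscillator (holdover)."""
    for name in priority:
        if locked.get(name, False):
            return name
    return "HOLDOVER"

def run_timeline(timeline, drift_s_per_day, priority=PRIORITY):
    """timeline: ordered list of (hours, {source: locked}) intervals.

    Returns one (reference, error_s, within_limit) tuple per interval.
    Holdover error is modelled as linear drift that accumulates across
    consecutive holdover intervals and clears when any source relocks.
    """
    results, holdover_hours = [], 0.0
    for hours, locked in timeline:
        ref = select_reference(locked, priority)
        if ref == "HOLDOVER":
            holdover_hours += hours
        else:
            holdover_hours = 0.0
        error = drift_s_per_day * holdover_hours / 24.0
        results.append((ref, error, error <= ACCURACY_LIMIT_S))
    return results

# Constructed scenario. The drift figure is an illustrative assumption, not a
# specification of any real oscillator.
DRIFT_S_PER_DAY = 100e-6
TIMELINE = [
    (24, {"PTP": True, "GNSS": True}),     # normal operation
    (12, {"PTP": False, "GNSS": True}),    # network failure: fall back to GNSS
    (72, {"PTP": False, "GNSS": False}),   # network down and GNSS jammed
    (240, {"PTP": False, "GNSS": False}),  # outage continues
    (1, {"PTP": True, "GNSS": False}),     # backbone restored
]

if __name__ == "__main__":
    for ref, err, ok in run_timeline(TIMELINE, DRIFT_S_PER_DAY):
        print(f"{ref:9s} error={err * 1e6:8.1f} us within_limit={ok}")
```

The fourth interval is the case to plan for: with both references gone, the modelled clock leaves the 1 ms boundary once the outage outlasts what its oscillator can hold.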
What happens if your central grandmaster is targeted? Won’t this cause the whole network to go down?
This is a fair concern but the following needs to be considered:
For this idea to work correctly you would need to have a highly stable grandmaster installed at the control centre that can remain accurate over several days. A redundant set of Rubidium or Caesium clocks would be recommended to ensure long-term stability. That way, if the grandmasters are jammed, they will be able to maintain accurate time sync to all connected nodes for several days (oscillator dependent). This would give the TSO time to respond to the jamming and neutralize the source. Should the source be localized (not country wide) then each of the clocks within the network can revert to the GPS source until the issue is resolved.
How about GPS spoofing? Wouldn’t this just move the time of the whole network?
Yes! The entire network time would move with the grandmaster should an attacker successfully spoof the master clock. This would mean that all the clocks in the field would move with the grandmaster, slowly changing the time with regard to UTC.
The key point here is that the ENTIRE timing network moves as one – maintaining the same reference point (the grandmaster). Sure, the time with regard to UTC may be incorrect, but the entire network would report the same time! For event logs, measurements and control the system should continue to work correctly.
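Because each boundary clock keeps its GPS antenna, the difference between PTP time and locally received GNSS time can also be monitored to tell a dragged grandmaster from a single spoofed site. The sketch below is an added example that goes a step beyond the article and is not the author's or any vendor's code; it assumes the clocks can report that offset, and the site names, threshold and drift rate are constructed.

```python
from statistics import median

THRESHOLD_S = 100e-6  # assumed alarm threshold, inside the article's 1 ms boundary
# Constructed steady-state PTP-minus-GNSS offsets (seconds) for five substations.
BASE = {"A": 1e-6, "B": -2e-6, "C": 0.5e-6, "D": 3e-6, "E": -1e-6}

def classify(offsets, threshold=THRESHOLD_S):
    """offsets: {site: PTP time minus locally received GNSS time, in seconds}.

    Returns (grandmaster_suspect, sites_whose_local_gnss_disagrees).
    """
    common = median(offsets.values())      # shift shared by the whole network
    gm_suspect = abs(common) > threshold   # PTP moved against most field receivers
    local = sorted(s for s, off in offsets.items()
                   if abs(off - common) > threshold)
    return gm_suspect, local

def build_history(target, rate_s_per_min, minutes=60, step=10):
    """Constructed data: 'target' is a site name (its GNSS is dragged) or
    'GM' (the grandmaster, and so every PTP-derived time, is dragged)."""
    history = []
    for m in range(0, minutes + 1, step):
        shift = rate_s_per_min * m
        snap = {}
        for site, off in BASE.items():
            if target == "GM":
                snap[site] = off + shift   # PTP runs ahead of every site's GNSS
            elif target == site:
                snap[site] = off - shift   # this site's GNSS runs ahead of PTP
            else:
                snap[site] = off
        history.append((m, snap))
    return history

def first_alarm(history, threshold=THRESHOLD_S):
    """Return (minute, grandmaster_suspect, local_sites) for the first snapshot
    that trips the threshold, or None if the run stays clean."""
    for minute, offsets in history:
        gm, local = classify(offsets, threshold)
        if gm or local:
            return minute, gm, local
    return None

if __name__ == "__main__":
    print(first_alarm(build_history("C", 3e-6)))   # one site's GNSS dragged
    print(first_alarm(build_history("GM", 3e-6)))  # grandmaster dragged
    print(first_alarm(build_history("C", 0.0)))    # no drift: no alarm
```

The median only separates the two cases while most field receivers see honest GNSS; a wide-area spoof that drags the majority of sites together looks the same as a shifted grandmaster.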
The advantages of this design:
Using distributed time, you are changing the reference source for the clocks in the field from GPS to a PTP source. This helps to protect against localized jamming or spoofing.
The substation clocks can be simpler. With two reference signals (GPS & PTP) you are protected against GPS outages, meaning you may not have to install an OCXO or Rubidium based clock in remote sites to ride through short-term GPS loss. (Assuming there is a network connection!)
For built-up locations where it is difficult to get GPS reception, it is possible to use the PTP signal only and a boundary clock to provide time sync within the substation.
And the disadvantages of this design:
This design would be expensive to implement if the communications network is not PTP ready.
As mentioned at the beginning of this article, this is a concept to help protect against GPS spoofing and jamming to make your timing network more resilient. It has not been widely adopted to date, generally due to the cost. With this in mind I would welcome your thoughts on this idea and what advantages and disadvantages you see. Comment or email firstname.lastname@example.org - ask for Quentin!