By Nino De Falcis, Senior Director of Business Development, ADVA
Today’s critical network infrastructure relies heavily on positioning, navigation and timing (PNT) services. Power grids, financial markets, transportation, data centers, communications – all have become more complex and interconnected, while the threats to the PNT on which they depend have increased in frequency and sophistication. PNT systems are so vulnerable to the activities of cybercriminals that attacks could soon become global in scale and significance, with potential costs of billions of dollars.
Utilities are an important example of risky infrastructure. In the past, electricity grids were passive systems where everything was simple, centralized, and where energy only flowed in one direction as AC power was supplied to consumers. However, the growth of renewables and distributed energy resources has led to market diversification and a new paradigm of bidirectional AD and DC energy production and distribution has emerged: the smart grid.
Today, many smaller producers generate power from multiple sources. The electricity grid has become a decentralized system and the flow of energy is now bidirectional. Energy from, for example, solar panels (microgrids) can be generated by private individuals and stored or supplied back to the grid. Electric vehicles (EVs) are also becoming more common, and like all other nodes in the smart grid, charging points require accurate timestamps of the vast amount of data they generate to balance power demand and supply.
Accurate timing is also essential for redirecting power flows away from transmission outages, locating power grid faults, and synchronizing distributed control and protection systems. Without highly accurate timing and synchronization, power grids are vulnerable to partial and even full blackouts.
Therefore, the accuracy requirements of data timestamps are more stringent than ever. In effect, they are moving from legacy Network Timing Protocol (NTP) timestamps, which require millisecond accuracy, to Precision Timing Protocol (PTP) timestamps, which require sub-microsecond accuracy. The syncrophaser now requires an accuracy of better than 1 microsecond.
We are now at 100 nanoseconds for error location. The micro phasor measurement unit (PMU) is less than 1 microsecond and substation LAN communication protocols must be timestamped as little as 100 microseconds for GOOSE IEC 61850 and 1 microsecond for IEC 61850 sample values. This is a big change from just five years ago, when accuracy in all of these categories was firmly in the millisecond range, and it’s a high bar to be maintained by next-generation redundant systems, should GPS or ground-based timing is compromised.
Guidelines for making PNT infrastructure completely obsolete are being pushed by governments around the world. In the United States, regulation is guided by Executive Order 13905 whereby the Department of Homeland Security (DHS) provides a framework for how insured PNT (aPNT) should work. It states that the PNT infrastructure must fulfill three core functions: prevent, respond and recover. The infrastructure must be able to prevent atypical PNT errors and corruption of PNT resources. If prevention fails, networks must be able to respond to detected errors or anomalies and then recover from those errors.
The DHS framework outlines four levels of resilience. Level 1 has only one source that provides PNT, while Level 4 is a next-generation system that uses multiple sources to derive and distribute PNT data. At level 4, systems must be able to survive on their own. This means they must function for long periods in the absence of a GPS time source, or when ground-based time sources are otherwise compromised. There is even an IEEE P1952 resilient PNT standard in development that will use this DHS framework.
There are two categories of threats to PNT: external and internal. External threats include jamming (equipment that can block GPS is available off-the-shelf for as little as $20) and spoofing, the sending of fake GPS signals that trick receivers into calculating a false position. Sophisticated cyber-attacks can take the form of either and spoofing (especially synchronous) is the most complex to detect.
The two main internal PNT threats come from attacks on NTP and PTP network timing and from active GPS receivers connected to the network.
Older power grids have traditionally used NTP to distribute timing to substations, including IRIG, and this has already shown it to be vulnerable to attack because it can be hacked through a process called NTP amplification.
Today, power grids are increasingly migrating to PTP as it provides the sub-microsecond accuracy required for modern applications. PTP hasn’t been hacked yet either, but that doesn’t mean it won’t be any time soon. If an attack does occur on ill-prepared critical infrastructure, the consequences can be catastrophic.
Secure Smart Grid Timing Components
There are two components in the smart grid: telecom connectivity to transport data, and grid protection with a different generation of grid control, transmission and management. On the telecom side, there is the edge telecom network and sometimes there are data centers. There are core or edge data centers and these are also equipped with very good timing. An important concept in the data center is time-as-a-service and GPS backup as a service when the GPS fails. The smart grid can also use this service as it provides even more robust protection and security against threats to PNT. See schedule 1.
A resilient and insured PNT solution
As with other aspects of cybersecurity strategy, smart grids should use a zero-trust framework of PNT resources. This approach never assumes that a PNT source can be trusted. Instead, it uses a multi-source approach, where sources are verified and compared against each other in real time to get the most accurate timing possible.
To prevent and mitigate GPS disruptions, smart grid operators must deploy a resilient and reliable PNT solution. This means it is based on three integrated technologies: multi-layer discovery, multi-source backup, and multi-level fault-tolerant mitigation.
Multi-layer detection is performed through timing devices – single or redundant – that have jamming and spoofing detection and monitoring capabilities. GNSS devices can also compare resources, such as PTP timing from the network, and can be equipped with standalone GNSS backup clocks that use rubidium or cesium oscillators to obtain the most reliable timing information from other timing sources on the network.
Multi-source backup comes in the form of a cesium or rubidium oscillator that can provide longer storage. Backup can be further enhanced with other sources such as eLORAN, NIST and LEO.
A neural network management system is an intelligent platform that connects everything from self-executing recovery and assurance software to alerting users to problems in the network-wide timing infrastructure. It provides visibility and control over all aspects of prevention, mitigation and backup. The management system provides detailed operational data about the smart grid, showing the locations of the faults, the types of faults and how PTP backup guarantee is performing. Through capabilities powered by artificial intelligence and machine learning, the management and control system provides end-to-end control, visibility, and trusted, assured PNT. It has all the intelligence to reveal threats and also take action against them, quickly restoring the timing distribution capacity of the network while keeping the network timing self-surviving. See schedule 2.
Mitigate cyberattacks with a defense-in-depth approach
So let’s imagine there’s a major attack on a smart grid. A jamming device was used to block GPS reception on an edge grandmaster used on a substation, while at the core of the network an ePRTC’s ability to receive GNSS signals was also compromised. GPS is no longer viable as a source of timing in the smart grid.
The intelligent software monitoring and management system is the first line of defense, detecting and alerting operators to the two or more attacks on GPS: one at the core of the network and one at the substation. The network timing capability of the entire smart grid is compromised.
Upstream of the substation, the core-enhanced PRTC (ePRTC) has become an unreliable source of timing. However, it is equipped with a cesium clock that steps in to distribute trusted PNT backup to the substation and the rest of the network. The cesium clock has no antenna, no RH signal, and is a stratum 1 clock that can distribute highly accurate timing (accurate to 1 microsecond over four months) throughout the network. It has now become the trusted source of timing until GPS can be recovered.
Time for Multi-Source Protection
The most crucial element of PNT is timing. Without timing there is no positioning or navigation – it enables both – and so the distribution of accurate timing should be our main concern when we build systems.
To ensure that smart grids and any other critical infrastructure that depends on PNT function, the cornerstone for secure and self-sustaining timing networks is the concept of zero-trust. A multi-source approach to building timing networks enables critical infrastructure operators to leverage a combination of intelligent management software and timing devices equipped with sufficient PTP holdover to respond to all threats to PNT.
Check out the DOE DarkNet program to see a real-life example of this approach in action.