President Trump yesterday directed federal agencies to promote stronger cybersecurity defenses for the Global Positioning System (GPS) satellite data relied on by grid operations, electric vehicles and other energy systems.
The order has far-reaching implications for the grid. GPS signals, for example, are essential input for several thousand phasor measurement units (PMUs) on U.S. power grids that monitor millisecond-level changes in electric power flows, providing advance warning of when grid stability is eroding.
GPS and other "positioning, navigation and timing" (PNT) signals feed driver assistance technologies such as lane-keeping controls. They are a key contributor to safe, efficient operations of road, rail, waterway and air travel operations, as the Transportation Department noted yesterday.
The future of autonomous, self-driving vehicles depends on instantaneous location signals that would come from GPS or a land-based alternative, experts note (Energywire, April 11, 2019).
"This is a good thing. It's overdue," said Alison Silverstein, an energy analyst and former head of the North American SynchroPhasor Initiative, the federally supported programs to integrate PMU signals into grid operations.
Last August, the Government Accountability Office warned that electric utilities are more vulnerable than previously thought to cyberattacks, in part due to the susceptibility of exploiting GPS devices.
Silverstein said a successful cyberattack on GPS sources could not directly take down U.S. power networks today, because operators use the technology to diagnose issues, not to run the grid. Grid operators still rely on older, slower supervisory control and data analysis technology to track and react to power flow fluctuations, she said.
The same conclusion was reached by a Department of Homeland Security report in 2012, but it added, "However, as the electricity subsector becomes increasingly reliant on phasor measurement units as part of the smart grid evolution, vulnerability to GPS disruption could increase."
Lior Frenkel, CEO and co-founder of industrial cybersecurity firm Waterfall Security Solutions, praised the executive order and said that GPS devices can be used as an infection point to connect to other devices within a network such as the operational technology that controls physical aspects of a facility.
"A GPS is such an external entity. Built from a computer, a radio receiver and a network interface, this device [is] a gateway into the network it is servicing. A GPS can be manipulated to inject rough commands or malicious code into the OT network, or in some cases to extract sensitive information," Frenkel said.
Kevin Coggins, vice president at Booz Allen Hamilton and leader of their position, navigation and timing service, called the order a "great step" in making the electric grid resilient. Coggins said that unprotected GPS receivers pose a "huge vulnerability" on the electric grid due to the potential vulnerability to jamming and spoofing these systems.
Chris Morales, head of security analytics at cybersecurity firm Vectra, called GPS spoofing a "real threat" that "is a reality in global warfare," warning that Russian hackers have "advanced capabilities to disrupt GPS." There are no public cases where GPS systems on the grid have been hacked and disrupted.
"I was really happy to see this," said Michael Morgan, an attorney based in Silicon Valley with McDermott Will & Emery, specializing in cybersecurity and data privacy issues. Morgan said strong cyberdefenses and alternatives to GPS signals are top requirements for the introduction of self-driving vehicles, which will rely on massive, two-way data flows to navigate streets safely and respond to sudden traffic emergencies.
"The companies engaged in this are taking cybersecurity seriously," Morgan said.
The executive order instructs the Commerce Department to inventory networks and systems that depend on PNT services and create guidelines for detecting threats and risks to the systems.
Within 90 days, the guidelines should be included in federal procurement contracts where appropriate, with the goal of leading private-sector companies to do the same. In one year, the Department of Homeland Security is to create a plan to test vulnerabilities of energy systems and other critical infrastructure to the disruption or manipulation of PNT services.
Adoption of defensive strategies resulting from vulnerability testing would be voluntary, the administration said.
In the past decade, the U.S. military has tested anti-spoofing and anti-jamming technology that could be used to attack GPS signals, Silverstein said. A key question is the willingness of the Defense Department to share defensive technology with critical infrastructure operators, she added.
"If this stays behind the military curtain, that's not helpful," she said.
Smart grid backing
The deployment of PMUs in grid systems was largely funded by President Obama's Smart Grid Investment Grant Program. The units record precise data stamped in milliseconds, mainly through GPS signals, enabling synchronized grid conditions in distant areas to be combined into a single picture of regional power flows, giving operators a much wider view of conditions.
Had GPS signals been available in 2003, operators could have seen the beginnings of the disruptions that led to the North American power blackout that year and acted to head it off, DOE experts have concluded.
The executive order calls for the development of a national plan within a year to research and test additional PNT services that are not dependent on GPS signals.
"A lot of what this is saying is to assure there are multiple ways to access time-stamped data instead of only relying on GPS for critical infrastructure," Silverstein said.
"PNT professionals across the government are ready to move out on this effort, and this is an important step in standing up a systematic way to find out what everyone needs when it comes to PNT so we can establish a resilient and affordable backup to GPS," Coggins said.