# The use of digital twin for timing intrusion detection in synchrophasor systems

Taif Mohamed, Mladen Kezunovic, John Lusher Department of Electrical and Computer Engineering Texas A&M University College Station, TX, USA taif205@tamu.edu, kezunov@ece.tamu.edu, john.lusher@tamu.edu Jyh C. Liu Department of Computer Science and Engineering Texas A&M University College Station, TX, USA liu@cse.tamu.edu Jinfeng Ren Corporate Business Services Entergy The Woodlands, TX, USA renjinf@gmail.com

deployment Abstract—The rapid of synchrophasor measurement systems requires more thorough studies of their performance. One of the main concerns is timing intrusion (TI) attacks, which may target the ability to synchronize measurements from the power grid using global positioning system (GPS) time reference as one of the main features of these measurement systems. If TI occurs, many power system applications may be compromised. To detect these timing intrusions, a digital twin (DT) is developed to mirror a typical cyber-physical synchrophasor measurement system found in the field. Special attention is paid to the development of a flexible digital twin of the GPS timing receiver, PMU algorithm and communication channel to capture their sensitivity to TI attacks. Several use cases are designed to validate DT functionality, test the performance, and evaluate the impact of TI on an application.

# Keywords—Synchrophasor, digital twin, timing intrusion, smart grid, cybersecurity, fault location, phasor measurement units

# I. INTRODUCTION

Modern grids have a proven need for high-resolution monitoring and control systems. Therefore, wide-area monitoring systems (WAMS) based on synchrophasor measurements complement legacy supervisory control and data acquisition (SCADA) systems. Compared to SCADA measurements, synchrophasor measurements collected by phasor measurement units (PMUs) have a much higher measurement reporting rate, 30 frames per second (fps) or more, versus a SCADA scan rate of every few seconds. A high reporting rate allows the observation of power system events as short as hundreds of milliseconds [1][2]. The key to the timing synchronization utility is the ability to synchronize these measurements using a global positioning system (GPS) time reference. Using GPS clock receivers, PMUs and PDCs can synchronize their sampling clock and associate phasor measurements with accurate timestamps, allowing for systemwide correlated spatiotemporal event analysis [3]-[5].

The necessity of timing integrity makes synchrophasor systems vulnerable to cyber-physical attacks focused on timing intrusions (TIs). These attacks can occur at several nodes in the system, spanning from the GPS antenna, GPS clock receivers to the PMUs, PDCs, and communication channels carrying the data streams. The effect of these attacks can propagate through the system and eventually compromise the performance of applications that rely on synchronized measurements. Previous studies have focused on evaluating the impacts of timing intrusions on individual elements of measurement systems, including GPS clocks [6]-[8], PMUs, PDCs, and communication links [9]. The effects of timing intrusion on linear state estimation were addressed in [10]. For substation-level studies, we developed a digital twin of the synchrophasor system used in our large-scale testbed.

The term digital twin (DT) was first coined by NASA in 2010 [11]. The concept, however, had existed and evolved in several fields. It was introduced in Product Lifecycle Management (PLM) in 2002 [12]. DTs have been used by Dassault for civil engineering applications, Sim&Cure for healthcare applications, TESLA for modelling, GE for windfarm optimization, and Airbus, Boeing, AFRL, and NASA for aviation applications [13]. Reference [14] reports a DT to study the cybersecurity of smart grids, while [15] offered a comprehensive description of the DT for wind and hydropower plants, mainly focusing on the generators. More recently, DT was defined using three components: physical elements, virtual elements, and the connections and data flowing between them [16]. This flow of data between the physical and virtual versions of a system, coupled with the ability to manipulate the DT without disrupting the physical system, is the main reason for the success of this concept. A DT can be used to compare the input/output with that of the physical twin, and hence verify its performance.

The contributions of our study are twofold: a) we developed a DT of a synchrophasor system with an emphasis on the flexible representation of the timing features, and b) we used the DT to investigate the impacts of the timing intrusion attacks on the fault location application.

After the introduction, the development details of a DT and its subsystems are presented in Section II. Section III describes the methods used to verify the functionality. Section IV defines the use cases designed to test the performance of the DT and to quantify the impacts of TI attacks on synchrophasor measurements and the fault location application. Section V contains the conclusion followed by the References.

#### II. DIGITAL TWIN DEVELOPMENT

The DT system resembles the three elements that define the physical twin: hardware, software and communication links for dataflow. The basic configuration is shown in Fig. 1. The

purpose of the connection between the physical and digital twin is explained briefly below and elaborated in Section IV and depicted in Fig. 2. The physical and digital twin systems are interfaced through network connections that allow the exchange of data, and they send data to the user interface, which acts as the monitoring and control center for both.

# A. Timing reference

1) Physical Twin: An SEL-2488 device (satellitesynchronized network clock) is used as the timing source for the physical twin system. The SEL-2488, labelled "test time source," in Fig. 2 receives Global Positioning System (GPS) time signals through an antenna. It then sends out the required IRIG-B time signal to the connected devices.

2) Digital Twin: The Timing and GPS Signal (TAGS) monitoring module acts as the DT timing source. TAGS shares the same antenna and receives the same GPS signals as its physical twin and consists of a GPS receiver (for the recovery of navigation messages), a GPS-disciplined low-drift-rate oscillator (for short-term timing reference in events of GPS signal corruption), a field-programmable gate array (FPGA)-based circuit (for the generation and monitoring of IRIG-B signals being used by the physical twin synchrophasor devices), and a custom personal computer (PC) to supervise the TAGS operations as well as interaction with other DT components.

3) Purpose: The main purpose of TAGS in the DT is to assess the ability of the system to detect TIs in physical twin components. TAGS requires supervised system initialization to ensure that it receives good-quality GPS signals, and then it enters continuous, non-stop monitoring of its GPS signals and that of the physical twin receiver. The GPS signals are monitored for anomalous behavior. TAGS allows the user to specify the thresholds of anomalous behaviors to trigger alarms. When an anomaly occurs, the local hold-over oscillator in the DT can overtake the generation of the IRIG-B timing references. The effective stability of the local oscillator is dependent on the technology. When the GPS signals are normal, TAGS detects the TIs of the synchrophasor devices based on their IRIG-B and/or 1 PPS feeds. The alarm messages



Fig. 1. Digital Twin Configuration

are transmitted to higher-level LabView [17] applications for high-level decision-making.

# B. PMU

1) Physical Twin: An SEL-487E device is installed to represent the field PMU. This PMU, labelled "test PMU," in Fig. 2, receives its timing signal in the form of IRIG-B from the SEL-2488 (time source). The PMU also receives small-signal voltage and current waveforms from the Field Test Set (FTS), a device built for testing purposes. It provides the reference voltage and current waveforms that mimic those received from current and voltage transformers in the field [18] used to evaluate the performance of the physical twin in the lab setting to support the development of the DT. When installed in the field, the PMU receives the current and voltage waveforms from instrument transformers, computes the phasor streams of three-phase voltage and current according to the IEEE standard C37.118, and sends them to the phasor data concentrator (PDC) [3]-[5]. This data then loops back to the monitoring software built by the team in LabVIEW, which shows the stream of voltage and current phasor magnitudes and angles to the end-user.

2) Digital Twin: A PMU DT is built by the team using National Instrument's CompactRIO (cRIO) platform. This DT PMU, labelled the Gold PMU, is developed as the reference PMU with a highly accurate synchrophasor algorithm that encompasses many features described in [19]-[24]. Its hardware consists of several NI IO cards connected to the cRIO controller slots [18]. The software, developed in LabVIEW, allows the alteration of some of the parameters such as the initial phase angle for testing purposes. To verify the performance of the Gold PMU, it receives the voltage and current waveforms from the FTS to compute phasor streams and sends them to a commercial PDC (SEL-3537).

3) Purpose: The DT PMU is developed as a reference to evaluate the performance of commercial PMUs and calibrate them. In addition to having a lower bound on error levels, the Gold PMU is developed to be more flexible to allow a variety of tests. The Gold PMU allows the user to vary the computational aspects of waveform processing, while commercial PMUs may not provide such access.

# C. Communication

1) Physical Twin: Communication links that connect the aforementioned devices constitute the physical twin. In the field, these communication links are contained within a secured local area network (LAN).

2) Digital Twin: The Rack Mount Server (RMS) and network Electronic Test Access Points (ETAPs), marked as ET in Fig. 2, make up the DT for communications. The network taps (ETAPS) are connected to a high-performance server that captures all packets from the physical and digital twin PMUs and PDCs and the corresponding time sources. Each captured packet is tagged with the current TAGS reference time. The TAGS reference time is captured by utilizing an IRIG-B receiver connected to the server. Each packet is then stored in an SQL database for asynchronous post-processing and analysis.

3) Purpose: The RMS can detect and raise alarms to differences between physical and digital twin C37.118 synchrophasor packets, IEEE 1588 Precision Time Protocol (PTP) packets, and the reported time. The ETAPs data is processed for various alarm types. The first alarm type is raised when receiving any malformed PTP or C37.118 synchrophasor packet, deviating from the expected standard. Packet delays where the reported time, specifically PTP, is mismatched, are captured by an alarm whose threshold is configurable with the TAGS time. The server's receipt of misconfigured phasors compared to a stored "white-list" also triggers an alarm. Phasor data streams from physical and digital twin PMUs are subjected to a comparison. If the error found by this comparison exceeds the configured threshold, a "phasor mismatch" alarm is raised. Any alarm generated is logged internally in the database, along with the data that created the alarm. A message is then sent to



Fig. 2. Detailed System Diagram

the user interface to alert the operator of possible suspicious activity on the network.

### III. VALIDATION OF DIGITAL TWIN FUNCTIONALITY

The testing approach described in parts A-C of this section includes the steps to verify the performance of each subsystem of the DT against its physical twin and the performance of the entire system.

The application chosen to demonstrate DT utilization is the fault location (FL). An FL algorithm based on electromechanical wave oscillations was developed by our group in MATLAB [25]. More details about this testing process are provided in Part B (2. Application Tests).

# A. TAGS Validation

Validation of the TAGS module requires subjecting it to timing intrusion attacks that directly influence the GPS signal. Two attack scenarios (GPS spoofing and jamming) are developed for this purpose.

1. GPS Spoofing: A Universal Software Radio Peripheral (USRP)Software Defined Radio (SDR) is used to spoof the GPS signal received by the GPS clock (SEL-2488). Once the TAGS module detects the resulting deviation in IRIG-B, it enters the holdover mode and sends an alarm message to the Rack Mount Server.

2. GPS Jamming: A USRP Software Defined Radio (SDR) is used to jam the GPS signal received by the GPS clock (SEL-2488). Once the TAGS module detects the jamming of the GPS signal, it enters the holdover mode and sends an alarm message to the Rack Mount Server.

#### B. Gold PMU Validation

Validation of the Gold PMU is two-fold: through design and application tests. These tests were set up in the user interface to run automatically:

1. Design Tests: Certain design tests are guided by the IEEE standard C37.118 to evaluate the performance of synchrophasor devices under normal operating conditions. These tests are also implemented in the FTS software such that the FTS can be used to evaluate and calibrate any PMU in the field. Two main types of design tests are defined by the standard.

- Steady-state tests: steady magnitude, steady phase, steady frequency, harmonic distortion, and out-of-band interference.
- Dynamic-state tests: amplitude modulation, phase modulation, frequency ramp, amplitude step, and phase step.

2. Application Tests: These include tests that evaluate the effect of timing intrusions on power system applications. Our DT is used to evaluate the FL application. However, the same logic and devices can be used to test other power system applications. Because the FL algorithm chosen here depends on an artificial neural network, as described in [25], fault recordings from field events are required to train the model. The benefit of the DT becomes obvious when any changes occur in the system. The DT then allows unlimited repetitions of

supervised training of the system using the field recordings without interrupting the application.

Reference signals are played back by the FTS, which are simulated in PSS/E using a system model made up of five lines with line attributes matching those in the field. The FL algorithm can then use phasor stream of the test PMU to calculate the FL as a percentage of the line length where the fault is expected. The resulting FL is compared against the actual scenario by calculating the absolute difference between the expected and resulting FL. Five fault scenarios at 20% intervals of each line are simulated, resulting in five fault scenarios per line. The resulting values of the absolute difference of the total cases are averaged and returned as a metric to confirm that the application is performing as expected. If the average absolute difference exceeds a pre-defined threshold (defined via calibration), an alarm is raised that this system has fallen out of calibration.

# C. RMS Validation

The most basic functionality of the communications subsystem (ETAPS and RMS) involves recognizing malformed data packets according to their respective standards. Four main alarms are configured for that function and can be validated as follows:

*1. C37.118 Packet Injection:* PMU packets (C37.118) are injected into the phasor stream using a man-in-the-middle (MitM) system. ETAPs are used to collect the phasor streams. The TIMER tap monitoring application then produces an alarm claiming "Invalid Flow Detected."

2. *C37.118 Packet Delay:* We use a MitM system to delay the PMU packets. ETAPs are used to collect the phasor streams. The TIMER tap monitoring application then produces an alarm claiming "Phasor Not Found."

3. PTP Packet Injection: 1588 PTP packets are injected into the phasor stream using a man-in-the-middle (MitM) system. ETAPs are used to collect the phasor streams. The TIMER tap monitoring application then produces an alarm claiming "PTP Invalid Flow."

*4. PTP Packet Delay:* We use a MitM system to delay the 1588 PTP packets. ETAPs are used to collect the phasor streams. The TIMER tap monitoring application then produces an alarm claiming "PTP Timecode Mismatch."

# IV. DIGITAL TWIN USE IN DETECTING TIMING INTRUSIONS

Two types of tests are utilized for this purpose: nested testing and application testing.

# A. Nested Testing during a Timing Intrusion

Nested testing can be performed to demonstrate the purpose of the DT system. In our approach, two streams of data are observed, starting from the GPS signal feeding into the time sources until the final streams of phasors are received by the RMS and user interface. The paths of these two streams at each step are shown in Fig. 2, which shows the details of each subsystem and its connections. A timing intrusion scenario is simulated at the GPS antenna connection using the GPS spoofing steps described in Section III (A).

1. *TAGS module vs. test time source:* The timing intrusion is first captured by the TAGS module, which then

switches into the "holdover" mode. Using the internal clock, TAGS continues to provide the correct time IRIG-B signal to the Gold PMU and FTS based on the time it detected an intrusion. Once the TAGS module enters the holdover, it sends an alarm to the Rack Mount Server. In the meantime, the test time source receives and sends the compromised time signal to the test PMU (PMU under test).

- 2. *Gold PMU vs. test PMU:* The Gold PMU uses the accurate IRIG-B time it receives from TAGS to calculate the phasor voltage and current based on the waveforms it receives from the FTS. The FTS also receives the correct IRIG-B time signal from the TAGS. On the other hand, the test PMU computes the voltage and current phasors based on the spoofed IRIG-B signal, giving the incorrect timestamp to the waveforms it receives from the field. This causes the phasor angles to drift apart.
- 3. *Reference PDC vs. test PDC (PDC under test):* The Reference PDC receives the phasor stream from the Gold PMU and sends them to the RMS and user interface as the reference phasor stream. The test PDC receives and sends phasor streams with altered timestamps.
- 4. *RMS and user interface:* The user interface displays these two streams to the system operator. If the system is supervised, the operator can recognize an obvious difference between the values in the two phasor streams and start the troubleshooting process. At each node, the ETAPs are responsible for pulling the phasor streams and running them through a comparison program on the RMS. The RMS can raise an alarm due to the total vector error (TVE) computation. The TVE computed for the two phasors is given as:

$$TVE = \sqrt{\frac{(x_r - X_r)^2 + (x_i - X_i)^2}{X_r^2 + X_i^2}} \times 100$$
 (1)

where  $x_r$  and  $X_r$  are the real parts of the test and reference phasor, respectively, and  $x_i$  and  $X_i$  are the imaginary parts of the test and reference phasor, respectively. Once the TVE exceeds 1%, based on the IEEE standard C37.118, an alarm is raised for the "phasor mismatch."

# B. Quantifying Timing Intrusion Impacts on Application:

This test routine is designed to quantify the impact of timing intrusion on the FL application. It starts with GPS spoofing. Once the TAGS module enters the holdover, the reference and test phasor streams will have different timestamps. This leads to inaccurate FL predictions by the algorithm when using the test phasor stream. The FL algorithm runs with two phasor streams in parallel. The first is the reference phasor stream from the FTS, which is generated using the uncompromised IRIG-B signal. The second is the phasor stream generated by the PMUunder test using the spoofed IRIG-B signal. The absolute difference between these two FLs is calculated to evaluate the impact of timing intrusion.



Fig. 3. Fault location result during timing intrusion attack

Fig. 3 shows the resulting FL determination during a spoofing attack. Even though the reference phasor streams are played back from the case of a line fault on line 3 at a distance of 40%, the algorithm predicts a line 3 fault at 71% distance. This huge FL error due to the TI spoofing attack has significant consequences in terms of transmission line inspection and repair time.

# V. CONCLUSION

Our work reported in this paper illustrates that:

- The development of a DT of synchrophasor systems is feasible and has many benefits, including accurately representing the timing features.
- The DT can be used to study the impacts of TI at the component and system levels, allowing such studies to be performed without altering the physical system.
- The study of the impact of TIs on FL application accuracy was illustrated using the DT, which can also be used for other power system applications.
- Our focus is on the use of DT to detect TI; hence, the elaborate development of the flexible DT of TAGS, the PMU algorithm, and communication protocols.

# ACKNOWLEDGMENT

This work was performed under the DOE/NETL CEDS program funding of the "Timing Intrusion Management for Enhanced Resiliency-TIMER" project. The authors would like to acknowledge our project collaborators: M. Papic and E. Schellenberg from Idaho Power Company; B. Johnson, S. Pal, and C. Bonebrake, from Pacific Northwest National Lab; I. Singh from Electric Power Group; Prof. A. Sprinston at the early project stages, and many students of Professors Kezunovic, Liu, and Lusher from Texas A&M University who participated in the project over the years.

#### REFERENCES

- M. Kezunovic, S.Meliopoulos, S. Venkatasubramanian, V. Vittal, "Application of Time-Synchronized Measurements in Power System Transmission Networks," Springer, ISBN 978-3-319-06218-1, 2014.
- [2] M. Patel, S. Aivaliotis, E. Ellen et al., "Real-time application of synchrophasors for improving reliability", *NERC Report*, Oct 2010.
- [3] IEEE Standard for Synchrophasor Measurements for Power Systems, IEEE Std. C37.118.1 - 2011.
- [4] IEEE Standard for Synchrophasor Measurements for Power Systems --Amendment 1: Modification of Selected Performance Requirements," in IEEE Std C37.118.1a-2014 (Amendment to IEEE Std C37.118.1-2011), vol., no., pp.1-25, April 30 2014.

- [5] IEEE Standard for Synchrophasor Data Transfer for Power Systems," in IEEE Std C37.118.2-2011 (Revision of IEEE Std C37.118-2005), vol., no., pp.1-53, Dec 28. 2011.
- [6] D. P. Shepard, T.E. Humphreys, and A. A. Fansler, "Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks," Int. J. Crit. Infrastruct. Protect., vol. 5, no. 3, pp. 146-153, Dec. 2012
- [7] X. Jian, J. Zhang, B. J. Harding, J. J. Makela, and A. D. DominguezGarcia, "Spoofing GPS receiver clock offset of phasor measurement units," IEEE Trans. Power Syst., vol. 28, no. 3, pp. 3253-3262, Aug. 2013.
- [8] G. Fu, T. Holmes, C. Riedel, J. C. Liu, "RAIM and SBAS based Detection of GNSS Spoofing by Timing and Content Consistency Rules," in Proc. of the 30th International Technical Meeting of the Satellite Division of the Institute of Navigation, pp. 2854-2868, Portland, OR, September 2017.
- C. T. Beasley. Electric Power Synchrophasor Network Cyber Security Vulnerabilities.[Online].Available:https://tigerprints.clemson.edu/cgi/ viewcontent.cgi?article=2995&context=all theses.
- [10] S. Barreto, M. Pignati, G. Dán, J. Le Boudec and M. Paolone, "Undetectable Timing-Attack on Linear State-Estimation by Using Rank-1 Approximation," in IEEE Transactions on Smart Grid, vol. 9, no. 4, pp. 3530-3542, July 2018.
- [11] Elisa Negri (2017). "A review of the roles of Digital Twin in CPS-based production systems". Procedia Manufacturing. 11: 939–948.
- [12] Grieves, M., Completing the Cycle: Using PLM Information in the Sales and Service Functions [Slides]. in SME Management Forum. October 2002. Troy, MI.
- [13] Q. Qi, F. Tao, T. Hu, N. Anwer, A. Liu, Y. Wei, L. Wang, and A. Y. C. Nee, "Enabling technologies and tools for digital twin," *Journal of Manufacturing Systems*, vol. 58, pp. 3–21, 2021.
- [14] N. K. Kandasamy, S. Venugopalan, T. K. Wong, and L. J. Nicholas, "EPICTWIN: An Electric Power Digital Twin for Cyber Security Testing, Research and Education," *Elsevier*, 2021.
- [15] A. Ebrahimi, "Challenges of developing a digital twin model of renewable energy generators," 2019 IEEE 28th International Symposium on Industrial Electronics (ISIE), 2019.
- [16] Grieves M. Digital twin: manufacturing excellence through virtual factory replication. White paper. Melbourne, FL: Florida Institute of Technology; 2014.
- [17] LabVIEW, [Online] Available: https://www.ni.com/enus/shop/labview.html?
- [18] M. Kezunovic, C. Qian, C. Seidl, and J. Ren, "Testbed for timing intrusion evaluation and tools for lab and field testing of synchrophasor system," 2019 International Conference on Smart Grid Synchronized Measurements and Analytics (SGSMA), 2019.
- [19] C. Qian, M. Kezunovic, "Synchrophasor Reference Algorithm for PMU Calibration System," 2016 IEEE PES Transmission & Distribution Conference and Exposition, Dallas, TX, pp. 1-5, May 2016.
- [20] C. Qian, M. Kezunovic, "A Power Waveform Classification Method for Adaptive Synchrophasor Estimation," IEEE Transactions on Instrumentation and Measurement, vol. 67, no. 7, pp. 1646-1658, July 2018.
- [21] P. Romano and M. Paolone, "Enhanced Interpolated-DFT for Synchrophasor Estimation in FPGAs: Theory, Implementation, and Validation of a PMU Prototype," in IEEE Transactions on Instrumentation and Measurement, vol. 63, no. 12, pp. 2824-2836, Dec. 2014.
- [22] T. Bi, H. Liu, Q. Feng, C. Qian, and Y. Liu, "Dynamic Phasor ModelBased Synchrophasor Estimation Algorithm for M-Class PMU," IEEE Trans. Power Delivery, vol.30, no.3, pp.1162-1171, June 2015.
- [23] C. Qian, M. Kezunovic "Dynamic Synchrophasor Estimation with Modified Hybrid Method," 2016 IEEE PES Conference on Innovative Smart Grid Technologies, Minneapolis, MN, pp. 1-5, September 2016.
- [24] C. Qian, M. Kezunovic, "Spectral Interpolation for Frequency Measurement at Off-Nominal Frequencies," 2017 IEEE PES General Meeting, Chicago, IL, pp. 1-5, July 2017.
- [25] A. Esmaeilian and M. Kezunovic, "Fault location using sparse synchrophasor measurement of electromechanical-wave oscillations," *IEEE Transactions on Power Delivery*, vol. 31, no. 4, pp. 1787–1796, 2016.