At UTC, Daniel Burch and Dustin Williams discussed the challenges posed by satellite-delivered PNT services, introduced alternative timing technologies and outlined best practices for establishing secure, future-proof and assured timing services. These innovations are not only necessary for the present, but they also meet the rigorous requirements of emerging private LTE/5G networks. Learn more about the urgent threats to critical energy infrastructure and the solutions being adopted to mitigate these risks.

1. 2023 UTC TELECOM &
TECHNOLOGY CONFERENCE
Fort Lauderdale, Florida
Making substation clocks and
private LTE/5G networks robust
against GPS/GNSS cyberattacks
Dustin Williams- Burns & McDonnell
Daniel B Burch- Oscilloquartz, Adtran

2. Can we all agree? Designated time
What time is it really?
Who decides?
1970’S- TIME AND TEMPERATURE PHONE NUMBER

3. Coordinated Universal time- UTC (formally Greenwich Mean Time- GMT)
French: temps universel coordonné
The “TRUTH”
YES! We all agree

4. Global Navigation Satellite Systems – GNSS
Low Earth Orbit (LEO) Satellites
+/- 30ns of UTC 90% of the time
Not Generate TRUTH;
Only Relay Truth

5. Making time useful – the GNSS (GPS) clock

6. What are the PNT* threats & GNSS vulnerabilities?
Jamming
RARE
GPS/GNSS
degradation
causes
Environmental
GPS/GNSS attacks
Adjacent-band
transmitters
Spoofing
External GPS/GNSS level
MORE FREQUENT
PNT
cyberthreats
sats
ground
*Position, navigation & timing
RARE
Cyberattacks
GPS/GNSS receiver
Core clocks
Internal network level
Network and
PNT device
failures
Boundary clocks
COMMON
NTP
PTP

7. What are DHS Resilient PNT guidelines?
Core functions PNT Resiliency levels
DHS Resilient PNT Conformance Framework
Level 1
Level 2
Level 3
Level 4
1 source 2 sources 3 sources multisource
next-gen
system
End goal
Levels = Number of Sources
*Holdover OSC is NOT a source*

8. Paths to resilient, assured PNT
SOLUTIONS
• ePRTC
• Low Earth Orbit (LEO)
• Terrestrial
• Timing over Fiber
• Local RF Relay
• eLORAN
• Timing as a Service over ETH
TaaS
• Timing Backup as a Service
TBaaS
ADVANTAGES
✓ Zero Trust Concept
✓ Risk Aversion
✓ Growing Markets
✓ availability
DISADVANTEGES
✓ Some are fee-based
✓ Any RF can be disrupted/jammed
✓ Fibers can be cut/damaged (routinely)
✓ Diversity requires 2x everything
✓ Including diverse routes
Capital vs Expense
❖ Capital-intensive businesses prefer asset purchases
❖ Assets increase company value (Depreciation is still an expense
but does not impact monthly cash flows)
❖ Recurring expenses come straight off the bottom line
❖ Expense budgets are shrinking
❖ Avoid recurring, incurred expenses

9. Cesium clock as time source
PRC/PRS*
(G.811)
Frequency
PRC : Cs or GNSS
NE NE NE
PRTC** (G.8272)
Frequency + Phase
PRTC : GNSS
NE NE NE
ePRTC*** (G.8272.1)
Frequency + Phase on steroids
GNSS
NE NE NE
Cs
Combiner
SSU Packet Master Clock (GM) Packet Master Clock (GM)
Sync Network
(TDM/SONET,
etc.)
Sync Network
(ETH, etc.)
Sync Network
(ETH, etc.)
SSU Packet Slave Clock (BC) Packet Slave Clock (BC)
Cs as backup
*Primary Reference Clock
Primary Reference Source
**Primary Reference Time Clock ***enhanced Primary Reference Time Clock

10. PPS/PPS+ToD
10 MHz
BITS
SyncE
PTP
How the ePRTC cesium backup to GPS works
GNSS MB
Receiver
Anti-jam
antenna
Multisource
clock combiner
ePRTC+ solution
(functional diagram)
Other sources
GPS + Combiner integrated into the grandmaster
GPS/GNSS
satellites
Time/Phase holdover if GPS/GNSS goes down
ePRTC+ solution: 100ns over 55 days
1µs over 4 months
14 days
Time error
100ns
30ns
✓
trusted PTP accuracy backup performance
trusted PTP holdover backup performance
Grandmaster
clock
Next-Gen Optical
Cesium clock

11. GNSS
Primary
Active
Using GNSS at the core for network UTC traceability
GNSS
Primary
Active
T
PTP G8275.2 PRS
PTP
Secondary PTP
Secondary
PTP G8275.2
Primary
Grand Master
Secondary
Grand Master
Install GNSS antennas at key core server sites
Add PTP Backup between GNSS Servers

12. GNSS
Primary
Active
Using GNSS at the core for network UTC traceability
GNSS
Primary
Active
T
PTP G8275.2 PRS
PTP
Secondary PTP
Secondary
PTP G8275.2
Primary
Grand Master
Secondary
Grand Master
Install GNSS antennas at key core server sites
Add PTP Backup between GNSS Servers

13. GNSS
Primary
Active
Using GNSS at the core for network UTC traceability
GNSS
Primary
Active
T
PTP G8275.2 PRS
PTP
Secondary PTP
Secondary
PTP G8275.2
Primary
Grand Master
Secondary
Grand Master
Primary and Secondary UTC Traceable PTP flows to each access server eliminates the need
for local GNSS antenna systems
Add PTP Backup between GNSS Antenna Sites
For Protection against local jamming

14. Protection against antenna failure and jamming
GNSS
Primary
Active
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still UTC traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
Add PTP backup between servers

15. Protection against antenna failure and jamming
GNSS
Primary
Active
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
GPS
Jammer

16. Protection against antenna failure and jamming
GNSS
Primary
Active
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
GPS
Jammer

17. Protection against antenna failure and jamming
GNSS
Primary
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
Active
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
GPS
Jammer

18. Protection against antenna failure and jamming
GNSS
Primary
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
Active
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
GPS
Jammer

19. Protection against antenna failure and jamming
GNSS
Primary
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
Active
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
GPS
Jammer

20. Protection against antenna failure and jamming
GNSS
Primary
Active
T
Routed Network
All Slaves remain locked to Primary GM.
GNSS still traceable through PTP backup
PTP G8275.2 PRS
PTP
Secondary
PTP
Secondary
PTP G8275.2
PTP G8275.2
PTP G8275.2
Active
PRS
PRS
Active
GNSS
Primary
Active
Primary
Grand Master
Secondary
Grand Master
GPS
Jammer

21. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates

22. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
memory. RCVR#1 never navigates
again
RCVR#2 Also navigates to known
coordinates but continues
navigation routine

23. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
memory. RCVR#1 never navigates
again
RCVR#2 Also navigates to known
coordinates but continues
navigation routine

24. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 Also navigates to known
coordinates but continues
navigation routine

25. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 During normal operation
RCVR#2 coordinates will closely
hover over known coordinates

26. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 During normal operation
RCVR#2 coordinates will closely
hover over known coordinates

27. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 During normal operation
RCVR#2 coordinates will closely
hover over known coordinates

28. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 During normal operation
RCVR#2 coordinates will closely
hover over known coordinates

29. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
RCVR#2 During normal operation
RCVR#2 coordinates will closely
hover over known coordinates

30. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
When RCVR#2 drifts away from
known coordinates

31. Spoofing detection
“Simplified with dual receiver technology”
RCVR#1
Fixed
Positioning
Mode
RCVR#2
Dynamic
Positioning
Mode
Known Coordinates
RCVR#1 Navigates to known
coordinates and locks them into
non-volatile memory and stops
navigation routine
Spoofing Alarm is
Generated!

32. Best practice timing delivery for substations
… Today and Tomorrow
PTP
Telecom Profile
G.8265.1
G.8275.1
Event
Recorder
IRIG B
Protection Schemes
Remote
Terminal
Unit (RTU)
IRIG-B Bus
1PPS
ADM
DS1/E1
G.703
9/13
GNSS
Primary
Protection
Relay
PMU
Alarm
Annunciator
Substation
Gateway
QOS
Meter
Substation
Switch
61850 LAN
▪ PTP
IEEE C37.118
▪ NTP
RELAY ROOM
ePRTC GM
PTP
Secondary
PTP Telcom Profiles
work on
LAN or WAN
PTP Power Profile
works on
LAN only
(looking for TC)

33. The first fiber revolution
Typical legacy power utility network
SONET/SDH

34. Living in a TDM World
Legacy timing
SONET/SDH
PRS/PRC*
(GNSS)
Clock Distributor
Channel Bank
*Primary Reference Source
Primary Reference Clock
(GNSS)

35. Old things have not passed away
MPLS overlay
SONET/SDH
PRS/PRC
(GNSS)
Clock Distributor
Channel Bank
IP/MPLS
IP/MPLS
IP/MPLS
IP/MPLS
ePRTC
Boundary Clock
Boundary Clock
Boundary
Clock
Manage
Legacy &
New Clocks

36. HELP!
Complex hybrid networks

37. Application area for OTC*: aggregation network
*Optical Timing Channel
Core network
Single-digit number of locations for
large operator
ePRTC enabled, TE ≤ ±30ns
Aggregation network
Hundreds of locations for large
operator
PRTC enabled, TE ≤ ±100ns
Feeders to end application
Thousands of locations for large
operator
TE ≤ ±1100ns
Optical Timing
Channel
Optical Timing
Channel
70ns budget

38. Trusted timing management functions in secure smart grids
Neural AI/ML intelligence with multilevel fault-tolerance for
end-to-end control, visibility & self-survivability
geolocation site A & B alert
PTP backup assurance
from core
timing chain alert with ePRTC/ PTP
backup rearrangements
core GM-A alert with ePRTC (Cs)/PTP backup to substation
timing topology with
ePRTC/PTP backup
GNSS
attack
vendor-
agnostic
GNSS
analytics/
assurance
self-survivable timing chain with
trusted PNT assurance
ePRTC
backup
trusted PTP
backup
trusted PTP
backup
ePRTC backup
substation GM-B alert with
PTP backup from core
substation
core
substation
core
substation
substation core
core
substation
trusted
PTP
ePRTC (Cs)
core
GM-A
Trusted PNT
mgmt system
substation
GM-B
7
6
5
4
3
2
1
8
GNSS
attack
Grandmaster A
Grandmaster B

39. Real-World Deployment Needs
Requirement for anything in, anything out
SONET
DACS
CHANNEL
BANK
PACKET
TRANSPORT
GM
1
PTP
GM
2
PTP
PTP
BITS
A
BITS
B
BITS
A
BITS
B
BITS
INPUT
OPTIONS
OUTPUT
OPTIONS LOCAL
PTP
CLIENTS
PTP
CESIUM
LOCAL
IRIG
ELEMENTS
IRIG
BITS
A
BITS
B
5422 INPUT OPTIONS WHEN GNSS, CESIUM, BITS, PTP AVAILABLE
SONET
RADIO
BITS
A
BITS
B
SNMP
Jam/Spoof
Detection
NTP
SyncE
SyncE
SyncE
Multi-Band
Multi-Constellation

40. Wrapping It Up
Timing/sync trends
• Packet-only vs all-in-one clocks
Packet-only- 5G
All others all-in-one
• ePRTC now standard requirement
No longer a “hard sell”
Is a capital item
• Optical cesium the new norm
New RFQ’s demand optical cesium- no mags
Why?
Partnerships a must
• Universal management
Health of legacy & new clocks
Self & port probing
• Hybrid networks the norm
5 years
Manage sync during transitions

41. Thank you!
Dustin Williams PE ddwilliams@burnsmcd.com
Senior Technical Consultant Networks, Integration and Automation
Senior Technical Consultant Networks, Integration and Automation
Phone 816-782-6050
ddwilliams@burnsmcd.com burnsmcd.com
Senior Technical Consultant Networks, Integration and Automation
Phone 816-782-6050
ddwilliams@burnsmcd.com burnsmcd.com
Daniel B. Burch dburch@adva.com
Senior Business Development Manager, NA
Smart Grid/Energy, Transportation, Public Safety/E911
Dustin Williams, PE, is a Senior Technical Consultant in the Transmission & Distribution Group at Burns & McDonnell. He specializes
in telecommunications and network engineering with experience in MPLS WAN, substation LAN, and SONET network design and implementation.
Dustin earned a Bachelor of Science in electrical and computer engineering from the University of Missouri-Columbia.
Daniel B. Burch has enjoyed a 47-year, award-winning career in telecommunications, serving roles with national responsibility at GTE/Verizon
Communications, Director of Research & Development at Teradyne Broadband Test Division, and senior positions in multiple Silicon Valley
firms with expertise in timing & synchronization, portable and remote automated expert testing solutions, and developing new methods for
analyzing complex circuits and services. Burch is now responsible for Oscilloquartz business development in Federal, Smart Grid Transportation
& Public Safety/911 markets.