Vulnerability experts recommend a holistic approach to securing vital positioning, navigation and timing data.
The vulnerability of the global positioning system, or GPS, is widely acknowledged. Radio frequency interference caused by jamming and spoofing is used to degrade a vital synchronization system providing positioning, navigation and timing (PNT) information for critical national infrastructure.
Much of this RF interference emanates from electronic devices, radio antennas or modems that are strong enough to drown out the relatively weak signals to Global Navigation Satellite System (GNSS) receivers. That vulnerability creates a tempting target for bad actors.
“The baddies are always coming up with more and more threats, so we have to come up with ways to analyze and address them,” said Rod Bryant, senior director of technology for positioning at wireless specialist U-Blox.
Those defenses range from navigation message authentication and signal encryption for the European Galileo system to anti-spoofing frameworks for GPS using similar message authentication schemes.
Before exploring those and other resiliency approaches, some perspective on the rising threats to GNSS along with a snapshot of the effects of GPS interference over the last several years.
Jamming and spoofing
Jamming a GPS signal requires little more than generating an RF signal strong enough to drown out GNSS transmissions. Typically, a small transmitter sends radio signals in the same frequency band as a GPS device. The resulting interference jams reception on GPS devices.
GPS jammers do not discriminate, usually resulting in collateral damage. GPS-dependent air traffic control, search and rescue operations, the electric grid and mobile phone services are all vulnerable to GPS jamming fallout.
While jammers simply block GNSS signals, making accurate positioning difficult or impossible, GPS spoofing involves deliberate transmission of signals similar to GPS, but with incorrect location information. By replicating GNSS signals, a spoofer can fool a receiver into thinking that it’s elsewhere in either time or location.
Spoofing creates all kinds of havoc. For example, it can be used to hijack autonomous vehicles and send them on alternate routes. Spoofing can alter the routes recorded by vehicle monitors, or break geofences used to guard operational areas. It also poses a risk to critical infrastructure, including power, telecommunication and transportation systems.
Jan van Hees, business development and marketing director for GNSS receiver maker Septentrio, provided this analogies: “Jamming involves making so much noise that the [satellite signal] disappears. Spoofing is like a phishing attack on the signal.”
GPS interference on the rise
The U.S. Coast Guard has recently tracked a growing number of high-profile incidents involving GPS interference. For example, the loss of GPS reception in Israeli ports in 2019 left GPS-guided autonomous cranes inoperable, collateral damage from the Syrian civil war. In 2016, more than 20 ships off the Crimean peninsula were thought to be the victim of a GPS spoofing attack which shifted the ships’ positions on electronic chart displays to land.
GNSS disruptions prompted the U.S. Department of Transportation’s Maritime Administration to issue a warning last year about GPS interference. It’s message to industrystressed the need for using alternative PNT systems. Fearing complacency, the agency highlighted interference sources, including multipath propagation, atmospheric conditions and GNSS segment issues such as erroneous data uploads.
Following GPS jamming incidents over Norway likely emanating from nearby Russia, the European aviation agency Eurocontrol a 2,000-percent rise in GNSS interference incidents since 2018. A report also stressed that RFI jamming is disproportionate: While the majority of RFI hotspots are in conflict zones, they also affect civil aviation at distances of up to 300 km, reflecting jammer overkill.
In another scenario, jammers were used to conceal the location of stolen luxury cars and fully loaded shipping containers. The FBI issued a bulletin in 2014, according to Guy Buesnel, a specialist in GNSS vulnerabilities at Spirent Communications.
Buesnel highlighted government efforts to raise awareness of GNSS vulnerabilities. For example, one report estimates the economic impact to the U.K. of a complete loss of GNSS at £5.2bn over a five-day period.
Those and parallel U.S. efforts have prompted efforts to boost the resilience of GNSS systems. “Accuracy is important, but it is important to guarantee trust in the system, and we need reliability and availability,” said Septentrio’s van Hees. “For example, can you receive signals under adverse conditions?”
Trust also requires steps like signal fingerprinting to distinguish spoofers from a satellite signal. For instance, signal strength and timing from a spoofer may be a giveaway, especially since the satellite transmission will have a lower signal strength. Signal encryption is another option, including a framework called open service navigation message authentication (OSNMA).
Spirent’s Buesnel stressed the need for auditing and risk assessments as essential components of PNT security, resilience and robustness. “Testing to gain a quantitative understanding of how existing systems react to real-world threats, and to evaluate proposed mitigation schemes is an essential part of this,” he said. “Often, unexpected behaviour or consequences are the result of a lack of thorough testing and risk assessment being carried out before a system has been deployed.”
The OSNMA anti-spoofing service developed for the European GNSS system, enables secure transmissions from Galileo satellites to encryption-enabled GNSS receivers. In the midst of final testing, OSNMA will soon be available free to users.
OSNMA secures Galileo signals by enabling authentication of navigation data, which carries satellite location data. It uses a hybrid symmetric/asymmetric cryptography technique. A secret key on the satellite is used to generate a digital signature. Both the signature and key are appended to navigation data and transmitted to the receiver. OSNMA is designed to be backward-compatible, so that positioning without OSNMA still works.
The European GNSS Agency said OSNMA test signals are being broadcast by the Galileo constellation using the spare bits from current navigation messages, leaving legacy open-service unaffected. Initial testing last November involved eight Galileo satellites. Tests will continue over the next few months.
Septentrio said its receiver has authenticated navigation data from the first OSNMA-encrypted GNSS satellite signal. Still, even secure authentication via OSNMA carries potential vulnerabilities. “With OSNMA, there is a vulnerability in the way the key is provided,” said Bryant of U-Blox. “If you are a clever spoofer, you could delay your signals to capture the key.” Still, Bryant believes OSNMA will likely become mandatory in Europe for some applications.
He also thinks the GPS authentication system could potentially overcome this vulnerability. The proposed Chimera system for securing GPS signals inserts encrypted digital signatures and watermarks that are encoded into the satellite signal. The signal authentication enhancement jointly authenticates both the navigation data and the spreading code of the civilian GPS signal.
Chimera employs the concept of time-binding, in which the spreading code is punctuated by markers that are cryptographically generated using a key derived from the digitally-signed navigation message. The navigation message and the spreading code cannot be independently generated. Bit commitment ensures that a spoofer cannot generate the correct markers until after they have been broadcast.
Two variations are specified: a “slow” channel for standalone users and a “fast” channel for more rapid authentication when out-of-band information is available. In the latter case, the binding is accomplished by delaying disclosure of the cryptographic keys.
NIST, DHS on the case
Earlier this year, the U.S. National Institute of Standards and Technology (NIST) released its final cybersecurity guidance for PNT services. The guidance recognizes the cybersecurity risks confronted by PNT and GPS services along with national and economic security implications.
“Many efforts to secure PNT services were underway before we began developing this profile, but there wasn’t a formal reference for risk mitigation that everyone could use,” said NIST’s Jim McCarthy, a co-author of the guidance.
The US. Department of Homeland Security’s (DHS) Science and Technology Directorate also weighed in earlier this year with resources designed to protect critical infrastructure against GPS spoofing. These free tools include a PNT integrity library and Epsilon algorithm suite, both intended to increase PNT resilience
The increasing reliance on GPS for military, civil and commercial applications adds to PNT system vulnerable, according Space Policy Directive-7, issued in January. “GPS users must plan for potential signal loss and take reasonable steps to verify or authenticate the integrity of the received GPS data and ranging signal, especially in applications where even small degradations can result in loss of life,” the directive warns.
The PNT integrity library and Epsilon algorithm suite both address this issue by providing users a method to verify the integrity of received GPS data. The new tools will help “improve resiliency against potential GPS signal loss,” said Brannan Villee. PNT program manager at DHS.
“Since GPS signals can be jammed or spoofed, critical infrastructure systems should not be designed with the assumption that GPS data will always be available or will always be accurate,” added Jim Platt, chief of strategic defense initiatives at the Cybersecurity and Information Security Agency’s National Risk Management Center.
“Application of these tools will provide increased security against GPS disruptions. However, DHS also recommends a holistic defense strategy that considers the integrity of the PNT data from its reception through its use in the supported system,” Platt said.
GNSS signals are increasingly vulnerable, and resilience efforts continue to address interference and spoofing threats. The OSNMA architecture is well advanced in terms of testing and is close to becoming more widely adopted in Europe. The Chimera specification for GPS remains in the early testing stages.
Ultimately, GNSS signal security must be viewed holistically, experts agree, taking many factors into account, including signal diversity, fingerprinting and encryption. Only then can the output from PNT systems be trusted.
This article was originally published on EE Times.