For our March 2025 issue, Professor Washington Ochieng proposed the following question to members of our editorial advisory board: When we discuss the security of GNSS/PNT systems, we nearly always focus on interference — i.e., meaconing, intrusion, jamming or spoofing. However, GNSS/PNT systems are embedded in systems of systems that also offer many other opportunities for cyberattacks. What should we do about it?
Miguel Amor
“As a GNSS receiver manufacturer and correction service provider, cyber attacks are a risk we must consider seriously that arises from our customers’ integration of our solutions into complex systems. At the receiver level, it is important to make risk assessments to identify vulnerabilities across all components and implement a robust, multi-layered security strategy that includes physical, network and software components. At the core, our strategy incorporates cybersecurity considerations into our product/service development processes. We utilize the ASPICE framework for our engineering processes and we layer into that process the ISO21434 standard to ensure that we take steps all along the development path to consider cybersecurity. We selected this standard from the automotive industry due to the connected car use case, which is now in the front of cybersecurity development. ISO21434 covers the entire development life cycle — from system, to hardware and software, to verification and validation — in a way that many other standards do not. As a correction service provider, we ensure our data streams are secure and reliable, maintaining the highest standards of accuracy and availability. We also use ISO27001 as an IT framework for our correction network infrastructure. Continuous monitoring and iterative improvements are crucial to maintaining a secure and resilient GNSS/PNT infrastructure. It is key also to prioritize redundancy and backup systems to ensure continuity and resilience, to develop a comprehensive incident response plan that allows for rapid action in case of a breach and to conduct regular employee training to promote cybersecurity awareness across all products and platforms.” – Miguel Amor, Hexagon Positioning Intelligence
Alison Brown
“Cyberattacks are a credible threat to all existing GNSS systems and certainly need to be taken into account when considering alternative resilient PNT solutions. In fact, Goal 3 of the recently released U.S. Department of Transportation PNT Strategic Plan identifies PNT cybersecurity as a critical element of PNT resilience. The National Institute of Standards and Technology (NIST) provided a report titled Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. This cybersecurity framework was created for both users of PNT services to manage risks when using PNT signals or data, and for operators of alternative PNT services to leverage when providing PNT signals or services. It was created by applying the NIST Cybersecurity Framework (CSF) and provides approaches for cybersecurity for PNT by continuously monitoring for attacks (e.g., denial of service, jamming), false data, and other malicious behavior within the systems and across the PNT services, using data-driven methods and solutions. This Cybersecurity Framework should be routinely adopted by both users and providers of PNT services.” – Alison Brown, NAVSYS Corp.
Ellen Hall
“The key is platform architecture, specifically ensuring robust spatial and temporal partitioning between safety-critical and non-safety-critical functions. Safety-critical functions, such as navigation and autopilot, must be isolated from non-safety-critical functions, such as mission compute, where artificial intelligence typically operates. This partitioning minimizes the scope and effort required to produce design assurance artifacts for airworthiness certification. Additionally, it enhances security by reducing potential attack vectors through the isolation of safety-critical and mission-critical capabilities.”
— Ellen Hall, Imminent Federal
Mitch Narins
“An old mariner’s proverb is: ‘The prudent mariner never relies solely on any single aid to navigation.’ A more recent statement offers: ‘With so many pieces of sophisticated electronic equipment at our beck and call it would seem some are lulled into complacency and are ignoring basic seamanship.’ In September 2018, the U.S. Naval Institute published an article titled, ‘Professional Mariners Cannot Rely on Electronics Alone.’ The recent news that the U.S. ITAR restrictions on multi-element antenna arrays will be lifted (thanks to many in our community who have lobbied hard for this for many, many years) is excellent news. It will help and was a necessary change — but it is not sufficient. It certainly does not remove the need to pursue complementary PNT solutions that will ensure the safety, security, and economic well-being of PNT users and their PNT-dependent systems worldwide. From a basic systems engineering perspective, incorporating multiple solutions with independent failure mechanisms is ultimately the end product that we in the PNT community should all be seeking. We must not forget, however, a key element of many of these systems: the human in the loop, who, if continually provided the opportunity to train in PNT-challenged environments, often can be the ultimate system safety element. This will require the design of our PNT services to ensure that the human factors designed into these systems include sufficient information for the human component to understand an off-normal situation and have the training and skills to take the appropriate corrective actions.”
The solar storm in May that produced a beautiful aurora borealis as far south as Mallorca, Spain, also stopped GNSS-based precision agriculture for a couple of days. The same month, articles in major U.S. newspapers detailed aspects of a growing confrontation between the United States, Russia and China — vying for dominance in near-Earth space, now part of the military fighting domain — that could lead to far greater disruption. Nearly all satellites are highly vulnerable to cyberattacks, ground- or space-based lasers, high-powered microwaves, the debris field from a destroyed satellite and the radiation produced by a nuclear explosion in space. The last one would disable by far the greatest number of satellites because of its range and because commercial satellites, which constitute more than 90 percent of all satellites in orbit, are not hardened against such radiation.
Luccio
A May 16 article in The Wall Street Journal titled “Russia Launched Research Spacecraft for Antisatellite Nuclear Weapon Two Years Ago, U.S. Officials Say,” reported that in February 2022, shortly before it invaded Ukraine, Russia launched Cosmos-2553, “designed to test components for a potential antisatellite weapon that would carry a nuclear device.” It linked the launch to a continuing Russian nuclear antisatellite program and said that, if deployed, the weapon “would give Moscow the ability to destroy hundreds of satellites in low-Earth orbit (LEO) with a nuclear blast.”
“The Pentagon,” the article pointed out, “has become increasingly reliant on commercial satellites.” In LEO, it reported, there are almost 6,700 U.S. satellites, while China has 780 and Russia only 149. Therefore, the Russians would have a lot less to lose should they choose to explode a nuclear weapon in LEO.
A May 17 article in The New York Times was titled “New Star Wars Plan: Pentagon Rushes to Counter Threats in Orbit.” The subhead read: “Citing rapid advances by China and Russia, the United States is building an extensive capacity to fight battles in space.” It said that, in a major shift in military operations, the Defense Department “is looking to acquire a new generation of ground- and space-based tools that will allow it to defend its satellite network from attack and, if necessary, to disrupt or disable enemy spacecraft in orbit.” Meanwhile, “both Russia and China have already tested or deployed systems such as ground-based high-energy lasers, antisatellite missiles or maneuverable satellites that could be used to disrupt [U.S.] space assets.”
The decision to strengthen U.S. warfighting capacity in space, it said, is driven mostly by China’s expanding fleet of military tools in space, which threatens to prevent U.S. Navy operations in the Western Pacific. “The Pentagon is separately working to launch a new generation of military satellites that can maneuver, be refueled while in space or have robotic arms that could reach out and grab — and potentially disrupt — an enemy satellite.”
These are all reasons to quickly develop and deploy a wide mix of complementary PNT solutions that would lessen reliance on GNSS satellites and, therefore, make them less of a target.
By Nino De Falcis, Senior Director of Business Development, ADVA
Today’s critical network infrastructure is heavily reliant on positioning, navigation and timing (PNT) services. Power grids, financial markets, transportation, data centers, communications — all have become more complex and interconnected, while the threats to the PNT on which they depend have grown in frequency and sophistication. PNT systems are so vulnerable to the activities of cybercriminals that attacks may soon become global in scale and significance, with potential costs of billions of dollars.
Utilities are a key example of infrastructure at risk. In the past, power networks were passive systems with everything simple and centralized, and with energy flowing in one direction only as AC power was provided to consumers. However, the growth in renewables and distributed energy resources has spurred diversification of the market, and a new paradigm of bidirectional AC and DC energy production and distribution has emerged: the smart grid.
Timing Challenges
Today, many smaller producers are generating power from multiple sources. The power grid has become a decentralized system and the flow of energy is now bidirectional. Energy from solar panels (microgrids), for example, can be generated by private individuals and either stored or fed back into the grid. Electric vehicles (EVs) are also becoming more common, and like all other nodes across the smart grid, charging points require precise timestamping of the massive amount of data they generate to balance power demand and supply.
Precise timing is also key to rerouting power flows away from transmission outages, to locating power line faults, and for synchronizing distributed control and protection systems. Without highly accurate timing and synchronization, power grids are vulnerable to partial outages and even complete blackouts.
That is why accuracy requirements of data timestamping are tighter than ever. In fact, they are shifting from legacy Network Time Protocol (NTP) timestamping, which has millisecond accuracy needs, to Precision Time Protocol (PTP) timestamping, requiring sub-microsecond accuracy. The synchrophasor now demands accuracy better than 1 microsecond.
For fault location, we’re now at 100 nanoseconds. The micro-phasor measurement unit (PMU) is at less than 1 microsecond and substation LAN communication protocols have to be time-stamped at as low as 100 microseconds for GOOSE IEC 61850 and at 1 microsecond for IEC 61850 sampled values. This is a big change from just five years ago when accuracy in all these categories was firmly in the millisecond range, and it’s a high bar that needs to be maintained by next-generation redundant systems, should GPS or ground-based timing become compromised.
Guidelines for making PNT infrastructure fully redundant are being pushed by governments across the world. In the United States, regulations are being driven by Executive Order 13905 with the Department of Homeland Security (DHS) providing a framework for how assured PNT (aPNT) should operate. It states that PNT infrastructure must perform three core functions: prevent, respond and recover. Infrastructure must have the ability to prevent atypical PNT errors and corruption of PNT sources. If prevention fails, networks must be able to respond to detected errors or anomalies and then recover from those errors.
The DHS framework outlines four resiliency levels. Level 1 has only one source providing PNT, while level 4 is a next-generation system leveraging multiple sources to derive and distribute PNT data. At Level 4, systems need to be self-survivable. This means they must function for long periods in the absence of a GPS timing source, or when ground-based timing sources have been otherwise compromised. There is even an IEEE P1952 resilient PNT standard in progress that will use this DHS framework.
Rising Threats
There are two categories of threat to PNT: external and internal. External threats include jamming (equipment that can block GPS is available off the shelf for as little as $20) and spoofing, which is the act of transmitting false GPS signals that trick receivers into calculating an erroneous position. Sophisticated cyberattacks can be in the form of either of these and spoofing (especially synchronous) is the most complex to detect.
The two main internal PNT threats come from attacks on NTP and PTP network timing as well as active GPS receivers connected to the network.
Legacy power grids have traditionally used NTP to distribute timing to substations, including IRIG, and NTP has already shown itself to be vulnerable to attack through a process called NTP amplification.
Today, power grids are increasingly migrating to PTP because it provides the sub-microsecond accuracy needed for modern applications. PTP has not yet been hacked, but that does not mean it will not be soon. If an attack did occur on ill-prepared critical infrastructure, the results could be catastrophic.
Secure Smart Grid Timing Components
There are two components in the smart grid: telecom connectivity to transport data, and grid protection that has different level generation grid control, transmission and management. On the telecom side, there is the edge telecom network and sometimes there are data centers. There are either core or edge data centers and these are also equipped with very good timing. A key concept in the data center is time as a service and GPS backup as a service when GPS goes down. The smart grid can also leverage this service as it gives even more robust protection and security against threats to PNT. See Diagram 1.
Diagram 1. A key concept in the data center is time as a service. (Image: ADVA)
A Resilient and Assured PNT Solution
As with other aspects of cybersecurity strategy, smart grids must employ a zero-trust framework of PNT sources. This approach never assumes that any one PNT source can be trusted. Instead, it uses a multi-source approach, verifying sources and comparing them to each other in real time to get the most accurate timing possible.
To prevent and mitigate interruptions to GPS, smart grid operators should deploy a resilient and assured PNT solution. This means it’s based around three integrated technologies: multi-layer detection, multi-source backup and multi-level fault-tolerant mitigation.
Multi-layer detection is performed through timing devices – either single or redundant – that have jamming and spoofing detection and monitoring capabilities. GNSS devices are also capable of comparing sources such as network PTP timing and they can be equipped with standalone, GNSS-backup clocks that leverage rubidium or cesium oscillators to obtain the most reliable timing information from other timing sources in the network.
Multi-source backup comes in the form of a cesium or rubidium oscillator that can provide extended holdover. Backup can be further bolstered with other sources such as eLORAN, NIST and LEO.
A neural network management system is an intelligent platform that ties everything together, from self-actionable recovery and assurance software to alerting users of issues in the network-wide timing infrastructure. It provides visibility and control of all aspects of prevention, mitigation and backup. The management system gives detailed operational data on the smart grid, showing the locations of the faults, the types of faults, and how PTP backup assurance is performing. Through capabilities powered by artificial intelligence and machine learning, the management and control system provides the end-to-end control, visibility, and trusted, assured PNT. It has all the intelligence to reveal threats and also take action against them, quickly recovering the network’s timing distribution capability, while keeping the network timing self-survivable. See Diagram 2.
Mitigating Cyberattacks with a Defense-in-Depth Approach
So, let us imagine there is a major attack on a smart grid. A jamming device has been used to block GPS reception on an edge grandmaster being used at a substation, while at the core of the network an ePRTC’s ability to receive GNSS signals has also been compromised. GPS is no longer viable as a source for timing in the smart grid.
The intelligent software monitoring and management system is the first line of defense, detecting and alerting operators to the two or more attacks on GPS: one at the core of the network and one at the substation. The network timing capability of the whole smart grid has been compromised.
Upstream from the substation, the core enhanced PRTC (ePRTC) has become an unreliable source of timing. However, it is equipped with a cesium clock that steps in to propagate trusted PNT backup into the substation and throughout the rest of the network. The cesium clock has no antenna, no RF signal, and is a stratum 1 clock that can propagate highly accurate timing (accurate to 1 microsecond over four months) throughout the network. It has now become the trusted source of timing until GPS can be re-established.
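The zero-trust source comparison and the cesium holdover described above can be sketched as follows. This is an added example, not ADVA's software: the source labels, the tolerance and the sample readings are constructed, drift is assumed linear, and "four months" is taken as 120 days.

```python
from dataclasses import dataclass

# Accuracy requirements quoted in the article, in nanoseconds.
REQUIREMENT_NS = {
    "fault_location": 100,
    "synchrophasor": 1_000,
    "iec61850_sampled_values": 1_000,
    "goose": 100_000,
}

# Cesium holdover figure quoted in the article: 1 microsecond over four months.
# Assumption: four months = 120 days, and the error grows linearly.
CESIUM_DRIFT_NS = 1_000
CESIUM_DRIFT_DAYS = 120


@dataclass
class Reading:
    source: str            # hypothetical labels: "gnss", "ptp", "cesium"
    offset_ns: float       # offset of this source against the local clock
    healthy: bool = True   # False when the device reports jamming or loss of lock


def cross_check(readings, tolerance_ns):
    """Compare every live source with every other one.

    A source is trusted only when a strict majority of live sources
    (itself included) agree with it within tolerance_ns. Returns
    (state, trusted_sources, rejected_sources).
    """
    live = [r for r in readings if r.healthy]
    if not live:
        return "no-source", [], []
    if len(live) == 1:
        # Nothing to compare against: the lone source cannot be verified.
        return "single-source", [], []
    trusted, rejected = [], []
    for r in live:
        agree = sum(1 for o in live
                    if abs(o.offset_ns - r.offset_ns) <= tolerance_ns)
        (trusted if agree * 2 > len(live) else rejected).append(r.source)
    return ("verified" if trusted else "conflict"), trusted, rejected


def holdover_days(application, drift_ns=CESIUM_DRIFT_NS,
                  drift_days=CESIUM_DRIFT_DAYS):
    """Days a free-running clock stays inside an application's accuracy budget."""
    return REQUIREMENT_NS[application] * drift_days / drift_ns


# Constructed sample: GNSS is being spoofed and disagrees with the other two.
SPOOFED = [Reading("gnss", 5_000), Reading("ptp", 20), Reading("cesium", -10)]

# Constructed sample: GNSS jammed at the edge and at the core, so the
# GNSS-fed PTP path is flagged as well and only the cesium clock remains.
JAMMED = [Reading("gnss", 0, healthy=False),
          Reading("ptp", 0, healthy=False),
          Reading("cesium", -10)]

if __name__ == "__main__":
    print(cross_check(SPOOFED, tolerance_ns=200))
    print(cross_check(JAMMED, tolerance_ns=200))
    for app in REQUIREMENT_NS:
        print(app, holdover_days(app), "days of holdover")
```

Under these assumptions the 100-nanosecond fault-location budget is used up after 12 days of holdover, while the 1-microsecond applications last the full four months.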
The most crucial element of PNT is timing. Without timing there is no positioning or navigation — it is the enabler of both — and so the distribution of accurate timing must be our top concern when we build systems.
For smart grids and all other critical infrastructure dependent on PNT to function, the cornerstone for secure and self-survivable timing networks is the concept of zero-trust. A multi-source approach to building timing networks will allow operators of critical infrastructure to leverage a combination of intelligent management software and timing devices equipped with adequate PTP holdover to respond to all threats to PNT.
To see a real-world example of this approach in action, check out the DOE DarkNet program.
Ukraine’s hacker underground named GLONASS as one of its top priorities, according to media reports that cite a post on the “IT army” Telegram channel.
The IT army, formed on Saturday, is a collective of volunteer hackers. “We need to mobilize and intensify our efforts as much as possible,” the IT army posted.
Besides GLONASS, hackers are focusing on Russian telecom companies and the railway network in Belarus — a key staging area for Russia’s invasion of Ukraine.
The Belarusian Cyber Partisans, a hacking team focused on Belarus, told Reuters it had disabled railway traffic systems in Belarus. Another target is the electrical grid.
With the rise in public unrest from COVID-19 and increasing numbers of remote operations, susceptibility and vulnerability to a cyber attack have never been greater.
On a regular basis, we hear intelligence experts proselytize an eventual cyber doomsday where our critical infrastructure (CI) — communications systems, information technology (IT) capabilities and financial networks — are compromised or disabled. These kinds of attacks could devastate our national and economic security and even disrupt basic day-to-day activities like turning on lights or buying groceries with a debit card. Even worse, a significant cyber event could escalate to the point of military actions between nation-states.
In 2012, Defense Secretary Leon Panetta warned about a potential “Cyber Pearl Harbor.” These threats were echoed by then head of Cyber Command, Gen. Keith Alexander, with hope the public, private and CI sectors would take notice of the broad, detrimental impacts of cyber threats.
Geoff Hella, Centauri Corp.
In kind, the Obama administration took aggressive steps to protect CI networks, and the Trump White House followed suit by enacting measures to strengthen the resilience of other technologies integral to our CI.
The latest White House Executive Order specifically addresses our reliance on position, navigation and timing (PNT) services and directs agencies to work in close coordination with the private sector to identify, secure and continue to improve the resilience of these technologies.
PNT services, such as GPS, are an extension of our IT systems, but despite this, PNT has been a relatively invisible utility and is oftentimes unknowingly utilized by most CI owners and operators. In the coming years, our reliance on PNT will only increase, making now a critical time to foster close collaboration between public and private sectors and determine which systems, networks and assets are dependent on PNT services. Identifying these dependencies will allow us to verify appropriate resilient PNT services being used, determine downstream effects of the disruption and manipulation of PNT services, and manage the associated risks to dependent systems.
The new directive is fast paced — outlined in 90-, 180- and 360-day increments — and instructs agencies to utilize existing public-private sector cybersecurity and CI information sharing relationships, such as Sector Specific Agencies (SSA), to share threat data, educate stakeholders and promote a responsible use of PNT.
What’s the rush?
So, why is this happening right now? PNT systems are crucial to American life, and successfully securing them requires a coordinated response and sooner rather than later. In fact, malicious nation-states, such as Russia, are spreading their wings into new threat vectors to inflict damage and are shifting their attention to PNT.
Because of these risks, we must do more as a country to establish safeguards around these technologies. That being said, agencies and organizations cannot expect their current workforce to become PNT security experts overnight. Rather, business owners and operators would be better served bringing in third-party experts that have been building security into PNT even prior to this directive.
These private-sector partners can map out a systematic approach to prioritize PNT security in a three-step plan:
Find. Identify PNT systems and “profile” them — establish point A.
Fix. Find and correct vulnerabilities — many can be non-material/tactics, technique and procedures (TTP) solutions.
Fortify. Develop TTPs, timelines and guidance for users to upgrade CI where needed — the path to Point B.
When PNT services were first developed, the systems could be openly used by anyone and security was not built into the original PNT architecture — similar to when the internet was created. This has made it easy for adoption into almost everyday life and revolutionized the world. Likewise, it has also made it easy for bad actors to access and compromise it, forcing the country to scramble, backtrack and implement cybersecurity best practices.
The good news is that we aren’t completely starting from scratch. The Department of Defense has been working to secure its PNT systems and will be updating its processes and practices as part of the recent White House directive.
The security community can also look to best practices in assessing risk of vital systems and model PNT security measures on existing guidelines such as Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series.
Path Forward
Per the Executive Order, lead agencies such as the Department of Transportation and the Department of Commerce will work in concert with the private sector to define “PNT profiles” and share these attributes with stakeholders. The coalition of partners will then be able to account for where and how PNT is used by CI owners and operators and will promote the responsible use of PNT services moving forward.
Beyond defining PNT profiles, the EO allocates new research and development funding for Commerce to develop an alternative to GNSS, which provides real-time PNT data to planes, trains, ships and automobiles that transport vital goods and resources — all in an effort to reduce the level of acceptable risk.
The White House also requires the public and private sectors to develop vulnerability testing and incident response plans and, simultaneously, encourage the private sector to use and develop more robust PNT services in anticipation of new Federal Acquisition Regulatory Council (FARC) contract requirements.
While these changes may seem like a fast moving and overwhelming process, there are many cases where CI owners and operators will not be required to integrate material solutions, but rather procedural training and behavioral adjustments. The information sharing processes already exist to provide improved situational awareness, coordination among the public and private sectors, increased reporting, solidified baseline risk assessments and a broader understanding of how systems rely on PNT. The challenge is facilitating widespread adoption across all stakeholders, increasing collaboration and education among and across the CI groups.
For this effort to be successful, it will require a whole-community, multi-pronged approach to operating in a new “threat top-of-mind” paradigm that is grounded on cross-sector information sharing, training and education. Both public and private sectors should also outsource expertise and leverage existing models like the DoD PNT doctrine, NIST standards and incident response capabilities.
Gregory Gerten is director of PNT Operations at Centauri, supporting the PNT enterprise through innovative use of modeling and simulation, hardware-in-the-loop and field testing, and process automation. He earned his master’s degree in electrical engineering from the University of Dayton, and has completed post-graduate courses in GPS from the Air Force Institute of Technology. He has more than 20 years of experience in system design, development and integration in the areas of communications, navigation, electronic warfare tactics and weapon systems.
Geoffrey Hella is a senior engineer for Centauri assigned to a Space Command contract through the Joint Navigation Warfare Center (JNWC). He earned a Master of Aeronautical Science (MAS) from Embry-Riddle Aeronautical University in 1994. During his 40 years of experience, he has been a leader in product development and system design to successfully carry out a vast range of assignments in multiple engineering disciplines. His assignments include: aircrew member of the United States Air Force (USAF); National Air Space (NAS) engineer for the Federal Aviation Administration (FAA); Special Nuclear testing and safeguards engineer for the Department of Energy/Sandia National Laboratories; and Supervisory Control and Data Acquisition (SCADA) engineer for both public and private industry, electric and gas utility companies. Hella currently holds a six-sigma certification and a general radio operator license from the Federal Communications Commission (FCC) and a remote pilot operator certificate from the Federal Aviation Administration (FAA).
In a 50-page report to the U.S. Senate Armed Services Committee, the government’s General Accounting Office (GAO) finds that U.S. weapons systems are, almost across the board, highly vulnerable to cyber-attack. Furthermore, the Department of Defense (DoD) has gotten off to “a late start” in prioritizing cybersecurity, and has only “a nascent understanding” of how to develop more protected weapons systems. The October 2018 report, “Weapons Systems Cybersecurity,” is subtitled “DoD Just Beginning to Grapple with Scale of Vulnerabilities.”
[Image above: Figure 2 from the GAO report: Embedded Software and Information Technology Systems Are Pervasive in Weapon Systems (Represented via Fictitious Weapon System for Classification Reasons). Source: GAO analysis of Department of Defense information, GAO-19-128.]
GPS can figure to be among these threatened systems, and GPS guidance aboard many munitions and almost all platforms vastly expands the danger. The satnav system is not mentioned by name in the report (“To present information in an unclassified format, we do not disclose details regarding weapon system vulnerabilities, which program offices we interviewed, or which cybersecurity assessments we reviewed.”), and the word navigation surfaces only once, but it’s an alarming appearance:
“Weapon systems are dependent on external systems, such as positioning and navigation systems and command and control systems in order to carry out their missions—and their missions can be compromised by attacks on those other systems. A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.”
The latter scenario could occur if a GPS-guided armament were hacked and rerouted to a civilian target, for example.
The GAO states that it warned as far back as 2015, and in repeated instances since that date, that federal and contractor systems face an evolving array of cyber-based threats, including criminals, hackers, adversarial nations, and terrorists. “Threats can range from relatively unskilled “script kiddies” who only use existing computer scripts or code to hack into computers, to well-resourced and highly skilled advanced threats who not only have sophisticated hacking skills, but also normally gather detailed knowledge of the systems they attack.”
Networks, Computers Increase Vulnerability
The increasingly computerized and networked nature of the U.S. military’s weapons contributes to their vulnerability. As weapon systems become more software- and IT-dependent and more networked, they actually become more vulnerable to cyber-invasion. Networks can be used as a pathway from one accessed weapon to attack other systems.
“Nevertheless,” the report adds, “until recently, DOD did not prioritize cybersecurity in weapon systems acquisitions. . . . DOD is in the early stage of trying to understand how to apply cybersecurity to weapon systems.”
As the GPS constellation — the satellites themselves as well as the ground control system — becomes more software-reliant, including the ability to modify signals by remote software command, this has to be a growing concern for the U.S. Air Force. Difficulties with cyber-proofing the next-generation ground control system, OCX, have been suspected as a leading cause of extended delivery delay in that program.
DoD officials reportedly confided that it will take time — and possibly some missteps — to learn what does and does not work in combatting cyber-attacks on weapon systems.
Separately, a UK defense expert consultant stated that Russia had “stolen a march on using cyber-capabilities at a tactical level on the battlefield.” As reported last year in GPS World, Black Sea spoofing incidents aroused suspicion that Russia was testing a new counter-combat technique.
Another spoofing expert said at the time, “It’s long been assumed that Russia, China and other nations (including the U.S.) have the technology to carry out a spoofing attack. What’s surprising is Russia’s willingness to use it openly and somewhat indiscriminately. It does fit nicely into what has been called Russian disinformation technology.”
Figure 3 from the GAO report: Weapons Include Numerous Interfaces That Can Be Used as Pathways to Access the System (Represented via Fictitious Weapon System for Classification Reasons) Source: GAO analysis of Department of Defense information, GAO-19-128.
The amount of software embedded in weapon systems and subsystems has increased exponentially, expanding the respective weapons’ vulnerable surfaces. According to the military’s Director of Operational Test and Evaluation, “any exchange of information is a potential access point for an adversary. Even ‘air gapped’ systems that do not directly connect to the Internet for security reasons could potentially be accessed by other means, such as USB devices and compact discs. Weapon systems have a wide variety of interfaces, some of which are not obvious, that could be used as pathways for adversaries to access the systems, as is shown in Figure 3.”
If attackers can access one of those systems, they may be able to reach any of the others through connecting networks.
Figure 4 from the GAO report: Weapon Systems Are Connected to Networks That May Connect to Many Other Systems (Notional Depiction for Classification Reasons)
Further, the DOT&E found that some networks were not survivable — that is, able to maintain critical capabilities under applicable threat — in a cyber-contested environment. The Defense Science Board concluded in 2013 that “the adversary is in our networks.”
The GAO adds that it and other organizations have been sounding off about such threats since the early 1990s — around the time that GPS itself became operational.
Tests of major military programs conducted between 2012 and 2017 revealed mission-critical cyber vulnerabilities that adversaries could compromise. “Test teams were able to gain unauthorized access and take full or partial control of these weapon systems in a short amount of time using relatively simple tools and techniques. . . . Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.”
Figure 5: Vulnerabilities that the Department of Defense Is Aware of Likely Represent a Small Amount of Actual Vulnerabilities Due to Limitations in Cybersecurity Testing. Source: GAO analysis of Department of Defense information, GAO-19-128.
Beginning Steps
The Department of Defense is “still learning” how to address weapon system security and “still determining” what steps it may take. Implementation, once identified, will surely occupy an extended period. Complicating the picture, if DOD is able to make its newer systems more secure, yet connects them to older, vulnerable systems, the newer systems come into jeopardy.
Pass the Hash
A report appendix lists several different types of attacks with such pictorial names as: Man-in-the-middle, Pass-the-hash, War driving, and Zero-day exploit.
Respectively, these types of attacks connote:
• An eavesdropping attack in which the attacker intercepts data communications in order to read or modify them and to masquerade as one or more of the entities involved.
• Capturing an encrypted version of a username and password in order to authenticate to a server or service. The attacker does not have to decrypt the username and password (i.e., they do not actually know what they are), yet can still use them to log in to a system.
• Driving through cities and neighborhoods with a wireless-equipped computer — sometimes with a powerful antenna — searching for wireless networks potentially to exploit.
• Taking advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed timeframe between public discoveries of both makes it difficult to defend against.
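The pass-the-hash definition above, as an added illustration that is not from the GAO report or this article: a constructed toy challenge-response login (not NTLM or any real protocol) in which the server keys the response with its stored hash, next to a variant whose stored record is only a verifier. All class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def stored_hash(password: str) -> bytes:
    """Toy credential hash (constructed scheme, unsalted on purpose)."""
    return hashlib.sha256(password.encode()).digest()


def response(key: bytes, nonce: bytes) -> bytes:
    """Client proof: HMAC of the server's nonce under the credential key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class HashKeyedServer:
    """Weak design: the value kept at rest is also the authentication key."""

    def __init__(self):
        self.db, self.pending = {}, {}

    def enroll(self, user, password):
        self.db[user] = stored_hash(password)

    def challenge(self, user):
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def verify(self, user, proof):
        nonce = self.pending.pop(user, None)  # each nonce is accepted once
        if nonce is None or user not in self.db:
            return False
        return hmac.compare_digest(response(self.db[user], nonce), proof)


class VerifierServer:
    """Hardened at rest: stores a salt and a hash of the derived key only."""

    def __init__(self):
        self.db = {}

    @staticmethod
    def derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        key = self.derive(password, salt)
        self.db[user] = (salt, hashlib.sha256(key).digest())

    def verify(self, user, presented_key):
        # Assumption: the client sends the derived key over a protected channel.
        if user not in self.db:
            return False
        _, verifier = self.db[user]
        digest = hashlib.sha256(presented_key).digest()
        return hmac.compare_digest(digest, verifier)


def demo():
    weak, hardened = HashKeyedServer(), VerifierServer()
    password = "constructed-sample-passphrase"  # constructed sample value
    weak.enroll("operator", password)
    hardened.enroll("operator", password)

    # A copy of the weak server's stored hash is enough to answer a challenge.
    nonce = weak.challenge("operator")
    weak_accepts_hash = weak.verify("operator", response(weak.db["operator"], nonce))

    # A copy of the hardened record is not accepted; the real password still is.
    salt, verifier = hardened.db["operator"]
    hardened_accepts_record = hardened.verify("operator", verifier)
    legitimate = hardened.verify("operator", hardened.derive(password, salt))
    return weak_accepts_hash, hardened_accepts_record, legitimate
```

The hardened variant only changes what a copied server-side record is worth; whatever value a protocol accepts as proof remains a credential if it is captured in transit or from memory, and the weak design's fresh nonce does nothing to prevent that.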
November has certainly been a busy month, and I’ve been lucky enough to be involved in a number of standout events where defense PNT was discussed.
The National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board met in California; GPS World hosted a webinar on military PNT technology; and the International Navigation Conference took place in the U.K. Check out a brief roundup of what’s been taking place.
Next-generation GPS takes steps in the right direction
The December issue of GPS World magazine has an excellent update from Col. Steven Whitney. GPS itself is often referred to as the “gold standard” by which other GNSS and PNT solutions are benchmarked. And GPS is undergoing a fairly monumental modernization program, in order to stay current and provide the right services to the military. There are broadly three aspects to this: the next-generation ground segment, the space segment, and the user equipment.
It’s fair to say that the ride hasn’t been a particularly smooth one, and the Next Generation Operational Control System (OCX) has been plagued by delays and challenges. Following a Nunn-McCurdy breach in 2016, the future of the OCX development program looked to be hanging on a knife edge, but the program was recertified and continued.
At the PNT Advisory Board meeting on Nov. 15, Col. Gerry Gleckel (deputy director, GPS Directorate, Space & Missile Systems Center) gave an upbeat presentation on the status of GPS modernization. Describing the current status of OCX as “working through program challenges,” he described how the first integrated launch rehearsal between GPS III and OCX Block 0 had been completed in August.
The GPS III satellites themselves are in full production flow, with five satellites at various stages of assembly.
Figure 1. Five GPS III satellites are in production flow. (Credit: Gerry Gleckel, Nov. 15, 2017).
The next-generation military receivers, known as Military GPS User Equipment (MGUE), are also under development by a range of vendors, of which L-3 Technologies was the first vendor to receive security certification in 2016. A number of equipment form factors are being developed to address land, sea and air platforms, and great progress is being made.
Figure 2. Military GPS User Equipment (MGUE) will address a range of platforms. (Credit: Gerry Gleckel, Nov. 15, 2017)
The U.S. Air Force recently completed a number of successful test flights of a prototype M-code receiver on board a B-2 stealth bomber, which marks an important milestone for the GPS modernization effort. Let’s remind ourselves what M-code is, and what it does for us.
The promise of M-code
Until now, the military has relied on the encrypted P(Y) code to provide advantage on the battlefield. Compared to the civilian C/A code, the P(Y) offered improved accuracy, ionospheric correction, resistance to spoofing and a marginal level of jamming resistance.
M-code is quite a different picture. Rather than the traditional BPSK modulation schemes used by legacy signals, M-code utilizes a type of binary offset carrier (BOC) signal. In the case of M-code, the signal is a BOCsin(10,5) modulation, which has a power spectral density given by:
This power spectral density can be seen in the figures below, along with legacy C/A and P(Y) codes (and also the new L2C signal on L2). The M-code BOC signal has a number of important properties; I won’t describe all of them, but I will pick out a couple.
Firstly, the signal is able to support navigation warfare activities. Because the energy in the signal is spread in two lobes away from the center, it allows for the C/A code to be selectively jammed without affecting the military receivers. This is often referred to as “blue force jamming” or “blue on blue jamming,” where friendly forces might wish to perform jamming in an environment in which they are themselves operating. Currently, such blue force jamming is not possible with P(Y) code receivers, without also degrading the friendly force’s receiver.
Another promise of M-code is the ability to use spot-beam transmissions from Block III satellites. This is where a high-gain antenna on the satellites aims the M-code signal at a specific region of the earth, with much greater received satellite power in that region. The received signal from the spot beam is expected to be around 20-dB more powerful than the conventional full-Earth coverage beam. This means that, in a given conflict region, military GPS receivers should be able to benefit from a large increase in jamming resistance.
Figure 3a. M-code signal compared to traditional L1 GPS signal. (Image: Michael Jones)
Figure 3b. M-code signal compared to traditional L2 GPS signal. (Image: Michael Jones)
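The "two lobes away from the center" argument above can be checked numerically. This is an added example, not from the article: the PSD expressions are the standard textbook closed forms for rectangular-chip BPSK and sine-phased BOC signals, supplied here as an assumption, and the function names are illustrative.

```python
import math

F0 = 1.023e6  # GPS reference rate in Hz; BOC(m,n) and BPSK rates are multiples


def psd_bpsk(f, chip_rate=F0):
    """Unit-power PSD of a rectangular-chip BPSK signal such as C/A."""
    x = math.pi * f / chip_rate
    return (1.0 if x == 0 else (math.sin(x) / x) ** 2) / chip_rate


def psd_boc_sin(f, m=10, n=5):
    """Unit-power PSD of sine-phased BOC(m,n); valid when 2m/n is even."""
    if (2 * m) % n or ((2 * m) // n) % 2:
        raise ValueError("this closed form needs an even ratio 2m/n")
    if f == 0:
        return 0.0  # spectral null at the carrier
    fs, fc = m * F0, n * F0  # subcarrier frequency and chip rate
    y = math.pi * f / (2 * fs)
    num = math.sin(y) * math.sin(math.pi * f / fc)
    return fc * (num / (math.pi * f * math.cos(y))) ** 2


def band_power(psd, half_bw, step=500.0):
    """Fraction of signal power within +/- half_bw of the carrier.

    Midpoint rule on the positive half (the PSDs are even). With a 500 Hz
    step the sample points never land on f = 0 or on the removable
    singularities of the BOC formula at odd multiples of the subcarrier.
    """
    cells = round(half_bw / step)
    return 2 * step * sum(psd((i + 0.5) * step) for i in range(cells))


def spectral_summary():
    """Compare C/A and M-code power inside the C/A main lobe."""
    lobe = F0  # C/A main lobe is null-to-null +/- 1.023 MHz
    grid = [(i + 0.5) * 500.0 for i in range(round(15 * F0 / 500.0))]
    m_share = band_power(psd_boc_sin, lobe)
    return {
        "ca_share_in_ca_lobe": band_power(psd_bpsk, lobe),
        "m_share_in_ca_lobe": m_share,
        "m_share_db": 10 * math.log10(m_share),
        "m_peak_offset_hz": max(grid, key=psd_boc_sin),
    }


if __name__ == "__main__":
    for name, value in spectral_summary().items():
        print(f"{name}: {value:.4g}")
```

About 90% of the C/A power but only about 0.3% of the M-code power (roughly 25 dB down) falls within ±1.023 MHz of the carrier, and the M-code lobes peak near ±9.5 MHz, which is the separation the blue force jamming argument relies on.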
Shortly after the GPS Advisory Board meeting in California, on the other side of the Atlantic a range of defense PNT technologies was also discussed.
International PNT experts gather in the UK
The International Navigation Conference (INC 2017) is now in its third year, and has been steadily growing in prominence. This year’s event, which took place Nov. 27-30, focused on the themes of resilient PNT, autonomy, and sensor and data fusion. As usual, there was a substantial defense presence.
I had the pleasure of chairing a few sessions, including a panel discussion on resilient PNT. The event began with a cross-government meeting, where representatives from across the UK government met to discuss PNT issues concerning defense and national security.
What I loved about this conference is the sheer diversity of PNT topics that were discussed. In the military domain, it wasn’t just the traditional subjects of GNSS, inertial, visual and signals-of-opportunity that were discussed. Also considered was cognitive navigation — how does a soldier’s brain work when in an unfamiliar battlefield? And how will quantum technology benefit defense PNT in the medium to long term?
The promise of quantum
Quantum technology has for some time been touted as the future of PNT: clocks so accurate that you’ll never need to worry about timing again. Inertial measurement units that have so little drift, you’ll never need anything else for navigation.
If you’re not familiar with quantum technology, let me explain. Quantum technology exploits science that cannot be explained by classical physics, such as Newtonian mechanics, thermodynamics and Maxwell’s electromagnetism.
As atoms get colder, they have lower energy levels and move more slowly. Taking this argument all the way down to absolute zero, the atoms would stop moving. By using lasers to cool atoms to very near absolute zero, the atoms are essentially placed under precise control, and hence are sensitive to changes in the local magnetic and gravitational fields. What does this mean for navigation?
An excellent INC 2017 session on quantum navigation revealed some of the answers. Dr. Tim Freegarde of the University of Southampton gave the keynote “Navigator’s Introduction to Quantum Technologies,” which was followed by sessions on quantum/classical combined navigation, and quantum technology for performing gravity gradient map matching.
Quantum sensors rely on a phenomenon known as entanglement, where two physically separated systems are linked in such a way that a measurement of one affects the results of the other. Once atoms have been cooled, they can be made to travel in opposite directions around a loop, where the interference pattern generated allows rotation to be sensed.
But the atoms can also be sensitive to gravitational and magnetic fields, and frequency. So, amongst many other things, quantum technology allows for more accurate atomic clocks, and rotational and gravitational sensors.
A huge amount of money has been poured into quantum research in recent years and, whilst it’s clear there is still a long way to go, progress is certainly being made. At the UK National Quantum Technology Hub in Sensors and Metrology, the focus is on achieving sensors that are useful, and not necessarily to look for the highest possible precision. This is essential if quantum sensors for PNT are to be adopted by governments and industry.
Cyber takes center stage
At the end of the conference, I had the pleasure of chairing a lively panel discussion on resilient PNT, where I put a number of questions to both the panel and the audience.
Coming back to satellite navigation, my first question was, “What is the greatest threat to GNSS over the next three years?” You could be forgiven for thinking that “jamming” or “spoofing” would be the top answer, but no: the top answer was in fact “cyber attack”.
Figure 4. At the International Navigation Conference, the audience voted “cyber attack” as the greatest threat to GNSS. (Photo: Michael Jones)
But what exactly do we mean by “cyber attack”? The word “cyber” is a pretty loose word, which is often misused as a catch-all phrase to cover anything that’s not RF related. Let’s quote the NIST definition of cyber attack:
“An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”
How does this apply to military PNT? Well, a key theme from the conference was the trend towards more complex PNT systems. No longer do we have a simple GPS receiver, but an ever-increasing mix of different PNT sensors, and a system more comparable to a computer than a traditional GPS receiver.
What this means is that modern and future military PNT will be susceptible to the full range of cyber attacks currently associated with computing environments. Guy Buesnel from Spirent Communications gave an excellent keynote presentation where he covered this topic. Describing the “attack surface” for GNSS, he noted how many GNSS receivers currently run embedded operating systems such as VxWorks or Linux, and many support standard protocols such as TCP/IP and USB, all of which leaves them vulnerable to cyber attacks.
But let’s not despair. The good news is that there is an awful lot to learn from the computing domain. After all, when computers first became vulnerable to cyber attacks, we quickly learned to make use of virus checkers, firewalls and other such mechanisms available to us. And now the domain of cyber security gives us an arsenal of defensive measures to combat cyber-space risks.
I’ll finish by returning to the PNT Advisory Board meeting in California on Nov. 15, where Harold Martin, director of the National Coordination Office for Space-Based PNT, said “GPS is more computer than radio… GPS receivers lack cyber resilience. This is a national issue.”
Mitigating intentional interference for satellites is addressed in a new white paper released by Intelsat General.
The white paper details interference mitigation on the Intelsat EpicNG platform. Intelsat General is a wholly owned subsidiary of Intelsat and operator of the worldwide Globalized Network.
The whitepaper validates the ability of the Intelsat EpicNG platform to mitigate attempts by adversaries to intentionally interfere with signals operating on Intelsat’s multi-spot, high-frequency reuse, high-throughput satellites. This is particularly important for U.S. and allied military forces in hostile theaters throughout the globe.
“U.S. DoD (Department of Defense) satellite communication systems are critical for collecting and disseminating video and data that give the military real-time information about a hostile environment,” said Skot Butler, president of Intelsat General. “Our Interference Resolution demonstration showcases the capability of the Intelsat EpicNG system, and its advanced digital payload, to work around efforts to interfere or jam the signals being transmitted via our satellites.”
https://youtu.be/B0rhVk4MYY0
Demonstration. The Interference Resolution demonstration used a remote terminal transmitting video to a hub Earth station over the Intelsat 29e satellite. During the validation process, technicians transmitted an interference signal on the same channel used to transmit the video.
Once the interference was detected, technicians were able to reconfigure the satellite and the remote terminal, thereby re-establishing video transmissions. The reconfigurations:
• terminated the interferer at the satellite, thereby clearing the downlink,
• provided a new, interference-free uplink channel, and
• connected the new video uplink channel to the original, now clear, downlink channel.
Intelsat 29e, launched in January 2016, was the first of Intelsat’s fleet of high-throughput satellites. Five Intelsat EpicNG satellites are now in orbit with one more planned for launch in 2018.
The Pentagon’s Defense Advanced Research Projects Agency, better known as DARPA, has awarded Raytheon multiple contracts to research and develop technologies that will detect and respond to cyber attacks on the U.S. power grid infrastructure.
The contracts, which total $9 million, were awarded under DARPA’s Rapid Attack Detection, Isolation and Characterization Systems program.
“During the last two decades, industrial control systems have evolved so that most are now connected to the Internet, making them vulnerable to cyber attack,” said Jason Redi, vice president for the Raytheon BBN Technologies Networking and Communications unit. “A significant power disruption would have profound economic and human costs in the U.S., so our goals are to prevent attacks and to reduce the time required to restore power after an attack.”
Raytheon BBN will create technologies to enhance situational awareness by providing early warning of an impending attack and detecting adversary spoofing of power grid data collection and communication. These technologies will also maintain situational awareness in the immediate aftermath of an attack.
The company will also examine methods to maintain secure emergency communication networks in the aftermath of an attack. Raytheon BBN’s approach seeks to isolate affected organizations from the internet and establish a secure emergency network to coordinate power restoration without depending on external networks.
Raytheon BBN Technologies is a wholly owned subsidiary of Raytheon Company.
INC 16 will address cutting-edge issues in positioning, navigation and timing. Of global importance, INC 16 will feature the latest developments in topics such as GNSS, indoor positioning, autonomous transport, security against cyber attack, resilience and quantum technology. Booking for the conference is now open.
The conference will include both peer-reviewed and non peer-reviewed tracks, and will cater to academic, industrial and end-user interests. The conference proceedings will be made available online in a digital repository in the weeks following the conference.
The abstract submission process varies depending on whether the paper is for the peer-reviewed or non peer-reviewed track:
Those wishing to submit a non-peer-reviewed paper for the conference should submit an abstract through the “Submit abstract” option on the conference home page, and can submit a paper for publication in the proceedings of any length. Non peer-reviewed submissions are due March 14.
Those wishing to submit a peer-reviewed paper should submit by March 14 a four-page short paper first, using the “submit short paper option” on the website’s home page. Following a selection process by the conference committee, successful authors will be invited to submit a longer paper (up to 10 pages) by June 15 for further peer review.
The Royal Institute of Navigation is launching a new international conference series, tackling some of the biggest issues across the domains of modern navigation: land, sea, air and space.
The RIN is now accepting abstracts for the conference.
The International Navigation Conference 2015, set for February 24-26, 2015, is planned as the first event in a new series of world-class conferences. The first conference will highlight the state of the art in fields such as GNSS and Galileo, indoor positioning, autonomous transport, security and resilience of navigation in the world of cyber attacks, and new quantum technologies. The event will be of special interest to the maritime, aviation, PNT, transport, research and development and security communities.
Speakers, and the topics they will discuss, include:
Privacy In Tracking (smartphones and indoor navigation) – Google
Security and resilience — Dana Goward, president and executive director, U.S. Resilient Navigation and Timing Foundation
Multi-Constellation GNSS — Gian Gherado Calini, GSA
Multi-Sensor Integration — Professor Dorota Grejner-Brzezinska, The Ohio State University
Quantum Technologies — Sir Peter Knight, professor of Quantum Optics and Senior Research Investigator, Imperial College London
Emerging Trends and Current Challenges — Colin Beatty FRIN, CBiL
Autonomy in transport — BAE, ASTREA
Legal Aspects of Navigation — Professor Frans von der Dunk, Institute of Space Law, Leiden University