Tag: critical infrastructure

  • Thales awarded GSA grant for GIANO Galileo receiver

    Photo: Canetti / iStock / Getty Images Plus

    News from the European GNSS Agency (GSA)

    Thales Alenia Space has been awarded a grant under the European GNSS Agency’s (GSA) Fundamental Elements funding mechanism for the development of the GIANO (Galileo-based TIming Receiver for CriticAl INfrastructure Robustness) receiver, which aims to make critical infrastructure more robust against interference, jamming and spoofing.

    In an increasingly complex GNSS environment in which there is both unintentional and deliberate disruption of satellite signals, the GSA is funding the development of a timing receiver for professional applications to address the needs of the critical infrastructure user community, mainly energy generation and distribution, telecommunications and financial operators.

    Improved resilience

    The GIANO receiver will leverage Galileo and EGNOS-driven innovation to improve the resilience of the receiver against interference, jamming and spoofing and increase the accuracy and reliability of the time transfer service. The timing platform prototype to be developed and validated will integrate all the latest innovative technologies, including professional products from Thales Alenia Space, paving the way for future Galileo-based timing receivers that offer improved resilience and accuracy at a reasonable cost.

    “Critical infrastructure operators use GNSS for timing and synchronisation and are an important target segment for GSA Market Development because Galileo can make a difference. By funding the development of the GIANO receiver, the GSA aims to provide technological solutions to this community for robust and reliable timing,” said GSA head of market development Fiammetta Diani.

    Toward this goal, outreach activities have been conducted among potential final users in the main commercial target groups to collect and analyse their needs. Then, following the definition and consolidation of stakeholders’ needs and the platform specifications, the project conducted a preliminary design review at the end of November 2019.

    Europe-wide cooperation

    The two-year project, funded under a GSA grant related to the Development of a Galileo-based timing receiver for critical infrastructures (GSA/GRANT/05/2017), will be coordinated by Thales Alenia Space in Italy, in collaboration with four European partners: Business Integration Partners S.p.A (BIP, Italy), PIKTime Systems (Poland), Space Research Centre of the Polish Academy of Science (SRC PAS, Poland) and DEIMOS (Portugal).

    The project will also benefit from the support of the European Commission’s in-house science service – the Joint Research Centre (JRC) and the Italian National Metrology Institute (INRIM), which will make available its test facilities for verification activities on the developed equipment.

  • The story of GIS at DHS: An alphabet soup of progress

    Read the first part of this series: The story of GIS at DHS: From Manhattan to Katrina.

    The Geospatial Management Office (GMO) is the designated coordinator of geospatial activities throughout the core of the Department of Homeland Security headquarters and its component agencies.

    Part I described how and why the GMO was formed and some of the early activities when resources were limited and expectations were low. Following the devastation along the Gulf States from Hurricane Katrina, the efforts to coordinate and empower the GMO gained focus and energy.

    Image: USDHS

    Needed: Better coordination

    The magnitude of devastation caused by Hurricane Katrina, the uneven response and the inability of all levels of government to act in a unified manner prominently showed the gaping hole in the nation’s geospatial coordination mechanisms. The irony in this lack of coordinated government action, and the blame placed on President Bush’s administration, was that the lack of a geographic framework had been identified as a vulnerability since the late 1800s following the Civil War and never fully addressed.

    A patchwork of Executive Orders and other stop-gap actions was in place, but action was needed by the Legislative Branch to finally address this, and, as is too often the case, it took a major disaster to cut through the politics and make this happen, resulting in the Geospatial Data Act. For a more in-depth analysis of the Geospatial Data Act, read the November 2018 Geospatial Solutions article “Geospatial Data Act Will Bring Huge Changes to America and the World.”

    Hurricane Katrina had a sobering influence on federal agencies, providing renewed focus to find new ways to share information, and communicate openly and effectively using a common standard and language.

    Dan Cotter, director of the GMO from 2005 through 2007, understood this challenge. Following his predecessor, Ryan Cast (the first director of the GMO), Cotter furthered the relationship with the Federal Geographic Data Committee (FGDC), establishing a Homeland Security Working Group with several sub-groups to advance DHS’s mission. Heavy lifting began on the symbol standards, data model and the U.S. National Grid (USNG).

    This collaborative effort was furthered when the GMO secured funding for the first agency-wide enterprise license agreement (ELA) with Esri for GIS applications, training and services. The ELA reduced the cost and administrative difficulties surrounding procurement of GIS software. This dramatically increased the number of GIS practitioners seeking to partner with DHS, FEMA and the GMO.

    Cotter was tapped to be the DHS chief technological officer in March 2007, passing leadership to Jeff Booth, who advanced the portfolio and led significant efforts to optimize the geospatial toolset of DHS while migrating it into the federal data-center environment.

    Establishing a culture of trust does not come easy in bureaucracies, and this was no different for DHS. Being a relatively new agency, agility and eagerness were key traits, especially with a very fast-paced and high-stakes environment. People would volunteer to take on requested tasks, but that blurred the lines of responsibility.

    The launch of GeoCONOPS

    The HSE GeoCONOPS is a strategic roadmap to understand and improve the coordination of geospatial activities across the entire spectrum of the Nation. Updated on July 22, 2019. (Graphic: GeoPlatform.gov)

    The FGDC and other working groups helped make introductions for the DHS GMO, which furthered the need to clarify each department’s role in the bigger geospatial picture. Defining these various operational roles and responsibilities led to the creation of the Geospatial Concept of Operations, or GeoCONOPS.

    GeoCONOPS was a multi-year initiative, and is a playbook for a range of disaster-related events. Though initially limited to the disaster response and FEMA’s mission, GeoCONOPS was a structured community effort to clarify the types and timing of critical geospatial data and analysis needed in a disaster and continues to grow to address other DHS mission areas.

    GeoCONOPS was initially published annually as a book, but changes were made too often and it is now only maintained as a website. GeoCONOPS describes the use of geospatial technology in the five mission areas of DHS:

    • Prevent
    • Protect
    • Mitigate
    • Respond
    • Recover

    It also contains a curated inventory of geospatial resources available to the homeland security enterprise. The final version of the book (v.6, 2015) is available for download. Though often seen as a product, it is likely that the process behind the GeoCONOPS development was of equal or more value as it helped to define the lanes and build much-needed trust among the federal geospatial actors.

    Cover of HSE GeoCONOPS resource book, v.4. (Image: Geoplatform.gov)

    Through this effective collaboration model, the GMO benefitted from other significant advances elsewhere in the agency and the broader geospatial community. The development of the Homeland Security Information Network (HSIN) delivered value as a portal for the exchange of information and geospatial products on a common operating network among DHS member partners. If there is a major event taking place, such as political conventions, the Super Bowl, or the Boston Marathon, HSIN is sure to be part of the event’s command and control.

    Its value was further proven by leveraging HSIN’s user-authentication capability, providing a trusted access-control mechanism for HSIN and other web-hosted geospatial capabilities. These access controls greatly reduced the deployment burden on the Geospatial Information Infrastructure (GII), which is an on-premises version of Esri’s ArcGIS Online suite.

    The GII allows for trusted partners to gain access to hosted data, create working groups, and develop and share maps and geospatial applications. The GII also provides access to customized Common Operational Picture (COP) applications providing geospatial situational awareness for a number of operational partners.

    These COPs are a result of their own evolutionary pathway, leveraging technology developed by and for the National Geospatial-Intelligence Agency (Palenterra) and through a first-generation viewer called the Infrastructure Critical Asset Viewer (iCAV). Now, with the tools in the GII, highly customized COPs and dashboards are developed for specific events and incidents and shared on an as-needed basis with the full range of stakeholders.

    Where NGA and DHS intersect

    DHS’s development of a national geospatial dataset put NGA and DHS on intersecting paths. The National Geospatial-Intelligence Agency (NGA) only focused on foreign threats and supporting the warfighter, but after the attacks of September 11, 2001, homeland defense was added to its mission.

    NGA’s proven success internationally allowed it to quickly focus on acquiring and developing the best available sources of data. This conventional mission for NGA led to the formation of a new stakeholder group; hence, the creation of the Homeland Foundation Level Data (HIFLD) committee, which developed the first national dataset designed for homeland security and critical infrastructure protection, the Homeland Security Infrastructure Program (HSIP).

    Having been initiated in the intelligence community, HSIP’s distribution was strictly limited, which inhibited its adoption across the mission space. To broaden its use, plans were developed to migrate all or much of the program to DHS and to shift the burden of restriction from the need-to-justify sharing to the need-to-justify restricting. With this new emphasis on sharing and openness, HSIP evolved to the current HIFLD Open and HIFLD Secure versions.

    The GMO solidified its mission and purpose with the elements of community, transparency, security, technology and data falling into place. Through the leadership of the former GMO directors, the foundation they laid established the GMO as a respected and strong advocate throughout the agency and its partners, from local governments up to the federal level, becoming known as the Homeland Security Enterprise (HSE).

    The HSE established a very real link extending from the on-scene first responder to the White House. By the time David Alexander, Ph.D., passed the baton to David Lilley in 2016, the GMO could deliver on its promises and was ready to expand outward. Lilley focused on realigning efforts to match DHS’s policy supporting National Special Security Events (NSSE) and community outreach through its network of 78 fusion centers.

    Shortly after Lilley departed DHS, Hurricane Harvey’s torrential downpours and historic deluge began. Acting Director Michael Donnelly agreed to an innovative HIFLD solution to support FEMA operations to help mitigate the flood of data and requests that typically accompanies events of this magnitude.

    Hurricane Harvey was Donnelly’s initiation. After this and subsequent storms, Donnelly focused on steadily maturing the GMO through deliberate outreach efforts and strengthening partnerships, building on outreach to regional fusion centers and non-traditional mission areas such as cybersecurity.

    While not typically an operational player, the DHS Geospatial Management Office has become a trusted partner to those on the front lines, providing expertise, data, insights and architecture. The GMO is a foundational resource for operators, elevating their capabilities as a force multiplier.

    While we can only hope against another cataclysmic natural disaster or major attack, when one does occur, the nation’s geospatial community is better prepared to respond to and recover from whatever comes.

    As the saying goes, the better one strives to become, the greater become one’s enemies; so, as threats continue to evolve, our investments in geospatial technologies and critical infrastructure will pay dividends now and in the future, helping to secure America’s safety here and abroad.

    Remember, next time you are watching a large, national level sports game or a big storm approaching, know that others are watching, too. Behind the scenes another game is being played — one with much higher stakes. The players, you’ll not see, and the names, you’ll never know, but safety is their mission and GIS one of their primary tools.

    Nate Smith — co-author and main contributor because of his work with the GMO — gave the following presentation to GeoDC, Washington, D.C.’s, geospatial community of interest on GeoCONOPS.

    Epilogue

    An inspiration for this article was to recognize the DHS GMO and its partners for their growth and utility as demonstrated during Hurricane Harvey, on the assumption that it was not otherwise acknowledged by the community. Well, awkwardly, in between this two-part drama, recognition did come from the Federal Geographic Data Committee in the form of the 2018 Doug D. Nebert National Spatial Data Infrastructure (NSDI) Champion of the Year Award.

    Here is a great podcast by NGA’s Geointeresting about the aftermath of Hurricane Katrina.


    Nate Smith has worked at the confluence of geospatial information and disaster management in both the domestic (U.S.) and international domains since 1992. He has been an innovator and pioneer in this discipline through his work supporting USAID’s Office of Foreign Disaster Assistance, FEMA’s GIS Solutions Branch and the DHS Geospatial Management Office.

    He refined his knowledge of requirements through work as an emergency first responder and international humanitarian, and has shared his knowledge and experience through courses delivered at a number of Universities. His background includes deployments to disaster locations around the world in support of operations and coordination efforts for events ranging from insect infestation to conflicts.

    He is currently an independent consultant affiliated with the Florida International University Extreme Events Institute and FIU’s Academy for International Disaster Preparedness. He earned a BA in Geography from UMBC and a Masters in Urban and Regional Planning from Virginia Tech.


    Credits

    DHS Geospatial Management Office

    GeoCONOPS Manual (version 5, PDF)

    National Geospatial Intelligence Agency

    Department of Homeland Security

    The GeoCONOPS Operations spaceship graphic

  • Prepare today for timing disruptions tomorrow

    When a Pennsylvania county’s 911 system suddenly went down without warning, garbled messages across the network impacted fire and police agencies’ ability to respond to emergency messages. The issue was traced to a firmware malfunction on communications equipment, related to provision of GPS timing. The firmware had not been updated for 19-1/2 years. Why should it have been? Everything was working fine — until it didn’t.

    Test lab set-up. Photo: Orolia

    In addition to increased jamming and spoofing threats, GPS has a “week rollover event” set to happen in April 2019. If the GPS receivers found at the heart of many critical systems do not handle this properly, any number of failures can occur.

    Without GPS timing, everything slows down, has less capacity and becomes more dangerous.

    This Thursday, a complimentary webinar outlines test plans for GNSS equipment used in critical timing applications, discusses the need for assured access to accurate timing across financial institutions, industrial automation, telecommunications, transportation, the power grid and elsewhere — and defines just what “assured” access means and how crucial the “assured” part is — and finally reviews some recent mishaps and near-disasters caused by interrupted or inaccurate timing.

    Speaking on the 1-hour webinar are Lisa Perdue, product manager and applications engineer, Orolia; Stefania Römisch, leader, the Atomic Standards Group at the National Institute of Standards and Technology; and Dana Goward, president, Resilient Navigation and Timing Foundation.

    Following each speaker’s 12- to 15-minute slide presentation, a live Q&A period with the audience will explore particular issues and concerns.

    The webinar, taking place 1 p.m. ET Nov. 15, is sponsored by Orolia. Register here (free).

  • Roll over, Eindhoven. And tell tectonics to move.

    A free lesson for those in charge of critical infrastructure systems such as the power grid, communications, financial markets, emergency services, and industrial control.

    Many of these systems have functioned smoothly and efficiently for years, thanks to the precise timing provided by GPS receivers. That could change, suddenly and without warning, if predictive and preventative steps are not taken.

    The GPS receivers somewhere near the hearts of these critical systems, if not thoroughly vetted, tested and checked for up-to-dateness, could constitute a vulnerability — a vulnerability that would be catastrophically exposed on April 6, 2019. In 6 months’ time.

    Image: Orolia

    The GPS constellation transmits the proper date and time to all receivers, worldwide, by supplying the current week and the current number of seconds into the week. This enables the receiver to translate the date and time into a more typical format: day, month, year, and time of day. Infrastructure systems use the precise timing to synchronize many complex operations across their respective networks. Critically, the field that contains the week number is a 10-bit binary number. This limits the range of the week number to 0 – 1023, or 1024 total weeks.

    GPS week zero started January 6, 1980. The 1,024-week counter ran out and rolled over on August 21, 1999. The week counter then reset to zero, and it has been counting up again ever since. The next time the counter will reach week 1,023 and roll over to zero is on April 6, 2019.

    If the GPS receiver is new or has received firmware updates, it can accommodate and adjust for this change. But do you know for sure? Only if you test. Otherwise, your critical systems may go into a time warp, 19.7 years out of date. Visualize that discrepancy rippling outward from the core component of a critical timing system throughout your infrastructure. Or, simply not working at all.
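    The week-number ambiguity described above, worked through as an added example (not code from the article or from any receiver vendor). The function names, the fixed-era "legacy" decoder and the build-date pivot used by the "updated" decoder are assumptions chosen for illustration; times are GPS time and the GPS-UTC leap-second offset is ignored.

```python
from datetime import datetime, timedelta

# GPS time is used throughout; the GPS-UTC leap-second offset is ignored.
GPS_EPOCH = datetime(1980, 1, 6)   # start of GPS week 0
WEEKS_PER_ERA = 1024               # 10-bit week field holds 0..1023
ONE_WEEK = timedelta(weeks=1)


def full_week_of(when):
    """Unambiguous count of whole weeks since the GPS epoch."""
    return (when - GPS_EPOCH) // ONE_WEEK


def broadcast(when):
    """What the constellation sends at GPS time `when`:
    (10-bit week number, seconds into that week)."""
    week = full_week_of(when)
    seconds = int((when - GPS_EPOCH - week * ONE_WEEK).total_seconds())
    return week % WEEKS_PER_ERA, seconds


def decode_fixed_era(week10, seconds, era):
    """Hypothetical legacy firmware: the 1024-week era is a constant
    chosen when the code was written (era 1 = Aug 1999 to Apr 2019)."""
    week = era * WEEKS_PER_ERA + week10
    return GPS_EPOCH + week * ONE_WEEK + timedelta(seconds=seconds)


def decode_with_pivot(week10, seconds, not_before):
    """Hypothetical updated firmware: choose the first week at or after
    `not_before` (for example the firmware build date) that matches the
    10-bit value. Correct for 1024 weeks after the pivot, then it wraps
    too, so the pivot has to move forward with each firmware update."""
    pivot_week = full_week_of(not_before)
    week = pivot_week - (pivot_week % WEEKS_PER_ERA) + week10
    if week < pivot_week:
        week += WEEKS_PER_ERA
    return GPS_EPOCH + week * ONE_WEEK + timedelta(seconds=seconds)


def rollover_error(decoder, true_time):
    """Simulator-style check: feed the decoder what would be broadcast
    at `true_time` and return (decoded time - true time)."""
    week10, seconds = broadcast(true_time)
    return decoder(week10, seconds) - true_time


def legacy(week10, seconds):
    # Era hard-coded to the one that began in August 1999.
    return decode_fixed_era(week10, seconds, era=1)


def updated(week10, seconds):
    # Constructed build date; any date inside the current era works.
    return decode_with_pivot(week10, seconds, not_before=datetime(2015, 1, 1))


if __name__ == "__main__":
    # Constructed test instants on either side of the wrap at the end
    # of April 6, 2019.
    for t in (datetime(2019, 4, 6, 23, 59, 59), datetime(2019, 4, 7, 0, 0, 1)):
        week10, _ = broadcast(t)
        print(t, "week field:", week10,
              "| legacy error:", rollover_error(legacy, t),
              "| updated error:", rollover_error(updated, t))
```

    Before the wrap both decoders agree with the true time; one second after it, the fixed-era decoder reports a date 1,024 weeks in the past while the pivot-based decoder stays correct.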

    It is incumbent upon all managers to verify that such an issue will not occur — well before its possibility arises. At a minimum, experts recommend consulting your receiver manufacturer to confirm that the issue has been fully tested and will not occur. Many manufacturers have already issued compliance statements, and are expected to continue doing so over the next year, up until the event occurs.

    To be sure that your system will not experience any failures related to this issue, it is possible to test for this event using a GPS/GNSS simulator. The requirements for the simulator are straightforward. The basic yet key information necessary to undertake such testing will be communicated in a free webinar on Thursday, November 15.

    The panel of expert speakers includes Lisa Perdue, product manager and applications engineer, Orolia; Stefania Römisch, leader, the Atomic Standards Group at the National Institute of Standards and Technology; and Dana Goward, president, Resilient Navigation and Timing Foundation.

    You may register for this free webinar here, to attend it live or download it for later viewing at your convenience.

    Here is a useful reference from the last time the rollover occurred, with a mention of the next one.

    Photo: Technical University of Eindhoven

    Eindhoven, the Netherlands, is home to the Eindhoven University of Technology, an incubator for technology startups where many scientists active in GPS research and in the direction of the Galileo satellite navigation program have trained.

    Tectonics is the study of plates in the Earth’s crust that move in different directions and speeds. To study plate motion, GPS instruments are anchored firmly in bedrock to measure how it moves, infinitesimally yet measurably, thanks to the nanosecond timing provided by the GPS constellation and interpreted by properly calibrated and updated instruments.

    Roll over, Beethoven.

  • BlueSky GNSS firewall from Microsemi provides secure, continuous timing integrity

    The signals transmitted from GPS and other GNSS constellations can be a threat vector that, if disrupted, could harm key critical infrastructure sectors including telecommunications, energy, transportation, emergency services and data centers.

    The susceptibility of the GPS signal to attack, whether intentional or not, is viewed much like a cybersecurity threat.

    In recent months, there has been a dramatic increase in the number of reported GPS incidents, causing critical infrastructure providers to evaluate the security, reliability and resiliency of their GPS-based PNT dependency.

    The new BlueSky GNSS Firewall from Microsemi Corporation, a wholly owned subsidiary of Microchip Technology Inc., enables critical infrastructure providers to harden the security of their operations from GPS threats and deliver a more reliable and secure service, the company said.

    The security-hardened system provides protection against GPS threats such as jamming, spoofing and complete outage. It also supports a range of precision timing technologies, including atomic clocks, to enable continuous operation when GPS may be completely denied for extended periods.

    In addition, Microsemi is expanding the GNSS portfolio with the introduction of a BlueSky option to its TimePictra software management suite, providing centralized control and visibility of GPS reception across regional, national and global geographic areas.

    “At last year’s ION GNSS+ show we launched the BlueSky GPS Firewall Evaluation Kit to help customers understand GNSS vulnerabilities and how a firewall approach could provide protection,” said Randy Brudzinski, vice president and manager of Microsemi’s Frequency and Timing business unit. “We received valuable feedback from customers as a result of those evaluations and have incorporated new features in our second-generation BlueSky GNSS Firewall. In addition to expanded monitoring and reporting capabilities, this robust, future-proof platform is now equipped with atomic clock technology to provide security-hardened resiliency, including the ability to operate in a GNSS-denied environment for more than 30 days.”

    Microsemi has applied the same principles of a firewall used for network security to defend against GPS threats coming from the sky. Within the new BlueSky GNSS Firewall, the incoming GPS signal is analyzed in real time to detect a wide range of threats before connected GPS receivers and related systems are affected.

    The BlueSky GNSS Firewall incorporates an optional internal rubidium miniature atomic clock (MAC) enabling continuous output of the GPS signal to the downstream GPS receiver in case of complete loss of live-sky GPS reception.

    Alternatively, Microsemi’s cesium clocks, such as the 5071A or TimeCesium 4400/4500, can be connected to the device, enabling UTC traceable time for more than 30 days.

    BlueSky GPS Firewall platform features optional BlueSky software incorporated into its TimePictra management system.

    To ensure the BlueSky GNSS Firewall is equipped to defend against an ever-evolving threat, Microsemi updates and continuously tracks GPS signal manipulation, spoofing threats, jamming attacks, multipath signal interference, atmospheric activity and many other issues which can create GPS signal anomalies, disruptions and outages.

    These updates are available through a BlueSky subscription service. To learn more about Microsemi’s GPS threat protection and security solutions, including videos demonstrating how the product provides secure and resilient protection, visit the website.

  • Homeland Security provides info about 2019 GPS rollover event

    The U.S. Department of Homeland Security (DHS) has released a memorandum about a GPS rollover event coming in April 2019.

    The memorandum, U.S. Owners and Operators Using GPS to Obtain Time, is intended to provide an understanding of the possible effects of the April 6, 2019, GPS Week Number Rollover on Coordinated Universal Time (UTC) derived from GPS devices.

    DHS recommends that critical infrastructure and other owners and operators prepare for the rollover. They should:

    • investigate and understand their possible dependencies on GPS for obtaining UTC;
    • contact the GPS manufacturers of devices they use to obtain UTC;
    • understand the manufacturers’ preparedness for the rollover;
    • understand actions required by CI and other owners and operators to ensure proper operation through the rollover, and
    • ensure that the firmware of such devices is up to date.

    The memorandum is sponsored by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in coordination with the Department of Homeland Security’s Science and Technology Directorate, the Department of Homeland Security’s National Protection and Programs Directorate Office of Infrastructure Protection and the National Coordination Office for Space-Based Positioning, Navigation and Timing.

    GPS World discussed in-depth the previous rollover event in an Innovation column.

  • Spoofing in the Black Sea: What really happened?

    We’ve heard a lot in the news recently about GPS spoofing, mostly centred on the story of ship spoofing in the Black Sea. Between June 22-24, a number of ships in the Black Sea reported anomalies with their GPS-derived position, and found themselves apparently located at an airport.

    What happened is open to educated conjecture. In this column, I’ll briefly cover the history of spoofing, its basic techniques, some spoofing tests that we conducted, and then return to the infamous Black Sea incident.

    As part of my day-to-day work in navigation warfare, I do a fair amount of work in defensive anti-spoofing. Naturally, in order to test anti-spoof technology, it is necessary to also perform spoofing. It’s a delicate subject and, as with any topic involving defense or national security or critical infrastructure, there’s a balance to strike between responsible disclosure, how much information is released into the public domain, and so on.

    In this article, I will stick firmly to information available in the public domain, lest I be accused of proliferating the threat, but this still gives us enough material to tiptoe around the subject for the benefit of our readers. I could have included more details about the spoofing attacks, but was advised to hold some back — it makes governments nervous. You can read some of the background in an excellent article by Norwegian broadcaster NRK and a Resilient Navigation and Timing Foundation press release. Similar GPS anomalies still continue to occur at various locations.

    Let’s start with basic spoofing background, and we’ll return to the Black Sea incident at the end of the article.

    A brief history of spoofing

    Spoofing isn’t a new threat — it’s been around for decades. But only in recent years has it received so much public attention. As with jamming and anti-jamming technology, and most other topics in the GPS domain, spoofing finds its roots back in the days of Cold War radar. In those times, it was often known as “deception jamming,” where you would transmit fake radar returns to paint an incorrect picture on your adversary’s radar screen.

    When GPS came along, it was understood at the time that the C/A code would be vulnerable to spoofing. It’s an open code, so anyone is free to reproduce it. That is, after all, what a GPS simulator is: a GPS spoofer. We legitimately test our GPS receivers by fooling them with fake signals from a GPS simulator.

    Of course, this is precisely why legacy GPS satellites also transmit the military P(Y)-code, and continue to do so. The P-code offers improved accuracy, and some other benefits, but more importantly, it is modulated with the W encryption sequence to give us the encrypted P(Y)-code. Ever since the anti-spoofing module was set to the “on” state, unless you have the key, you are unable to directly spoof the P(Y)-code. (You can still perform a meaconing attack, though, where you simply record the transmitted satellite signals and retransmit them again. Although this kind of attack can’t be used to impose a particular scenario on a GPS receiver, it might still cause havoc in unwary receivers).

    So, in the early days it can be argued that the spoofing threat was solved. It wasn’t until GPS became ubiquitous in the commercial and civilian domain that spoofing really raised its head again. The fact that the vast majority of GPS receivers in the world relied solely on the unencrypted C/A code became a cause for concern — especially where those GPS receivers were essential to critical infrastructure.

    The threat of GPS spoofing was discussed at many conferences and behind many closed doors and, although most people agreed that spoofing was a theoretical threat, some people argued that in reality it was “simply too hard” to conduct a realistic spoofing attack. And therefore we should not worry ourselves about it.

    It wasn’t until a couple of high-profile demonstrations were carried out by the University of Texas Radionavigation Laboratory that spoofing became front-page news once again. In 2012, the lab staff carried out an exercise at White Sands Missile Range where a GPS-guided drone was spoofed from a distance. The drone was fooled into thinking its altitude was increasing, causing it to compensate by dropping straight down. Then in 2013, the same team demonstrated how an $80 million yacht could be steered off course by means of a spoofing attack.

    These exercises publicly demonstrated that spoofing was indeed a real threat, and could be done. But many people still believed that it was very hard to build the complex equipment necessary to perform the attack, and thus spoofing was out of reach for most potential criminals or terrorists.

    Fast forward another two or three years, to when a new mobile phone game appeared. Pokemon GO became the game craze of the moment, where players would travel around the country with their phones, getting points by collecting creatures in an augmented reality world. It didn’t take long for people to dream up new ways of earning points in the game, without having to go to the effort of traveling around the world.

    What if you could make your phone think it was somewhere else, without ever having to leave your bedroom? And thus, bizarrely, it was a mobile phone game that brought GPS spoofing into the mainstream.

    The rise of the low-cost software-defined radio (SDR) has enabled “spoofing for everyone.” Today, the tool of choice for the casual user is often the HackRF or bladeRF. Couple small SDRs that cost around $200 with open-source GPS simulation software, and you have a basic spoofer. Plenty of websites detail how to perform basic spoofing, and at hacker gatherings, people can present how they spoofed a drone. These may not be the most sophisticated setups, but they’re good enough to do the job in many cases. With a better setup, which I won’t describe here, it’s possible to achieve a much more realistic attack, which will fool even the most shrewd and wary GPS receivers.

    Spoofing basics

    Let’s take a quick look at what it means to spoof GPS. A receiver searches for a satellite over a two-dimensional surface to find a correlation peak, and it must examine a range of Doppler frequencies and code offsets. An example is shown in Figure 1. Once the receiver finds the peak, the satellite is acquired, and it will then track the satellite as it moves and can demodulate the navigation data message.

    When a spoofer comes along, it tries to recreate this peak. If it does so, usually with little more power than the real satellites, the receiver will begin to track the spoofed signal. Once the spoofed signal is being tracked, the spoofer can begin to manipulate reality by slowly modifying the properties of the signal.

    Figure 1. GPS correlation surface. (Image: Michael Jones)

    A poor spoofer doesn’t always align itself very well with reality, which essentially creates a second peak on the correlation surface. But a gullible receiver can still be fooled by this, and may lock on to false peaks.
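
The second-peak effect described above can be checked for on the receiver side. The following is an added example, not code from the original article or from any receiver vendor: it builds the GPS C/A code for PRN 1, correlates a constructed block of samples against it along the code-delay axis only, and raises an alarm when more than one correlation peak clears the threshold. One sample per chip, zero Doppler, integer chip delays, the amplitudes, the noise level and the 0.5 threshold are all assumptions chosen for illustration.

```python
import random
from operator import mul

N = 1023  # chips in one C/A code period


def ca_code(g2_taps=(2, 6)):
    """One C/A code period as +1/-1 chips. G2 taps (2, 6) select PRN 1."""
    g1, g2 = [1] * 10, [1] * 10
    chips = []
    for _ in range(N):
        g2_out = g2[g2_taps[0] - 1] ^ g2[g2_taps[1] - 1]
        chips.append(1 - 2 * (g1[9] ^ g2_out))  # bit 0 -> +1, bit 1 -> -1
        fb1 = g1[2] ^ g1[9]                      # G1: 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # G2 polynomial
        g1, g2 = [fb1] + g1[:9], [fb2] + g2[:9]
    return chips


def delayed(code, delay):
    """Circularly delay the code by an integer number of chips."""
    return code[-delay:] + code[:-delay]


def make_epoch(code, signals, noise_sigma=1.0, seed=1):
    """Constructed input: sum of (amplitude, delay) replicas plus Gaussian noise."""
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, noise_sigma) for _ in range(N)]
    for amp, delay in signals:
        for i, chip in enumerate(delayed(code, delay)):
            rx[i] += amp * chip
    return rx


def correlate(rx, code):
    """Normalised circular correlation magnitude at every code offset."""
    doubled = rx + rx
    return [abs(sum(map(mul, doubled[k:k + N], code))) / N for k in range(N)]


def peaks_above(corr, threshold=0.5, guard=2):
    """Offsets above threshold, strongest first, more than `guard` chips apart."""
    found = []
    for k in sorted(range(N), key=corr.__getitem__, reverse=True):
        if corr[k] < threshold:
            break
        if all(min((k - p) % N, (p - k) % N) > guard for p in found):
            found.append(k)
    return found


def multipeak_alarm(rx, code, threshold=0.5):
    """Flag an epoch whose correlation function shows more than one peak."""
    peaks = peaks_above(correlate(rx, code), threshold)
    return {"peaks": peaks, "alarm": len(peaks) > 1}
```

A receiver that simply tracks the strongest peak would follow offset 230 in the two-signal case; the alarm is what tells it that a second, weaker peak is still present.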

    The reality of spoofing and anti-spoofing

    To understand the reality of spoofing and anti-spoofing, we carried out outdoor experiments at one of the Roke Manor trials areas (thanks go to my colleague Mike Wells for letting me use some of his results here).

    In the first experiment (Figure 2), we spoof a commercially available mass-market receiver. The receiver is outside, reporting its correct location at Roke Manor. When we commence the spoofing attack, we are able to take control of the receiver. Once captured, we can then make the receiver appear to follow an arbitrary course. Here we make it wander off into the forest, spelling the word “roke” as it goes.

    Figure 2. Spoofed GPS receiver appears to follow a course, whilst in reality being stationary. (Image: Michael Jones)

    In the next experiment (Figure 3), we place a conventional anti-jam antenna (a CRPA) on the receiver. What we observe, as you might expect, is that the basic CRPA offers no protection against the spoofing attack.

    Figure 3. A GPS receiver is still successfully spoofed when protected by a conventional CRPA. (Image: Michael Jones)

    Now let’s make the experiment more interesting. We’ll move away from the basic commercial receiver, and replace it with a unit that contains not only a GPS receiver, but also a 3-axis accelerometer, 3-axis gyro, 3-axis magnetometer and a barometric sensor. An Extended Kalman Filter (EKF) performs an optimal fusion of the various sensors to yield the position solution.

    The result, when we again try our spoofing attack, is shown in Figure 4. In short, the receiver is still successfully spoofed, despite the additional sensor inputs it offers.

    Figure 4. A GPS receiver with integrated inertial sensors is still spoofed. (Image: Michael Jones)

    Before everyone gets too depressed by the ease with which GNSS, and even GNSS fused with other sensors, can be spoofed, there are answers to this problem. Some decent, modern GNSS receivers contain a whole host of algorithms for detecting and ignoring spoof signals. The issue is that many legacy receivers are still in the field, and these can be extremely vulnerable indeed.

    Another option is to use a more advanced CRPA, which offers anti-spoof capabilities. These adaptive antennas are able to correlate on the spoof signals, and then remove them based on direction of arrival. So, in our final experiment here, we use our commercial mass-market receiver again, and protect it with an anti-spoofing CRPA.

    The result is shown in Figure 5. You can see that the receiver is briefly spoofed, and starts to wander off course. When the anti-spoof is enabled and kicks in, the position quickly drifts back to the true location and stays there. Good job.

    Figure 5. With an anti-spoof CRPA, the GPS receiver detects the spoofer and quickly returns to its true location. (Image: Michael Jones)

    Back to the Black Sea

    Let’s finish by returning to the hot topic of the day. Did spoofing occur in the Black Sea back in June? Or was it a different form of interference? Could it have been a low-level jamming incident, causing the GPS receivers to report misleading information?

    Without resorting to SIGINT (signals intelligence) data, and basing this discussion solely on public domain information and anecdotal evidence, I would say this was almost certainly a spoofing incident. A number of factors lead to this conclusion, and I’ll share some of them.

    • Firstly, it didn’t happen to one ship – it happened to over 20 separate vessels. So it wasn’t a malfunctioning GPS unit; it was an external incident of some kind.
    • Secondly, a large number of ships in the area reported identical or very close locations. This is a symptom of a large-scale spoofing attack. If it was a low-level jamming attack, then any misleading positions reported by vessels would typically have some randomness to them.
    • Thirdly, ships reported that their positions would periodically “jump” from the true location to the incorrect location. Again, this is very typical behavior in some spoofing experiments: For various reasons, GPS receivers may temporarily lose lock on a spoof set of satellites, and then reacquire the real ones, and vice versa. This causes the characteristic random flipping between two well-defined locations.
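
The three indicators above can be turned into a screening pass over vessel position reports. The following is an added example, not part of the original column: the report format, the vessel names, every coordinate in the sample, the 50-knot speed limit and the 0.5 km matching radius are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample reports: time, vessel, latitude, longitude.
REPORTS = """\
2017-06-22T07:00:00,ALFA,44.2333,37.7183
2017-06-22T07:05:00,ALFA,44.2400,37.7300
2017-06-22T07:10:00,ALFA,44.5800,38.0100
2017-06-22T07:15:00,ALFA,44.2530,37.7520
2017-06-22T07:20:00,ALFA,44.5801,38.0102
2017-06-22T07:00:00,BRAVO,44.1000,37.5000
2017-06-22T07:05:00,BRAVO,44.1050,37.5100
2017-06-22T07:10:00,BRAVO,44.5799,38.0099
2017-06-22T07:00:00,CHARLIE,44.3000,37.9000
2017-06-22T07:05:00,CHARLIE,44.3040,37.9090
2017-06-22T07:10:00,CHARLIE,44.3080,37.9180
"""


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse(text):
    """Group reports by vessel and sort each track by time."""
    tracks = defaultdict(list)
    for line in text.strip().splitlines():
        ts, vessel, lat, lon = line.split(",")
        tracks[vessel].append((datetime.fromisoformat(ts), (float(lat), float(lon))))
    for fixes in tracks.values():
        fixes.sort()
    return tracks


def jump_destinations(fixes, max_knots=50.0):
    """Positions reached by a move faster than the vessel could have sailed."""
    out = []
    for (t0, p0), (t1, p1) in zip(fixes, fixes[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        if hours > 0 and haversine_km(p0, p1) / hours > max_knots * 1.852:
            out.append(p1)
    return out


def analyse(text, radius_km=0.5):
    jumps = {v: jump_destinations(f) for v, f in parse(text).items()}
    jumps = {v: d for v, d in jumps.items() if d}
    # Different vessels jumping to (nearly) the same spot.
    shared = {v for v, dests in jumps.items() for w, others in jumps.items()
              if v != w and any(haversine_km(p, q) <= radius_km
                                for p in dests for q in others)}
    # One vessel landing on the same jump destination more than once.
    flipping = {v for v, d in jumps.items()
                if any(haversine_km(d[i], d[j]) <= radius_km
                       for i in range(len(d)) for j in range(i + 1, len(d)))}
    return {"jumps": {v: len(d) for v, d in jumps.items()},
            "shared": sorted(shared), "flipping": sorted(flipping)}
```

A single malfunctioning unit would show up in `jumps` alone; vessels listed under `shared` or `flipping` match the second and third indicators.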

    If we accept that a GPS spoofing attack did occur, it brings us to the million-dollar question.

    Who did the spoofing, and why?

    What I’ll do here is a bit of a lightweight analysis exercise using public information and basic physics, and you can formulate your own conclusions.

    Let’s start by placing a ship, located in the Black Sea at 44°14.0’N 037°43.1’E, which is the actual position of one of the reported spoofed vessels. For this example, I have placed a representative GPS antenna on the ship’s mast, with its antenna pattern shown.

    Figure 6. Victim ship in the Black Sea, with GPS antenna pattern shown. (Image: Michael Jones)

    To get a rough handle on the scenario, consider the possible propagation of the spoofing signal. As a first-order approximation, let’s assume a standard 4/3 Earth refraction model, with obstruction by terrain. That’s a reasonable assumption at this frequency: Any obscuration by terrain will block the spoof signal. Let’s also initially assume that our GPS antenna on the ship is mounted 38 meters above sea level, and our spoofing equipment is mounted on a mast 20 meters above ground. From this information, we can plot a map of possible spoofer locations for this particular incident (Figure 7).

    Figure 7. Possible spoofing source locations. (Image: Michael Jones)

    The first thing we might conclude from this is that the spoofing indeed originates from Russian territory, close to the Black Sea coast. To spoof the ship from further afield would require a much higher antenna, or even an airborne antenna. Which, of course, is possible, but then we would also expect vessels over a much wider area to report interference.
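
The line-of-sight reasoning above can be reproduced with the standard radio-horizon formula. The following is an added example, not the author's propagation model: it assumes smooth earth with no terrain, treats both antenna heights as heights above sea level, and uses a mean Earth radius of 6,371 km with the 4/3 refraction factor named in the text.

```python
import math

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius (assumption of this example)
K_FACTOR = 4.0 / 3.0           # 4/3 Earth refraction model, as in the text


def horizon_km(height_m, k=K_FACTOR):
    """Distance to the radio horizon over smooth earth for one antenna."""
    return math.sqrt(2.0 * k * EARTH_RADIUS_M * height_m) / 1000.0


def max_los_range_km(h_rx_m, h_tx_m, k=K_FACTOR):
    """Longest path on which two antennas still see each other."""
    return horizon_km(h_rx_m, k) + horizon_km(h_tx_m, k)


def min_tx_height_m(range_km, h_rx_m, k=K_FACTOR):
    """Lowest transmitter height that keeps line of sight at range_km."""
    beyond = range_km - horizon_km(h_rx_m, k)
    if beyond <= 0:
        return 0.0  # the receiver's own horizon already covers this range
    return (beyond * 1000.0) ** 2 / (2.0 * k * EARTH_RADIUS_M)


def height_table(h_rx_m, ranges_km):
    """(range in km, required transmitter height in whole metres) pairs."""
    return [(r, round(min_tx_height_m(r, h_rx_m))) for r in ranges_km]
```

With the ship antenna at 38 m and the transmitter at 20 m, the smooth-earth limit is just under 44 km; reaching a ship 200 km away would need the transmitter at roughly 1.8 km, which is why a distant source implies an airborne antenna.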

    To me, it’s fairly conclusive that spoof GPS signals are being transmitted from this area, to make GPS receivers in the area think they are at an airport. The final question is: “Why would someone do this?” To answer this question, we must resort to educated speculation. Why would you want to spoof GPS receivers into thinking they are at an airport?

    There’s one explanation that fits very nicely: drone defense. Many drones, especially those operated by casual users, have geofencing rules that prevent flights over airports and other restricted areas. So, if you were trying to perform aerial surveillance of the Russian border, your drone may suddenly think it was over an airport, and take action accordingly. The action taken depends, of course, on how the drone is programmed, but often includes “land immediately” or “return to launch point.” Certainly some of the drones we operate will immediately attempt to land if they find themselves in restricted airspace.

    So if your drones are falling into the sea, you now have one idea why.

  • PNT Roundup: Telecoms cite GNSS vulnerabilities

    In a technical report titled GPS Vulnerability released Sept. 15, the Alliance for Telecommunications Industry Standards (ATIS) renewed its call for an eLoran system to support telecom and other critical infrastructure in the United States.

    As part of its “Recommendations to Assure Time for Telecom” the report says:

    “An eLoran system (or equivalent) should be developed and implemented in the U.S. to provide a near-term alternative to GPS for the telecom system and other critical infrastructure. The physical and cyber security of eLoran transmission stations should be a consideration in their operation.”

    ATIS termed its report “a major resource to help better understand and address a formidable telecommunications industry challenge: the vulnerabilities in the Global Positioning System (GPS).”

    Requirements for precise time delivery have driven the industry toward the increased use of GPS and GPS-dependent technologies, it says. Yet this dependency has left the industry vulnerable to disruptions and manipulations of the GPS signal.

    GPS Vulnerability (ATIS-0900005) provides insight into the sources of the most common problems with GPS and their impacts. The report also covers several mature proposed solutions that would satisfy telecommunications sector timing requirements.

    “GPS disruptions have economic, financial and service impacts to carrier network operators, suppliers, cellular services as well as adjacent industries and government agencies that depend on a functioning wireless communications sector,” said ATIS President and CEO Susan Miller. “We believe that our report on this topic will contribute to solutions to help secure the delivery of time — a function critical to many sectors in our economy.”

    Known vulnerabilities in delivering GPS time to a system include environmental phenomena, malicious interference and spoofing, incidental interference, adjacent band interference, poor antenna installations and rare but present GPS segment errors.

    GPS Vulnerability discusses techniques to address these vulnerabilities as well as alternatives to GPS timing, with the goal of mitigating GPS vulnerabilities for the timing receivers used in the critical infrastructure.

    Alternatives covered in the report include Navigational Message Authentication on modernized GPS civil signals, atomic clock time holdover, sync over fiber, eLoran, WWVB, terrestrial beacons and more.


    Putin shows taste for spoofing

    For several days in June, more than 20 ships reported problems with GPS reception in the Black Sea (see Expert Opinion column, August GPS World). Experts concluded the problems were probably the result of a spoofing attack in the area.

    Norwegian journalist Henrik Lied of NRKbeta compared this with accounts of similar episodes near the Kremlin complex in Moscow, where tourists have reported their smartphones showing them at an airport outside the city.

    Lied interviewed University of Texas professor Todd Humphreys about his theory that this is an effort to keep drones from flying in the area: “Several of us [researchers in GNSS] have concluded the Kremlin spoofing was likely trying to trigger UAV geo-fencing, which prevents UAVs from flying near airports,” Humphreys said.

    A Moscow correspondent for the Norwegian Broadcasting Company reports that these GPS problems only tend to occur when President Vladimir Putin is in town.

    Several of the ships spoofed in the Black Sea were sailing in the vicinity of the Russian premier’s Black Sea vacation home. Putin was actually in the area when the incidents occurred. This may indicate that Russian authorities are spoofing wherever the Russian president is located.

    Humphreys said, “It’s long been assumed that Russia, China and other nations (including the U.S.) have the technology to carry out a spoofing attack. What’s surprising is Russia’s willingness to use it openly and somewhat indiscriminately. It does fit nicely into what has been called Russian disinformation technology.”

  • Esri and Idaho National Laboratory sign cyber security CRADA

    Organizations work together to fight cyber attacks with innovations to visualize threats.

    Esri and the U.S. Department of Energy’s Idaho National Laboratory (INL) have entered into a cooperative research and development agreement (CRADA) to collaboratively research and create prototype concepts with a specific focus on location intelligence solutions for the protection of critical infrastructure and critical missions.

    The work will also estimate the impacts on critical infrastructure caused by exploited cyber vulnerabilities and targeted attacks.

    Esri provides geospatial analysis and visualization capabilities across infrastructure industries like water, electric, oil and transportation, as well as in support of federal, state and local governments charged with the mission of protecting those industries.

    These capabilities, combined with INL’s knowledge and capabilities for securing these systems from physical and cybersecurity threats, make this cooperative research and development effort truly unique in addressing crucial gaps in cyber/physical analysis and situational awareness technologies.

    INL is the nation’s leading center for nuclear energy research and development, working in energy, national security, science, and the environment. Esri and INL have worked together for more than three years.

    “We are looking forward to working closely with INL in this capacity,” said Brian Biesecker, technical director, Esri intelligence community. “As the government continues to embrace new technologies, CRADAs provide a great way for private and public partnerships to continue moving our country forward.”

  • Rockwell Collins and QinetiQ join on next-generation GNSS receivers

    Rockwell Collins and QinetiQ have signed a global alliance agreement to collaborate on the development of next-generation, multi-constellation open-service and secure GNSS receivers.

    The effort will support the mission needs of military, government and critical national infrastructure.

    The family of receivers being developed will provide military, government and professional users the flexibility of selecting relevant GNSS capability to meet operational, geographical or budgetary needs and provide GNSS accuracy and timing.

    This will improve safety, increase mission effectiveness and reduce operational costs for ground troops, vehicles and high-dynamics GNSS-guided weapons, Rockwell Collins said.

    Rockwell Collins is a major contractor for secure military GPS receivers and QinetiQ is an expert in the field of open-service solutions with access to critical satellite navigation system technologies that enable the development of multi-constellation solutions.

    “This alliance agreement with QinetiQ is a great opportunity to bring together our strengths,” said Colin Mahoney, senior vice president of international and service solutions for Rockwell Collins. “Working together, our customers will experience unprecedented levels of availability, accuracy and assurance of positioning, navigation and timing for conducting their missions.”

    “As we move into the era of multi-constellation satellite receivers, this market-leading agreement and the investments of both companies sends a clear message to our customers and shareholders that QinetiQ and Rockwell Collins are taking every step necessary to stay at the forefront of GNSS technical development and product delivery,” said Steve Wadey, CEO of QinetiQ. “The development will be centered in Europe, led from the U.K., supporting the global market.”

  • Homeland Security spells out receiver improvements

    In early January, a new U.S. Department of Homeland Security (DHS) document appeared: “Improving the Operation and Development of Global Positioning System (GPS) Equipment Used by Critical Infrastructure.”

    The document focuses on receivers used in critical infrastructure, with an emphasis on timing receivers. It provides owners, operators, researchers, designers and manufacturers with information to improve the security and resilience of PNT equipment across the spectrum of equipment development, deployment and use.

    Specifically, its recommendations address:

    • installation and operation strategies that can be implemented for current equipment,
    • strategies that can result in more robust and resilient new and/or improved products based on existing technology and knowledge,
    • research and development that can lead to improved future capabilities.

    It introduces clear definitions of different categories of threats and hazards, including the new term “data spoofing.” It recommends some creative ways to install receive antennas, such as using decoy antennas and obscuring the location of the actual antennas being used, presumably to foil some spoofing attacks. It also points out that modern GNSS receivers are computers, and need to be operated and maintained with good cyber hygiene, just like other computers.

    The extensive list of recommended development strategies will challenge manufacturers while informing purchasers about the features they can seek in new equipment.

    Implementing these recommendations will lead to increased competence — that is, equipment that is better able to accommodate imperfect or faulty inputs, intentional or not.

    The document reflects the recognition that many reported problems or difficulties with GPS could be prevented or mitigated by improvements in GPS user equipment and how it is installed and operated. It is encouraging to see DHS taking steps to remedy this situation, and important that manufacturers of timing receivers, as well as critical infrastructure owners and operators that use timing receivers, follow through on these recommendations.

    The document is posted on the website for DHS’ National Cybersecurity & Communications Integration Center, National Coordinating Center for Communications-Computer Emergency Readiness Team.

  • Feedback sought on federal GPS backup plan

    The U.S. Department of Transportation is seeking feedback on the potential use by the federal government of one or more positioning, navigation and timing (PNT) technologies to back up GPS signals and ensure resiliency of PNT for critical infrastructure (CI).

    A Federal Register notice was published Nov. 30, with a deadline for comments of Jan. 30, 2017.

    The Transportation Department also said it is interested in “leveraging PNT service technology initiatives under consideration or currently undertaken by industry.”

    “The federal government is presently documenting civil requirements for PNT capabilities to serve as the basis for potential future acquisition activity. The initial objective is to support sustainment of domestic CI timing continuity with the capability to extend service(s) in the future to provide positioning/navigation continuity as well.”

    The “Presidential Policy Directive on Critical Infrastructure Security and Resilience” (PPD-21; Feb. 12, 2013) designates 16 CI sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems. To support the initial objective, CI sectors need access to timing information for both nationwide applications and, in some cases, for more stringent regional and local applications.

    For more information, see the notice.