  • GNSS Lies, GNSS Truth

    Photo: Mark L. Psiaki, Brady W. O’Hanlon, Steven P. Powell, Jahshan A. Bhatti, Todd E. Humphreys, and Andrew Schofield

    Spoofing Detection with Two-Antenna Differential Carrier Phase

    By Mark L. Psiaki, Brady W. O’Hanlon, Steven P. Powell, Jahshan A. Bhatti, Todd E. Humphreys, and Andrew Schofield

    A new method detects spoofing attacks that are resistant to standard RAIM techniques and can sense an attack in a fraction of a second without external aiding. The signal-in-space properties used to detect spoofing are the relationships of the signal arrival directions to the vector that points from one antenna to the other. A real-time implementation succeeded against live-signal spoofing attacks aboard a superyacht, the White Rose of Drachs shown above, cruising in international waters.

    Read more about “Red Team, White Team, Blue Team” below.

    Concerns about spoofing of open-service GNSS signals inspired early work on simple receiver-autonomous integrity monitoring (RAIM) methods based on the consistency of the navigation solution. Work on new classes of defense techniques began in earnest after the demonstration of a powerful spoofer that is undetectable by simple pseudorange-based RAIM methods. There has been a sense of urgency to solve the spoofing problem since the Iranians captured a classified U.S. drone in 2011 and made unsubstantiated claims to have spoofed its GPS. Two dramatic field demonstrations of the spoofer developed by author Humphreys and colleagues at the University of Texas, Austin, heightened interest in spoofing detection: one involved deception of a small airborne unmanned autonomous vehicle (UAV), causing it to dive towards the ground; another sent a superyacht off course without raising any alarms on its bridge.

    One class of spoofing detection methods uses encrypted signals, their known relationships to the open-service signals, and after-the-fact availability of encryption information. Such techniques require a high-bandwidth communication link between the potential victim of a spoofing attack and a trusted source of after-the-fact encryption information, and may involve significant latency between attack and detection.

    Another class of methods uses advanced RAIM-type techniques. Instead of considering only pseudorange consistency, these RAIM techniques examine additional signal characteristics such as absolute power levels, distortion of the PRN code correlation function along the early/late axis, the possible existence of multiple distinct correlation peaks in signal-acquisition-type calculations, and other signal or receiver characteristics. Such methods are relatively simple to implement because they do not require much additional hardware, if any, but some of these strategies can have trouble distinguishing between multipath and spoofing or between jamming and spoofing.

    A third class proposes the addition of Navigation Message Authentication bits. These are encrypted parts of the low-rate navigation data message. Such techniques require modification of the navigation data message and can allow long latencies between the onset of a spoofing attack and its detection. 

    A fourth class exploits the differing signal-in-space geometry of spoofed signals in comparison to true GNSS signals. All spoofed signals typically arrive from the same direction, but true signals arrive from a multiplicity of directions. Some of these methods use receiver antenna motion to achieve direction-of-arrival sensitivity. Others use an array of two or more receiver antennas. 

    The most powerful of these detection strategies exploit models of the effects on carrier-phase data of antenna motion or antenna-array geometry. This knowledge may be partial because an unknown antenna-array attitude may need to be determined as part of the detection calculation. Their power derives from the high degree of accuracy with which a typical GNSS receiver can measure beat carrier phase.

    Goals. This research follows on moving-antenna/carrier-phase-based spoofing detection work. One of our goals has been to remove the necessity for moving parts by using two antennas and processing their carrier-phase data. 

    A second goal has been to achieve real-time operation. An earlier prototype moving-antenna system (see “GNSS Spoofing Detection,” GPS World, June 2013) used post-processing and completed its spoofing detection calculations days or weeks after the recording of wide-band RF data during live-signal attacks. 

    A third goal has been to test this system against actual live-signal spoofing attacks to prove its real-time capabilities and evaluate its performance during the two phases of an attack: the initial signal capture and the post-capture drag-off to erroneous position and timing fixes.

    Two-Antenna System Architecture

    The system consists of two GNSS patch antennas, GPS receiver hardware and software, and spoofing detection signal-processing hardware and software. Figure 1 shows two versions. The left-hand version connects its two patch antennas to an RF switch. The single analog RF output of the switch is input to a GNSS receiver that is standard in all respects, except for two features. First, it controls the RF switch or, at least, has access to the switching times. Second, it employs a specialized phase-locked loop (PLL) that can track the beat carrier phase of a given signal through the phase jumps that occur at the switching times. The right-hand version connects each antenna to an independent GPS receiver, likely connected to a common reference oscillator.

    Figure 1. Two configurations: the RF-switched-signal/single-receiver configuration (left) and the two-receiver configuration (right).

    The last element of each system is a spoofing detection signal-processing unit. Its inputs are the single-differenced beat carrier phases of all tracked signals, with differences taken between the two antennas. In the switched antenna system, each difference is deduced by the specialized PLL. In the two-receiver system, the single-differences are calculated explicitly from each receiver’s beat carrier-phase observables.

    Except for the final spoofing detection unit, the two-receiver system on the right-hand side of Figure 1 is already available commercially. Typical applications are CDGPS-based attitude/heading determination. Thus, this is the easiest version to implement.

    This system could include more than two antennas. A multi-antenna system could have a dedicated RF front-end and a dedicated set of receiver channels for each antenna, as on the right of Figure 1. Alternatively, a multi-antenna system could include an RF switch between any one of the multiple antennas at the command of the receiver. The latter design would entail a slight modification to the specialized PLL to track multiple independent phase jumps for the independent antenna switches.

    Principles. The principles used to detect spoofing can be understood by considering and comparing the signal-in-space and antenna geometries shown in Figure 2, the two-antenna system and three GNSS satellites for a typical non-spoofed case, and Figure 3, a spoofed case. The salient difference is that the different GNSS signals arrive from different directions for the non-spoofed case, namely rs and rs-2 . They all arrive from the same direction, the direction of the spoofer rs-sp, for the spoofed case. For detection purposes, the important geometric feature is the projection of each direction of arrival onto the known separation vector between the two antennas, bBA. This projection has a direct effect on the beat carrier-phase difference between the two antennas. In the non-spoofed case, this effect will vary between the different received signals in ways consistent with the attitude of the vector. In the spoofed case, all of these carrier-phase differences will be identical. The spoofing detection algorithm decides between two hypotheses about the carrier-phase differences, one conjecturing a diversity consistent with authentic signals and the other conjecturing the sameness that is characteristic of spoofed signals.

    Figure 2. Geometry of two-antenna spoofing detection system and GNSS satellites for non-spoofed case.
    Figure 3. Spoofed-case geometry of two-antenna spoofing detection system and GNSS spoofer.

    Hypothesis Test

    The PDF paper on which this article is based presents the non-spoofed and spoofed signal models that form the basis of a hypothesis test, develops optimal estimation algorithms that fit the observed differential beat carrier phases to the two models, and shows how these estimates and their associated fit error costs can be used to develop a sensible spoofing detection hypothesis test.
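A simplified sketch of the two-model fit behind this hypothesis test, added here as an illustration; it is not the authors' algorithm or code. It assumes a level baseline (so only the heading is unknown), no phase bias between the two receivers, and constructed satellite angles, noise values and threshold.

```python
import math

WAVELENGTH_M = 0.190294  # GPS L1 carrier wavelength
BASELINE_M = 0.14        # antenna spacing quoted in the article
SIGMA_CYC = 0.01         # assumed phase-noise std dev in cycles (constructed)
GAMMA_TH = 0.0           # placeholder threshold, not the authors' tuned value

# Constructed sky: PRN -> (azimuth_deg, elevation_deg). The PRN numbers are the
# seven listed in the article; the angles are invented for this example.
SKY = {16: (30, 75), 18: (80, 40), 21: (140, 25), 22: (200, 55),
       27: (250, 15), 29: (300, 35), 31: (350, 20)}
# Constructed, fixed measurement noise in cycles so the run is repeatable.
NOISE = {16: 0.004, 18: -0.008, 21: 0.011, 22: -0.003,
         27: 0.007, 29: -0.012, 31: 0.002}


def wrap(cycles):
    """Fractional part of a phase in cycles, mapped to [-0.5, 0.5]."""
    return cycles - round(cycles)


def projection(az_deg, el_deg, heading_deg):
    """Single-differenced phase (cycles) for a signal arriving from (az, el),
    projected onto a level baseline pointing along heading_deg."""
    return ((BASELINE_M / WAVELENGTH_M) * math.cos(math.radians(el_deg))
            * math.cos(math.radians(az_deg - heading_deg)))


def cost(residuals):
    """Gaussian negative-log-likelihood cost of wrapped residuals."""
    return sum(r * r for r in residuals) / (2.0 * SIGMA_CYC ** 2)


def fit_spoofed(phases):
    """Spoofed model: one common fractional phase for every signal."""
    s = sum(math.sin(2 * math.pi * p) for p in phases.values())
    c = sum(math.cos(2 * math.pi * p) for p in phases.values())
    common = math.atan2(s, c) / (2 * math.pi)  # circular mean of the phases
    return cost(wrap(p - common) for p in phases.values())


def fit_authentic(phases, sky, step_deg=0.1):
    """Non-spoofed model: grid-search the baseline heading that best explains
    the per-satellite phase diversity. Returns (cost, heading_deg)."""
    best = (math.inf, None)
    for i in range(round(360 / step_deg)):
        heading = i * step_deg
        j = cost(wrap(phases[prn] - projection(az, el, heading))
                 for prn, (az, el) in sky.items() if prn in phases)
        if j < best[0]:
            best = (j, heading)
    return best


def detect(phases, sky=SKY, gamma_th=GAMMA_TH):
    """gamma = spoofed-fit cost minus non-spoofed-fit cost; alert if below threshold."""
    j_spoofed = fit_spoofed(phases)
    j_authentic, heading = fit_authentic(phases, sky)
    gamma = j_spoofed - j_authentic
    return {"gamma": gamma, "spoofed": gamma < gamma_th, "heading_deg": heading}


def simulate(heading_deg, spoofer=None):
    """Build fractional single-differenced phases. With spoofer=(az, el) every
    signal arrives from that one direction; otherwise from its own satellite."""
    phases = {}
    for prn, (az, el) in SKY.items():
        src_az, src_el = spoofer if spoofer else (az, el)
        phases[prn] = wrap(projection(src_az, src_el, heading_deg) + NOISE[prn])
    return phases


if __name__ == "__main__":
    # Constructed scenarios: true heading 40 deg, spoofer at azimuth 90, elevation 5.
    for label, spoofer in (("authentic", None), ("spoofed", (90, 5))):
        r = detect(simulate(40.0, spoofer))
        print(f"{label:9s} gamma={r['gamma']:9.1f} alert={r['spoofed']}")
```

Because both fits assume the signals are either all authentic or all spoofed, this sketch shares the limitation the article reports for attacks that spoof only a subset of satellites.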

    Offline and Live-Signal Testing

    We tested a prototype version of the two-antenna system as depicted on the right-hand side of Figure 1. The antennas connect to two independent RF front-ends that run off of the same reference oscillator. These RF front-ends provide input to two independent receivers that track each signal using a delay-lock loop (DLL) and a PLL. Figures 4 and 5 show system elements: two GPS patch antennas mounted on a single ground plane with a spacing of 0.14 meters, two RF front-ends — universal software radio peripherals (USRPs) — with a common ovenized crystal oscillator. Digital signal-processing functions are implemented in real-time software radio receivers (SWRX) running in parallel on a Linux laptop, written in C++. Spoofing detection calculations are performed on the same laptop using algorithms encoded in Matlab.

    Figure 4. The two antennas of the prototype spoofing detection system mounted on a common ground plane.
    Figure 5. Signal processing hardware of the prototype spoofing detection system.

    A key feature of this architecture is the ability of its real-time software radios’ C++ code to call the spoofing detector’s Matlab tic function and to pass carrier-phase and other relevant data to the tic function. This feature served to shorten the implementation and test cycle for the prototype system by eliminating the need to translate the original Matlab versions of the spoofing detection algorithms into C++. This enabled rapid re-tuning and redesign of the spoofing detection calculations, exploited during the course of live-signal testing.

    The Matlab package displays real-time signal authentication information. Figure 6 shows the version of the display used for this study’s culminating live-signal tests. All displays are updated in real time. The upper left, upper right, and lower left plots scroll along their horizontal time axes to keep the most recent 4.5 minutes of data available. The lower right compass updates each time a new spoofing detection calculation is performed. The green dots in the upper left plot indicate that the time between spoofing detections, Δtspf, is nominally 1 second, though sometimes the gap is longer due to lack of a sufficient number of validated single-differenced carrier phases to carry out the calculation. Thus, the nominal update time for all of the plots in this display is 1 second. Faster updates are possible with the Matlab software, but Δtspf was deemed sufficiently fast for this study’s experiments.

    The most important panel in Figure 6 is the upper left spoofing detection statistic time history. The magenta plus signs on the plot show the spoofing detection threshold chosen for this case, γth. The computed γ values are plotted as green o’s if they lie above γth and as red asterisks if they lie below. If γ is above γth, the message “GPS Signals Authenticated” is displayed on the plot; if below, the message switches to the spoofing alert: “GPS SPOOFING ATTACK DETECTED!” 

    Figure 6. Spoofing detector real-time display. Clockwise from top left: the spoofing detection statistic time history γ(t); four diagnostic time histories that include time histories of the number of satellites used for spoofing detection L(t) (blue asterisks), their corresponding GDOP(t) values (magenta o’s), the time increment between spoofing detection tests Δtspf(t) (green dots), and the compass heading ψ(t) as determined from the two-antenna non-spoofed-case solution (black dots); Compass display; and time history of GPS PRN number availability.

    The other three panels proved helpful in diagnosing system performance. A low L value (near 4) or a high GDOP value in the upper right panel indicated poorer reliability of the spoofing detection calculations. A correct compass heading in the absence of spoofing provided a check on the system. During spoofing attacks, the compass heading became jumpy, thereby providing another possible indicator of inauthentic signals.

    The vertical scale of the lower left panel lists the possible GPS PRN numbers. The presence of a green or red dot at the level corresponding to a given PRN number indicates that one or both receivers is seeing something from that satellite at the corresponding time. If the dot is red, then the returned data are incomplete or are deemed to be insufficiently validated for use in the spoofing detection calculation. If the dot is green, then the data from that PRN have been used in the detection that has been carried out at that time.

    Another feature of the prototype spoofing detection system is its ability to record the wide-band RF data from its two antennas. For each spoofing scenario, the raw samples from both USRPs were recorded while the real-time software receiver was performing its signal-processing operations and while the real-time spoofing detector was doing its calculations. These recorded data streams will allow off-line analysis and testing of a re-tuned or completely redesigned spoofing detection system.

    Red Team Receiver/Spoofer. The UT Austin spoofer’s attack strategy overlays the spoofed signal on top of the true signals, ramps up the power to capture the receiver tracking loops, and finally drags the pseudorange, beat carrier phase, and carrier Doppler shift off from their true values to spoofed values. Figure 7 shows the pseudorange part of a spoofing attack: cross-correlation of the receiver’s PRN code replica with the total received signal (blue solid curve); the receiver’s early, prompt, and late correlations (red dots); and the spoofer signal (black dash-dotted curve). In the top plot, the spoofer has zero power, and the receiver sees only the true signal. The second and third plots show the spoofer ramping up its power while maintaining its false signal in alignment with the true signal. The spoofer power in the middle/third plot is sufficient to capture control of the three red dots of the receiver’s DLL. In the fourth and fifth plots, the spoofer initiates and continues a pseudorange drag-off, an intentional falsification of the pseudorange as measured by the victim receiver’s DLL.

    Figure 7. Receiver/spoofer attack sequence as viewed from a channel’s code offset cross-correlation function. Spoofer signal: black dash-dotted curve; sum of spoofer and true signals: blue solid curve; receiver early, prompt, and late correlation points: red dots.

    The spoofer performs drag-off simultaneously on all spoofed channels in a vector spoofing attack that maintains consistency of all spoofed pseudoranges. After the initiation of drag-off, the victim receiver computes a wrong position, a wrong true time, or both, but the residual pseudorange errors in its navigation solution remain small. Therefore, this type of attack is not detectable by traditional pseudorange-based RAIM calculations.

    The receiver spoofer hardware consists of a GNSS reception antenna, the receiver spoofer signal-processing unit, and the spoofer transmission antenna (Figure 8). 

    Figure 8a. Receiver/spoofer hardware: GPS reception antenna on ship’s rear upper deck.
    Figure 8b. Receiver/spoofer hardware: directional transmission antenna pointed at the ship’s GPS antenna and the detector antenna pair near the defended ship’s antenna. The orientation of the spoofing transmission antenna, combined with its remote location from the receiver/spoofer’s reception antenna, ensured that the spoofer did not self-spoof.
    Figure 8c. Receiver/spoofer hardware: spoofer electronics, located amidships.

    The receiver/spoofer requires tuning of its transmission power levels. If the power is too high, its spoofing attacks will be too obvious. A very high transmitted power could also saturate the front-end electronics of the intended victim, causing it to jam the system rather than spoof it. If transmitted power is too low, it will not capture the victim’s tracking loops, and its spoofing attack will fail. The proper power level depends on the gain patterns of the spoofer transmission antenna and the victim receiver antenna and on their relative geometry.

    Attack Test Scenarios. Three sets of tests were conducted to develop and evaluate the spoofing detection system. The first tests started by recording wideband RF GPS L1 data using USRPs. These data were post-processed in two software receivers that recorded the outputs of their signal tracking loops. Afterwards, the Matlab spoofing detection calculations were run using the recorded tracking loop data as inputs. These preliminary tests at Cornell and Austin proved the efficacy of the spoofing detection algorithms. They did not, however, test system performance during the transition from non-spoofed to spoofed signals that takes place at the initiation of a spoofing attack.

    The second set of tests was carried out using the first real-time version of the system, after the Matlab spoofing detection calculations were repackaged into a tic function and linked to the C++ real-time software receivers. This set of tests also was unable to probe the system’s performance at the onset of a spoofing attack, before the signal drag-off.

    The final set of tests was conducted aboard the White Rose of Drachs in the Mediterranean’s international waters. 

    The power adjustment tests on June 27 needed a means to decide whether a given attack had captured the tracking loops of the ship’s GPS receiver. The strategy for confirming capture was to perform a noticeable drag-off after the initial attack. We settled on a vertical drag-off as providing the most obvious indication of a successful capture. Successful attacks dragged the receiver’s reported altitude as high as 5,000 meters.

    The tests that evaluated spoofer and spoofing detector antenna placements relative to the ship’s GPS antenna were also important to achieving sensible results. Various placements were tried. The most successful relative geometry is depicted in Figure 8.

    The placement of the detector antennas relative to the defended antenna is atypical of likely real-world detection scenarios. It is expected that a real-world spoofing detector will be integral with the defended GNSS receiver.

    The culminating live-signal attack involved a 50-minute spoofing scenario in which the attacker took the ship — apparently — from the Adriatic to the coast off of Libya. The scenario’s long distance and short duration required a mid-course speed in excess of 900 knots. This spoofing scenario was designed in the simplest possible way, by taking a straight-line course in WGS-84 Cartesian coordinates from the true location to the spoofed location off of Libya. This course took the spoofed yacht position across the Italian and Sicilian land masses and below the Earth’s surface to a maximum depth of more than 23 kilometers.

    Obviously, the White Rose was physically unable to execute this maneuver. Its crew would not have needed spoofing detection to realize that its GPS receiver was returning false readings. The main points of this last test were to dramatize the potential errors that can be caused by a spoofer and to check whether the spoofing detector could continue to function under these drastic conditions.

    Figure 9 highlights this unusual scenario with two displays from the ship’s bridge, photographed during the attack. The GPS display shows the speed, 621 kn (knots), and the altitude, 7376 m. The chart display shows the yacht on (or rather, below) dry land and halfway across the “insole” of Italy’s boot. It also shows a tremendously long velocity vector, extending beyond the chart.

    Figure 9a. The ship’s bridge GPS receiver display and its GPS-driven chart (Figure 9b) at two separate times during the Libya spoofing scenario.
    Figure 9b. The ship’s bridge GPS receiver display (Figure 9a) and its GPS-driven chart at two separate times during the Libya spoofing scenario.

    Spoofing Detection Test Results

    Various signal output time histories (Figure 10) illustrate the attack sequence and suggest means to evaluate the spoofing detection system. The upper panel plots the fractional portions of the two-antenna spoofing detector’s single-differenced beat carrier-phase time histories, $\Delta\phi_{BA}^{1}, \ldots, \Delta\phi_{BA}^{L}$, for the L = 7 tracked PRN numbers 16, 18, 21, 22, 27, 29, and 31. The middle panel plots the amplitude time history of the 100 Hz prompt [I;Q] accumulation vector for PRN 16, as received at Antenna A of the detection system. The bottom panel plots the PRN 16 carrier Doppler shift time history.

    Figure 10. Indicators of initial capture and drag-off during Libya spoofing attack, as measured by the spoofing detection receiver.

    This was a strong attack in which the spoofer power was 10.7 dB higher than the power of the real signal for PRN 16. The other spoofed signals had power advantages over their corresponding true signals that ranged from 3.3 dB to 13.6 dB, and the spoofer’s mean power advantage was 10.4 dB. Therefore, the onset of the spoofing attack at 196.1 sec is clearly indicated by the sudden jump in $(I^2+Q^2)^{0.5}$ on the middle panel. The upper panel shows a corresponding sudden coalescing of the single-differenced beat carrier phases, which implies that the spoofing detection algorithm should have been able to detect this attack.

    The spoofer drag-off started at 321.5 sec, as evidenced by the sudden change in the slope of the carrier Doppler shift time history on the lower panel. The period after the initial attack and before the drag-off is delimited by the vertical magenta and cyan dash-dotted lines. During this interval the spoofer waited to capture the receiver’s tracking loops.

    The single-differenced phase time histories in the upper plot appear somewhat noisier during the interim pre-drag-off period of the attack than after the start of the drag-off at 321.5 sec. The grey dotted curve for PRN 27 is an exception because it becomes noisy again starting at about 450 sec due to decreased signal power. The increased noisiness of the differential phase time histories during the interim period is probably the result of interference between the true and spoofed signals, which are likely beating slowly against each other. The response of the spoofing detection algorithm during this phase is uncertain because this multipath-like beating between the two signals is not modeled.

    Figure 11 demonstrates performance of the spoofing detection algorithm for the Libya attack scenario. The upper panel of the figure is a repeat of the upper panel of the single-differenced beat carrier-phase time histories from Figure 10, except that they are plotted for a longer duration. The lower panel shows the γ(t) spoofing detection statistic time history. It plots the same information that appeared in the upper left panel of Figure 6 during the corresponding real-time detection tests. At 196 sec γ(t) is clearly above the blue dash-dotted spoofing detection threshold γth. At 196.4 sec it is clearly below γth, which indicates a spoofing detection. It remains below γth for the duration of the attack. In this reprocessed version of the detection calculations, γ(t) has been updated at 5 Hz. Therefore, the earliest possible detection point would have been 196.2 sec, which is 0.1 sec after the onset of the attack. This point corresponds to the green dot in the lower panel of Figure 11 that lies slightly above the blue dash-dotted γth line. Theoretically, the system might have detected the attack at this time, but the finite bandwidth of the two receivers’ PLLs caused lags in the transitions of the single-differenced phases in the top plot, which led to the 0.3 sec lag in the detection of the attack. It is encouraging, however, that the spoofing detector worked well during the initial pre-drag-off phase of the attack, from 196.1 to 321.5 sec, despite the added noisiness of the single-differenced carrier phases in the top plot, likely caused by beating between the true and spoofed signals.

    Figure 11. Single-differenced carrier-phase time histories (top plot) and corresponding spoofing detection statistic time history (bottom plot) for Libya spoofing attack scenario.

    Figure 12 plots the same quantities as in Figure 11, but for a different spoofing attack, a little less overt than the Libya attack. The power advantage of the spoofer ranged from 3.0 to 14.0 dB for the different channels, with a mean power advantage of 9.2 dB. It was detected by the system, as evidenced by the convergence of the single-differenced carrier phases at the onset of the attack at 397.5 sec. The spoofing detection statistic in the bottom panel dives near to the γth detection threshold at the onset of the attack and sometimes passes below it, but it does not stay permanently below the threshold until after the time of drag-off, after 531 sec.

    Figure 12. Single-differenced carrier phase time histories (top plot) and spoofing detection statistic time history (bottom plot) for a spoofing attack with a slightly lower power advantage than the Libya attack.

    The large oscillations of the single-differenced carrier phases during the pre-drag-off initial capture interval from 397.5 to 531 seconds are likely due to beating between the true and spoofed signals. The largest variations occur for PRNs 12 and 31, which are the ones with the lowest spoofer power advantages, 3.2 and 3.0 dB, respectively. Apparently these oscillations cause γ(t) sometimes to take on values slightly above γth during the interval 397.5 sec < t < 531 sec. Thus, the spoofing detector can experience problems in the initial phases of an attack.

    Note that the spoofer failed to capture the tracking loops of the ship’s GPS receiver. This is surprising, given the average spoofer power advantage of 9.2 dB above the true signals. We conjecture that the ship’s GPS antenna had lower gain in the low-elevation direction toward the spoofer transmission antenna than did the detector’s antennas. A lower gain would reduce the spoofer power advantage in the ship’s receiver and could explain why the spoofer failed to deceive it.

    Many additional spoofing attacks were carried out aboard the ship. The spoofing detector proved finicky. It took quite some time to get the spoofing detection two-antenna system positioned in a sensible place relative to the ship’s GPS antenna so as to be sensitive to nearly the same spoofing signals. In addition, the spoofing detector’s GPS receiver tended to lose lock at the initiation of an attack, prior to signal drag-off. This was likely caused by the large power swings of the received signals due to beating of the true signals against the spoofed signals. This problem went away at higher spoofer power levels. When lock was lost, the software receiver would attempt to re-acquire the signal. Often a reacquisition would succeed only after signal drag-off by the spoofer. Typically, the spoofing detector immediately detected the attack once it had reacquired the spoofed signals that were no longer beating against the true signals due to having been dragged sufficiently far away from them, as in Figure 7. Re-analysis of the recorded data indicated that poor PLL tuning may have caused the losses of lock during the initial attacks. Spoofing detection calculations carried out on the reprocessed data have proved more reliable when implemented with a better PLL tuning. 

    Two attacks were carried out with only a subset of the visible GPS satellites being spoofed. The first involved spoofing 7 of 9 visible satellites, and the second test spoofed only 4 of 9. The spoofing detection system had trouble maintaining signal lock during the initial part of the first attack. It subsequently reacquired signals and was able to detect the attack successfully after reacquisition. The first attack also succeeded in capturing the ship receiver’s tracking loops as evidenced by spoofing of the yacht to climb off the sea surface. The second attack, with only four spoofed satellites, was not detected by the prototype system, but it succeeded in deceiving the ship’s GPS receiver about its altitude. This latter result indicates a need to modify the detection calculations to allow for the possibility of partial spoofing. In their current form, they assume that all signals are either spoofed or authentic. Of course, in the partial spoofing case it may also be possible to use traditional pseudorange-based RAIM techniques to detect an attack.

    Possible Future Work Directions

    The tests suggest further work on the following topics, which are discussed in more detail in the PDF paper on which this article is based:

    • Improved detection during pre-drag-off initial phase of attack;
    • Detection when only a subset of signals are spoofed;
    • Advanced RAIM techniques;
    • A real-time prototype of the switched-antenna version;
    • Detection of a spoofer that uses multiple transmission antennas;
    • Reacquisition of true signals to recover from a spoofing attack.

    Conclusions

    A new prototype GNSS spoofing detection system has been developed and tested using live-signal spoofing attacks. The system detects spoofing by using differences in signal direction-of-arrival characteristics between the spoofed and non-spoofed cases as sensed by a pair of GNSS antennas. A spoofing detection statistic has been developed that equals the difference between the optimized values of the negative-log-likelihood cost functions for two data-fitting problems. One problem fits the single-differenced beat carrier phases of multiple received signals to a spoofed model in which the fractional parts of these differences are identical — in the absence of receiver noise — because the spoofed signals all arrive from the same direction. The other problem fits the single-differenced carrier phases to a non-spoofed model. This second optimal data-fitting problem is closely related to CDGPS attitude determination. The simple difference of the two optimized cost functions equals a large positive number if there is no spoofing, but it equals a negative number if the signals are being spoofed. Monte Carlo analysis of the probability distributions of this difference under the spoofed and non-spoofed assumptions indicates that it provides a powerful spoofing detection test with a low probability of false alarm.
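
    The two data-fitting problems and their difference can be tried out on simulated phases. The following is an added sketch, not the authors' code: it replaces their optimizer with a brute-force search over baseline orientation, and the 0.14 m antenna spacing, 0.02-cycle phase noise, satellite geometry, spoofer direction and all function names are assumptions made for the example.

```python
import math
import random

# Assumed values (not from the article): antenna spacing, phase noise, sky geometry.
WAVELENGTH_M = 299_792_458.0 / 1575.42e6   # GPS L1 carrier wavelength, about 0.19 m
BASELINE_CYC = 0.14 / WAVELENGTH_M         # assumed 0.14 m baseline, in carrier cycles
SIGMA_CYC = 0.02                           # assumed 1-sigma phase noise, in cycles


def unit_vector(az_deg, el_deg):
    """East-north-up unit vector for an azimuth/elevation pair in degrees."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def simulate_phases(arrival_dirs, baseline_dir, bias_cyc, rng):
    """Fractional single-differenced carrier phase (cycles) for each tracked signal.

    arrival_dirs holds the direction each signal really arrives from: one per
    satellite when authentic, the same spoofer direction repeated when spoofed.
    """
    return [(-BASELINE_CYC * dot(r, baseline_dir) + bias_cyc
             + rng.gauss(0.0, SIGMA_CYC)) % 1.0 for r in arrival_dirs]


def common_phase_cost(phases):
    """Min over a common offset and integer cycle shifts of sum(resid^2)/(2 sigma^2).

    The best integer shifts always form a cyclic cut of the sorted fractional
    parts, so trying every cut and using the mean as the offset is exact.
    """
    frac = sorted(p % 1.0 for p in phases)
    best = math.inf
    for k in range(len(frac)):
        vals = [f + 1.0 for f in frac[:k]] + frac[k:]
        mean = sum(vals) / len(vals)
        best = min(best, sum((v - mean) ** 2 for v in vals))
    return best / (2.0 * SIGMA_CYC ** 2)


def spoofed_cost(phases):
    """Spoofed model: every fractional phase equals one unknown common value."""
    return common_phase_cost(phases)


def nonspoofed_cost(phases, sat_dirs, step_deg=2):
    """Non-spoofed model: phases follow the ephemeris directions for some unknown
    baseline orientation and common bias. Brute-force search over orientation."""
    best = math.inf
    for el in range(-90, 91, step_deg):
        for az in range(0, 360, step_deg):
            d = unit_vector(az, el)
            resid = [p + BASELINE_CYC * dot(r, d) for p, r in zip(phases, sat_dirs)]
            best = min(best, common_phase_cost(resid))
    return best


def detection_statistic(phases, sat_dirs):
    """Spoofed-model cost minus non-spoofed-model cost."""
    return spoofed_cost(phases) - nonspoofed_cost(phases, sat_dirs)


def run_demo(seed=1):
    rng = random.Random(seed)
    # Constructed sky: seven satellites as (azimuth, elevation) in degrees.
    sky = [(0, 75), (40, 30), (100, 50), (160, 20), (220, 60), (280, 35), (330, 15)]
    sat_dirs = [unit_vector(az, el) for az, el in sky]
    baseline = unit_vector(30, 0)        # constructed true antenna-pair orientation
    spoofer = unit_vector(200, 5)        # constructed single transmitter direction

    authentic = simulate_phases(sat_dirs, baseline, 0.37, rng)
    spoofed = simulate_phases([spoofer] * len(sky), baseline, 0.37, rng)
    return (detection_statistic(authentic, sat_dirs),
            detection_statistic(spoofed, sat_dirs))


if __name__ == "__main__":
    gamma_auth, gamma_spoof = run_demo()
    print(f"authentic signals: statistic = {gamma_auth:+.1f}")
    print(f"spoofed signals:   statistic = {gamma_spoof:+.1f}")
```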

    A real-time version of this system has been implemented using USRPs and real-time software radio receivers, and it has been tested against live-signal spoofing attacks aboard a yacht that was cruising around Italy. Successful detections have been achieved in many spoofing attack scenarios, and detections can occur in as little as 0.4 seconds or less. One scenario spoofed the yacht’s GPS receiver into believing that it had veered off of a northwesterly course towards Venice in the Adriatic to a southwesterly course towards the coast of Libya, and at the incredible speed of 900 knots. The spoofing detector, however, warned the crew on the bridge about the attack before the yacht’s spoofed position was 50 meters away from its true position.

    The live-signal tests revealed some challenges for this spoofing detection strategy. They occur primarily during the initial attack phase, before the spoofer has dragged the victim receiver to a wrong position or timing fix. If the spoofer power is not much larger than that of the true signals, then beating occurs between the spoofed and true signals during this initial period. This beating can cause difficulties for the receiver tracking loops, making single-differenced carrier phase unavailable. Even when single-differenced phase is available, both the spoofed and non-spoofed models of this quantity can be inadequate for purposes of designing a reliable spoofing detection test.

    This article’s new two-antenna spoofing detection system has generated promising real-time results against live-signal spoofing attacks, but further developments are needed to produce a sufficiently reliable detection system for all anticipated attack scenarios. The best defense will likely employ a multi-layered approach that uses the techniques described in this paper along with advanced RAIM techniques that detect additional signal anomalies that are characteristic of spoofing.

    Acknowledgments

    The authors (brief bios given in online version) thank the owner of the White Rose of Drachs for the loan of his vessel to conduct the live-signal GNSS spoofing detection tests reported here. The crew of the White Rose aided and supported this project in many ways.


    Red Team, White Team, Blue Team

    Background

    Before March 2013, members of the UT Radionavigation Lab and the Cornell GPS Lab didn’t know about gold-plated sinks and spiral staircases at sea. They did know something about spoofing navigation systems and detecting spoofer attacks. The UT group had hacked a helicopter drone at White Sands Missile Range in June 2012, coaxing it to dive towards the ground. The Cornell group had developed a prototype system that could reliably detect all UT Austin attacks, but it was clumsy, having an oscillating antenna and requiring hours of post-processing. 

    Andrew Schofield, master of the White Rose of Drachs, attended Todd Humphreys’ 2013 South-by-Southwest conference talk on the drone hack and challenged him to go big — bigger than a 1.3-meter drone helicopter. How about a 65-meter superyacht? The result: a summer 2013 Mediterranean cruise that produced intriguing, provocative results.

    The UT team had implemented a feedback controller for their spoofer, but they were unable to control the spoofed drone in a smooth, reliable manner. The White Rose cruise offered a chance to test a next level of sophistication: a controlled sequence of lies leading the victim on a precise course selected by the spoofer, different from the one intended by the captain.

    The UT team was able to induce inadvertent turns while the ship’s bridge thought it was steering a straight course. They could nudge the yacht onto a wrong course paralleling the desired course. The crew remained unaware of the yacht’s true course because its GPS receiver and GPS-driven charts indicated that she was on her intended route. 

    The Push for Protection

    Andrew Schofield quickly began advocating for a follow-up experiment: a UT Red Team attack against the White Rose GPS and a simultaneous Cornell Blue Team demonstration of real-time spoofing detection. 

    The Cornell Team, however, faced challenges in transitioning from its initial prototype to a more sophisticated system, one that eliminated the moving parts and that operated in real time. Team members thought they could produce the next system, but had never been quite sure they could make good on their boast. 

    Development of a second prototype system began with implementation of a new Cornell detection algorithm in Matlab. The first tests of this algorithm involved UT recording and pre-processing of transmissions in an RF chamber that housed the two antennas of Cornell’s second prototype. Cornell applied its new Matlab algorithm to these data and demonstrated off-line spoofing detection. 

    The remaining hurdle was real-time operation. The original development plan called for translation of the Matlab algorithm to C++ followed by integration with a UT Austin/Cornell real-time software radio. It would be an understatement to say that this was an ambitious task for the two-month window that remained until the White Rose cruise. 

    UT Ph.D. student Jahshan Bhatti steered the team around this hurdle by proposing the direct use of Cornell’s Matlab code in the real-time system. Prior to this, no one had realized that it could be practical to call Matlab from C++ in real time. Mark Psiaki packaged the Matlab spoofing detection software into a single tic function, Jahshan coded the calling C++/Matlab interface, and the team was on track to test spoofing detection in late June 2014.

    Spoofer, Detector Clash at Sea

    The White Rose would sail from southern France on June 26, setting a course around Italy to Venice. The Cornell Blue Team would have three full days in international waters to demonstrate and evaluate their real-time spoofing detection system. A Ph.D. graduate from UT’s Radionavigation Laboratory would operate the Red Team spoofer, aka the Texas Lying Machine.

    In preparation for the voyage, the two teams converged in the White Rose’s home port of Cap-d’Ail. They performed initial shake-down tests of their systems in port. They could not do full live-signal tests in Cap-d’Ail because they were still in French territorial waters. Transmission of live spoofing signals in the GPS L1 band is permitted only in international waters, and only if conducted for scientific purposes.

    The spoofing and detection tests started in earnest on the morning of June 27 off the southern coast of Italy. The White Rose had passed through the Strait of Messina between Italy and Sicily earlier that day. The initial tests were concerned with antenna geometries and spoofer power levels. Later tests concentrated on serious deception of the White Rose regarding its true course and location.

    During the tests, the UT Red team and its spoofer were situated on the White Rose Sun Deck, above and behind the bridge. The Cornell Blue team and its electronics were on the bridge with its two antennas on the roof. A walkie-talkie link between the teams provided coordination of detector operation with spoofing attacks along with feedback about spoofer and detector performance.

    Hijacked to Libya!

    For the final day of tests, Andrew Schofield suggested sending the spoofed White Rose to Libya as she cruised the Adriatic from Montenegro to Venice — a difference of 600 nautical miles. The target trip time of 50 minutes necessitated a peak speed over 900 knots (1,667 kilometers/hour) after factoring the need to limit initial acceleration and final deceleration; if too large, they might cause the victim receiver’s tracking loops to lose lock and, therefore, the spoofed signals.

    The Cornell and UT Austin teams programmed the spoofer for a trip to Libya, and they initiated the attack. The White Rose bridge soon became a scene of excitement. The ship started veering sharply to port, and its velocity vector lengthened until it literally went off the charts. The GPS receiver showed the ship hurrying towards Libya on a collision course with the back of Italy’s boot. The bridge’s GPS receiver displayed speeds that increased through 100 knots, 200 knots, 300 knots — for a yacht with a speed capability of about 15 knots.

    The Cornell detector issued a spoofing alert at the onset of the attack, long before the White Rose veered off course. After a few minutes, the detector’s continued successful operation became boring. Of course, boring success is better than exciting failure.

    The Cornell system had not been as successful during some of the preceding attacks, and the results from the June voyage suggested avenues for improvement. If new live-signal tests become necessary to evaluate planned improvements, the Red and Blue teams stand ready for a future superyacht cruise.

    See http://blogs.cornell.edu/yachtspoof for further details.


    Mark L. Psiaki is a Professor of Mechanical and Aerospace Engineering. He received a B.A. in Physics and M.A. and Ph.D. degrees in Mechanical and Aerospace Engineering from Princeton University. His research interests are in the areas of GNSS technology and applications, spacecraft attitude and orbit determination, and general estimation, filtering, and detection.

    Brady W. O’Hanlon is a graduate student in the School of Electrical and Computer Engineering. He received a B.S. in Electrical and Computer Engineering from Cornell University. His interests are in the areas of GNSS technology and applications, GNSS security, and space weather.

    Steven P. Powell is a Senior Engineer with the GPS and Ionospheric Studies Research Group in the Department of Electrical and Computer Engineering at Cornell University. He has M.S. and B.S. degrees in Electrical Engineering from Cornell University. He has been involved with the design, fabrication, testing, and launch activities of many scientific experiments that have flown on high altitude balloons, sounding rockets, and small satellites. He has designed ground-based and space-based custom GPS receiving systems primarily for scientific applications.

    Jahshan A. Bhatti is pursuing a Ph.D. in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, where he also received his M.S. and B.S. He is a member of the UT Radionavigation Laboratory. His research interests are in the development of small satellites, software-defined radio applications, space weather, and GNSS security and integrity.

    Todd E. Humphreys is an assistant professor in the department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, and Director of the UT Radionavigation Laboratory. He received a B.S. and M.S. in Electrical and Computer Engineering from Utah State University and a Ph.D. in Aerospace Engineering from Cornell University. He specializes in applying optimal estimation and signal processing techniques to problems in radionavigation. His recent focus is on radionavigation robustness and security.

    Andrew Schofield is a career Yacht Captain. After completing his degree in Applied Biology and working in the bio-science industry for a year, he left all that behind in 1991 and found a deck hand’s job on a sailing yacht in the Caribbean. Since then he has worked on various yachts in various locations. He has been Captain of the White Rose of Drachs since launch in June 2004. He is President of the Professional Yachting Association, the large yacht professional body, and focuses on the training and certification of crew. In his time at sea GPS has transformed navigation. He feels that the relevance of the work done to detect GPS spoofing cannot be overstated with regard to the safety of life at sea, and he is delighted to have facilitated the voyage during which spoofing detection was proven.

  • Danger, Will Robinson! Beware the IMES of Japan

    Danger, Will Robinson! Beware the IMES of Japan

    The IMES navigation concept. Credit: IMES

    In May 2011, Dinesh Manandhar and Hideyuki Torimoto of GNSS Technologies, Inc., Japan, penned a very interesting article in GPS World titled Opening Up Indoors: Japan’s Indoor Messaging System, IMES. The opening paragraph of their lengthy article seemingly describes the Holy Grail for the indoor positioning lobby:

    “An indoor messaging system (IMES) has been developed to meet the challenges of indoor and deep indoor positioning, as a system that can be implemented in any device that has a GPS/GNSS receiver without hardware modification. IMES can provide reliable 3D position data with a single transmitter device without performing range calculation[s].”

    They go on to describe the IMES concept thusly:

    “The main concept of IMES is to transmit position and floor ID of the transmitter with the same RF signal as GPS. IMES transmits latitude, longitude, height, and floor ID by replacing the ephemeris and clock data in the navigation message of GPS. A single unit of IMES is enough to get the position data, since the position itself is directly transmitted.”

    Now, you don’t have to be a rocket scientist to start thinking about interference and spoofing issues or risks, especially when you read that the navigation message ephemeris and clock data are being replaced by data broadcast by IMES. To be fair, the authors address these issues briefly:

    “Since IMES shares the same frequency as [the] GPS L1 band (1575.42 MHz), there is an interference level that IMES may have on GPS signals. This interference has been studied in detail by conducting experiments and simulations. Based on these studies and analysis, various methods have been considered to avoid harmful interference to GPS signal. To avoid such interference, IMES center frequency is shifted by +/– 8.2 KHz from GPS L1 band. This will have the least impact on the GPS L1 band signal. For example, if the IMES signal is –110 dBm (very strong) and the GPS signal is –142 dBm (very weak), the loss of GPS signal (C/N0) due to IMES is less than 2 db. If the IMES signal is –120 dBm and the GPS signal is –142 dBm, there is no loss of GPS signal (C/N0). Based on this analysis, the IMES transmitter power must be controlled such that the maximum power to the receiver does not exceed –110 dBm at a distance of 3 meters from the transmitter. [There are] guideline[s] specified in the QZSS IS document for setting the transmitter effective isotropic radiated power (EIRP) based on location.”

    Let’s put these concerns in perspective. I thoroughly enjoyed the article and firmly believe that we desperately need to solve the indoor positioning and navigation problems, especially for our warfighters and first responders. While many of today’s excellent commercial receivers work well indoors near windows and doors, they are absolutely abysmal underground and deep inside large buildings with lots of metal, or in the middle of dense urban canyons such as Tokyo, Japan. Without a doubt, there is a dire need for a system like IMES — or maybe exactly like IMES — but there must be some caveats and stipulations as to how the IMES system is implemented.

    Not Alone

    Fortunately, I am far from being a lone wolf in voicing my concerns and my position, for once again the conspiracy theorists as well as renowned scientists and policy makers are concerned about IMES and the operating systems they supposedly desire to replace or augment. Chief among them is the Father of GPS, Dr. Bradford Parkinson, who has frequently described improperly operated in-band pseudolites as “…just another name for a legal jammer or spoofer.” Having known Brad for almost 40 years, I am convinced few GPS experts in the world today have as much experience with pseudolites as Dr. Parkinson. Consequently, the very reason that an indoor navigation system such as IMES is needed may well be a portent for why it may well fail, unless it is implemented properly.

    It would be easy but extremely tedious to write about the numerous issues facing IMES in a complicated and technical manner. Certainly previous articles have become bogged down in minutia, and I want to avoid that. It is actually very simple. The issues are fairly straightforward and should be faced head on and not hidden in the midst of tech-speak lingo, legal jargon, policy minutia or politics. So let’s dive straight in, shall we, and make sure these issues see the light of day?

    Interference

    There can be no doubt that IMES has the potential to significantly interfere with GPS and QZSS signals. The authors of the IMES article are quite clear concerning the potential for interference, and in their own way attempt to mitigate it with signal power restrictions. Their example of a small three- to four-story building with IMES transmitters may indeed be adequate for signal power mitigations, but what happens in Tokyo where tall buildings — skyscrapers if you will — abound? When the Tokyo Skytree skyscraper opened to the public in 2012, it was then listed as the world’s tallest tower and Japan’s biggest new landmark. At over 2,080 feet tall, this is definitely the type of building where one would need an IMES system. With an average of 20 IMES transmitters per floor and weighing in with over 200 floors, we can quickly see that there would be over 4,000 IMES transmitters in this one building alone, all broadcasting simultaneously on or near the center frequency for GPS. Absent stringent regulations and infinite care (the IMES article authors propose that the pseudolite network operator will have the responsibility to continuously monitor each pseudolite and the pseudolite network to prevent interference), and perhaps even with those caveats in place, the GPS L-band noise floor would be such that GPS signals would be incapable of being received.

    Now, put 20 such buildings in a ten-block area and the noise floor would be almost incalculable and certainly not predictable. Dr. Parkinson’s fears are realized; your legalized IMES system becomes a distributed network of jammers and/or spoofers. However, technically IMES is currently far from being a legal jammer or spoofer as currently IMES transmitters are not legal to operate in the GPS band at 1559-1610 MHz under the International Telecommunications Union (ITU) Treaty per the International Table of Frequency Allocations of the ITU Radio Regulations. The ITU further states that IMES currently operates on an interfering basis with the co-primary allocations (ARNS/RNSS) in this band, and therefore are in violation of the ITU Treaty. However, Japan’s frequency regulatory agency can develop and implement regulations that allow IMES operations. When this occurs, if not operated within stringent guidelines, IMES could then be considered a legalized jammer or spoofer.

    Even the Joint Research Centre of the European Commission, the JRC, states in its Executive Summary on pseudolites that in-band pseudolites pose a significant jamming risk to GNSS receivers. Specifically they state:

    Pseudolites or pseudo-satellites are an emerging technology with the potential of enabling satellite navigation indoors. This technology found several applications that are not limited to indoor navigation. Precise landing, emergency services in difficult environments and precise positioning and machine control are few examples where pseudolite technology can be employed.

    Despite the great potential of this technology, severe interference problems with existing GNSS services can arise. The problem can be particularly severe when considering non-participating receivers — legacy devices not designed for pseudolite signals. The design of pseudolite signals is thus a complex problem that has to account for market requirements (modifications of existing receivers for enabling the use of pseudolite signals, measurement accuracy, target application), regulatory aspects (frequency bands to be allocated for pseudolite services) and interference problems.

    JRC investigates the main aspects to be considered for the design of a pseudolite signal standard minimizing the interference problem without compromising the location capabilities of the system. The focus is on the signal characteristics and topics relevant for the signal design.

    Pseudolite or Communications System

    The second technical portion of the interference issue revolves around how exactly you define IMES, for when you are dealing with radio regulation agencies semantics matter. Think back to the first paragraph of this article where the IMES authors defined IMES as a messaging system. That certainly sounds like a communications system to me, and others agree. Consequently, the question has been raised and rightfully so: Is IMES a navigation and positioning system, a pseudolite or a communications system? Honestly, to me it sounds like a bit of all three, but if you define it as a communications system, then Japan is seeking to authorize the integration of a communications system with known significant interference issues with GPS signals right in the middle — indeed, potentially on the center frequency of the protected navigation band using terrestrial PRN codes assigned by the U.S. government. If IMES is deemed an indoor pseudolite, then the interference issues are still there. But it is defined as a bonafide PNT system using authorized terrestrial PRN codes. Talk about a bucket of worms!

    The issues here are numerous, and they need to be fully addressed to ensure that all those who are potentially affected clearly understand what is being proposed and the risk for the public at large, including who owns responsibility if something goes wrong. I could go on for several pages on this issue alone, but suffice it to say, we do not want to authorize a communications system that is a known and acknowledged GPS interferer right in the middle of the band — or anywhere in the band for that matter. Remember all the issues GPS had in the past several years with a communications system in adjacent bands. So, do we really want a known communications system — or communications system masquerading as a pseudolite, for that matter — with known GPS signal interference issues in the restricted GPS frequency spectrum? The blaringly obvious answer is absolutely not! Yet this is exactly what the IMES authors are proposing not only for Japan, but eventually, if they receive authorization, for other countries around the globe as well. Japan has twice petitioned the U.S. government to make the assigned IMES terrestrial PRN code allocations global in nature. Fortunately, to date those requests have been denied.

    Dichotomy

    Certainly, other countries and companies have noticed this apparent frequency authorization dichotomy and are following suit. For instance the Conference of European Postal and Telecommunications agencies, or CEPT, which is Europe’s regional representative to the World Radiocommunication Conference (WRC), has proposed adding several troubling IMES-related agenda items for the quadrennial WRCs coming up in 2015 and 2019. Even more importantly, these critical issues could be aired in the next three weeks, as the agenda for the 2015 WRC will be largely set at a plenipotentiary conference happening October 20 through November 8 in Busan, South Korea.

    There are what I consider to be dangerous proposals under consideration by the ITU (International Telecommunication Union), which should concern GNSS users worldwide. The ITU is the United Nations’ specialized agency for information and communication technologies — ICTs. This is the ITU, where every member state (currently 193) gets one vote, whether they fully understand the technical issues or not and regardless of whether they are a space-faring nation or have a dog in the fight, so to speak. This means that the vote of tiny Saint Lucia counts the same as the United States or Canada or Australia. The ITU charter is to “…allocate global radio spectrum and satellite orbits, develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs to underserved communities worldwide.” Fortunately, the ITU regulations, unlike the CEPT or IMES proposals, wisely require new transmitters proposing to operate in the radio navigation spectrum to operate without causing interference to primary users. Meanwhile, there are member states, countries and companies that want to capitalize on this seeming dichotomy within the global safety-of-life, historically protected, radio bands. Those nefarious efforts, for the future of GPS and GNSS worldwide, need to be stopped in their tracks.

    Spectrum is a limited and valuable resource, to say the least, and here fortunately the ITU regulations have it right and do not risk human life, by intruding and potentially interfering with the frequencies used globally by airliners to control, route and land aircraft. I am convinced there are solutions available to us through cooperative efforts with the ITU and other national organizations that will produce pseudolites without causing interference in the protected safety-of-life frequency bands.

    When Is a PRN Code Not a PRN Code?

    Some of you who are a bit more savvy or have been following this fiasco for some time may now be thinking, what’s the problem, the IMES authors are merely using and proposing further use of U.S. government-authorized terrestrial PRN codes for IMES. This indeed touches on the third thorny issue, which is not only technical but political as well — the use of and authorization to use PRN codes for what is ostensibly a communications system, if you believe the authors of the IMES article, who go to great lengths to differentiate IMES from pseudolites. They continually make the argument that IMES is not a pseudolite, but as we shall soon see, when the U.S. government authorized these specific PRN codes (173-182) for Japan, they were to be used solely for a low-power terrestrial pseudolite program, not an in-band communications system.

    Technically, these specific PRN codes assigned to the Japanese for IMES expire in 2017. The authorization of these PRN codes comes with numerous restrictions that legally make the codes useful only for the Japanese landmass. This is where the technical, political and operational issues come to a head. We are in for some tough sledding here. However, I will endeavor to make it as simple as possible.

    History

    In 2007, ten PRN codes were specifically assigned to the Japan Aerospace Exploration Agency or JAXA “for the Indoor Messaging System (IMES) terrestrial pseudolites of the Quasi-Zenith Satellite System (QZSS).” The Memorandum of Agreement from the GPS Wing at SMC (Space and Missile Systems Center) in Los Angeles at Los Angeles Air Force Base (LAAFB) clearly states that the codes are valid for ten years and expire on 19 November 2017, unless a renewal application is filed and approved. Hence, PRN codes 173-182 for IMES were assigned with several crucial caveats and restrictions by the U.S. government that are definitely pertinent to our discussion:

    1. The codes are designated for low-power terrestrial regional applications limited to Japan only.
    2. Although the GPS Wing conducts an initial check on PRN number requests with respect to potential interference issues, the issuance of a PRN number does not convey authority to radiate in the [GPS] band. In order to radiate in the GPS L1 band, the applicant [Japan] shall obtain a frequency assignment from the [Japanese] national authority.
    3. The GPS Wing assumes no responsibility for ensuring systems using these spreading codes follow domestic radio frequency regulations or other applicable laws or regulations, or for ensuring that systems using GPS PRN codes do not cause radio frequency interference.
    4. GPS PRN codes were developed for signals transmitted from satellites, and are not necessarily optimized for use by terrestrial transmitters.
    5. The maximum effective isotropic power for each terrestrial transmitter will be less than -94 dBW.
    6. The QZSS [organization] is responsible for the redistribution of these spreading codes throughout Japan and will limit their use to Japan only.

    With all these restrictions, it is difficult to see how the IMES authors could legally use, distribute or promote authorization of IMES and the use of the PRN codes outside of Japan and at the power levels related in the GPS World IMES article. Regardless of the IMES authors’ interpretation of the PRN code assignment, the GPS Wing 2007 Memorandum restrictions and caveats are clear, and it cannot be disputed that the codes expire in 2017 unless renewed by the USAF. The PRN codes are restricted to the landmass of Japan even if they are renewed, and if IMES wishes to broadcast anywhere in the GPS band, they need to have permission from their national frequency allocation authority (the Ministry of Internal Affairs and Communications, which is equivalent to the U.S. FCC, the Federal Communications Commission) to do so.

    The Way Ahead

    This is the easy part from my perspective. See if you don’t agree. If the U.S. government is concerned about IMES and what Japan is planning to do with the assigned PRN codes for terrestrial use, the U.S. government through the USAF has the options to:

    1. Rescind the PRN codes immediately.
    2. Ensure the Japanese adhere to the caveats and restrictions in the original Memorandum.
    3. Simply refuse to renew or recertify the codes for future use and/or recommend for IMES frequencies that are outside the protected GPS band.
    4. Update and clarify the footnote on the GPS Wing PRN Codes website pertaining to the Japanese IMES PRN Codes with all the restrictions listed in the GPS Wing Memorandum so other countries will realize this is not a global IMES PRN assignment.

    Japan is a valuable ally and we need to work together cooperatively, but frankly, the plans laid out for IMES by the authors in the GPS World article must be troubling to those whose job it is to protect the GPS spectrum and enforce mutual agreements with our allies. If we were just concerned about a Japanese IMES system, this whole discussion might be moot. However, other countries and commercial companies around the world are watching closely and laying the groundwork for similar IMES and pseudolite incursions into the GPS L-band spectrum — if the Japanese are allowed to proceed and the limited use of PRN codes for IMES is not clarified for all. No one, and I include the Japanese, wants to see this happen if it means interference with GPS, and QZSS for that matter.

    Fortunately, where European countries are concerned, there are the ITU regulations. Specifically for GPS and pseudolites, the CEPT regulation has a license condition that requires the pseudolite network operator to submit to the European country regulator confirmation of the terrestrial PRN codes from the GNSS operator before operating pseudolites in the GPS band. So again, the U.S. government wields the hammer here.

    Therefore, the U.S. government must act immediately and decisively to put an end to the threats against the protected GPS spectrum caused by the proposed in-band IMES system. At the same time, the Japanese government has an obligation and responsibility to adhere to the letter of the law where the original GPS Wing 2007 IMES Memorandum is concerned.

    Finally, the U.S. government must urgently engage cooperatively with the European Union administration and Japan to prevent the authorization and proliferation of interfering devices in the GNSS frequency bands, and to work together to ensure the positive benefits to GNSS from commercializing pseudolite uses outside the GNSS radio frequency bands. GNSS manufacturers worldwide are successfully marketing commercial pseudolites that do not cause interference. In my opinion, this is the way to go both in terms of regulations and governance.

    Until next time, happy navigating, and remember GPS is brought to you free of charge by the United States Air Force.

  • Assured PNT for Our Future: PTA

    Assured PNT for Our Future: PTA

    Actions Necessary to Reduce Vulnerability and Ensure Availability

    By Brad Parkinson
    (From the 25th Anniversary GNSS History Special Supplement)

    Introduction

    Brad Parkinson

    About 40 years ago, we had a vision for positioning, navigation, and timing (PNT). That vision was more than successful, and became known as GPS. In some respects we have been almost too successful: PNT is frequently taken for granted. PNT, in the form of GPS, has become a powerful worldwide enabler for productivity and for safety. Estimated yearly value runs to many tens of billions of dollars. 

    For several years, I have been concerned about comments that denigrate GPS because the signal strength is relatively weak. The speakers have gone on to say it can be completely replaced with inertial or other techniques. Recently, comments by government officials further energized me to look at the full picture.

    What can we do to reduce the vulnerability and ensure that the expectations of the users are going to be met? I summarize my solution as the PTA program and will elaborate in this article. At a top level, the term PTA means: Protect, Toughen, and Augment GPS to assure PNT. Note I say PNT, not GPS. The central issue is assuring access of PNT to the user, not the source of the information. I strongly believe that PTA is both achievable and absolutely necessary. Protecting PNT is particularly important to Europeans as they are just about to launch their fledgling Galileo system.

    Speeches and travel only reach a limited number. When GPS World invited me to write a piece for the magazine’s 25th anniversary issue, it seemed an ideal opportunity to expand knowledge of the PTA program. The following is an edited form of a talk I have given a number of times, most recently at the European Navigation Conference in Rotterdam in April 2014.


    GNSS initiatives and the GNSS community are growing rapidly, and certainly we are very enthusiastic about the progress of Galileo. But some places in the U.S. community are saying, “Well, this GPS band is underutilized; devoting all that bandwidth to a single system is not prudent.”

    I beg to differ with that view. If you look at the separate signals in the L1 band around the world, by the year 2023 they will grow to be well more than 400 individual signals. Those signals service over 2 billion users, from emergency service providers to precision agriculture to crustal monitoring and many, many more. I have an entirely separate talk on “GPS for Humanity,” but that is not our subject today. 

    Calling the GPS frequency band “underutilized” simply points out ignorance, even among our supporters. For example, we say PNT to emphasize that GNSS provides four dimensions. Certainly, timing is the forgotten fourth dimension of GPS, and even our politician friends rarely understand the importance of this aspect. Yet we know that highly accurate timing, supplied by GPS, is absolutely critical for power distribution, for telecommunications, and for the financial sector. 

    It is instructive to summarize the penetration of the PNT “Stealth Utility” into the fabric of our society.

    Market Size. Overall, GPS has more than 2 billion users worldwide. This represents a very diverse user group; we providers are continually seeing new and innovative ways to use GPS. 

    Figure 1, for which I am indebted to Frank van Diggelen, gives an estimate of the number of receivers currently fielded. Notice the number of military receivers: less than half a million. The gray bar depicts the industrial uses such as survey and machine control, which come in at about 4.5 million; these tend to be extremely high enhancers of industrial productivity. 

    Figure 1. GNSS market size, 2012.

    We have to change the chart scale to depict bigger market segments. For example, recreation, automotive, and computing are shown on the lower half of the chart. In fact, mobile phones will still not fit on the chart. Attesting to the size of the estimated mobile phone base: one company alone will produce more than 900 million GPS-equipped smartphones this year. The pie diagram shows the dominance of mobile devices, but much higher productivity gains come from high-precision devices whose impact is very disproportionate to numbers of receivers. 

    We asked some economists, just what is all this worth? They looked at a subset of all the industries and concluded that GPS has a positive net effect to the tune of at least $32 billion annually. They had an expanded study that suggested about $90 billion annually. So, for those who question the value of GPS, the answer is that the net yearly returns to our national investment are more than 1000 percent. (Note: National investment is about $3 billion annually.)

    To ensure these enormous economic benefits of PNT, there are two fundamental needs, and we providers must assure that they are met. The first and most important need is availability. 

    Availability. When we say availability, it is defined in a certain way; it means that PNT is available at the application-specified accuracy. We usually measure that accuracy at the 90th percentile: only 10 percent of the time can that error be exceeded. 

    Integrity. The second user need is the required integrity. That means that when the user expects a specific accuracy, the system is not lying to him. Integrity assurance is very much a focus of both the International Civil Aviation Organization (ICAO) and, in the United States, the Federal Aviation Administration (FAA). In many cases they require that PNT errors not exceed specified bounds more than once in 10 billion measurements (1 × 10⁻⁷). This integrity level requires so many samples, it is virtually impossible to verify experimentally; we have not had that many airplane landings, but it can be calculated. The metric we use is how many minutes GPS is not available — unavailability — at the specified accuracy and integrity. That is more easily understood than availability that approaches 99.9XXX percent. The usual goal is that unavailability be zero.

    We have an independent assessment of how well we are doing: FAA’s Wide Area Augmentation System (WAAS). They put out a report card with a lot of numbers. GPS clearly deserves a grade of A+. 

    And it will get better. The U.S. government’s PNT Advisory Board, which I co-chair, recently advocated that the full navigation message be added at the new civil frequencies, the L2C and L5C signals. The Air Force has now complied, thanks to strong support from General Willie Shelton. This makes two more civil signals fully available. They currently expect 2.9 meter ranging accuracy, but by the end of the year the Air Force operators expect the same full accuracy as the rest of the signals, on the order of 0.5 meter of ranging error. 

    This is an outstanding picture.

    So What’s the Problem? A statement made by a high-level U.S. government official in my presence exemplifies the problem: “GPS is much too vulnerable. We must replace it with new inertials and chip-scale atomic clocks.” 

    I found this statement appalling. Unfortunately, it was a meeting where you don’t normally speak up, and I didn’t. Nonetheless, to me, that was totally wrong. 

    GPS indeed has a very weak signal, and it depends on having clear line-of-sight to four satellites. But in my opinion, a much better statement is what I call the PTA solution. Our goal should be to:

    • Protect the system and the signal. 
    • Toughen the receiver and the system. 
    • Augment GPS as needed to ensure users’ PNT requirements are met. 

    The focus is ensuring positioning, navigation, and timing (PNT), not merely ensuring GPS.

    Fundamental Prerequisites for PNT 

    The first prerequisite for GPS-based PNT is a receivable, clear, and truthful (truthful implies full integrity) ranging signal. There are five main challenges to this.

    Too-powerful authorized signals nearby. This aspect snuck up on our community. The FCC authorizers were about to license a powerful signal in the frequency band adjacent to GPS, drowning out any hope of receiving the GPS signal. This can be called the authorized jammer. All PNT providers must be very vigilant about this; we have seen ignorant elements of the government poised to do great harm with well-intended but destructive actions, without knowledge of the unintended consequences.

    Natural Interference. This interference, the cause of delays and attenuation, is reasonably well understood, and the subject of much research, dating back to when we first defined GPS. Random events such as solar flares can potentially cause great harm. 

    Inadvertent Natural or Manmade Jamming. A nearby device that creates spurious, destructive emissions can be a serious problem for GPS receivers. This class tends to be manageable by well-designed receivers.

    Collateral Interference. An example is a person who wants to evade tracking but is inadvertently jamming nearby GNSS receivers in addition to his own local receiver.

    Deliberate Jamming or Spoofing. This is perhaps the major concern for developers and users. I will discuss this further later.

    There is a second major prerequisite: satellite geometry. The user who cannot see enough of the sky is called “sky-impaired.” There are two possible underlying problems: 

    • The satellite constellation has “brown-out” because of failures or inadequate numbers; or
    • The user is operating in a mountainous or urban area with high, local shading angles.

    Overcoming sky-impairment requires a denser constellation, or use of multiple GNSS. 

    Protect, Toughen, Augment 

    What can we — as developers, operators, and manufacturers — do to overcome the PNT availability challenges for our users? My solution is PTA. The good news is that quite a few of the actions I recommend are underway — in fact, many of GPS World’s readers are active participants. 

    I am going to examine these three PTA principles, expand on them a bit, and hopefully explain a few things that help focus on a broad solution. 

    Protect the System and the Signal

    This can be organized into seven actions: three PreActions and four ReActions. PreActions are before there is serious interference, and ReActions obviously come after interference is occurring.

    First, the PreActions.

    Protect the Spectrum. The chart in Figure 2 represents the frequency plan for the L1 band, and displays some of the sources of the 400 signals I referenced earlier. The blue star, GPS L1 C/A, is the only fully operational and reliable signal in the world right now. The red star is the U.S. GPS military signal. You can see it has important power lobes close to the band edge. The black star is M-code, the new military signal of the United States.

    Figure 2. Frequency plan for the L1 band.

    The Galileo power curve, which is pale green, has very significant nodes close to the band edge. Of course, the Galileo PRS (the magenta star) is right on the band edge. The imperative for these wider bandwidths is that they produce sharper correlation edges and consequently produce greater measurement precision. This leads to greater accuracy, and greater usefulness and utility for many PNT users.

    Reallocation of radio bands adjacent to GNSS poses a significant threat. The band edge of the proposed high-power communication signal (sometimes called broadband) appears as the black vertical line. It is obviously very close to the edges of many of the colored PNT signals. Tests conclusively demonstrated unacceptable levels of interference with L1 C/A.

    Consider the proposed, high-powered terrestrial signal one quarter-mile from a GPS receiver. This produces a power ratio of 5 billion (broadband) to one (GPS). To visualize that power ratio, consider Niagara Falls, which produces about a billion watts. Compared to that, GPS power is a tablespoon of water dropped from five feet, once per second (about 0.2 watts). This is the power ratio that was almost authorized with 40,000 ground-based transmitters in the U.S. At a city block away, the effect is 10 times worse.

    To quantify interference effects, some initial tests were run and measured broadband effects used for analysis. Cell-tower locations near Las Vegas, Nevada, approximated the broadband transmitter locations. The nearby airport, McCarran Field, has three RNAV (GPS) approaches. As expected, GPS users on the ground would be significantly jammed, but the effect on aircraft would be nine times worse than the impact on ground receivers. This is due to altitude (line of sight), geometry, and the sensitivity of aircraft receivers. 

    The 12 broadband transmitters around McCarran Field would jam all of the RNAV GPS approaches to all three runways. Signals of this type would effectively shut down or severely limit operations at the airport. 

    Signals in the GPS band will increase in the next decade as the newer GNSS become operational. The proposed, adjacent broadband is even more incompatible with these newer signals since they will be closer in frequency. Note that the whole approach was rejected, solely on the basis of L1 C/A. It was not even tested against the other, more susceptible, modern signals. The worst would have been yet to come, had they been authorized to broadcast in the adjacent band.

    Adjacent bands can continue to broadcast non-GNSS signals originating in space because the power levels will be comparable with the PNT spectrum. But we must be very vigilant to stop any high-power terrestrial signals from being allowed. They would become, effectively, authorized jammers. There should be no spectrum reallocation to ground transmitters until technology has been thoroughly demonstrated to solve any problems (particularly for the high-precision users) and there is enough time to re-equip the users.

    Europeans should have two other important frequency authorization concerns. First, there is a legal barrier within the United States to using Galileo signals. They have not been formally authorized. I think it is a bureaucratic glitch, but it is something we in the United States have to solve; we do want to use all GNSS signals. Stay tuned!

    There is another concern. A group at the Electronic Communications Committee, European Commission, recommends allowing pseudolites in the L1 GNSS band. As an experienced user of pseudolites for aircraft landing and some other applications, I believe this is a very risky idea; pseudolites can be very useful, but frequencies should be found elsewhere to avoid unexpected interference. 

    Stiff Legal Penalties for Interference. The second PreAction is to enact stiff legal penalties for GPS jamming, both in terms of jail time and fines. The goal is to deter the ubiquitous $33 GPS jammer that one can buy on the Internet. 

    On the U.S. FCC website, the agency lists the penalties for having a GPS jammer. Forfeitures range up to $16,000, and they might even put you in jail. The Australians take a much stronger view: up to five years imprisonment or $850,000 in some cases. Some people are alarmed by these heavy penalties and call them brutal. However, they are not always imposed, and if jamming and spoofing is intentional, especially where the landing of airplanes is concerned and lives are at stake, I think a strong deterrent is warranted. 

    Stop Jammer Manufacturing, Sales. The third PreAction is to prevent proliferation by shutting down manufacturing and web sales of jammers. What is the status?

    The FCC website states that manufacturers should comply with the law: stop marketing these devices in the United States and stop selling and shipping to addresses in the United States. The loophole is you apparently can manufacture these devices if you sell them outside the U.S. Now, I have a little difficulty with this. I have pointed this out to the DHS and others; hopefully, stronger action will be taken.

    The FCC told me in an open meeting a few months ago that they were shutting down the websites where these devices are sold. But about three weeks ago, I went online and immediately found a website that sells nine different devices to jam GPS and cellphone devices. Indeed, there were jammers, all very affordable, for jamming just about everything. More recently, the FCC assessed a multi-million dollar penalty against such a jammer manufacturer. We will see if this actually happens. I hope they accelerate these efforts.

    Now for the ReActions.

    Detect Jamming. To stop jamming, the first step is to know when it is occurring. There are a variety of ways to do this. Some devices or concepts are already on the table: for example, a Chronos CTL3510 GPS Jammer Detector, an Exelis Signal Sentry Jammer Detector, and the J911 cell phone detection and reporting of jamming, an example from NavSys.

    The idea behind the NavSys J911 is that all GPS-equipped smartphones have the capability to detect jamming. This does not pinpoint jammer location, but alerts authorities to the problem. Phone location can be reported to a central database for the next two actions.

    Pinpoint Jammer Location. Techniques range from directional antennas to time-difference-of-arrival using Fast Fourier Transforms. The latter was demonstrated for the FAA at Stanford more than 10 years ago: location pinpointed within five meters. Cell towers could implement such techniques, since they have accurate time and could run correlations. There are already commercial GPS jamming locators: something called a JLOC (NavSys Jammer Locator). The British are using similar techniques for jammer detection on some of their freeways.

    Eliminate Jammer. Having pinpointed the jammer, the next step is to physically eliminate it. What is the status? At Newark Airport there is an FAA, ground-based GPS augmentation system antenna right next to the turnpike. It is part of a blind landing system. In early 2010, there was an infamous jammer interfering with the FAA GPS receiver. It took three months to locate the offending truck driver and shut down the jammer. The good news is that, more recently, in the same general location, they located a similar moving jammer within 24 hours after the interference started. However, these are very special locations. Recent studies have suggested that interference sources are much more widespread. Note: Only certain enforcement personnel are authorized to seize the jammer and arrest its operator.

    Prosecute. Having located the offender, the law should then be applied to prosecute. Leeway should be applied, commensurate with the circumstances. In this New Jersey case, the authorities say the perpetrator is liable for a forfeiture of $31,875.

    Toughen Receivers

    There are at least five well-known ways to toughen receivers, thereby increasing jam resistance: 

    • Increased satellite signal spreading (such as L1C, L5) allowing greater processing gain;
    • Integration with inertial navigation components;
    • Digital beam-steering or null-steering antennas;
    • Increased satellite power such as L5 (a difficult and fairly expensive technique);
    • Local antenna shading, for example, the top of an airplane, which is shaded from the jammer.

    These improvements cascade and are cumulative, but a remaining issue is to make such techniques more affordable.

    To illustrate these anti-jamming techniques, consider the effective area of a 1-kW jammer located on the Capitol building in Washington, D.C. A basic high-quality GPS receiver, within a line-of-sight range of 20 miles, will stop providing PNT. Simply using the newest L1C spread-spectrum GPS signal reduces the jamming area by about two thirds, allowing operation to about 10 miles from the Capitol. Adding inertial aiding allows PNT to within three miles, and adding digital beam-forming antennas and using aircraft natural shading brings the effective radius to about 0.1 mile, about the size of the Capitol building.

    The point is that toughening the PNT receiver with the technologies mentioned is an extremely effective strategy. It would require over 60,000 jammers to cover the same area as the original non-toughened GNSS receiver.

    Some techniques are very affordable today, while others, such as digital beam-forming antennas, remain too expensive for the ordinary user. In addition, there is a potential U.S. problem of export restrictions. Unfortunately, many of these existing restrictions have simply incentivized non-U.S. development of equivalent capabilities.

    Augment

    The last element of the PTA construct is to augment or substitute PNT sources. We are all aware of the coming revolution in multiple PNT sources from new GNSS. An all-GNSS receiver diversifies the frequencies and the signals, thereby reducing vulnerability to interference. It also improves availability for the sky-impaired user because of densification of satellites sources. Using satellites from multiple constellations can significantly improve availability, provided integrity requirements are met.

    With these additional GNSS constellations, there are three major levels of cooperation:

    • Compatible: no mutual interference;
    • Interoperable: working to allow common time and geodesy system;
    • Interchangeable: using accurately calibrated biases and offset. Any four SVs will suffice.

    The major issue again is probably integrity, because to ensure economic value, availability requires known integrity. As far as the U.S. FAA and ICAO are concerned, for precision aircraft operations the integrity value should be that the system be “out of spec” less than once in 1 billion times. To be productive they also would like zero minutes of unavailability. That may seem extreme, but commercial aviation and public safety demand it. Regarding integrity, some new GNSS are clearly making faster progress than others.

    It is useful to further examine the densifying opportunity of additional GNSS. The chart in Figure 3 shows how densification can impact the user. The number of satellites (SVs) available in the sky (assumed optimal distribution) is shown. The colors refer to whether 0, 1, or 2 SVs are out of commission for maintenance or repositioning (typical maximum is 1 for GPS). The measure of effectiveness is minutes of outage per day. Consider a shading angle of 60 degrees, representing a user near a rugged mountain slope area or a city. With the nominal 24 SV GPS constellation (the GPS specification is 24 despite the U.S. having 31 active SVs), the outages, due to geometry alone, are six to ten hours. Improvement with additional satellites is dramatic and quite non-linear. With 33 satellites (about a 37% increase in density) outages are zero minutes per day to 33 minutes if one satellite is out for maintenance (reduction by a factor of over 10!). Of course, SVs could be from different GNSS constellations if they are truly interchangeable and have the required integrity. The clear message is that about 33 SVs are needed to cover reasonably high elevation angles.

    Figure 3. How densification of additional GNSS can affect the user.

    Integrity Monitoring. Currently, the U.S. GPS control segment continuously monitors GPS satellites. If a fault is found, they set the satellite inoperative until the problem is resolved, which may take many minutes. This alarm time is not fast enough for precision aircraft landing and approach (the requirement is six seconds to alarm). For these rapid integrity alarms, the United States relies on the FAA’s WAAS, and Europe uses EGNOS to monitor the basic GPS L1 C/A signal. Soon, the EGNOS message will include Galileo integrity alerts. Unfortunately, the United States does not yet have a plan for reciprocal WAAS monitoring of Galileo signals. In fact, formal approval to even use these signals has not yet been granted by the U.S. FCC. 

    Self Integrity (RAIM). If an all-GNSS receiver has more than six satellites in view, the user can use the Receiver Autonomous Integrity Monitoring (RAIM) technique. This allows the user to cross-check each measurement against others to find erroneous satellites and guard against spoofing. Take the recent GLONASS situation. With a good RAIM PNT receiver, the user could quickly isolate the large errors from the combined set of GPS/GLONASS measurements. In fact, some deployed receivers did just that. If all GNSS are totally interchangeable, it will be enormously helpful to implement RAIM. 
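
    The cross-check described above can be written as a residual test: solve for position and clock bias from all pseudoranges, raise an alarm if the leftover range residuals are too large, then re-solve with each satellite left out to find the one whose removal restores consistency. The following is an added example, not code from the article or from any receiver it mentions; the satellite positions, receiver position, prior fix, noise values, 300 m fault and 10 m alarm threshold are all constructed assumptions, and a single faulty measurement is assumed.

```python
import math

THRESHOLD_M = 10.0  # assumed alarm threshold on the RMS residual, metres

# Constructed satellite positions in an Earth-centred frame (metres).
SATS = [
    (15600e3, 7540e3, 20140e3),
    (18760e3, 2750e3, 18610e3),
    (17610e3, 14630e3, 13480e3),
    (19170e3, 610e3, 18390e3),
    (9000e3, 20000e3, 15000e3),
    (22000e3, 12000e3, 9000e3),
    (5000e3, 12000e3, 23200e3),
]
TRUE_POS = (3900e3, 3000e3, 4000e3)    # constructed receiver position
PRIOR_POS = (3950e3, 2950e3, 4050e3)   # assumed coarse last-known fix
CLOCK_BIAS_M = 85_000.0                # constructed receiver clock bias
NOISE_M = [0.3, -0.2, 0.1, -0.3, 0.2, -0.1, 0.3]  # constructed range noise


def distance(a, b):
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in range(3)))


def make_pseudoranges(fault_index=None, fault_m=0.0):
    """Simulated pseudoranges; optionally bias one satellite by fault_m."""
    prs = [distance(s, TRUE_POS) + CLOCK_BIAS_M + n for s, n in zip(SATS, NOISE_M)]
    if fault_index is not None:
        prs[fault_index] += fault_m
    return prs


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def residuals(sats, prs, state):
    """Measured minus predicted pseudorange for state = [x, y, z, clock bias]."""
    return [p - (distance(s, state) + state[3]) for s, p in zip(sats, prs)]


def least_squares_fix(sats, prs, iterations=20):
    """Gauss-Newton solve for [x, y, z, clock bias]; returns (state, RMS residual)."""
    state = list(PRIOR_POS) + [0.0]
    for _ in range(iterations):
        rows = []
        for s in sats:
            rng = distance(s, state)
            rows.append([(state[k] - s[k]) / rng for k in range(3)] + [1.0])
        res = residuals(sats, prs, state)
        gtg = [[sum(r[i] * r[j] for r in rows) for j in range(4)] for i in range(4)]
        gtr = [sum(r[i] * v for r, v in zip(rows, res)) for i in range(4)]
        step = solve_linear(gtg, gtr)
        state = [v + d for v, d in zip(state, step)]
        if max(abs(d) for d in step) < 1e-4:
            break
    sse = sum(v * v for v in residuals(sats, prs, state))
    return state, math.sqrt(sse / (len(sats) - 4))  # 4 unknowns consume 4 measurements


def raim_check(sats, prs, threshold=THRESHOLD_M):
    """Residual test on all satellites, then leave-one-out exclusion on alarm."""
    if len(sats) < 5:
        raise ValueError("need at least 5 satellites for a redundancy check")
    state, stat = least_squares_fix(sats, prs)
    if stat <= threshold:
        return {"detected": False, "excluded": None, "state": state, "stat": stat}
    best = None
    if len(sats) >= 6:  # every leave-one-out subset keeps at least 5 satellites
        for i in range(len(sats)):
            sub_state, sub_stat = least_squares_fix(
                sats[:i] + sats[i + 1:], prs[:i] + prs[i + 1:])
            if sub_stat <= threshold and (best is None or sub_stat < best[2]):
                best = (i, sub_state, sub_stat)
    if best is None:  # alarm raised, but the bad measurement cannot be isolated
        return {"detected": True, "excluded": None, "state": None, "stat": stat}
    return {"detected": True, "excluded": best[0], "state": best[1], "stat": best[2]}


def position_error(state):
    return distance(state, TRUE_POS)


if __name__ == "__main__":
    for label, prs in (("clean", make_pseudoranges()),
                       ("300 m fault on satellite index 1", make_pseudoranges(1, 300.0))):
        out = raim_check(SATS, prs)
        err = position_error(out["state"]) if out["state"] else float("nan")
        print(f"{label}: detected={out['detected']} excluded={out['excluded']} "
              f"rms={out['stat']:.2f} m error={err:.1f} m")
```

    This test flags a measurement that disagrees with the others. Pseudoranges that are all shifted consistently leave the residuals small, which is the limitation of simple pseudorange-based RAIM noted in the first article on this page.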

    The recent, prolonged GLONASS outage saddened us all because it reduced the credibility of all GNSSs. We hope the Russians will be forthcoming in announcing what happened and the corrections that are being made; hopefully, it won’t happen again.

    Fortunately, there is a third independent, real-time tracking network of 200+ sites, known as the Global Differential System (GDGPS). Although NASA administers GDGPS, local-country scientists maintain and operate individual sites in near real time. GPS is monitored down to centimeter precision. 

    A central issue for GDGPS is whether the integrity monitor capability itself has integrity. Because of redundancy and independence, a form of inverse RAIM, hereby named System Autonomous Integrity Monitoring (SAIM), can be used. Figure 4 depicts the number of independent looks or ranging measurements to a single satellite over various points on the Earth. You can see in the dark areas the value is 60, and even in the relatively unmonitored areas around South America, the redundancy is 20. At a typical spot, perhaps off Spain, it depicts 50-fold redundancy. By cross-checking the dozens of GDGPS measurements for each satellite, a strong integrity cross-check can be created. The GDGPS plan is to also monitor Galileo as it becomes operational. Thus, GDGPS has excellent prospects to provide real-time integrity assessments for all users and all operational constellations. We need plans to connect all users to these potential integrity alarms.

    Figure 4. The number of independent looks or ranging measurements to a single satellite over various points on the Earth.

    There are three classes of ground-based augmentations:

    Pseudolites. Ground augmentations could also include pseudolites broadcasting GPS-like signals for additional ranging. While somewhat helpful, this technique cannot cover large areas and can act as a strong interference source if the signal is in any GNSS frequency band. For this reason, in my opinion, pseudolites should never be authorized in GNSS frequencies.

    Distance-Measuring Equipment. Modernized DME, planned as a GPS supplement by the U.S. FAA, is very valuable for the airborne users. Most ground users derive no benefit from DME because they do not have line of sight to the widely scattered transmitters. Ohio University’s Frank van Graas is working for the FAA on a DME plan should GPS not be available. It involves moving from the so-called legacy DME to the enhanced DME to ensure continuous aviation operations.

    eLoran. eLoran, covering expandable local regions, uses a powerful signal at an entirely different frequency. It is two-dimensional, but in calibrated areas differential (eDLoran) is perhaps as accurate as 10 meters for harbor areas and similar purposes. 

    I chaired a study of eLoran for the FAA in 2006. Initially skeptical, the study members finally concluded (unanimously) that eLoran: 

    • meets the needs of all identified critical applications: 10–20 meter navigation accuracy for harbor entrance; 0.3 mile required navigation performance (RNP 0.3); stratum 1 frequency precision and 50-ns time accuracy.
    • is a modern system: new infrastructure, solid state transmitters, state-of-the-art time and frequency equipment, uninterruptible power supplies; new operating concepts, time of transmission, all-in-view signals, message channel with differential corrections, integrity; new digital user equipment, processes eLoran and GPS signals interchangeably, compact H-field antennas eliminate p-static.
    • is affordable: Less than $143M to fully complete eLoran, avoid costs of decommissioning existing Loran-C infrastructure; operations and maintenance currently $37M/year, reduced with eLoran-enabled automation.

    And our group concluded it was the most prudent and cost-effective general augmentation or backup to GPS.

    The National PNT Advisory Board also unanimously recommended that we deploy eLoran. The departments of Transportation and Homeland Security supported it; then, after a change of administrations, in a budget crunch, it was defunded, and the dismantling of existing Loran C stations began. Congress now may be taking action, and the recent GLONASS outages should give an impetus to that. 

    Who Will Implement PTA?

    To my knowledge, many elements are currently being pursued, some by GPS World readers. But I can identify no entity that has the authority, the knowledge, the breadth, and the resources to create a single, well-focused program. This reminds me of a fable from Aesop regarding ants. When no leadership emerges, the ants have to band together to solve the problem. Yes, I am suggesting that we are the ants and we all must contribute to the solution, as well as seeking governmental agencies to step up to the responsibility. 

    In that regard I have a “to do” list. We must:

    • Protect PNT.
      • Vigorously defend the spectrum.
      • Work with lawmakers to increase legal penalties for PNT interference.
      • Work with manufacturers and law enforcement to improve timeliness and accuracy of interference identification (crowd-sourcing, every cell phone a detector).
      • Field jammer location equipment.
    • Toughen PNT.
      • Develop industry (ICAO/RTCA/RTCM) standards for deep inertial integration and directional antennas.
      • Develop vector receivers (all GNSS).
      • Continue to implement ARAIM and inertial for integrity (+WAAS/EGNOS).
      • Encourage users to move to rugged receivers.
    • Augment PNT.
      • Expand integrity notifications to include GDGPS.
      • Develop RTCA standards for seamless DME and GPS/GNSS.
      • Implement eLoran and develop RTCM standards for seamless use.
      • Develop an international process for integrity certification of all GNSS (GLONASS, Galileo, and BeiDou).

    In conclusion, the rumors of the death of GPS, in my opinion, are greatly exaggerated. Let’s not throw out the baby with the bath water. Instead let’s accelerate and expand PTA to Protect our band, and Toughen our receivers, and Augment GPS to ensure that PNT is available for all users now and in the future. 

    In the words of American poet Robert Frost,

    The woods are lovely, dark and deep, 

    But we have promises to keep, 

    And miles to go before we sleep, 

    And miles to go before we sleep.

    Thank you.


    BRAD PARKINSON has been the Edward C. Wells Endowed Chair (emeritus) at Stanford University, where he is a recalled professor of aeronautics and astronautics.

    He co-founded the well-known Stanford GPS Laboratory and led the development of many innovative uses of GPS, including blind aircraft landing, precision farm tractors, and the prototype of the FAA’s WAAS. He also directed development and was a co-PI for the successful test of Einstein known as Gravity Probe-B sponsored by NASA. He worked in various executive or board capacities at Trimble Navigation, Intermetrics, Rockwell International, and The Aerospace Corporation.

    As an Air Force colonel, from 1972 to 1978, he was the chief architect and first director of the NAVSTAR GPS development program, retiring from the service after orbiting the first GPS satellites and proving GPS capabilities. He is a fellow of five professional societies and recipient of dozens of awards, including sharing the 2003 Draper Prize with Ivan A. Getting for leading the development of the Global Positioning System.

  • Spoofer and Detector: Battle of the Titans at Sea

    Two satnav superpowers battled it out aboard a superyacht in the Mediterranean this summer, as a spoofing detector designed to differentiate between real and fake GPS signals came to grips with a spoofing device previously responsible for hijacking a sophisticated drone helicopter, deceiving it into landing when it was trying to hover, and for misdirecting the same luxury yacht in tests last summer.

    Mark Psiaki, Cornell University professor of mechanical and aerospace engineering, and graduate student Brady O’Hanlon spent a week aboard the White Rose of Drachs, a luxury superyacht, testing their second-generation spoofing detector as the boat cruised from Monaco around the boot of Italy to Venice at the head of the Adriatic Sea. Also on board was a researcher from assistant professor Todd Humphreys’ Radionavigation Laboratory at the University of Texas at Austin. Humphreys tested his latest spoofer aboard the same yacht last year; this year, Psiaki and O’Hanlon embarked for a follow-up experiment to see if they could outsmart the spoofer.

    The Cornell team’s spoofing detection system electronics quietly at work detecting evildoers on the bridge of the White Rose.

    Both researchers have published earlier versions of their work in GPS World magazine, Psiaki in “GNSS Spoofing Detection,” the Innovation column in the June 2013 issue, and Humphreys in “Drone Hack” in the August 2012 issue.

    The former story relates how Humphreys and Psiaki began their investigations as far back as 2008. “There was no intention to help bad actors deceive GNSS user equipment. Rather, our goal was to field a formidable ‘Red Team’ as part of a ‘Red Team/Blue Team’ (foe/friend) strategy for developing advanced ‘Blue Team’ spoofing defenses.”

    In international waters this summer, the Cornell and Texas teams could conduct their research unhindered; on land, it’s very difficult to get permission to hack a GPS signal, even for research purposes, Psiaki said.

    The Cornell two-antenna system installed on the roof of the White Rose bridge next to the superyacht’s GPS antenna.

    Aboard the White Rose, Humphreys’ team initiated an attack on the boat’s GPS receiver, overlaying a disguised false signal on top of the real one, and attempting to send the boat off-course without generating any obvious warning signs. Stationed in a different area of the boat, Psiaki and O’Hanlon’s device set itself to detect the false signals through real-time analysis of their properties, and to provide protection against any attack by issuing a definitive warning whenever false signal characteristics were identified.

    “We tested numerous spoofing scenarios,” recalled Psiaki. “We proved the efficacy of the new two-antenna version of one of our spoofing detection systems. It is the functional equivalent of our previous moving-antenna spoofing detection system.  With two antennas we can simulate the effects of antenna motion without any need for moving parts. The only problems we encountered were with the initial spoofing drag-off, at which point the true and spoofed signals interfere with each other, and signal tracking can be tricky.

    “We recorded wide-band data for all these cases. We think that we know how to enhance our defenses to hold on to the signals and recognize spoofing during the initial drag-off. We also think that we know how to recover the true signals after an attack. The recorded wide-band data should enable us to develop and test these refinements in the lab, i.e., without the need to go back to sea — not that we would mind having to take another cruise on the White Rose of Drachs.”

    In one test, the yacht’s GPS receiver was spoofed into believing that it was veering off its course, set northwards to Venice, and heading south to Libya at a very high speed. The Cornell detector was able to warn the White Rose’s bridge crew about the attack before the yacht was 20 meters off course.

    The White Rose’s GPS-driven chart showing it off the coast of Libya (black line) when it was actually in the Adriatic, cruising from Montenegro to Venice (blue line). The spoofing detector knew all along that this was a false reading.
    “This photo shows the White Rose’s Litton GPS receiver with ridiculous speed and altitude readings — we were in a hurry to get from the Adriatic to Libya and therefore spoofed a straight line route that took us across, actually beneath, Italy and Sicily, at speeds exceeding 900 kts in order to get there in 50 minutes.”

    “We want to progress to the point where not only can we tell it’s a false signal, but we can also say, ‘Here is the true signal; here is the true position,’” Psiaki added.

    The owner of the White Rose of Drachs, an anonymous businessman, allows the boat to be used for scientific purposes during off seasons.

    The Cornell and White Rose team: (from left) Brady O’Hanlon, Cornell ECE Ph.D. student, Andrew Schofield, master of the White Rose of Drachs, and Mark Psiaki, Cornell Prof. of Mechanical & Aerospace Engineering.

    Psiaki will present a paper on the superyacht experiments at the Institute of Navigation’s GNSS+ conference in September in Tampa, Florida, and GPS World will publish an article based on this paper in the November issue.


    This story draws on initial reporting by Anne Ju in the July 28 Cornell Chronicle, with additional material and photos supplied by Mark Psiaki.

  • Mitre Product Detects Timing Spoofing Attacks

    Mitre’s new Time Anomaly Detection Appliqué (TADA) protects modern digital systems from spoofing attacks that can corrupt time source signals.

    Successful spoofing attacks could result in navigational systems going haywire and grounding airplanes, jumbling of buying and selling orders, a shutdown of the stock market, or power-grid failures. Infrastructure and defense systems often rely on GPS’s unencrypted position, navigation, and timing (PNT) signal as their source of accurate time, accurate to about 14 nanoseconds.

    The TADA system detects and, for certain users, mitigates timing attacks. “Almost every system has a need for precise and accurate time,” said Darrow Leibner, the Mitre TADA project lead. “Because GPS is accurate and ubiquitous, users have gotten away from implementing other time-keeping methods. That’s where the potential vulnerability comes in.”

    TADA is designed to provide a cost-effective, reliable, and easy-to-use method for protecting GPS receivers against spoofing attacks. The system defends against spoofing by continuously comparing a trusted input, such as a known frequency or location, with those provided by the GPS receiver. When a difference between these two inputs is detected, TADA alerts the user to the suspected PNT anomaly.

    For a trusted input, TADA uses an atomic clock frequency. For each second measured by the incoming GPS timing signal, TADA counts the number of frequency cycles generated by a Cesium clock. If the incoming GPS signal is valid, TADA will count exactly the expected number of Cesium frequency cycles. If TADA counts more or fewer cycles than expected, it will display the difference. A difference outside the acceptable margin of error will prompt TADA to alert its users that the GPS timing signal is possibly being spoofed.

    In the same way it uses a trusted time source, TADA can also use a known location to detect a spoofing attack. To do this, the user inputs the location of a GPS receiver antenna into TADA. TADA monitors the reported position for any changes. Any reported change of the stationary location would most likely be due to a spoofing attack and would prompt an alert to the user. Once alerted by TADA to a spoofing attack, users can quickly switch to existing backup systems.
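
    The cycle-count and known-location checks described above, sketched as an added example; this is not Mitre's code and is not part of the original article. The 10 MHz reference frequency, the tolerances, the coordinates and all sample data are assumptions constructed for illustration, and the accumulated-offset check goes beyond the per-second comparison the article describes, to show how a slow drag that stays inside the per-second margin can still be caught.

```python
"""TADA-style consistency checks (illustrative sketch, not Mitre's code)."""
import math
from dataclasses import dataclass

# All constants below are assumptions chosen for this example.
REF_HZ = 10_000_000        # nominal frequency of the trusted Cesium reference
CYCLE_TOL = 2              # allowed error per GPS second, in cycles (200 ns)
DRIFT_TOL_CYCLES = 10      # allowed accumulated error, in cycles (1 microsecond)
POS_TOL_M = 15.0           # allowed scatter around the surveyed antenna position
EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Alert:
    second: int   # index of the one-second interval or position fix
    kind: str     # "cycle-count", "accumulated-offset" or "position"
    detail: str


def check_timing(cycle_counts, ref_hz=REF_HZ, cycle_tol=CYCLE_TOL,
                 drift_tol_cycles=DRIFT_TOL_CYCLES):
    """cycle_counts[i] is the number of reference cycles a free-running
    counter saw between GPS one-second marks i and i+1."""
    alerts = []
    accumulated = 0   # signed running sum of the per-second errors, in cycles
    for i, counted in enumerate(cycle_counts):
        err = counted - ref_hz
        # With a free-running counter the +/-1 quantisation errors of
        # neighbouring intervals cancel in this sum, so it only grows when
        # the GPS second itself is consistently long or short.
        accumulated += err
        if abs(err) > cycle_tol:
            alerts.append(Alert(i, "cycle-count",
                                f"{err:+d} cycles in one second"))
        elif abs(accumulated) > drift_tol_cycles:
            offset_us = accumulated / ref_hz * 1e6
            alerts.append(Alert(i, "accumulated-offset",
                                f"{offset_us:+.2f} us since start"))
    return alerts


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_position(surveyed, fixes, pos_tol_m=POS_TOL_M):
    """Flag every reported fix that lies further than pos_tol_m from the
    surveyed (operator-entered) position of a stationary antenna."""
    alerts = []
    for i, (lat, lon) in enumerate(fixes):
        dist = haversine_m(surveyed[0], surveyed[1], lat, lon)
        if dist > pos_tol_m:
            alerts.append(Alert(i, "position",
                                f"{dist:.0f} m from surveyed antenna"))
    return alerts


# --- Constructed sample data (not measurements) ---------------------------
CLEAN_COUNTS = [10_000_000, 10_000_001, 9_999_999, 10_000_000, 10_000_000]
JUMP_COUNTS = [10_000_000, 10_000_000, 10_000_450, 10_000_000]  # 45 us step
SLOW_DRAG_COUNTS = [10_000_001] * 20      # 100 ns/s, inside per-second margin

SURVEYED = (38.90000, -77.00000)          # placeholder coordinates
FIXES = [
    (38.90001, -77.00001),                # normal receiver scatter
    (38.90002, -77.00000),
    (38.90050, -77.00000),                # reported position walking away
    (38.90200, -77.00000),
]

if __name__ == "__main__":
    for name, counts in [("clean", CLEAN_COUNTS), ("jump", JUMP_COUNTS),
                         ("slow drag", SLOW_DRAG_COUNTS)]:
        print(name, check_timing(counts))
    print("position", check_position(SURVEYED, FIXES))
```

    The slow-drag series never trips the per-second margin, yet the running sum crosses the 1 microsecond limit at the eleventh second; once a step or drag has occurred, the accumulated-offset alert stays raised until the monitor is reset.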

    “This is not the invention of the lightbulb,” Leibner said. “Rather, it’s a clever use of existing technologies packaged in such a way that users obtain a greatly increased level of protection for a minimum of investment. None of the TADA components on their own are brilliant. But as one manufacturer said after seeing a detailed description of TADA, ‘It’s brilliantly simplistic.’”

    The next stage in TADA’s development is to provide it with the capability not only to detect spoofing attacks, but to mitigate their effects and pinpoint their origin. Mitre will also continue to advocate that, to bolster the nation’s infrastructure defenses against spoofing, TADA-like monitoring techniques be included within commercial product design.


    Adapted from an article by The MITRE Corporation.

  • Year of the Generals

    Several pleasant surprises popped up at this year’s Institute of Navigation’s Joint Navigation Conference (ION JNC) in Orlando, Florida, and the best by far centered on the presenters and the attendees. In a change from recent years due to budget restrictions, better known as sequescastration, this year two senior Air Force generals attended and actively participated in several events.

    General (S) John Hyten – Vice Commander AFSPC – Courtesy of the USAF

    General (S) John E. Hyten (USAF), currently the Vice and soon to be the Commander of USAF Space Command (AFSPC), participated in two days of ION JNC and was featured as the keynote speaker on the second day of the plenary session. As a senior steward of the Global Positioning System, indeed for all USAF Space Systems, General Hyten has a special place in his heart for GPS, having served as the Commander, 50th Space Wing, Schriever AFB in Colorado, the home of GPS.

    The 2nd Space Operations Squadron is a component of the 50th Operations Group, 50th Space Wing, Schriever AFB, CO. The squadron was activated Jan. 30, 1992.

    Conference attendees were pleasantly surprised with the access they had to General Hyten as he toured exhibits and joined fellow attendees for lunch, presentations, and discussions in the hallways. General Hyten made it clear that he was there to interact with ION JNC attendees and welcomed everyone to engage him in conversation. A rare invitation from a very busy general officer with huge responsibilities — and an invitation that many attendees clearly took to heart, as General Hyten was continually engaged in discussions during his two-day stay.

    In his plenary presentation, General Hyten addressed GPS and the general lack of knowledge in the public today concerning the origins of the system. Hint — the answer is the United States Air Force. More on that later.

    Major General (USAF) Robert Wheeler

    Major General Robert Wheeler (call sign Wheels) also attended ION JNC this year to speak during the classified day on June 19 and to participate as an ad hoc member of the always-popular War Fighter Crosstalk Panel. General Wheeler  currently serves on the staff of the Secretary of Defense (SECDEF) as  Deputy Chief Information Officer for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC). General Wheeler is a command pilot with more than 5,000 hours in multiple aircraft, including the B-2 bomber in which he saw combat time over theater.

    It was obvious from his initial comments in the classified sessions that General Wheeler is a warrior and staunch supporter of GPS and all things PNT-related. As much as I would like to relate some of his more pithy remarks, they were made in a classified environment, so sharing them is impossible in this venue. However, suffice it to say the General’s comments were well received by the war fighters who attended as well as the classified session attendees, which included many of our closest international allies.

    The comment was made several times in my hearing that “We sure hope General Hyten and General Wheeler are invited back again next year.”

    If all goes according to plan, General Hyten will be a four star and a MAJCOM Commander in just a few weeks. If he thought he was busy before . . .

    Now let’s utilize that sage observation as a segue to General Hyten’s plenary remarks at this year’s ION JNC. Having known John Hyten for over 20 years, it has always been my experience that he does things just a bit differently – he hears a slightly different drumbeat, and this year’s plenary speech was certainly no exception. Right from the start this speech was a bit different. General Hyten warned his audience he was going to praise them for their hard work and then gently admonish them, but in a good way. With that opening statement he certainly had everyone’s attention. General Hyten asked for a show of hands from those attendees who knew that GPS originated with the USAF, the 50th Space Wing at Schriever AFB and particularly the 2SOPS (2nd Space Operations Squadron).

    2SOPS operators on the GPS Operations Floor at Schriever AFB, CO

    In the GPS/PNT-savvy audience Gen Hyten was addressing, literally every hand went up, and that was evidently what he hoped to see. The response was not a surprise to anyone; however, the general went on to make the point that if he went out into the general population in the Renaissance Hotel at SeaWorld he would be lucky to find one in ten who even knew what GPS stood for, and that it came from space, and almost none would know that it was, is, and will for the foreseeable future always be provided free of charge to global users courtesy of the USAF.

    GPS has been provided by the USAF free of charge for global users ever since President Ronald Reagan declared it so via a Presidential Decision Directive issued in 1988 shortly after the Soviet military shot down a Korean Air airliner (Flight 007) that had strayed off course and into Soviet Airspace due to a navigation error.

    Ironically, General Hyten made the point that if the U.S. Government charged for use of the GPS signals, even at a nickel (5 cents) per user per device per year, it would pay for itself, and everyone would know that the USAF provided the service on behalf of the U.S. Government.

    However, since it is free, ubiquitous, and considered almost a utility today, everyone around the world just assumes it will always be there and they don’t think about how or why the signals are provided. GPS is just always there.

    GPS Orbitology 101- Courtesy of the USAF

     

    General Hyten went on to make several cogent points concerning current and future use of GPS and other PNT assets. At the same time he warned us that there are those in the Pentagon [Obviously shortsighted, my comment, not the general’s. — DJ] who erroneously question why we still need GPS today. They myopically see it as an antiquated, compromised system, when in fact GPS and multi-GNSS PNT systems are on the cutting edge of technology.

    The general made the comparison with WWII bombers that were being shot down at an alarming rate until the War Department (circa 1943) started the practice of using fighter escorts to help them fight through and return home safely. The analogy applies to GPS, which even today is being purposefully and at times maliciously attacked by spoofers and jammers.

    Augmentations

    Fortunately there are numerous actions that can be and are being taken to secure GPS as a critical global service — fighter escorts if you will — that will not only help GPS maintain its preeminent Gold Standard position in the world of global PNT, but allow the system to grow and mature, even flourish, with additional high tech capabilities such as CNAV and MNAV (new civilian and military navigation messages).

    Indeed the general stated that we have just begun to explore all the transformational capabilities being added to our GPS/PNT and multi-GNSS arsenal with the addition of L1-L2 M-Code (military code) and L2-L5 CNAV signals.

    Of additional interest are space-based augmentations (SBAS) such as WAAS (Wide Area Augmentation System) and EGNOS (European Geostationary Navigation Overlay Service) as well as independent regional terrestrial augmentations and backups such as E- and D-LORAN (long range navigation), which today have demonstrated a time stability of 1×10⁻¹² and a position accuracy of 5-10 meters, an order of magnitude better than LORAN C’s 50-1,000 meters.

    General Hyten went on to warn the commercial PNT vendors and government program managers in the 400+ audience that they must cease placing commercial GPS receivers in critical government systems that support the war fighters, government users, and our critical national infrastructure. Indeed he said this is why we have SAASM (Selective Availability Anti-Spoofing Module) and M-Code: to help secure these critical systems against interference, jamming and spoofing, intentional or otherwise. He also pleaded with industry manufacturers and vendors of PNT devices to please build their devices in strict adherence to the U.S. government’s ICD process. While the general declined to mention specific cases or companies, most in the room were aware of the ramifications of ICD non-compliance, from usefulness, mission and financial perspectives.

    The general cited several known cases where, due to noncompliance, several systems just never did work well or consistently in a war zone. He said he knew of cases where “…the PNT systems worked fine in Yuma, Arizona but failed to work in Afghanistan. Please do not put commercial systems in critical military equipment.”

    Pseudolites

    Pseudolites are another area where the general has concerns. This is of course a hotly debated spectrum issue. Whereas we in the United States have been fighting highly-publicized spectrum battles, attempting to preserve the sanctity of the GPS spectrum globally, the Europeans are on the verge of approving pseudolite implementations all over the European continent that could seriously degrade GPS/PNT/Galileo signal reception and make PNT systems unusable or at least undependable in some critical areas, especially around the approaches to airports. Although on the surface pseudolites may seem like a good solution, I always remember what Dr. Bradford Parkinson is fond of saying: “An improperly implemented pseudolite is just another name for a potential GPS or PNT jammer.”

    The Unofficial Test

    After General Hyten’s comments, I decided to put his theory to the test. Just how many people know GPS is provided free to the world courtesy of the United States Air Force?

    As someone who has been working GPS issues since 1975, I find it hard to believe that the American public is so uninformed about a system that is so critical to their everyday existence, because as most of you know, GPS is pervasive in almost all of our critical and not-so-critical national infrastructure. Indeed stealth GPS chips and receivers are embedded in so many devices today that it would be easier to name the devices that don’t use GPS. So I took the General at his word and set out to conduct my own mini-survey.

    However, before I even had a chance to think much about what I would ask, I stepped into an elevator at the Sea World Renaissance Hotel where the ION JNC was taking place and found myself face to face with an elevator full of attendees from a major medical convention in the same hotel. They saw the ION JNC patch on my black golf shirt and asked me about it.

    I told them and then asked what they knew about GPS. As in, did they know where the GPS signals came from and who provided them? Lots of answers were given and none of them remotely correct.

    Frankly I was appalled, and before they exited the elevator I made sure they knew that GPS signals came from space and were provided totally free by the USAF. Mission accomplished. But not so fast; unfortunately the rest of my day and ad hoc surveys went about the same way. Some actually knew that GPS signals were free, some knew or thought they were provided by the government but had not a clue what agency or service.

    Most thought they were radio signals from ground transmitters and were provided by the GPS equipment manufacturers. After asking more than 100 people where GPS signals originated and who provided them, I received exactly two correct answers, from wives whose husbands had recently served in the military in theater.

    In my informal survey, 2% (two percent) of the respondents knew the right answers — and they had a military background. None of the true civilians had a clue. It was appalling and discouraging! Apparently General Hyten has done his homework and his point is well taken.

    We need to get the word out that GPS is totally free, provided to the world by the United States Air Force. A simple but important message. Simple yes, and certainly discouraging at this specific venue, as this is a major part of the mission of ION and JNC — educating the world about the capabilities of GPS. Now I guess we need to emphasize the basics, just as GPS acquisition has reverted to a “back to basics” approach. I agree with General Hyten that we (all those of us who care about GPS and all that it enables) need to do the same: get out the basic message every chance we get. Join me, won’t you, in getting that simple message across?

    The next ION symposium, ION GNSS+ 2014, will take place September 8-12, 2014 at the Tampa Convention Center in Tampa, Florida. I hope to see you there.

    Thanks

    In closing I tip my hat to Lisa Beaty, the Executive Director of ION, and her entire team, especially the new Military Division headed by my good friend and Institute for Defense Analyses (IDA) colleague Jim Doherty. Jim arranged the classified Cross Talk Military Panel this year, which was the hit of the show, as it has been under Jim’s leadership for the past several years. Jim stepped down this year as the Military Division Chair during the ION JNC symposium, and he will be sorely missed, although I suspect he will still be involved in some fashion.

    The bottom line is that the ION symposia just keep getting better every year. The venues and the host hotels are first class, the food is excellent, and most of all the speakers and papers presented are scrubbed to the point that you really only get the cream of the crop. Unfortunately, you can’t say that about every GPS/PNT symposium today.

    This year the exhibitors were in a large area that allowed everyone more room, and it made for a much more relaxed atmosphere in the exhibit area. I found that I spent a great deal more time with the exhibitors this year than in years past, and what I discovered there will be the subject of several future columns.

    Until next time, happy navigating and remember, GPS comes to you courtesy of the United States Air Force.

    Aim High!

    What’s Don Reading?

    Beyond Horizons – A Half Century of Air Force Space Leadership

    David N. Spires, PhD – Professor Emeritus University of Colorado, Boulder, CO.

    Reading good history volumes is one of my favorite pastimes, and when it comes to an early history of Air Force Space there is none better than Beyond Horizons.

    Dr. Spires does an excellent job of setting the stage and explaining exactly how Air Force Space Command came into existence and why it was so sorely needed. The current volume covers the US Air Force and Air Force Space from its very beginnings at the end of WWII; think Dr. Theodore von Karman (Toward New Horizons) and General of the Army (Five-star) H.H. Arnold.

    General Arnold actually flew a Wright Flyer back in 1911 and would have retired as a 5-star Army General but on May 7, 1949, Public Law 58-81 changed the designation of Arnold’s final rank and grade to that of General of the Air Force, and he remains the only person to have held the rank. He is also the only person to hold five-star rank in two U.S. military services. General Arnold was instrumental in funding and authorizing research conducted by von Karman, and von Karman was instrumental in research that eventually led to an Air Force and an Air Force Space Command. It is all here in this fascinating book which is edited by longtime friends and colleagues George W. Bradley III (PhD) and Rick W. Sturdevant (PhD), who serve today as the Chief and Deputy Historians respectively at Air Force Space Command.

    I highly recommend this wonderful historical masterpiece, which is now in its third printing, and I predict will see many more versions and updates. In fact you can read it online at: http://www.afhso.af.mil/shared/media/document/AFD-110125-038.pdf

    The only pastime better than reading this book is talking about it personally with the author, who was also a career Air Force officer, which I have had the pleasure of doing briefly on several occasions; the conversations were fascinating. David is just full of interesting facts and stories concerning Air Force Space. I am convinced that if he were to commit them all to paper, there would be several volumes. I hope you enjoy this fascinating Air Force Space history.

     

  • GNSS Vulnerable: What to Do?

    Brad Parkinson

    Too Much Sensitivity, Not Enough Robustness, Says Parkinson

    Brad Parkinson, the founding architect of GPS, told a UK conference that the system needs to be made more robust to ensure worldwide availability of services to users. His concerns over GPS availability relate to threats such as the loss of authorized frequency spectrum (implicitly creating licensed jammers), space weather due to hyperactive ionospheric conditions, and deliberate or inadvertent jamming of GPS signals.

    He warned that GPS is more vulnerable to sabotage or disruption than ever before, and charged that politicians and security chiefs are ignoring the risk. Western governments are “in their infancy in recognizing the problem,” he remarked further in an interview with London’s Financial Times. “[In the United States] I don’t know anyone that is really in charge of it. The Department of Homeland Security should be [but] … they don’t have any people that understand it very well. They’ve got one person without any budget to speak of.”

    He also warned that Europe’s €5 billion Galileo system is equally at risk.

    Parkinson proposed a three-stage program to:

    • Protect (legally) the signal and physically eliminate jamming sources;
    • Toughen the GPS/Galileo receiver’s resistance to interference;
    • Augment the GPS signals with other satellites or with ground-based transmitters such as eLoran.

    To support his proposal, Parkinson stated, “The number one need for all GPS or Galileo users is availability. Over the years, manufacturers of signal receiver technologies have focused too much on sensitivity and not enough on resilience or robustness. The maritime industry is a particular concern where users have taken GPS for granted. They must increase preparedness and backups as they do in aviation or other GNSS using industries.

    “Even today, most ships have only GPS and the vision of their crew to guide them when approaching harbours. As you can see from today’s conference there are a wealth of solutions to toughen and backup GPS, many of which are not technologically difficult nor expensive, but still their adoption in sectors such as global shipping is certainly not adequate.”

    As part of his protection program, Parkinson urged that penalties for jamming GPS networks be coordinated worldwide. “In Australia, if you cause interference likely to cause prejudice to the safe conduct of a vessel, it’s five years in the jug [jail] and $850,000.” Contrasting this with a U.S. case that may simply impose a forfeiture of the culprit’s jamming device, Parkinson added, “I’m calling for the community of nations to move to the Aussie-type penalties.”

    In the toughening regard, Parkinson alluded to integration of GPS data with information derived from an inertial positioning system. “If you combine all of these things, a good set should be able to fly within 1 kilometer of a jammer with a 10-kilometer range,” said Parkinson. “That’s what I call toughening.”

    Parkinson made his remarks as the keynote speech at GNSS Vulnerabilities and Resilient PNT 2014, hosted by the Royal Institute of Navigation. He will also deliver the keynote address, “Assured PNT: Assured World Economic Benefits,” for the European Navigation Conference on April 15 in the Netherlands.

  • Spirent Launches SimSAFE to Address GNSS Signal Vulnerability

    Spirent Communications, a navigation and positioning systems testing company, today announced the introduction of Spirent SimSAFE, a software solution that concurrently simulates legitimate Global Navigation Satellite System (GNSS) constellations and spoofed or hoax signals to evaluate receiver resilience and help develop countermeasures. SimSAFE was developed in conjunction with Qascom, GNSS signal security and authentication experts.

    As GNSS become increasingly embedded in modern infrastructure for application timing and device positioning, the opportunities for interference and spoofing attacks become greater, Spirent said. Hoax or spoofing attacks work by mimicking genuine GNSS signals, which mislead GNSS receivers. From mobile telephony to Internet banking, GNSS timing signals are used in many key systems, and yet there is no requirement on GNSS equipment to demonstrate any degree of robustness to block or even detect malicious attacks that disrupt performance. Often, affected receivers do not recognize when they are receiving fake signals and continue to operate normally, but provide false time or position information.

    “GNSS signal vulnerability is becoming a significant issue,” said John Pottle, marketing director of Spirent’s Positioning Division. “SimSAFE is the first tool to help develop systems that will detect and counter spoofing attacks. This solution is unique in being able to provide a means of both emulating a spoof attack and monitoring a receiver under attack to evaluate mitigation strategies and countermeasures.”

    SimSAFE is a fully controllable laboratory-based, non-radiated test solution to evaluate a receiver’s response to a wide range of spoofing attacks. The test tool generates simulated spoofing attacks that can be aligned with genuine signals from an antenna or locally generated “genuine” signals using a Spirent GNSS simulator. This allows users to simulate a wide range of sophisticated attacks, monitor the response of the receiver under attack and evaluate the effectiveness of proposed countermeasures to then improve resilience against such attacks.

    screenshot: Spirent’s SimSAFE

    In essence Spirent’s SimSAFE spoofing test bed does two things:

    1. Generates simulated spoofing attacks where a Spirent RFCS is controlled to represent a hoax signal synchronized with a “genuine” signal which can be ambient GNSS or itself generated by simulation.
    2. Monitors a GNSS receiver subject to simulated spoofing attack in order to evaluate and refine mitigation strategies or countermeasures.

    The two principal applications of SimSAFE are:

    1. The evaluation of the vulnerability of a user’s receiver when exposed to a wide range of simulated spoofing attacks.
    2. The evaluation and refinement of spoofing mitigation techniques, signal authentication strategies or countermeasures. This work can be conducted using any receiver of the user’s choice; however, a range of receiver monitoring tools supplied with SimSAFE are enabled if the receiver supports Septentrio Binary File (SBF). A suitable Septentrio receiver is supplied in the standard configurations for this purpose.
  • Out in Front: Complements of the Season

    Alan Cameron

    In the wake of last month’s Expert Advice column on eLoran — “The Low Cost of Protecting America” by Dana Goward of the Resilient Navigation and Timing Foundation — come several positive comments and encouraging developments. Rather than rehearse all the arguments why we should care about this, I’ll repeat the one word that I heard most often in GNSS circles in 2013: jamming. Followed closely by: spoofing.

    “I have been advocating strongly for reconsideration of the government’s domestic Loran decision for the last year or so,” writes one reader positioned on Washington’s Beltway, “and specifically working within the Department of Defense (DoD) to ensure it is aware of international developments for eLoran in the UK and South Korea, and the possibilities inherent in other former Loran chains.

    “The DoD is beginning to recognize the value of eLoran as a complement to GPS, not only for international missions, but in cooperation with the departments of Transportation and Homeland Security for domestic critical infrastructure.”

    Last fall, Don Jewell’s Defense PNT newsletter on the same subject drew this reply from another well-known expert:

    “One of the key short-term actions is to prevent the decommissioned [Loran] sites from being sold off for subdivisions. These sites are a national treasure with unique properties: soil conductivity, water content, metal content, and more that are hugely important in siting low-frequency positioning systems. Those long-gone engineers of the 1940s and ’50s knew this and chose accordingly.”

    Before last month’s issue appeared but after it had gone to press, President Obama signed the National Defense Authorization Act (NDAA) for 2014. It contained several favorable New Year’s auguries for positioners, navigators, and timers. The act evinced an acute awareness of the vulnerability of space systems to disruption. The act is also a law governing the land. Through it Congress requires the administration to, among other things, explain biennially in its “Space Protection Strategy” report exactly how, in the event space systems are disrupted, DOD and the intelligence community “plan to provide necessary national security capabilities through alternative space, airborne, or ground systems.”

    Since said administration acted early in its first term to decommission Loran-C, the congressional directive is pointed.

    The next big thing coming up on the GNSS international horizon takes place in Rotterdam, the Netherlands, April 15–17: the European Navigation Conference, ENC-GNSS 2014. It includes a track session on “eLoran and other Low-Frequency Systems,” and I’ll be there with pencil sharpened.

    Brad Parkinson will give the ENC keynote, and he is on record as one of an august group of Institute for Defense Analyses experts who unanimously recommended that the existing Loran-C be greatly updated and modernized to eLoran. We should hear more from him on this subject amid the wharves, waterways, and docks of Europe’s largest port (world’s third busiest).

    There’s barely room left to report the successful tests of Enhanced Differential Loran (eDLoran) by Dutch specialists Reelektronika: absolute accuracy of 5 meters in the North Sea and in the Rotterdam Europort harbor area.

  • Expert Advice: The Low Cost of Protecting America

    Dana A. Goward

    By Dana A. Goward

    Highly precise and free for use by anyone with an inexpensive receiver, GPS and other GNSS are great. Their navigation and timing signals have been incorporated into nearly every aspect of modern life, from synchronizing power grids to financial systems, the Internet, telecommunications, and transportation. The U.S. Department of Homeland Security estimates that these signals are used by all 16 U.S. critical national infrastructure sectors, and are essential to the functioning of 11.

    Jamming Threat Growing. When these faint signals can’t be received, people start to feel the impact immediately. Usually outages have minimal impact because they are localized and short-lived. Often they occur because the user is temporarily in an area without a good view of the sky. More and more often, though, they are due to the presence of one of a growing number of people with jamming devices (many of which also block cell phone frequencies).

    Inexpensive, easy to obtain, and illegal, jammers are spreading as people become more concerned about privacy and being tracked by their employer, spouse, the National Security Agency, and others. Although the government tries to collect information on jamming incidents, no widespread detection system has been established, and few verbal reports are received. For the calls that do come in, it is often impossible to determine which are because of user error and which are purposeful interference.

    For those cases where jamming is discovered, locating and identifying the perpetrator is difficult and often impossible. As one example, in spite of near-daily disruption of GPS that caused the shutdown of a new landing system at Newark International Airport, it took the Federal Aviation Administration and the Federal Communications Commission more than two years of concerted effort to identify the single perpetrator.

    If a navigation satellite outage became widespread and lasted more than a few hours because of a major solar flare, software problem, hacker or cyber-attack, most authorities agree that the impacts would be catastrophic. While much of the information is classified, we do know that transportation would immediately become much less efficient and more dangerous; even many traffic lights are coordinated using satellite timing. Telecommunications, financial, energy and other systems would soon begin to fail as their back-up timing systems lost synchronization with each other. Power grids would lose synchronization and outages may occur as transmission points became overloaded.

    More than speculation, these problems have been documented in academic papers, proven in government tests in the United States and the United Kingdom, and the early stages of such impacts have been observed in localized and short-term outages in the United States. Most dramatically, they have been demonstrated by North Korea’s intentional jamming of South Korea.

    Spoofing. Of equal concern is the problem of spoofing. The world’s preeminent ethical spoofer of satellite navigation receivers, Todd Humphreys of the University of Texas, Austin, has demonstrated how easy it is to take control of unmanned aircraft and ships on autopilot by sending a slightly stronger navigation signal, making the receiver think it is somewhere other than where it is. Iran claims to have done something similar, capturing a U.S. military drone in 2010. Humphreys has also shown (on paper) how time-stamps on automated financial transactions could be altered through spoofing. This could do things like reverse the buy-sell equation at a stock exchange, allowing someone to sell at a higher price before buying at a lower one.

    The Government Solution

    What is to be done? The challenges have been extensively documented and discussed since at least the 1990s. In 2004, President Bush issued the National Space Policy (NSPD-39) that addressed the problem. Although portions of it are still classified, contained within the publicly releasable section was direction for the U.S. Department of Transportation (DOT) to, in coordination with the Department of Homeland Security (DHS): “develop, acquire, operate, and maintain backup position, navigation, and timing capabilities that can support critical transportation, homeland security, and other critical civil and commercial infrastructure applications within the United States, in the event of a disruption of … space-based positioning, navigation, and timing services.”

    eLoran Recommended. In response, the two departments consulted numerous experts and commissioned a study by the Institute for Defense Analyses (IDA) to determine what system or systems should be procured. The IDA study team, which included Brad Parkinson, widely recognized as the father of GPS, unanimously recommended that an existing and outdated nation-wide navigation system called Loran-C be greatly updated and modernized to eLoran. Such a system would provide a navigation and timing signal comparable with and complementary to GPS. They concluded that:

    “eLoran is the only cost-effective backup for national needs; it is completely interoperable with and independent of GPS, with different propagation and failure mechanisms, plus significantly superior robustness to radio frequency interference and jamming. It is a seamless backup, and its use will deter threats to US national and economic security by disrupting (jamming) GPS reception.”

    What the IDA did not find, but that has since become evident, is that establishing an eLoran system could be an important part of a network to identify and locate jamming attempts. Since all eLoran transmitters would be synchronized with GPS, and many navigation receivers would have both GPS and eLoran sensors, differences between the two systems could be immediately detected and reported.

    The body in charge of coordinating navigation and timing issues for the federal government is the National Space-Based Position Navigation and Timing Executive Committee (NPEC). It is chaired by the Deputy Secretaries of Transportation and Defense. Responding to early briefings on the IDA report (which was not formally published until 2009), the Departments of Transportation and Homeland Security in 2007 told the NPEC that they had decided eLoran was the right answer. After further federal deliberations over how to create an eLoran system, 2008 saw:

    • A press release by DHS saying that the department would implement eLoran, using the old Loran-C infrastructure (February 7, 2008)
    • The DHS 2009 Budget in Brief (February 2008) propose transferring legacy Loran-C systems and $34.5 million/year from Coast Guard to the National Protection & Programs Directorate (NPPD) within DHS, stating:

    “The FY 2009 budget transfers the budget authority for the LORAN C system from the United States Coast Guard to the NPPD. The Department, acting as Executive Agent, will begin development of enhanced eLORAN as a backup for GPS in the homeland.”

    • The National PNT Executive Committee endorse the above decisions (March 2008).

    Failure to Launch

    Unfortunately, DHS funding for 2009 came as part of a continuing resolution, and the Congress did not see fit to approve the transfer of funds from Coast Guard to NPPD.

    This was because influential members of Congress wanted the nation to have eLoran, but were concerned about the lack of a plan for transition of this important capability from one agency to another. The administration was asked to develop and submit a plan with the next budget cycle. A year later, though, no plan had been presented, and the President’s request (and enacted legislation) for 2010 contained no request to move and upgrade the system. In fact, it contained provisions for shutting down and defunding the old Loran-C system without providing funds for NPPD or any other agency to establish the new eLoran capability.

    No Solution at All. What happened between one budget year and the next to take the nation from “solution-in-hand” to “no solution at all” is not a matter of public record. Internal administration budget deliberations are not generally released to the public. It does appear, though, that a new administration putting together its first real budget quite rightly wanted to shut down an antiquated system, but did not understand the importance of a new one. This, and many other factors, unquestionably played a role.

    Movement Backward

    Without any funding, DHS has since conducted several studies and experiments, but has done very little of substance to address this critical infrastructure issue. While Department of Defense (DOD) officials talk about the need for resilience, experts throughout government and industry decry the lack of action, and the Department of Transportation still has acquiring “backup position, navigation, and timing capabilities” on its to-do list, none have seen fit to move forward on their own.

    Felling Towers. Worse, DHS is actually reducing the nation’s ability to create eLoran and a wide-area interference detection and mitigation system. An ongoing effort to fell towers and dispose of equipment from the legacy Loran-C system will significantly increase the cost and time-to-operation of the new system the nation needs.

    The Way Forward

    Fortunately, awareness and understanding of the problem within government and the general public have continued to grow.

    The U.S. National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board published a seminal white paper in 2010 on the topic, strongly recommending the establishment of an eLoran system. Todd Humphreys, the UK navigation authority, and others have provided numerous graphic demonstrations of the folly of relying upon just one electronic navigation system, and how things can go horribly wrong. Some of these have been well publicized. Other incidents are known only to a few.

    There are also signs that the U.S. intelligence, cyber, and defense communities are becoming more and more concerned. North Korea’s repeated jamming of satellite navigation and timing signals has delivered a particularly powerful lesson. South Korea has reacted by committing to establishment of a robust eLoran system. The UK has established an eLoran system and is expanding it. Russia and China have retained their versions of Loran-C and are using it to augment satellite services. Russia has announced it will upgrade its system to eLoran in cooperation with the UK, and China may not be far behind. Saudi Arabia is upgrading its system to eLoran, and India has plans for an eLoran network in the near future. In December, Iran announced it has established a land-based system with “powerful transmitters” that is “completely different with GPS.”

    Allies, adversaries, and economic competitors are augmenting satellite services with strong terrestrial ones. The United States will soon be one of only a small number of major economies that does not have a strong, difficult-to-disrupt terrestrial system protecting its critical infrastructure and providing value-added utilities. DOD’s chief information officer expressed interest in eLoran as part of DOD’s pivot to the Pacific. But providing a system at home is not in Defense’s job description, nor should it be.

    Respected leaders at the Departments of Transportation and Homeland Security still see this as an important issue that needs to be addressed. The question for them now is not one of technology. The technology decision made in 2008 has since been revalidated by a plethora of academic papers, risk estimates, and white papers. eLoran still appears to be the most effective and least expensive solution available. DOT and DHS must resolve questions of governance and how to fund the system in one of the most difficult federal budgetary climates in decades.

    How? The answer could lie in a public-private partnership (P3). In such an arrangement, the government would bring its interests and the infrastructure it owns to the table. An entity in the non-profit sector or industry would provide investment to refurbish the infrastructure, stand up, and operate the system. Such a P3 enterprise could not only pay for itself, but be an on-going source of revenue for both the government and the private entity.

    The Business Model: Demand

    A well-configured eLoran system can provide navigation accuracy to within 8 to 10 meters and timing accuracy to within 30 nanoseconds. This meets the needs of an estimated 95 percent of users in the United States. While eLoran does not offer the sub-meter precision of a high end, augmented GPS/GNSS system, it has its own advantages. In addition to being very difficult to disrupt, its high-power (typically 400 kW transmitters), low-frequency (100 kHz) signal easily penetrates and is usable underground, inside buildings, and underwater — where satellite and cell phone signals on much higher frequencies cannot reach.

    The UK experience with eLoran and private surveys in the United States have shown high commercial demand for a ubiquitous, wireless, precise, and resilient time and navigation service. Power companies want to synchronize grids with a signal that can’t be disrupted by a delivery driver trying to avoid being tracked by his boss. Cell phone companies would be happy to have alternative timing capability in their networks, provided through inexpensive eLoran receivers. Operators of autonomous vehicles want a robust navigation signal and guaranteed communications. And it would be welcomed by the many users who, research shows, rely upon GPS/GNSS time for mission-critical applications, and who have no secondary source on which to fall back in the event of a disruption.

    Since eLoran easily penetrates inside buildings, underground, and underwater, it can be used for timing and navigation in many places where no other navigation and timing sources are available. For example, it has been used for underground and underwater navigation. When paired with an accurate satellite signal before going underground or submerging, eLoran could enable a navigation receiver to maintain a comparable level of precision for several hours. Even after that, it would provide the navigator an accurate underground/underwater compass, and a good position.

    The eLoran navigation and timing system now in operation in the United Kingdom also generates revenue by transmitting data. While the full potential of this third-party data-channel capability is still being explored, the ability to assure data delivery to, and communicate with such areas is appealing to many commercial and government organizations. Potential first-responders and commercial benefits appear almost limitless.

    The Business Model: Costs

    The cost for the P3 to stand up and operate an eLoran system in the United States would be exceptionally low. Most of the needed infrastructure is already owned by the federal government in the form of the sites for the shuttered Loran-C system. Many of these still have transmission towers and other equipment that could be repurposed. Re-using this infrastructure and equipment would greatly reduce both the time and expense needed, compared to standing up the new system from scratch.

    Operating and maintenance costs would also be low. Solid-state equipment, remote monitoring, and other advances in technology make the process of re-establishing a transmission site fairly inexpensive. Today’s eLoran transmitting site consists of a tower, an equipment enclosure for the transmitter, a fence, and a backup generator. With only a modest investment to refurbish existing infrastructure, regular outlays to service capital debt would be minimal, at best.

    Some estimates predict that a terrestrial precise navigation and timing system, such as the one established in the United Kingdom and the one up for contract by South Korea, could be established in the continental United States within three years and for approximately $40 million, if the existing infrastructure were repurposed. Operating costs are estimated at approximately $16 million per year.

    Business Model: Revenues

    Significant national and homeland security concerns, high demand, and low cost (especially compared to any government space program) — clearly, but for a series of unfortunate bureaucratic reasons, eLoran would have been established in the United States, probably as a government-owned and operated system, long ago.

    But high demand and low cost are also excellent ingredients for a business enterprise, provided there are sources of revenue. An eLoran P3 could have multiple sources of revenue. Depending upon the type of partnership and business model(s) the government selected, surplus revenue could also be generated to help fund other programs or offset the deficit. Some of the possibilities include:

    ◾    Guaranteed Delivery Data Transmission. As mentioned earlier, eLoran’s high power and low frequency mean that the signal penetrates where few others will. In addition to navigation and timing information, which are inherent in the basic signal, low-rate data can also be included between the primary pulses. The highest demonstrated data transfer rate to date has been 1300 bps, which is fine for texting and issuing commands. Many believe that, with a modicum of research, that rate can be much higher. As the owner of the high-power transmitter network, the P3 would generate revenue the same as any telecommunications provider: by charging per message or for time on the network.

    Applications could include:

    • Assured wireless control of remote equipment and vehicles, including indoors, underground and underwater;
    • Information delivery to first responders and other crews regardless of location — especially good for pre-programmed emergency and operational commands to evacuate, use another procedure, and so on.
    • Immediate device updates and reprogramming. The ability to reach all of the enabled devices on a given network at the speed of light and virtually simultaneously has unlimited potential.

    ◾    PNT Interference Detection and Monitoring. One of the biggest challenges to countering jamming satellite navigation and timing signals is the lack of a detection network. The eLoran transmitter and receiver network will continuously synchronize with GPS/GNSS signals and instantly detect when differences between the two dissimilar systems occur. Instant reports could be generated to inform federal, state, and local authorities of the anomalies and their locations. Mobile disruptors could even be tracked as they drove down the highway, sailed through the port, or flew across the sky. The P3 could generate revenue by contracting to provide such information to private parties and government agencies concerned about interference incidents.

    ◾    Licensing Receivers. One of the simplest ways to generate revenue and endow the P3 would be for the government to assess a small fee on every eLoran and satellite navigation receiver sold in the United States. A one dollar fee per unit could generate more than $20 million per year and fund operation of the entire system. Such a fee could be discontinued as other sources of revenue from the system made it unnecessary.

    ◾    Broad-based User Fees. Since navigation and timing signals are essential to so much U.S. critical infrastructure, a case could be made that the cost to endow the P3 should be spread as broadly as possible across the technologies it supports. For example, a temporary 8-cent fee on every monthly U.S. cell phone and electric bill for just one year could provide enough funding to endow the P3 in perpetuity.

    ◾    Value-Added Services For High-End Users. More than 90 percent of the users of precise time in the United States require it at the microsecond (1,000 nanoseconds) level of accuracy. eLoran can provide a signal accurate to 30 nanoseconds. To achieve that level of precision, the eLoran network transmits data that compensates for low-frequency signal propagation over non-homogenous terrain. This correction data could be encrypted. Most users would access the signal at the microsecond level of accuracy for free. Revenue could be generated by charging those who desire the higher level of precision a fee for the encrypted portion of the signal.
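
    The GPS/eLoran cross-check described under “PNT Interference Detection and Monitoring” and in the earlier eLoran discussion, sketched in Python as an added example (not code from the article or from any eLoran operator). The eLoran accuracy figures come from the article; the GPS accuracy values, alarm factor, persistence count, report fields and sample reports are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# From the article: eLoran is good to roughly 8-10 m and 30 ns.
ELORAN_POS_M = 10.0
ELORAN_TIME_NS = 30.0
# Assumptions for this sketch (not from the article):
GPS_POS_M = 5.0       # nominal GPS horizontal accuracy
GPS_TIME_NS = 20.0    # nominal GPS timing accuracy
ALARM_FACTOR = 5.0    # multiples of the combined accuracy before flagging
MIN_STREAK = 3        # consecutive bad reports before an alert is raised

POS_LIMIT_M = ALARM_FACTOR * math.hypot(GPS_POS_M, ELORAN_POS_M)
TIME_LIMIT_NS = ALARM_FACTOR * math.hypot(GPS_TIME_NS, ELORAN_TIME_NS)


@dataclass
class Report:
    """One epoch from a receiver carrying both sensors (hypothetical format)."""
    receiver: str
    epoch: int                               # seconds
    eloran_pos: Tuple[float, float]          # (lat, lon) in degrees
    gps_pos: Optional[Tuple[float, float]]   # None when GPS has no fix
    gps_minus_eloran_ns: Optional[float]     # None when GPS has no fix


def distance_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def classify(r: Report) -> str:
    """Compare the two independent systems for a single report."""
    if r.gps_pos is None or r.gps_minus_eloran_ns is None:
        return "GPS_LOST"              # consistent with jamming or blocked sky
    if distance_m(r.gps_pos, r.eloran_pos) > POS_LIMIT_M:
        return "POSITION_MISMATCH"     # the two position fixes disagree
    if abs(r.gps_minus_eloran_ns) > TIME_LIMIT_NS:
        return "TIME_MISMATCH"         # the two time sources disagree
    return "OK"


def monitor(reports: List[Report]) -> List[dict]:
    """Raise one alert per receiver once a fault persists for MIN_STREAK epochs.

    Persistence filters out the short, harmless outages the article mentions
    (a receiver briefly without a good view of the sky).
    """
    streak: Dict[str, Tuple[str, int]] = {}
    alerts: List[dict] = []
    for r in sorted(reports, key=lambda x: (x.epoch, x.receiver)):
        status = classify(r)
        prev_status, count = streak.get(r.receiver, ("OK", 0))
        count = count + 1 if status == prev_status else 1
        streak[r.receiver] = (status, count)
        if status != "OK" and count == MIN_STREAK:
            # The eLoran fix is reported as the location of the anomaly.
            alerts.append({"receiver": r.receiver, "epoch": r.epoch,
                           "status": status, "where": r.eloran_pos})
    return alerts


def sample_reports() -> List[Report]:
    """Constructed data: three receivers at one site over six epochs."""
    here = (40.6900, -74.1700)
    out: List[Report] = []
    for t in range(6):
        # truck-1: GPS missing for two epochs only (for example an underpass).
        lost = t in (2, 3)
        out.append(Report("truck-1", t, here,
                          None if lost else here, None if lost else 12.0))
        # ship-7: GPS fix walks north of the eLoran fix from epoch 2 onward.
        offset = 0.001 * max(0, t - 1)
        out.append(Report("ship-7", t, here, (here[0] + offset, here[1]), 15.0))
        # grid-2: GPS time departs from eLoran time from epoch 1 onward.
        out.append(Report("grid-2", t, here, here, 10.0 if t < 1 else 400.0))
    return out


if __name__ == "__main__":
    for alert in monitor(sample_reports()):
        print(alert)
```

    Sorting the alerts by epoch and plotting the `where` field across many receivers would give the track of a moving interference source that the passage describes.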

    eLoran is an essential national and homeland security capability. The above list of potential revenue sources is just a sampling of the many ways a P3 could be funded. The point is that financing the enterprise need not come from tax dollars, and should not be an obstacle to its creation.

    The Public-Private-Partnership

    The U.S. government has had some great successes solving previously intractable problems through public-private-partnerships. Probably the best known of these are the P3s formed for housing on military bases. Establishing a business model that has private partners constructing and managing on-base housing produced more and higher quality housing for our troops.

    Such arrangements must be carefully managed, however. Both the Congressional Budget Office and the Office of Management and Budget are understandably concerned that P3s may get a project going, but soon the costs may fall entirely on the government.

    Success in any endeavor often depends upon its execution. The type of partnership the government selects and creates will be key. While, at its heart, a P3 is just a contract, the nature and provisions of government contracts are endlessly varied. Issues to address will include how the infrastructure is provided, if it is to be retained in perpetuity by the government or will be conveyed to the private party, what length of contract will allow the private partner to recoup its initial investment, and the business model(s) to be pursued.

    The type of governance will also be important. Models vary from establishment of a self-funded government corporation to oversee daily operations, to an agency-supervised, performance-based contract that only requires regular reports on system availability and performance.

    Of course, the concerns of CBO and OMB must be met. Fortunately, the federal government is not without experience with P3s. Also, there are many supporting resources available, such as the National Council for Public Private Partnerships.

    We Have to Do It

    Establishing a public-private partnership will bring together the best of both the government and the private sector. For its part, the government will bring the legacy infrastructure and its interest in safeguarding the public good to the table. The private sector will bring financing, technical know-how and innovation. A better system for America will result than would have been possible if either were to act alone.

    It is unquestionably in our urgent national interest to address the problem now, before jamming becomes more widespread, or we have a larger, more damaging event. The need is clear. The technology exists and works great. All that remains is for dedicated leaders within government and the private sector to work together and implement the solution.


    Dana A. Goward is the president and executive director of the Resilient Navigation and Timing Foundation, a non-profit organization devoted to educating people about the need for and encouraging resilient navigation and timing ecosystems with services that complement each other and have different failure modes. See www.RNTFnd.org.

  • QinetiQ, Rockwell Demonstrate Multi-Constellation Galileo/GPS Secure Positioning for Governmental Applications

    On August 30, QinetiQ and Rockwell Collins demonstrated the first joint satellite navigation positioning using live signals from the encrypted governmental services from the U.S. Department of Defense (DOD) GPS Precise Positioning Service (GPS-PPS) and the new European Galileo Public Regulated Service (PRS). The signals on GPS L1 and L2, together with Galileo PRS L1A and E6A, were processed and combined to form multi-frequency, multi-constellation position fixes.

    Positioning, navigation and timing (PNT) services provided by GNSS, such as GPS and the forthcoming Galileo system, are essential to underpinning both commercial and economic activity (the EC estimates 6-7% of the developed world’s GDP) and the delivery of governmental responsibilities including the safety and security of citizens.

    GNSS systems such as GPS and Galileo make use of very low power signals and are subject to inadvertent interference, deliberate jamming and spoofing (where an attacker generates a false signal masquerading as a valid one to mislead a user receiver). Attacks on GNSS may range from low-level criminal nuisance (a delivery driver stopping their employer tracking them), enabling theft of high-value vehicles fitted with trackers, through to state-sponsored attacks. This is potentially a significant concern for a wide range of governmental users including law enforcement, security and emergency services, critical national infrastructure, transport and defense users. The use of multiple independent, secured navigation services provides significant improvements to navigation robustness and, along with other measures, offers substantial counters to these threats.

    “This has been our first opportunity to explore how secured navigation services on GPS and Galileo can be used together to provide users with critical reliance on PNT with robust and continuous navigation services,” Nigel Davies, Head of QinetiQ’s Secured Navigation Group said. “QinetiQ is proud to be a key, long-term contributor to the Galileo Programme, having been working closely with the European Space Agency (ESA), the European GNSS Agency (GSA), European industrial partners and European Member States since 2003.  QinetiQ and Rockwell Collins wish to thank ESA, the EC and GSA for support in accessing Galileo, as well as the UK Space Agency, UK Satellite Applications Catapult and the UK MOD for their support.”