Satellite-based positioning, navigation and timing (PNT) plays a crucial role in many areas of critical infrastructure – and systems that use it must be able to cope appropriately with interference, satellite system errors and cyberattacks.
That’s the premise behind the recently publishedfrom the US Department of Homeland Security’s Science and Technology division (DHS S&T), and the subject of our latest .
Published in December 2020, it sets out a five-level framework for categorising the resilience of PNT user equipment in the face of threats like jamming, spoofing, multipath and constellation errors. Buyers and users of GNSS-dependent systems should familiarise themselves with it now, as it’s likely to inform future technical standards for PNT system robustness and resilience.
Welcome guidance as threats to GNSS increase
The framework is a welcome piece of guidance, because the threats to GNSS-dependent systems are growing all the time.
In April 2019, for example, the GPS week number rollover event(NYCWiN) for several days, leaving City Hall unable to monitor traffic lights at 12,389 intersections or to read licence plates via its automatic licence plate readers.
And that was a long-planned event for which users had, and could (and should) have prepared. Most disruption to GNSS-dependent systems is caused not by scheduled updates to satellite constellations, but by unpredictable threats on the ground, like radio frequency interference (RFI) from jammers or faulty equipment, , and .
Recently we’ve also seen the rise of signal spoofing, or the transmission of fake GNSS signals. For a few days in 2017, for example, more than 20 ships in the Black Sea found their– due almost certainly to nation state-level spoofing. A more sophisticated type of attack emerged in 2019, when ships approaching the Port of Shanghai in China that showed them apparently sailing in circles. These spoofing attacks continue to occur, with a warning of impacts on bridge navigation, GPS-based timing, and communications equipment in a variety of locations.
A step in the right direction for ensuring system resilience
Buyers of GNSS-dependent systems for critical applications need to be confident that those systems will cope adequately with threats like these. But to date, there has been no commonly accepted way of categorising a system’s level of resilience, and no commonly agreed test methodologies for evaluating whether a system exhibits the required level of resilience.
The Resilient PNT Framework is a step in the right direction, in that it addresses the first of these requirements. It sets out five levels of resilience, from 0 (not resilient) to 4 (most resilient), and describes what the outcome should be at levels 1–4 in terms of the system’s “ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions."
Specifically, that includes “the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents."
The emphasis on recovery is important, because this is what distinguishes resilience from robustness. A Level 1 system may not function while an incident is occurring (and thus is not robust), but can be manually reset to its normal working state afterwards. A Level 4 system, by contrast, should continue to provide a PNT solution with no degradation of performance throughout the incident, and any affected components will auto-recover with no need for manual intervention.
A framework, but no practical test methodologies
While the framework provides a solid foundation for thinking about system resilience, it doesn’t provide any test methodologies or scenarios to help regulators, buyers and users establish the resilience of a given system.
That’s deliberate, as the DHS recognises that systems are architected differently depending on their intended application, and that they operate in different conditions and face different threats. A self-driving car with a battery of PNT sensors will require a different test methodology from a static, GPS-dependent grandmaster clock in an electricity grid, for example.
Instead, the DHS recommends that industry regulators define their own technical standards and test methodologies, using the Resilient PNT Conformance Framework as a common foundation.
Our view at Spirent is that, to be effective, the framework needs to be taken up not just by national regulators, but by international bodies as well. Many GNSS-dependent systems are used in cross-border contexts – from maritime and aviation navigation systems to just-in-time supply chain management – so international consensus on the guidelines would be preferable.
Regulators will find it challenging to define test methodologies
Whether national or international, those bodies will encounter challenges in translating the outcomes-focused framework into practical test methodologies.
Any methodology will need to include a set of relevant test scenarios, but the wide variety of threats, and the different levels of risk they pose to different systems, means flexibility will be needed in terms of which scenarios are used and how each threat is modelled.
Then there’s the fact that man-made threats to GNSS-dependent systems are constantly evolving as bad actors attempt to stay one step ahead of security measures. We see new types of jammer emerging all the time, and spoofing is becoming progressively more sophisticated. A GNSS receiver that conforms to Level 4 resilience in 2022 may be less resilient by 2025 if a previously unknown type of spoofing emerges in the interim (as we saw in Shanghai in 2019).
Find out more about the challenges and potential solutions
While we wait for the expected standardisation of the framework, Spirent has created a webinar series to look at the challenges of standardisation, the way to assess the risks your business faces, and a perspective on testing PNT as part of a wider cybersecurity framework.