WORKING TOGETHER TO PROTECT GPS - US GOVERNMENT ASKING FOR GUIDANCE ON GNSS CYBERSECURITY

We have long known how important resilient GPS is for critical infrastructure that depends on accurate and secure Positioning, Navigation and Timing (PNT).
This year, the US Government has set out to define a framework for the responsible use of PNT services and, together with NIST, is inviting the private sector to contribute knowledge on this topic.

This piece offers insight into our usage of PNT and GPS, based on more than 35 comments that were submitted to the initial RFI.

In this ongoing process, the draft of the PNT User Profile is currently open for comments and can be found on NIST's website or through a link embedded in the article.

The year 2020 has been an eventful time for all of us, with many aspects of our everyday lives affected. With everything that has occurred, some important news may go unnoticed. It is worth pointing out that the US government, along with many other administrations around the world, is trying to figure out how to protect critical infrastructure from the devastating effects that a disruption of GPS would cause. GPS is an essential technology used extensively today by multiple industries.

COVID-19 has actually highlighted the importance of satellite-based tracking and navigation and has demonstrated our dependence on it, specifically regarding phone tracking, electronic monitoring, autonomous robots navigating our streets, and other areas.

Back in February, the US government issued an Executive Order titled “Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services.” It makes the establishment of resilient Positioning, Navigation, and Timing (PNT) services a national priority. PNT is a term often used interchangeably with GPS and other Global Navigation Satellite Systems (Galileo, GLONASS, and BeiDou).

The Executive Order highlights the requirements for PNT technology, specifically in the context of its integration into our critical infrastructure. It also sets a 1-year time frame (until Feb 2021) during which the Secretary of Commerce, together with other US agencies, needs to formulate ‘PNT Profiles.’ The PNT profiles will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services, identify appropriate PNT services, detect the disruption and manipulation of PNT services, and manage the associated risks to the systems, networks, and assets dependent on PNT services. Once made available, the PNT profiles shall be reviewed every 2 years and updated as necessary.

The Secretary of Commerce, the Secretary of Defense, the Secretary of Transportation, and the Secretary of Homeland Security are required to provide a viable long-term plan to achieve national PNT resiliency. As part of this effort, NIST (the National Institute of Standards and Technology), an agency of the United States Department of Commerce, asked the public and industry back in July to submit comments on the use of GPS and the vulnerabilities that need to be addressed in the upcoming basic User Profile created by NIST. This profile will serve as guidance for the further development of more sector-specific profiles.

A total of 39 comments were submitted on NIST’s website by corporations, non-government agencies, and individuals. Most of the comments were sent by US-based companies, with a few exceptions, such as Regulus Cyber, which was the only Israel-based submission.

The comments covered industries that are very familiar with the ongoing threat to GPS:

  • Telecommunications
  • Energy
  • Defense

And several new industries that have only recently started dealing with the GPS risk:

  • Datacenters
  • Enhanced 911 + Emergency Service Sector
  • IoT
  • Electronic Monitoring (offender ankle monitors) 

Some of the comments address the location aspect of GPS, while others focus on timing issues. Most services use one of the two, but both are essentially vulnerable to the same types of jamming or spoofing attacks. Commenters provide evidence from both research and real-life examples, demonstrating that even small variations in time or location, caused by an external source manipulating them, can crash an entire system or network.

GPS spoofing as a cybersecurity vulnerability is discussed in 19 of the 39 comments, highlighting the fact that this kind of satellite signal manipulation needs to be addressed with the same urgency as any other cybersecurity vulnerability. 

Many of the comments include more than just a list of potential vulnerabilities.  They also offer different methods to improve the resilience of GNSS-based systems against current and future threats. These protection methods can be divided into 4 main categories:

  • Back-up systems (such as eLoran)
  • Hardware modifications to existing GNSS receivers (such as additional antennas)
  • Sensor fusion
  • Integrating different software solutions that provide real-time detection of an attack (such as the Regulus Pyramid GNSS software).

The comments provide 4 important insights about resilient PNT:

  1. GPS is vulnerable to both jamming and spoofing, but spoofing is harder to detect.
  2. Many critical systems, with national importance, are very reliant on GPS.
  3. Redundancy for GPS, utilizing back-up systems or alternatives, is key.
  4. Being able to detect attacks in real-time and utilizing these back-up systems is also crucial. 

The first deliverable of this NIST effort is now available on the NIST website, where the draft of the Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services is open for comments until November 23, 2020.

It appears that this is only the beginning of a global process tackling a neglected side of cybersecurity.  There will be long-lasting effects on the way PNT is used and the kind of protection that is being implemented to make sure it continues powering our technology, reliably and securely. 

You may read the official comment made by Regulus Cyber on NIST’s RFI here:

https://www.regulus.com/blog/nist-rfi-for-pnt-resilience-official-response-by-regulus-cyber