Operators of critical infrastructure must start taking a more responsible attitude to the GPS receivers in their systems, according to a new presentation from the US Department of Homeland Security (DHS).
Published in December by the Homeland Security Systems Engineering and Development Institute (HSSEDI), Responsible Use of GPS for Critical Infrastructure paints a picture of a world that has radically changed since GPS was first made available to civilian users in 1992.
Back then, GPS was a “wonderful technology with nice people”, receivers were simple radios, and signals were few and far between, so receivers had to be as open as possible.
GPS receivers are computers and must be protected
Now, in the 21st century, that’s all changed. Receivers have got a lot more complex, and are now effectively networked computers with a wireless access point. But they’re still widely thought of as simple radios, so they’re not protected in the way that IT systems, networks and devices are.
A slide from the HSSEDI presentation
As a result, criminals and other malicious actors have started to view GPS receivers as an attractive attack surface, providing possible entry points into safety-critical and liability-critical systems.
Disruption to GPS-dependent systems is increasing
Attacks (both malicious and unintentional) on GPS-dependent systems are not only increasing, but also getting more sophisticated, as the technology available to carry them out gets cheaper and more accessible. In the past few years we’ve seen incidents like:
• A large east coast US container port brought to a halt for several hours due to GPS interference
• Widespread disruption to aviation at airports around the globe, due to GPS jamming and other forms of interference
• Disrupted digital radio broadcasts caused by an error in the GPS control software
• Disruptions to shipping in the Black Sea and traffic in Moscow city centre, seemingly caused by Russian testing of GPS spoofing weapons
• Criminal use of GPS spoofing techniques to evade US border control detection
GPS has become an indispensable and widely-embedded utility
These are unsettling developments, because every sector of critical infrastructure relies on GPS for position, navigation and timing information. GPS receivers are built into everything from mobile telecommunications networks and energy grids to core banking systems, emergency services co-ordination and air traffic control.
The scale of adoption underscores just how useful GPS is to all kinds of critical operations, but it also creates valid concerns. If anything disrupts the availability or accurate processing of this “invisible utility”, key services could be threatened.
DHS demands a more responsible approach to GPS
The DHS presentation positions this as a significant risk to national security, and calls upon developers, integrators, buyers and users alike to take a more responsible approach to GPS receiver design, selection and use.
In particular, it urges them to make sure receivers used in critical infrastructure are resilient. In US policymaking terms, that means receivers should be designed not only to withstand interference, but also to recognise when disruption is in progress and sound an alarm, and to know when they have been compromised and take action that allows them to recover quickly to their normal state.
Impressively, it goes on to provide some excellent practical advice for ensuring receivers are resilient at every layer, including:
Antennas: Use antennas designed to resist jamming and spoofing, and position them carefully to make them less vulnerable to over-the-air attack.
Receivers: Install “competent” receivers equipped with effective anti-jam and anti-spoofing software, and which can receive and process the more secure “modernized” GPS signals (broadcast on the L5 frequency) rather than just the original GPS signals (broadcast on the L1 frequency).
Backup technologies: Integrate the receiver with other technologies that can temporarily take over position, navigation and/or timing duties if GPS is disrupted. This might include holdover clocks for timing systems, or inertial sensors like accelerometers, LiDAR or WiFi for navigation and positioning.
System design and assurance: Pay close attention to overall system design and configuration, to avoid vulnerabilities that could become entry points. Apply rigorous software assurance throughout the stack, from the embedded firmware (often taken for granted) up to the application layer.
Risk management: Above all, the presentation calls for a more responsible approach to risk management as it relates to GPS use in critical infrastructure. Operators are urged to conduct thorough risk evaluations to understand how receivers might be compromised and draw up contingency plans to ensure continued operation in the event of a GPS outage.
Testing that a receiver meets the required levels of competence and resilience cannot be done adequately with live signals or recorded live signals – and the presentation recommends the use of a GPS simulator to understand how a receiver performs in the presence of natural or man-made interference.
The DHS advice echoes the words of Brad Parkinson, the “godfather of GPS”, who was very aware of the fragility of these extremely weak but ultra-useful signals from space. His watchwords for GPS operator and users were “protect, toughen and augment” – exactly the approach that the DHS presentation calls upon operators of critical infrastructure to apply to their receivers.
A watershed moment in the history of GNSS vulnerabilities
In my view, this presentation marks a watershed moment in the history of GNSS vulnerabilities. In my keynote presentation to the 2017 International Navigation Conference in November, I argued that GNSS cybersecurity is following the same trajectory as IT cybersecurity, with GNSS receivers becoming more complex, more vulnerable, and more in need of protection as we become more reliant upon them.
The DHS has issued guidance before to designers and developers of receivers (for example, this excellent 2017 paper on Improving the Operation and Development of GPS Equipment used by Critical Infrastructure), and has alerted buyers and users of GPS equipment to the risks presented by natural and man-made interference.
Now, it’s combined these two approaches to create a practical guide for buyers and users that will help them evaluate receiver competence and resilience in the face of known and unknown threats.
In the continued absence of international security standards for GNSS-based systems, warnings and guidance like this one from the Department of Homeland Security become not only welcome, but absolutely necessary.
Stay up to date with GNSS cybersecurity developments
Threats to GNSS-based position, navigation and timing (PNT) systems are evolving all the time. To stay up to date with the latest news on GNSS vulnerabilities, join the growing community in the GNSS Vulnerabilities LinkedIn Group.