GNSS Challenges Robust - PNT

Similar documents
GNSS integrity monitoring for the detection and mitigation of interference

With Satellite Technology

Maritime Integrated PNT System

The Impact of GPS Jamming on the Safety of Navigation

The front end of the receiver performs the frequency translation, channel selection and amplification of the signal.

GPS Jamming Threat Scenarios CGSIC 2013 Nashville. Prof. Charles Curry BEng, CEng, FIET Managing Director Chronos Technology Ltd

GPS Forensics Crime, Jamming & Spoofing. Professor David Last

GPS Jamming Quantifying the Threat

DT3: RF On/Off Remote Control Technology. Rodney Singleton Joe Larsen Luis Garcia Rafael Ocampo Mike Moulton Eric Hatch

LDACS1 L-band Compatibility and Extension Towards Navigation

Optimizing IP3 and ACPR Measurements

The evolution of data connectivity

ASI Agenzia Spaziale Italiana Galileo Workshop Roma 26/07/2012. Alessandro Pozzobon, Project Manager & Co-founder Qascom

GNSS Anti-Jam Technology for the Mass Market

Biography. Key Words. Abstract. Table of Contents. 1. Introduction. Spectrum management, GPS interference, jamming

Analysis of Immunity by RF Wireless Communication Signals

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Tx/Rx A high-performance FM receiver for audio and digital applicatons

Agilent E6832A W-CDMA Calibration Application

Introduction to Receivers

Secure Navigation and Timing Without Local Storage of Secret Keys

Positioning (DiNO) DISTRIBUTION A. Approved for public release; distribution is unlimited

How To Make A Multi-User Communication Efficient

How To Understand And Understand The Power Of A Cdma/Ds System

TI GPS PPS Timing Application Note

The Phase Modulator In NBFM Voice Communication Systems

Cellular Networks: Background and Classical Vulnerabilities

CS263: Wireless Communications and Sensor Networks

ICTN Enterprise Database Security Issues and Solutions

In 3G/WCDMA mobile. IP2 and IP3 Nonlinearity Specifications for 3G/WCDMA Receivers 3G SPECIFICATIONS

Scanning with Sony Ericsson TEMS Phones. Technical Paper

Interpreting the Information Element C/I

RAIM for Ship and Rig Management

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Agilent AN 1315 Optimizing RF and Microwave Spectrum Analyzer Dynamic Range. Application Note

II. Radio equipment which transmits only under the control of electronic communications networks

Introduction to AIS White Paper

LTE Evolution for Cellular IoT Ericsson & NSN

Agilent AN 1316 Optimizing Spectrum Analyzer Amplitude Accuracy

MATRIX TECHNICAL NOTES

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

Next Generation of High Speed. Modems8

How To Use A Sound Card With A Subsonic Sound Card

White Paper How are thieves stealing modern vehicles?

HF Receiver Testing. Issues & Advances. (also presented at APDXC 2014, Osaka, Japan, November 2014)

Spectrum and Power Measurements Using the E6474A Wireless Network Optimization Platform

Application Note Noise Frequently Asked Questions

Hacking a Bird in the Sky

CHARACTERISTICS OF DEEP GPS SIGNAL FADING DUE TO IONOSPHERIC SCINTILLATION FOR AVIATION RECEIVER DESIGN

DESIGN AND IMPLMENTATION OF INTELLIGENT MOBILE PHONE DETECTOR

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Patriot Watch VIGILANCE SAFEGUARDING AMERICA

Current Probes, More Useful Than You Think

Secure and Reliable Wireless Communications for Geological Repositories and Nuclear Facilities

APPLICATION NOTE. RF System Architecture Considerations ATAN0014. Description

Information Paper. FDMA and TDMA Narrowband Digital Systems

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak

A comparison of radio direction-finding technologies. Paul Denisowski, Applications Engineer Rohde & Schwarz

CDMA Technology : Principles of CDMA/DS Decoding

CDMA Performance under Fading Channel

Electronic Communications Committee (ECC) within the European Conference of Postal and Telecommunications Administrations (CEPT)

SYSTEM GLOBAL NAVIGATION SATELLITE SYSTEM LANDING TECHNOLOGY/PRODUCT DEVELOPMENT

GSM/EDGE Output RF Spectrum on the V93000 Joe Kelly and Max Seminario, Verigy

RF Measurements Using a Modular Digitizer

Technical Datasheet Scalar Network Analyzer Model MHz to 40 GHz

AN Application Note: FCC Regulations for ISM Band Devices: MHz. FCC Regulations for ISM Band Devices: MHz

Course Curriculum for Master Degree in Electrical Engineering/Wireless Communications

An Interference Avoiding Wireless Network Architecture for Coexistence of CDMA x EVDO and LTE Systems

RF Network Analyzer Basics

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Maximizing Receiver Dynamic Range for Spectrum Monitoring

White Paper: Microcells A Solution to the Data Traffic Growth in 3G Networks?

Agilent PN RF Component Measurements: Amplifier Measurements Using the Agilent 8753 Network Analyzer. Product Note

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Optimizing Your CDMA Wireless Network Today and Tomorrow Using Drive-Test Solutions

COMPATIBILITY STUDY FOR UMTS OPERATING WITHIN THE GSM 900 AND GSM 1800 FREQUENCY BANDS

Spectrum Analyzer Two models available: OGR-24 (24 GHz) and OGR-8 (8 GHz)

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Ralph L. Brooker, Member, IEEE. Andrew Corporation, Alexandria, VA 22314, USA

Why it may be time to consider Certified Avionics for UAS (Unmanned Aerial Vehicles/Systems) White paper

AN BGU8009 Matching Options for 850 MHz / 2400 MHz Jammer Immunity. Document information. Keywords

Agilent U2000 Series USB Power Sensors

Chap#5 (Data communication)

MIMO Antenna Systems in WinProp

SkyWay-Mobile. Broadband Wireless Solution

Effects of Radio Frequency Interference on GNSS Receiver Output. Masters Thesis Peter F. de Bakker

AM TRANSMITTERS & RECEIVERS

AM/FM/ϕM Measurement Demodulator FS-K7

HD Radio FM Transmission System Specifications Rev. F August 24, 2011

Field Calibration Software

The Network and The Cloud: Addressing Security And Performance. How Your Enterprise is Impacted Today and Tomorrow

Propsim enabled Aerospace, Satellite and Airborne Radio System Testing

Evaluating Cell Phone and Personal Communications Equipment and their EMC Effects on Automotive Audio and In-Cabin Modules

Use Data Budgets to Manage Large Acoustic Datasets

VME IF PHASE MODULATOR UNIT. mod

Modernising Justice 24 th June Charles Curry BEng, CEng, FIET Chronos Technology Ltd

RECOMMENDATION ITU-R BS.704 *, ** Characteristics of FM sound broadcasting reference receivers for planning purposes

INTRODUCTION TO COMMUNICATION SYSTEMS AND TRANSMISSION MEDIA

Acquisition of Weak Signals in Multi-Constellation Frequency Domain Receivers

ILS Replacement. ACI World Safety Seminar November 2008 Kempinski Hotel Beijing Lufthansa Centre

Transcription:

GNSS Challenges Robust - PNT

2 Why is GNSS Vulnerable? A Weak Signal from Space Very weak when received on the Ground Easily interfered with, Easy to Reproduce a fake signal, good enough to fool many receivers Operational Characteristics Many Receivers are not looking for signal issues, will lock onto poorly reproduced signals, will move position a long way, without any warning and will smooth fit through erratic positions GNSS is a Positioning and Timing system It is not a complete navigation system. Other sensors should be used as well to support Navigation The Ground Environment is not ideal to receive signals Urban Canyons, Poor Geometry, Reflections, etc. - can degrade performance without warnings Complacency GPS has appeared to work very well for many years It s timing use in particular is very widespread, often little thought has been given to backup or integrity The higher the level of performance required the higher the risk

3 Non-Deliberate Threats to GNSS

4 GNSS Incidents San Diego 2007 - US Navy accidentally jams GPS signals during an exercise Knocked out ATM s and a Hospital Paging System until rectified Hannover Airport 2012 - A GPS repeater in a Hangar Caused GPS anomalies on the Runway which was 1km away Florida 2014 - Cargo thieves used GPS jammers Only picked up after a traffic incident when Police searched the refrigerated trailers China 2014 High-end Car thieves used jammers for GPS and Cell There were 46 recorded incidents Many criminals now assume their targets have GPS trackers GPS leap second issue 2015 Navigation Data is reporting a leap second event for June 2015, many receivers though have already implemented the leap second and are now 1 second out on the GPS/UTC offset

5 How are GNSS threats evolving? Interference threat increasing rapidly Real jamming events are being detected daily Spoofing is (in comparison) in its infancy but becoming much easier to carry out Human error will cause problems (Control centre operators, Software ) As in the IP world the threats to GNSS will likely come from the following groups (Source SANS Institute) Unstructured Hacker Structured Hacker Organised crime/industrial espionage Insider Unfunded terrorist group Funded terrorist group Nation State Strong parallels with evolution of Information Security threats (Theunissen)

6 GNSS Jamming? GPS interference source At the GPS Receiver: Carrier to Noise Ratio (CNR) degraded the low elevation satellites are affected first.. Noise increases increasing errors in positioning and timing Eventually Receiver cannot track any more Jamming trials in the North Sea (project STAVOG, 2012) showed that it was possible for a shore based jammer to induce large positional uncertainty in the host GNSS receiver without any alarms or other indication of poor accuracy

7 GNSS spoofing Intentional Spoofing: The objective of a spoofing attack is to cheat the receiver position and/or time.. Spoofing Signals Authentic satellite signals Spoofer position X Truth PVT X False PVT

8 GNSS Threat Mitigation an overview Threat Non-Intentional jamming or spoofing Mitigation Integrity monitoring systems Jamming Spoofing Jamming detection / mitigation / localization techniques Signal authentication techniques

9 Summary GNSS has been Fantastic It has enabled and supported multiple applications globally which would not have been possible even 15 years ago If GNSS is to continue to be the widespread utility we rely on then steps are needed to improve Robustness before an incident causes users to lose faith Jamming is the currently the main threat But as Navigation becomes more resilient and backup systems are improved, then other threats may emerge To date there have been no confirmed Spoofing attacks in the real world There have been experiments, and unconfirmed claims of UAV s being brought down An accurate simulation system with sophisticated models is essential to develop mitigation techniques

Thank-you

Backup Material

12 Jammer categories (based on bandwidth) Continuous Wave (CW) Usually defined as occupying less than 100kHz of bandwidth Single frequency only Narrowband (NB) Normally defined as any unwanted signal occupying more than 1MHz of bandwidth but less than the bandwidth of L1 C/A code ( +/- 1.023 MHz) Narrowband interferences is usually centred on the target frequency (e.g., GPS L1) Broadband (BB) or Wideband Occupies the entire bandwidth about the target frequency (for GPS L1, +/- 10.23 MHz) Notes: J/S ratios are always related to dbm Published J/S ratios are often related to P(Y) code only (e.g., L1 = -133dBm, L2 = -136 dbm)

13 The importance of accuracy in simulation Example 1 Most important consideration in simulation is the accuracy of the amplitude The complete signal bandwidth must be measured to account for the full jamming energy Accuracy of signal power levels is critical incorrect power levels will affect the J/S ratio even though the jammer levels may be correct +1dB error in measuring the amplitude of an L1 GPS jammer 1dB = 10 log JM/JT JM is the measured jammer power JT is the true jammer power JT = 1.26 JM, In other words a 26% measurement error!

14 The importance of accuracy in simulation Example 2 You are measuring where a given GNSS Receiver loses lock for a fixed jammer power. How would a 1 db power error affect this JM/JT = (RT / RM )2 JM is the measured jammer power JT is the true jammer power RT is the range calculated using JT RM is the range calculated using JM We can rewrite the equation as 10 log JM 10 log JT = 20 log RT /RM RM = RT * 10-1/20 RM = 0.89 RT In other words we would expect an 11% error in the range Measurement accuracy is Critical!

15 Spirent Interference Test Systems 1 External Signal Generator Combine GNSS simulator & RF interference generator Control via SimGEN software Up to 4 Signal sources Variable frequency CW, swept, AM, FM, white noise High J/S possible (>120dB), uses external combiner

16 Spirent Interference Test Systems 2 Dual RF Signal Generator Embedded Interference Control via SimGEN software Up to Sixteen sources per Constellation/Frequency In-band and Coherant CW & PSK noise Channels can be combined for higher J/S Max J/S 100dB (GSS9000) 80dB (GSS8000) SimGEN Host PCIe Up to 5 Interference Banks Up to 5 GNSS Banks GSS9000 RF Out 1

17 Real Navigation System spoofing From AIS Exposed: Understanding Vulnerabilities and attacks 2.0, Balduzzi et al, Blackhat Asia 2014 Presentation contains details of how AIS could be hacked... Includes examples of attacks Fake Man overboard generation False weather data generation False Collision warning Spoofing position Impersonate Port Authority Book TDMA slots

18 Spirent - Spoofing test set-up Can Use Live Sky + Simulated Spoofer or Simulated both Reference receiver

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information