GNSS Challenges Robust - PNT
Why is GNSS Vulnerable?
- A Weak Signal from Space
  - Very weak when received on the ground
  - Easily interfered with
  - Easy to reproduce a fake signal, good enough to fool many receivers
- Operational Characteristics
  - Many receivers are not looking for signal issues, will lock onto poorly reproduced signals, will move position a long way without any warning, and will smooth fit through erratic positions
- GNSS is a Positioning and Timing system
  - It is not a complete navigation system. Other sensors should be used as well to support navigation
- The Ground Environment is not ideal to receive signals
  - Urban canyons, poor geometry, reflections, etc. can degrade performance without warnings
- Complacency
  - GPS has appeared to work very well for many years
  - Its timing use in particular is very widespread; often little thought has been given to backup or integrity
  - The higher the level of performance required, the higher the risk
Non-Deliberate Threats to GNSS
GNSS Incidents
- San Diego 2007 - US Navy accidentally jams GPS signals during an exercise
  - Knocked out ATMs and a hospital paging system until rectified
- Hannover Airport 2012 - A GPS repeater in a hangar
  - Caused GPS anomalies on the runway, which was 1km away
- Florida 2014 - Cargo thieves used GPS jammers
  - Only picked up after a traffic incident when police searched the refrigerated trailers
- China 2014 - High-end car thieves used jammers for GPS and cell
  - There were 46 recorded incidents
  - Many criminals now assume their targets have GPS trackers
- GPS leap second issue 2015
  - Navigation data is reporting a leap second event for June 2015; many receivers, though, have already implemented the leap second and are now 1 second out on the GPS/UTC offset
How are GNSS threats evolving?
- Interference threat increasing rapidly
  - Real jamming events are being detected daily
- Spoofing is (in comparison) in its infancy but becoming much easier to carry out
- Human error will cause problems (control centre operators, software)
- As in the IP world, the threats to GNSS will likely come from the following groups (Source: SANS Institute)
  - Unstructured hacker
  - Structured hacker
  - Organised crime/industrial espionage
  - Insider
  - Unfunded terrorist group
  - Funded terrorist group
  - Nation state
- Strong parallels with evolution of Information Security threats (Theunissen)
GNSS Jamming?
[Figure label: GPS interference source]
- At the GPS receiver:
  - Carrier to Noise Ratio (CNR) is degraded; the low elevation satellites are affected first
  - Noise increases, increasing errors in positioning and timing
  - Eventually the receiver cannot track any more
- Jamming trials in the North Sea (project STAVOG, 2012) showed that it was possible for a shore based jammer to induce large positional uncertainty in the host GNSS receiver without any alarms or other indication of poor accuracy
GNSS spoofing
- Intentional spoofing: the objective of a spoofing attack is to falsify the receiver's position and/or time
[Figure labels: Spoofing signals; Authentic satellite signals; Spoofer position; Truth PVT (X); False PVT (X)]
GNSS Threat Mitigation - an overview
Threat | Mitigation
Non-intentional jamming or spoofing | Integrity monitoring systems
Jamming | Jamming detection / mitigation / localization techniques
Spoofing | Signal authentication techniques
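An added example, not part of the original slides: a minimal receiver-side monitor for the symptoms described above (C/N0 falling across all satellites with low-elevation ones lost first, and a position that moves a long way without warning). The NMEA GSV sentences, position fixes, 6 dB threshold and function names are constructed for illustration.

```python
import math
import statistics

# Constructed NMEA GSV sentences (checksums omitted). Each satellite block is
# PRN, elevation (deg), azimuth (deg), C/N0 (dB-Hz); empty C/N0 = not tracked.
BASELINE = ["$GPGSV,2,1,07,02,65,120,46,05,48,210,44,12,30,045,41,15,12,300,36",
            "$GPGSV,2,2,07,18,72,010,47,21,25,150,40,25,08,260,34"]
DEGRADED = ["$GPGSV,2,1,07,02,65,120,38,05,48,210,35,12,30,045,30,15,12,300,",
            "$GPGSV,2,2,07,18,72,010,39,21,25,150,29,25,08,260,"]

def parse_gsv(sentences):
    """Return {prn: (elevation_deg, cn0_dbhz or None)} from GSV sentences."""
    sats = {}
    for sentence in sentences:
        fields = sentence.split("*")[0].split(",")
        if not fields[0].endswith("GSV"):
            continue
        for i in range(4, len(fields) - 3, 4):
            prn, elev, _az, cn0 = fields[i:i + 4]
            if prn and elev:
                sats[prn] = (int(elev), int(cn0) if cn0 else None)
    return sats

def jamming_indicators(baseline, current, drop_db=6.0):
    """Compare C/N0 with a known-good baseline; drop_db is an assumed threshold."""
    base, cur = parse_gsv(baseline), parse_gsv(current)
    common = [p for p in base if p in cur and base[p][1] is not None]
    lost = sorted(p for p in common if cur[p][1] is None)
    tracked = [p for p in common if cur[p][1] is not None]
    drops = [base[p][1] - cur[p][1] for p in tracked]
    median_drop = statistics.median(drops) if drops else float("inf")
    # Jamming signature from the slides: low-elevation satellites drop out first.
    low_first = bool(lost) and all(
        cur[l][0] < cur[t][0] for l in lost for t in tracked)
    return {"median_drop_db": median_drop, "lost": lost,
            "low_elevation_lost_first": low_first,
            "alarm": median_drop >= drop_db}

def implied_speed_mps(fix_a, fix_b):
    """Speed implied by two (time_s, lat_deg, lon_deg) fixes (haversine)."""
    (t1, la1, lo1), (t2, la2, lo2) = fix_a, fix_b
    p1, p2 = math.radians(la1), math.radians(la2)
    h = (math.sin((p2 - p1) / 2) ** 2 +
         math.cos(p1) * math.cos(p2) * math.sin(math.radians(lo2 - lo1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h)) / (t2 - t1)

if __name__ == "__main__":
    print(jamming_indicators(BASELINE, DEGRADED))
    # Constructed fixes one second apart: a jump no vessel could make.
    print(implied_speed_mps((0, 57.0, 2.0), (1, 57.0, 2.01)))
```

A common-mode C/N0 drop across every satellite points at interference rather than local blockage of one signal; the implied-speed check is compared against the platform's known maximum speed.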
Summary
- GNSS has been fantastic
  - It has enabled and supported multiple applications globally which would not have been possible even 15 years ago
- If GNSS is to continue to be the widespread utility we rely on, then steps are needed to improve robustness before an incident causes users to lose faith
- Jamming is currently the main threat
  - But as navigation becomes more resilient and backup systems are improved, other threats may emerge
- To date there have been no confirmed spoofing attacks in the real world
  - There have been experiments, and unconfirmed claims of UAVs being brought down
- An accurate simulation system with sophisticated models is essential to develop mitigation techniques
Thank-you
Backup Material
Jammer categories (based on bandwidth)
- Continuous Wave (CW)
  - Usually defined as occupying less than 100kHz of bandwidth
  - Single frequency only
- Narrowband (NB)
  - Normally defined as any unwanted signal occupying more than 1MHz of bandwidth but less than the bandwidth of L1 C/A code (+/- 1.023 MHz)
  - Narrowband interference is usually centred on the target frequency (e.g., GPS L1)
- Broadband (BB) or Wideband
  - Occupies the entire bandwidth about the target frequency (for GPS L1, +/- 10.23 MHz)
- Notes:
  - J/S ratios are always related to dBm
  - Published J/S ratios are often related to P(Y) code only (e.g., L1 = -133dBm, L2 = -136 dBm)
The importance of accuracy in simulation - Example 1
- Most important consideration in simulation is the accuracy of the amplitude
- The complete signal bandwidth must be measured to account for the full jamming energy
- Accuracy of signal power levels is critical: incorrect power levels will affect the J/S ratio even though the jammer levels may be correct
- +1dB error in measuring the amplitude of an L1 GPS jammer:
  - $1\,\text{dB} = 10 \log (J_M / J_T)$
  - $J_M$ is the measured jammer power
  - $J_T$ is the true jammer power
  - $J_T = 1.26\, J_M$; in other words, a 26% measurement error!
The importance of accuracy in simulation - Example 2
- You are measuring where a given GNSS receiver loses lock for a fixed jammer power. How would a 1 dB power error affect this?
  - $J_M / J_T = (R_T / R_M)^2$
  - $J_M$ is the measured jammer power
  - $J_T$ is the true jammer power
  - $R_T$ is the range calculated using $J_T$
  - $R_M$ is the range calculated using $J_M$
- We can rewrite the equation as
  - $10 \log J_M - 10 \log J_T = 20 \log (R_T / R_M)$
  - $R_M = R_T \times 10^{-1/20}$
  - $R_M = 0.89\, R_T$
- In other words, we would expect an 11% error in the range
- Measurement accuracy is critical!
Spirent Interference Test Systems 1
- External Signal Generator
  - Combine GNSS simulator & RF interference generator
  - Control via SimGEN software
  - Up to 4 signal sources
  - Variable frequency
  - CW, swept, AM, FM, white noise
  - High J/S possible (>120dB), uses external combiner
Spirent Interference Test Systems 2
- Dual RF Signal Generator
  - Embedded interference
  - Control via SimGEN software
  - Up to sixteen sources per constellation/frequency
  - In-band and coherent CW & PSK noise
  - Channels can be combined for higher J/S
  - Max J/S 100dB (GSS9000), 80dB (GSS8000)
[Diagram labels: SimGEN Host; PCIe; Up to 5 Interference Banks; Up to 5 GNSS Banks; GSS9000; RF Out 1]
Real Navigation System spoofing
- From "AIS Exposed: Understanding Vulnerabilities and attacks 2.0", Balduzzi et al, Blackhat Asia 2014
- Presentation contains details of how AIS could be hacked...
- Includes examples of attacks
  - Fake man overboard generation
  - False weather data generation
  - False collision warning
  - Spoofing position
  - Impersonate port authority
  - Book TDMA slots
Spirent - Spoofing test set-up
- Can use Live Sky + Simulated Spoofer, or Simulated both
[Diagram label: Reference receiver]