
GNSS Security Attack Vectors in Critical National Infrastructure

The four main Global Navigation Satellite System (GNSS) constellations (GPS, GALILEO, GLONASS, BEIDOU) provide more than just navigation or positioning. They provide stable & accurate frequency, phase & time references for all manner of systems that underpin modern life. These include telecom networks, power & utility networks, financial services institutions, and radio/TV broadcast to name but a few. Many of these applications form part of a nation’s Critical National Infrastructure (CNI).

Due to the low power level and spread-spectrum nature of the radio signals transmitted by all the GNSS constellations, it is trivial to interfere with the operation of a GNSS receiver by jamming the radio signal with a higher power noise source local to the antenna. This disrupts the operation of the receiver as it cannot receive any satellite signals while it is being jammed. Jamming signals may be intentional or completely accidental.

The commoditisation of software-defined radios (SDRs) and the advent of freely available open-source software mean that ‘spoofing’ a GNSS signal (creating a false copy of the radio signal to fool the receiver into decoding and locking onto a completely fake source of time and position) is easier than ever.

The attack surface continues to grow as the number of GNSS timing systems deployed to support national critical infrastructure increases. It’s useful to consider what attack vectors might be used against such systems and how we can mitigate these security risks.

 

Physical Security

When considering physical attacks on the antenna systems or facilities where GNSS time systems are housed, measures should be taken in line with existing physical security measures for existing critical national infrastructure sites & installations. Other risks are shootings (reports do exist of GNSS antennas being used for target practice!), nesting birds (or other interference from wildlife), and unintentional conspicuity, e.g., 5G base station sites with ‘<Operator’s Name> GPS’ labels on GNSS antenna cabling. Included here is protection from lightning strikes. The GNSS antenna can often be the highest point of a building and is vulnerable to lightning strikes.

 

Radio Security: Jamming & Spoofing

Jamming

The technology to defeat jamming has been around since before GPS. GPS antenna arrays are US ITAR restricted, but in 1978 a Rockwell Collins proof of concept (PoC) ‘GPS anti-jam set’ flew over a 10kW jammer with no effect on its position or time solution. Civilian commercial phased-array antennas (Controlled Reception Pattern Antennas or CRPAs) are also used to address jamming attacks.

Spoofing

Subtle attacks might create small time offsets in the receiver (of the order of nanoseconds, microseconds or milliseconds of error). This affects systems that have time or position accuracy requirements and slowly edges them out of an optimal range. More brute-force attacks might spoof a ‘leap second pending’ indicator to provoke software errors when handling leap seconds. They may even spoof a time offset of more than 19.7 years (more precisely 1024 weeks). The original GPS interface specification used by some older receivers uses a 10-bit number to hold a ‘week number’ as part of the ‘GPS Time’ timescale, so the week number wraps every 1024 weeks. This is commonly referred to as the ‘GPS Week Number Roll-Over’ (WNRO) problem and is used to brick receivers.
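The following is an added example, not part of the original article, of receiver-side plausibility checks for the cases above: resolving the 10-bit week number against a pivot date, comparing reported time with a local holdover clock, and cross-checking a ‘leap second pending’ flag. The function names, the thresholds and the operator-maintained leap-second schedule are assumptions of this example.

```python
from datetime import date

GPS_EPOCH = date(1980, 1, 6)
NS_PER_WEEK = 7 * 86_400 * 1_000_000_000
ROLLOVER_WEEKS = 1024  # a 10-bit week number wraps every 1024 weeks
ROLLOVER_NS = ROLLOVER_WEEKS * NS_PER_WEEK


def resolve_week(wn10: int, pivot: date) -> int:
    """Expand a 10-bit week number to the first matching week at or after
    `pivot`, a date known to be in the past (e.g. firmware build date)."""
    if not 0 <= wn10 < ROLLOVER_WEEKS:
        raise ValueError("week number must fit in 10 bits")
    pivot_week = (pivot - GPS_EPOCH).days // 7
    return pivot_week + (wn10 - pivot_week) % ROLLOVER_WEEKS


def gps_ns(full_week: int, tow_ns: int) -> int:
    """Nanoseconds since the GPS epoch (GPS timescale, no leap seconds)."""
    return full_week * NS_PER_WEEK + tow_ns


def classify(gnss_ns: int, holdover_ns: int,
             max_offset_ns: int = 100, slack_ns: int = 1_000_000_000) -> str:
    """Compare receiver time with a local holdover clock on the same timescale.
    Thresholds are assumed values; set them from the site's timing budget."""
    delta = gnss_ns - holdover_ns
    n = round(delta / ROLLOVER_NS)
    if n != 0 and abs(delta - n * ROLLOVER_NS) <= slack_ns:
        return "rollover"      # jump of a whole multiple of 1024 weeks
    if abs(delta) > max_offset_ns:
        return "offset"        # step or accumulated drift beyond budget
    return "ok"


def leap_flag_plausible(pending: bool, today: date, scheduled: list) -> bool:
    """Believe a 'leap second pending' flag only if an operator-maintained,
    out-of-band schedule (assumption) also lists an upcoming leap second."""
    return not pending or any(d >= today for d in scheduled)


if __name__ == "__main__":
    # Constructed readings: holdover clock vs. three receiver outputs.
    week = resolve_week(38, pivot=date(2020, 1, 1))
    ref = gps_ns(week, 345_600 * 10**9)
    for label, t in [("clean", ref + 20), ("drifted", ref + 5_000),
                     ("rolled", ref - ROLLOVER_NS)]:
        print(label, classify(t, ref))
    print("leap flag:", leap_flag_plausible(True, date(2024, 3, 1), []))
```

The holdover comparison only works while the local oscillator's own drift stays inside `max_offset_ns`, so the threshold has to be widened as the holdover period lengthens.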

 

GNSS Firewall

A relatively recent addition to the defences against both jamming and spoofing is the ‘GNSS Firewall’. This hardware addresses the radio signal structure in much more detail than existing GNSS receivers. Existing receiver designs date from an era when spoofing was less of an issue, so they offer very little protection. GNSS Firewall products may also contain GNSS signal simulators. These can be used with a local atomic-clock traceable timebase to keep critical national infrastructure GNSS receiver timing systems synchronised in the event of extended jamming/spoofing attacks.

 

Network Security

Many GNSS-based time servers are managed and configurable over a network interface just like other elements/nodes in a modern network. So, they face all the same attack vectors as other network-based equipment in terms of critical national infrastructure cybersecurity. Examples include Distributed Denial of Service (DDoS) attacks and ‘Man-in-the-middle’ (MiTM) attacks. Some Time Server systems may provide PTP or NTP functionality on the same or other network ports. These require a similar level of protection and monitoring as existing IT/OT systems. Many systems are moving to a ‘zero trust’ architecture where every stage of a control/management process is authenticated/verified.

 

Supply Chain Attacks

Both hardware and software components that provide GNSS functionality have become commoditised. This ranges from the low-cost silicon in the latest smartphones, which provides sophisticated Multi-Constellation Multi Frequency (MCMF) receivers, to specific timing modules. These modules provide < 30 ns of error to UTC on their time output interfaces. They are routinely integrated into time server systems by manufacturers rather than developing their own GNSS receiver technology.

The CPU hardware/processing modules that are integrated into GNSS systems might run a real-time operating system (RTOS) along with FPGA reference designs and other software components. These could include GPSD, the open-source Linux/UNIX daemon that is commonly used to manage locally connected GNSS receivers. All these building blocks are at risk of supply chain attack and the introduction of hidden functionality that might suit the agenda of bad actors.

 

Summary

The GNSS security aspect of Critical National Infrastructure cybersecurity can be improved by carefully considering all these risk factors and attack vectors and addressing them with the mitigation strategies described.

 
