1996 soccer game in the Midwest, (Rick Dikeman image)

Nouméa ground station after the flood

A pencil and a coffee cup show the size of NASA’s teeny tiny PhoneSat

Bonus Hotspot: Naro Tartaruga AUV

Pacific lamprey spawning (photo by Jeremy Monroe, Fresh Waters Illustrated)

“Return of the Bucentaurn to the Molo on Ascension Day”, by (Giovanni Antonio Canal) Canaletto

The U.S. Naval Observatory Alternate Master Clock at 2nd Space Operations Squadron, Schriever AFB in Colorado. This photo was taken in January, 2006 during the addition of a leap second. The USNO master clocks control GPS timing. They are accurate to within one second every 20 million years (Satellites are so picky! Humans, on the other hand, just want to know if we’re too late for lunch) USAF photo by A1C Jason Ridder.

Detail of Compass/ BeiDou2 system diagram

Hotspot 6: Beluga A300 600ST

1. Mangrove Tree-Planting Drones
Myanmar (Southeast Asia)

1. Mangrove Tree-Planting Drones
Myanmar (Southeast Asia)
√ For about five years now, a group of villagers in the delta of the Irrawaddy River in Myanmar (also known as Burma) has painstakingly planted 2.7 million mangrove trees with the hopes of beginning to restore an ecosystem that has been disappearing for decades. But this work is rather laborious, and the local nonprofit guiding the work wants to cover a much larger area — so they’re turning drones to help with their large-scale tree-planting project.

The drones, from the startup BioCarbon Engineering, can plant as many as 100,000 trees in a single day, leaving the local community to focus on taking care of the young trees that have already started to grow, according to the company, which has offices in Oxford, U.K., Sydney, Australia and Dublin, Ireland. In September, the company will begin a drone-planting program in the area along with Worldview International Foundation, the nonprofit guiding local tree-planting projects. To date, the organization has worked with villagers to plant an area of 750 hectares, about twice the size of Central Park. The drones will help cover another 250 hectares with 1 million additional trees. Ultimately, the nonprofit hopes to use drones to help plant 1 billion trees in an even larger area.

In the past villages have spent years replanting mangroves along the Irrawaddy River. With drones, their work will now go much faster.

2. Laser-Mapping Landscape Changes
Gargoyle Ridge in the McMurdo Dry Valleys, Antarctica
√ With the help of LiDAR, researchers led by Portland State University (PSU) have publicly released high-resolution maps of Antarctica’s McMurdo Dry Valleys, a unique desert region. The high-resolution maps cover 3,564 square kilometers of the McMurdo Dry Valleys and allow researchers to compare present-day conditions with the last surveys conducted more than a decade ago.

The research project led by PSU, and funded by the United States National Science Foundation (NSF), mapped the area using LiDAR, a remote-sensing method that uses laser beam pulses to measure the distance from the detector to the Earth’s surface. The data, collected by aerial survey missions flown in the Southern Hemisphere summer of 2014-2015, provides detailed imagery of the perpetually ice-free region, where changes, such as rapid erosion along some streams, have been observed in recent years.

The LIDAR maps are publicly available on two NSF-funded facilities: Open Topography, and the Polar Geospatial Center.

The McMurdo Dry Valleys are interesting to a wide range of scientists from biologists to geologists to glaciologists. The valleys are, for example, one of the few places on the massive continent—which is the size of the U.S. and Mexico combined—where bedrock is exposed, allowing geologists to reconstruct the continent’s geological history.

The region also is home to one of NSF’s Long Term Ecological Research sites, which support studies of its unusual habitat, dominated by microbial life, both in the soil and in unique ecosystems under at least one of its glaciers and in several of its highly salty lakes.

Evidence of past glacial advance and retreat is also more easily observed in the Dry Valleys, which provides window into the past behavior of the vast Antarctic ice sheets, the activity of which can influence global sea levels.

3. Fries with Your Drone Delivery?
Reykjavik, Iceland
√ Impatient Icelanders are getting help from Flytrex, an Israeli startup, that just started delivering small orders like takeout food by drone in a partnership with Aha, Iceland’s largest instant delivery platform. The drones, technically hexacopters, were approved by the Icelandic Transport Authority to pick up orders from restaurants and stores on one side of Reykjavik, where Aha has its offices, and fly them to a drop-off point in the suburb of Grafarvogur.

While Flytrex and Aha don’t offer direct store-to-home-delivery, the companies said that even on a trial basis the service would slash waiting times in a city whose bay delivery trucks must skirt to reach their destinations. A drone cuts delivery times by flying across the water to a truck that will complete the delivery.

Flytrex doesn’t make drones but develops autonomous, drone-based delivery systems. The drones can carry packages weighing up to three kilograms, about the size of a mailbox, so they can only handle smaller orders or takeout food.

The single drone now in use can make between 20 and 60 flights day, according to Flytrex, which has developed hardware that is installed on the drone and links it to a cellular network via a SIM card that enables a controller to locate, monitor its speed, altitude and other parameters in real time.

4. Tough Testing for Galileo
Noordwijk, the Netherlands
√ Each Galileo satellite must go through a rigorous test campaign to assure its readiness for the violence of launch, airlessness and temperature extremes of Earth orbit. Each one is dispatched to a unique location in Europe to ensure its readiness prior to launch: a 3,000-square meter cleanroom complex nestled in sandy dunes along the Dutch coast, filled with test equipment to simulate all aspects of spaceflight.

The test centre in Noordwijk – Europe’s largest satellite test site – is part of ESA’s main technical center, but it is maintained and operated on a commercial basis on behalf of the Agency by a private company created for the purpose: European Test Services (ETS) B.V.

ETS has been responsible for supporting many historic test campaigns – including space-certifying Europe’s 20-metric-ton ATV space truck and Envisat, the world’s largest civilian Earth-observing mission. But in terms of scale alone, its work with Galileo is the company’s greatest challenge.

ETS is about to complete its contracts with OHB System AG, covering the environmental test of 22 “Full Operational Capability” Galileo satellites, preceded by the testing of the very first of the first-generation “In-Orbit Validation” Galileo satellites on a previous, separate contract.

The post GNSS Hotspots | September 2017 appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

Today’s headlines frame my thoughts about securing GNSS assets, which one expert has characterized as our “least visible and most vulnerable infrastructure.”

In the Columbia River Gorge, a National Scenic Area spanning the Washington-Oregon border, a 15-year-old boy has been accused of intentionally tossing fireworks into tinder-dry grass thereby starting a (thus far) 33,000-acre forest fire that has devastated a natural treasure. Meanwhile, in the latest incident of large-scale identity theft, credit-rating agency Equifax has belatedly acknowledged a months-long breach of its database in which 143 million personal records were reportedly accessed.

In one case, an individual — obliviously or purposefully — creates outsized havoc, in the other, a skilled team of professional thieves disrupt a global enterprise and endanger the financial well-being of millions.

Of course, we have headlines closer to the point, such as “Reports of Mass GPS Spoofing Attack in the Black Sea,” or “South Korea developing eLoran Network to Protect Ships” from North Korean GPS jamming.

These latter incidents, of course, arise from state-sponsored or –enabled actions. But, as with the Columbia gorge fire, personal behaviors — often harder to detect and prevent — can similarly afflict GNSS capabilities. In recent years, considerable attention has focused on the use of small GNSS jammers, also known as “personal privacy devices.” Perhaps the best-known case is that of a trucker trying to jam his vehicle’s own receiver who interrupted GPS-aided landing operations at Newark International Airport.

As the articles on jamming and spoofing mitigation in this issue of Inside GNSS reflect, the motives and methods of perpetrators vary. But, given the natural progression of information-sharing and widening expertise in GNSS — along with our cultural soft spot for making heroes out of rebels and outlaws — we can probably assume that the trend toward disruption will only get worse.

Some GNSS user groups have struck out on their own to ensure the security of their constituencies and their particular needs. Military users benefit from a variety of alternative PNT technologies such as geomagnetic mapping, vision- and image-based navigation, and chip-scale atomic clocks and inertial measurement units. The U.S. Federal Aviation Administration has decided to retain, for the time being, a minimum operational network of VHF omnidirectional range (VOR) facilities originally planned to be phased out with the introduction of GNSS.

Over time, some of these alternatives may migrate into the commercial and professional space — then again, they may not. And the vast majority of individual GNSS consumers have no organizations to advocate for their needs.

So, what is to be done? How can we ensure that the positioning, navigation, and timing (PNT) utility is available to all users, and not just those sectors with the resources to develop solutions for themselves? The future of location-based applications and enterprise — and the associated economic benefits — depend on a satisfactory answer to that question.

Multi-level threats clearly require multi-tiered responses that fit the corresponding scope and scale of different domains. At the system level, GNSS providers are exploring such measures as encryption, signal authentication, stronger signal power, and advanced signal designs.

National and international legal/initiatives include such efforts as regulating the sale and use of GNSS jammers and spoofers. Alternative PNT systems — for example, enhanced Loran (eLoran) — represent a potential multinational approach to the problem.

At the level of user equipment, several GNSS manufacturers are incorporating interference detection and mitigation (IDM) and antispoofing capabilities into proprietary products.

The variety of these initiatives and their advocates illustrates the breadth of concern about assured PNT, but also reflect the fractured nature of responses to the threats to GNSS. The situation calls for leadership with the expertise and stature to bring comprehensive solutions before the wider GNSS community.

The International Committee on GNSS has the membership and forum, if not yet the clear mandate, to impose such solutions globally. At the national level, the U.S. Space-Based PNT Executive Committee assisted by its expert advisory panel seems the most likely candidate for this role.

The post Ensuring PNT for All appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

Q: How do you use GNSS to compute the attitude of an object?

A: GNSS technology is used to support a wide range of position, velocity and time applications across numerous platforms. One of the lesser-known applications of GNSS is its ability to determine the attitude, or orientation, of an object. Such systems can be made to be quite small and can yield accurate solutions that operate in virtually any environment in which GNSS satellite visibility is reasonable. The only requirement from a GNSS receiver perspective is that the receiver be able to provide reliable carrier phase measurements.

This article begins with a brief summary of how the attitude of a vehicle is determined and then explains how GNSS can be used. It wraps up with a brief discussion about attainable accuracies.

Attitude Determination
Attitude determination is the process of determining the rotation angles that relate two different coordinate frames. Although any two coordinate frames can be used, we herein consider the rotation between a local-level frame (e.g., North, East, Up or East, North, Down, etc.) and the body frame. The body frame is a frame attached to the object (“body”) whose attitude is desired (an example body frame is given later).

With this in mind, we present the following key relationship

r⃗^l = R^l_br⃗^b     (1) 

where r⃗ is a vector parameterized in the local-level (superscript l) or body (superscript b) frame and R^l_b is the rotation matrix (or direction cosine matrix) from the body frame to the local-level frame.

The rotation matrix between any two frames can be defined using three consecutive rotations about the three coordinates axes — these are called Euler angles. For the case under consideration, since one of the frames is the local-level frame, the Euler angles can be expressed as familiar roll, pitch and azimuth angles.

To compute the rotation matrix, one needs to know or measure at least two vectors in each coordinate frame. These vectors could be anything including velocity, rotation rates, etc., as long as they are non-collinear (i.e., not parallel). It is possible to use a single vector, but then you cannot determine all three Euler angles; more on this later.

GNSS Attitude System Setup
For GNSS attitude determination systems, the vectors used in equation (1) are relative position vectors. The question, of course, is: where do these come from?

Before answering this question, let’s clarify what constitutes a GNSS attitude system. To determine the full attitude, at least three GNSS receivers are needed. The only other requirement is some software to process the data from these receivers.

Returning to the question that opened this section, the body frame vectors are defined by the location of the receivers (actually the antennas; denoted A ‒ C) on the object whose attitude is desired. Assuming a three-antenna system, a common (if not easy to understand) configuration is to mount the antennas such that two antennas fall along the direction of travel, and the third one is 90 degrees offset. One possible setup is illustrated in Figure 1 (see inset photo, above right) for the case of a road vehicle.

Once installed, the body frame coordinates are defined by measuring the position of the antennas relative to the coordinate frame of the vehicle. The coordinate frame of the vehicle can be arbitrarily defined but is usually selected such that one axis is along the direction of travel, one lateral to the direction of travel, and the third axis completes on orthogonal frame (e.g., forward, right, down).

As might be expected, these same vectors in the local-level frame are determined from GNSS measurements. Once computed, the rotation matrix between the body and local-level frames can then be determined. Both of these steps are accomplished by the processing software and are discussed in the next section.

Data Processing
As mentioned, the inter-antenna vectors in the local-level frame are computed from GNSS. For an N-antenna system, only N-1 independent vectors need to be solved. Although not required, this is commonly done by selecting one antenna/receiver as the “base” and then computing the vector to each of the other antennas/receivers in the system.

Continuing with the three-receiver example in Figure 1, we select antenna A as the base and compute vectors ray AB and ray BC. Of course, if there are other antennas, the vector from Point A to each point would also be computed.

To be more specific, the inter-receiver vectors are computed using standard differential carrier phase processing. Because the inter-antenna spacing is typically limited to a few meters, the spatially-correlated orbit, ionosphere and troposphere errors are virtually zero. This dramatically simplifies the ambiguity resolution process, since the only errors that need to be handled are multipath, noise and antenna phase center variation, which are generally small, as discussed later.

It is also possible to use the known baseline length between the receivers (as measured in the body frame), or any a priori attitude information to make the ambiguity resolution process even more robust.

Some of you might be wondering why I have not mentioned the requirement for a base station. The reason is precisely because we are estimating relative, not absolute, position vectors. By definition, differential data processing yields a relative position vector. If the location of the base station is known in an absolute sense — this is the most common use of a base station — then the resulting solution of the rover is also absolute.

For attitude determination, absolute location is not important. As such, the location of the base receiver (Point A in the above example) can be computed from a standalone (single point) solution. Even absolute positioning errors of 100 meters (which would be extremely large if the carrier phase data needed for attitude determination is still available) will be buried by the other errors in the system, and thus can be ignored.

The only other effect that might be important here is the timing accuracy of each receiver. As discussed in the March/April 2011 GNSS Solutions column, “GNSS Receiver Clocks,” a relative timing error of Δt between the receivers will result in a relative position error of s · Δt, where s is the speed of the vehicle. Assuming a timing error of 2 milliseconds (most receivers limit timing errors to ±1 milliseconds) and a vehicle traveling at 100 kilometers per hour, the relative positioning error would be approximately 5.6 centimeters. As discussed below, this would dominate the error budget and would therefore have to be properly accounted for.

The outputs of the GNSS processing are the vectors in the local-level frame; these can be computed directly in that frame or can be computed from vectors in an Earth-Centered Earth-Fixed (ECEF) frame. Mathematically, this is written as

r⃗^GNSS = r⃗^l + n⃗^GNSS
= R^l_br⃗^b + n⃗^GNSS     (2)

where r⃗^GNSS is the GNSS-derived vector in the local-level frame, n⃗^GNSS is the measurement noise, and equation (1) was used to get from the first to second line. Equation (2) is written in parametric form and can thus be used as input to any standard least-squares or Kalman filtering estimation algorithm to estimate the Euler angles embedded in R^l_b.

Two-Antenna Systems
Until now, we have only considered systems consisting of three or more receivers in order to estimate the full attitude of an object. However, two-receiver systems can be used to estimate rotations orthogonal to the vector connecting the two antennas.

The most common two-receiver system is one where the two receivers are set up parallel (or orthogonal) to the direction of travel. This allows for estimation of the azimuth and pitch (or roll) of the vehicle; the third angle is unobservable.

Expected Accuracy
As discussed above, the GNSS measurement errors are limited to multipath (2‒3 centimeters), noise (less than 1 millimeter) and phase center variation (1‒2 centimeters or less) (all values quoted as one standard deviation values). Assuming the measurement geometry is reasonable (HDOP ≈ 1 and VDOP ≈ 1.5), the main factor affecting accuracy is the length of the inter-antenna vectors.

To illustrate, let’s consider a two-receiver system with the understanding that there is an analogous relationship for three-plus receiver systems. Specifically, for the setup in Figure 2 (see inset photo, above right), for an inter-receiver separation of d, the pitch (ϕ) and azimuth (α) can be computed as

(see inset photo, above right for equations)

where σ_EIN is the North/East relative positioning uncertainty, σ_U is the vertical relative positioning accuracy, and d_h is the horizontal distance between the receivers. In other words, the longer the inter-receiver separation the better the attitude accuracy.

To give some numbers, for the lower- end measurement errors and DOP values listed at the start of this section, and nominal horizontal receiver separation of 1 meter, the pitch and azimuth accuracy would be 1.3 and 1.9 degrees, respectively. This is a one-off accuracy estimate and further filtering/ averaging would yield even better performance.

Summary
This article has given an overview of how GNSS can be used to determine the attitude of an object. Although reliant on ambiguity resolution, the short baselines involved make the process quite robust. The result can be highly accurate attitude estimates that can be applied to a wide range of applications.

The post How do you use GNSS to compute the attitude of an object? appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

After several years of shifting plans the competition to build the next tranche of GPS III satellites is poised to start, though the context in which that contest will take place has changed markedly from when planning first began.

The Request For Proposals (RFP) will go out in November 2017, the Air Force told Inside GNSS in response to a query. If that seems somewhat later than expected, it is. In a June 28 presentation, the GPS Directorate’s Deputy Director Col. Gerry Gleckel told the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board the RFP would be out by the end of the 2017 fiscal year — that is by Sept. 30, 2017. Other than a delay, the November release should not create any new issues.

Gleckel also told the PNT Advisory Board that for cost and scheduling reasons the Air Force plans to select, and stick with, one contractor to build all 22 satellites.

“Every time we restart that (process), it’s billions of dollars in nonrecurring engineering costs,” Gleckel said. “There’s delay going through the satellite design process and in qualification. We want to get some more stability in our satellites.”

If the Air Force does indeed choose a winner-take-all approach, it will add to the pressure on would-be contractors. Not only will unsuccessful bidders lose out on what promises to be a multibillion dollar contract, but the plan puts losing firms at a long-term disadvantage when it comes to future GPS-related deals. Key personnel and expertise will naturally coalesce around the new prime contractor, which according to Gleckel’s presentation, will be developing and then building and launching GPS III satellites into 2033 — that is for the next 16 years. That’s a long time for a losing bidder to maintain resources while it waits for another chance.

A Long Process
The initial GPS III contract won by Lockheed Martin in 2008 was for two research and development satellites plus five options to build pairs of additional spacecraft for a total of 12 GPS IIIA satellites. The next phase, which was to be the GPS IIIB tranche of eight more spacecraft, was to be awarded in roughly 2011 followed sometime later by the final contract for 16 GPS IIIC spacecraft. The Air Force, however, retained the right to re-compete the procurement for GPS IIIB and GPS IIIC — a hedge against poor performance or the need to secure the industrial base for future space developments. That turned out to be a wise decision.

Work on IIIA started off smoothly but internal interference problems developed in the payload as ITT Exelis, the payload subcontractor, worked to add new signals. (Exelis became part of Harris Corp. in 2015). There were other problems as well including a failure to qualify and then properly test a ceramic capacitor — an oversight that added four months to the program’s already delayed schedule. The Air Force became increasingly annoyed and didn’t mind saying so in public.

“Obviously, we want a GPS III that does what it’s supposed to do, delivered on time,” said Lt. Gen. Ellen Pawlikowski, commander of Air Force Materiel Command, during the 2016 National Space Symposium, according to Defense News.

By 2014 GPS officials were so frustrated they went out of their way to boost competition for Lockheed Martin, creating a two-phase process for the follow-on procurement. Under Phase 1 they planned to award up to two Production Readiness Firm Fixed Price contracts worth $200 million each. The winners were to go through critical design review for the space vehicle and navigation payload with demonstrations and qualification of the satellite subsystem boxes. Then, in Phase 2, the Phase 1 firm or firms would compete against Lockheed Martin (which, along with Exelis, was barred from competing in Phase 1). The prize, after all of this, was a deal for as many as 22 satellites.

That plan, however, did not last. In May 2015, under budget pressure from sequestration, the Air Force reframed the competition to allow Lockheed Martin to compete — but shrunk the award from $200 million to a scant $6 million per firm. That money was to enable them only to demonstrate that they had, or could attain, a long list of capabilities, including the ability to produce an average of two satellites a year (down from the previous requirement to be able to produce two to three spacecraft annually).

The Air Force went ahead with the scaled-down awards, inking Production Readiness Feasibility Assessment contracts with Boeing Network and Space Systems, Lockheed Martin Space Systems Company, and Northrop Grumman Aerospace Systems in May 2016.

Phase 2
Earlier this year, in an April 19 Special Notice posted on Fed Biz Opps, Air Force Space Command announced the next step in its two-phase selection process — an Industry Day for potential GPS III bidders to be held May 4, 2017 in El Segundo, Calif. The Air Force wanted to share information on its plans with potential bidders and get feedback from them on what it intended to do. According to the notice, an RFP for a fixed-price contract to begin delivering GPS III spacecraft in 2025 was to be released later in 2017 with an announcement of the winning contractor to be made late in 2018.

Interestingly, the notice made clear that the three winners of Phase 1 were not the only ones being invited to compete. “Participation in Phase 1,” the Air Force wrote, “is not a prerequisite to participation in Phase 2.”

Even so, it’s unlikely that firms outside of the Phase 1 winners will compete, said Todd Harrison, director of the Aerospace Security Project and of defense budget analysis at the Center for Strategic and International Studies. “They are leaving it open that another company could bid,” he told Inside GNSS at the time, “but it doesn’t mean that some other company would actually be able to crack into this acquisition. There is still a substantial barrier to entry for building a GPS satellite.”

Circumstances Shift
Whoever bids on Phase 2 will be competing to provide spacecraft to an Air Force whose operational environment has sharply changed in just the last several years.

In April 2016, not quite a year after the Air Force released its Phase 1 RFP and month before the Phase 1 winners were revealed, Gen. John Hyten, then the commander of Air Force Space Command, announced the Space Enterprise Vision (SEV). The SEV framed how programs across the full range of military space activities were to take action to meet the threat posed by a more space-capable China and Russia

“In the recent past, the United States enjoyed unchallenged freedom of action in the space domain,” Hyten said in a statement formally announcing SEV. “Most U.S. military space systems were not designed with threats in mind, and were built for long-term functionality and efficiency, with systems operating for decades in some cases. Without the need to factor in threats, longevity and cost were the critical factors to design and these factors were applied in a mission stovepipe. This is no longer an adequate methodology to equip space forces.”

China became a particular focus of concern in 2007 after the nation used an anti-satellite missile (an ASAT) to destroy one of its own spacecraft, an aging weather satellite in low Earth orbit. And defense officials have made clear China is working hard to expand its military capabilities in space.

“The PLA (People’s Liberation Army) is acquiring a range of technologies to improve China’s counter-space capabilities,” the Department of Defense (DoD) said in its annual report to Congress on military and security developments in China. China was working on directed-energy weapons and satellite jammers, DoD wrote, and navigation satellites were among the targets suggested in Chinese PLA writings.

“The potential adversaries we have around the world know very well how important space is to us and how important it is to our alliances and to our partners and how we would operate and fight,” confirmed Deborah Lee James, who served as secretary of the Air Force from December 2013 to January 2017.

China has been watching and learning from U.S. space operations for the last 25 years, James told a September 6 symposium on organizing military space.

“They’ve not been sitting still when it comes to investing and testing capabilities which ultimately could threaten our ability to be able to use space, our space assets, in the event of conflict,” she told the audience at the Center for Strategic and International Studies.

In addition to the ASAT test in 2007, she said, China in 2013 tested a direct-ascent, anti-satellite system that could reach geosynchronous orbit — where key military satellites reside. Both China and Russia have also demonstrated their ability to do robotic rendezvous and proximity operations and, James told the audience, a year or two ago a Russian satellite showed an unusual pattern of movements in GEO orbit including loitering near several U.S. commercial communications satellites.

“Space is no longer a peaceful domain if it ever was one,” said James. “It is now contested and congested.”

Must Go Faster
“In the not-too-distant future, they (the Chinese) will be able to use that capability to threaten every spacecraft we have in space. We have to prevent that, and the best way to prevent war is to be prepared for war,” Hyten told an audience in January at Stanford University in California, according to a DoD summary. “So, the United States is going to do that, and we’re going to make sure that everybody knows we’re prepared for war.”

Now the commander of United States Strategic Command, Hyten is pushing the service to make that happen. Though America still enjoys a significant advantage in space, he told the Washington Free Beacon, that advantage is eroding and space defense requires moving much more quickly than the Pentagon’s acquisitions processes currently allow.

“Can we go fast enough as a nation to stay ahead of our adversaries?” Hyten said in an interview. “We have to go fast.”

That sense of urgency was underscored in an SEV-related Sources Sought announcement posted August 30 by Air Force Space Command.

Defense officials reached out to determine what systems engineering and integration (SE&I) services industry had available to support, among other activities “new and on-going efforts in all phases of the acquisition life cycle and standardize systems engineering processes.” The eventual contractor would work on three programs: the Air Force Satellite Control Network (AFSCN), the Launch and Test Range System (LTRS), and the Space Training Acquisition Office (STAO). Though not specific to the GPS III RFI, the work would cover a long list of mission areas including navigation satellites, next generation space navigation systems, navigation user equipment and satellite ground stations among its mission areas.

“The purpose of this Synopsis is to gain insight into existing Industry capabilities and systems,” Space Command wrote. “It is aimed at receiving feedback from industry on the capabilities out there to perform SE&I support within a diminished timeline due to the urgency of this Space Enterprise Vision (SEV) requirement directed from Space and Missile Systems Center (SMC) leadership.”

The Air Force may also be looking at other ways to speed up replenishment of the GPS constellation in a pinch. On July 31 Space Command posted a Special Notice asking for feedback on reducing the design life of the GPS satellites. Shorter-lived spacecraft can be made smaller, perhaps enabling more than one satellite to be launched per spacecraft. Though the July 31 notice asked for ideas for the generation of satellites after GPS III, the notion of building smaller GPS satellites has been discussed for years. Quick replenishment is one way to address the risk of losing satellites and also a way to update the constellation with important new technology.

In fact, the current GPS III work schedule, according to Gleckel, specifically incorporates “tech insertion points” aimed, at least in part, at adapting to the new, contested nature of space operations.

“That’s where we can add additional capabilities into a future flow,” Gleckel said during his presentation. “Again, with the same contractor without starting over, without the costs and time that go along with that — but still allowing us to change with the threats.” 

The post GPS III Contest At Hand But Context has Shifted Sharply appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

Enrico Salvatori, Qualcomm Europe

Carlo Bagnoli, STMicroelectronics

Multinational semiconductor and telecommunications company Qualcomm is a world leader in the design and marketing of 3G, 4G and next-generation wireless technologies. Headquartered in San Diego, California, Qualcomm has been widening its footprint in the Europe, Middle East and Africa (EMEA) region, with a core focus in Europe.

“We expect to grow Qualcomm’s presence in Europe, becoming a major EU (European Union) player in the digitization of European industries,” said Qualcomm senior vice president and president of Qualcomm Europe, Enrico Salvatori.

Multinational semiconductor and telecommunications company Qualcomm is a world leader in the design and marketing of 3G, 4G and next-generation wireless technologies. Headquartered in San Diego, California, Qualcomm has been widening its footprint in the Europe, Middle East and Africa (EMEA) region, with a core focus in Europe.

“We expect to grow Qualcomm’s presence in Europe, becoming a major EU (European Union) player in the digitization of European industries,” said Qualcomm senior vice president and president of Qualcomm Europe, Enrico Salvatori.

Part of that growth entails the company’s recently announced acquisition of Dutch-based NXP Semiconductors, a leading supplier for the secure identification, automotive and digital networking industries, a deal expected to be sealed by the end of calendar year 2017.

Key European Considerations
“Accurate, reliable, and rapid position location is an important part of the mobile experience,” Salvatori said. “We are currently continuing 5G standardization in 3GPP under an accelerated timeline, which will ultimately achieve results for all use cases for extreme mobile broad-band (MBB), massive Internet of Things (IoT) and mission-critical services, in line with the European Commission’s 5G Action Plan.”

The Commission, which is the executive arm of the EU, has been actively promoting very high-capacity networks such as 5G as Europe works to keep pace in the global wireless technologies market, citing expected worldwide 5G revenues for mobile operators in the region of €225 billion per year by 2025 (about 270 billion USD).

Salvatori said Qualcomm is proud to have established a long-lasting partnership with the European Commission (EC) and, as it happens, with the European GNSS Agency (GSA), sharing that agency’s central goal of bringing Europe’s global satellite navigation program, “Galileo,” to full fruition.

“Here at Qualcomm,” Salvatori said, “we are pursuing ongoing work on various IoT verticals, including LTE MTC/ NB-IOT and in particular C-V2X. And with LTE Release 14, we believe we can lead the way toward dedicated evolutions of 5G in addition to the NR.”

Salvatori is well-positioned to speak on such matters. He oversees Qualcomm’s European strategy for ensuring that OEMs and operators drive the latest G technology (4G/5G) adoption throughout all of Europe, in both developed and emerging markets.

Galileo in its Proper Place
For companies like Qualcomm looking to make the most of Europe’s emerging navigation and location-based services markets, the launch of live Galileo services last year was a veritable milestone.

“We were thrilled to see the European satellite system starting operations,” Salvatori said, “a real turning point for the location industry. We strongly believe that broad availability of Galileo will underpin Europe’s future innovation at home and globally, providing a backbone for the further development of the Digital Single Market and Europe’s industrial growth and competitiveness in the context of 5G, but also to the benefit of the new connected verticals.”

European authorities expect the addition of another GNSS, in the form of Galileo, will enable more accurate location performance, faster time-to-first-fix, and improved robustness all over the world, particularly in challenging urban environments where the combination of narrow streets and tall buildings can reduce accuracy.

And the launch of Galileo services was in many ways a victory for Qualcomm itself; as long-standing partners, the EC, the GSA and Qualcomm have worked in concert, with the GSA consistently highlighting Qualcomm’s role as a central player in the EU wireless technologies arena. The first European Galileo-enabled smartphone, produced by Spanish company BQ, was based on a Qualcomm chipset.

In fact, Salvatori said, “Qualcomm Technologies began implementing hardware support for Galileo several years ago in selected chipsets. And it was our company that proposed the mobile industry’s first pervasive, end-to-end, location services platform (Qualcomm® Location), for smartphone, computing, infotainment, telematics, and IoT applications.”

With optimized software enhancements, Qualcomm® Location now uses up to six satellite constellations. “Our users now benefit from more than 80 different satellites when calculating global position for navigation or location-based applications,” he said.

Salvatori said Qualcomm’s Galileo-enabled platform is being deployed broadly across the company’s modem and application processor portfolios. “This feature is integrated in the latest Qualcomm Snapdragon 800, 600, and 400 processors and modems,” he said. “And Galileo will be supported on smartphones and computing devices with the appropriate software release on Snapdragon 820, 652, 650, 625, 617, and 435 processors.”

The same goes for automotive infotainment solutions using Snapdragon 820A, and telematics and IoT solutions with Snapdragon X16, X12, X7, and X5 LTE modems, and Qualcomm 9×15 and MDM6x00 modems.

“This will also enable infotainment and telematics solution providers to satisfy an important component of the European eCall mandate ahead of the March 2018 deadline,” Salvatori said.

Low Investment, High Benefits
Salvatori said bringing Galileo into Qualcomm’s already broad location services platform presented no particular technical issues. “Supporting a new GNSS constellation does require some R&D,” he said, “but we had already implemented support for other GNSS constellations like GPS, GLONASS and BeiDou.

“For us, Galileo’s introduction in the market at commercial scale promises more innovation and business models for the expanded connectivity needs of tomorrow. This is particularly clear to us in areas such as automotive, where Galileo’s capabilities will underpin the evolution of cars toward ever greater connectivity and automation.”

Salvatori said Qualcomm’s support of Galileo is an essential extension of the company’s work in creating and evolving vehicle-to-everything communications and 5G, working closely with the mobile and automotive industries to bring these innovations to market fast and with sustained investments.

THINGS YOU SHOULD KNOW
3GPP—Third Generation Partnership Project, a collaboration between groups of telecommunications associations, known as the Organizational Partners.
LTE—Long Term Evolution, applying to the idea of improving wireless broadband speeds to meet increasing demand.
MTC—Machine Type Communication, also known as machine-to-machine communication, i.e. direct communication between devices.
NB-IOT—Narrow-Band Internet of Things, a Low-Power Wide-Area Network radio technology standard enabling a range of devices and services to be connected using cellular telecommunications bands.
C-V2X—Cellular Vehicle to Everything, combining features of V2V (Vehicle to Vehicle), V2I (Vehicle to Infrastructure), V2P (Vehicle to Pedestrian) and V2N (Vehicle to Network).
LTE Release 14—3GPP standards are structured as Releases. Discussion of 3GPP thus frequently refers to the functionality in one release or another.
NR—5G New Radio, aimed at bringing fiber-like performance to wireless broadband at a significantly lower cost per bit.
UMTS—Universal Mobile Telecommunications System, a third-generation mobile cellular system for networks based on the GSM standard.
HSPA—High Speed Packet Access commonly refers to UMTS-based 3G networks that support specialized data for improved download and upload speeds.

R&D FOREFRONT
QUALCOMM IS CURRENTLY LEADING THE “CONVEX” CONSORTIUM, which also includes Audi, Ericsson, Swarco Traffic Systems and the University of Kaiserslautern. The group’s aim is to set up a test bed for first LTE Rel. 14 trials for V2X and to validate performance and feasibility.

The project combines techniques for vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-person, (V2P), and vehicle-to-network (V2N) communications, which are considered key components for the implementation of advanced driving assistance systems and for automated driving.

The project is funded by the German Ministry of Transport and Digital Infrastructure (BMVI) in the program “Automated and Connected Driving on Digital Test Fields in Germany.”

The post GSA’s GNSS Opinion Leaders for September 2017 appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

Spoofing of Global Navigation Satellite System (GNSS) signals can have deleterious effects on society given the widespread use and dependence of critical infrastructure on GNSS. However, few commercial receivers have significant anti-spoofing (A/S) mechanisms. Even simple interference events such as jamming and meaconing have resulted in erroneous position outputs from shipboard and airborne receivers (see W. Dunkel et alia; S. Pullen and G. Gao; A. Grant et alia; and A. J. Van Dierendonck in Additional Resources). Spoofing tests have shown that deliberate GNSS spoofing could have significant impact on the GNSS receiver and hence GNSS dependent systems (J. S. Warner and R. G. Johnson; D. P. Shepard et alia). While the extent of the impact is still debated, it is clear that a spoofing event would significantly harm some users. So, the debate over the utility of A/S comes down to the likelihood of spoofing events.

It is clear that GNSS spoofing, outside a laboratory or military setting, has occurred. Recently, GNSS spoofing was observed outside the Kremlin (C. Sebastian) and in the Black Sea (see Goward, Additional Resources). Furthermore, the popularity of location-based games such as Pokémon Go has also induced hackers to build and utilize GNSS spoofers (I. Birnbaum). While the spoofer in Birnbaum uses an expensive GNSS signal generator, other professional security groups have put together GNSS spoofers using low cost software defined radios (SDRs), open source software, and some basic GNSS know-how (see L. Huang and Q. Yang). GNSS spoofing capabilities are no longer solely the realm of navigation experts. As time goes by, spoofing capabilities will get better and costs will only decrease.

There are many motivations to spoof. Ordinary citizens may spoof to aid their gaming, to protect their privacy, or to subvert location based charges (e.g., road tolling) or restrictions. A quick search on the Google Play store shows multiple pages of “Fake GPS” applications. The first application, “Fake GPS Location Spoofer Free,” alone has more than 60,000 reviews as of May 2017. This indicates that many people took the time to not only download and use the app but also to comment on its benefits! There is substantial and growing public interest in spoofing location. Coupling these two factors — the availability of GNSS spoofing equipment or know-how and public interest in spoofing — means we should expect more spoofing incidents in the future. And while critical infrastructure may not be the target for most spoofers, it may fall victim as collateral damage.

We developed and examined a GNSS spoofing detection method via direct comparison of acceleration using commercial inertial sensors. The developed concept allows for comparison of the two sensors without coupling GNSS with an inertial measurement unit (IMU). The design allows for a robust, steady state spoof detection capability that can be developed as an add-on to existing receivers. This article focuses on our preliminary development and demonstration of the concept for aviation.

Background: Prior Art & Developed Technique
Prior Art and Goals
Despite not being a current commercial concern, there is significant literature on GNSS spoofing detection (see Additional Resources). Various researchers have proposed and developed numerous anti-spoofing techniques. Antenna-based techniques use signal properties such as direction of arrival and polarization to detect the presence of spoofing. Internal receiver metrics can be examined for signatures found in spoofing attacks. This includes changes in automatic gain control (AGC) and signal power. The network method checks the received signal against known trusted signals. Redundancy techniques check GNSS measurements against redundant internal or external measures.

While there are many A/S techniques, there is no panacea for spoofing. There is currently no one technique that ideally satisfies all needs. There will likely need to be different solutions for different users, applications, and requirements. As each technique is likely only good against a subset of threats, the overall solution may actually employ several, complimentary techniques to cover all desired threats. Regardless, the techniques employed should have certain characteristics. First, they need to be robust meaning that they catch the threats that they were designed for while having very low false alert rates. Second, they need to be reasonable to implement. This means that they do not significantly change existing receiver designs or add to their cost. A/S needs to be effective but also transparent to the user. It cannot inconvenience users through false alerts or additional, costly complexity. This motivates our investigation of the use of simple inertial-based techniques.

Use of inertial sensors to complement and cross check GNSS is not new. Traditional aviation GNSS/inertial cross-checking algorithms for fault detection have previously been adapted to spoof detection (Y. Liu et alia). Tanil et alia investigated the use of inertials with Kalman filtering to perform spoofing detection in the position domain. These techniques, which require comparisons in the pseudorange or position domain, essentially require GNSS to regularly calibrate IMU results. The deep intertwining of GNSS information to transform IMU results to the position domain limit the trustworthiness of the comparison over time. A spoofer may induce a small GNSS error that causes a bias error in the calibration of the acceleration that can then be slowly exploited. Hence, these spoofing detection methods are considered transient detectors as they only have a limited detection window in which the IMU-derived positions can be considered uncontaminated by GNSS spoof induced errors.

Developed Technique
Overcoming the limited spoof detection window means not deeply intertwining GNSS with the IMU-derived results. Position domain comparison requires regular calibration of the MEMS accelerometer and gyroscope measurements by the GNSS and could cause GNSS spoof induced errors to affect IMU results in a manner that cannot be unraveled. Instead we compare the fundamental IMU outputs of acceleration and rotation rate by aligning GNSS and IMU measurement axes. This alignment is accomplished using GNSS information to approximate attitude. For the study, we compared acceleration as measured by the GNSS and IMU and developed test statistics to help decide if spoofing is present. These tests will have to account not just for errors due to the sensors but also for those due to misalignment of the GNSS and IMU coordinate frames. The benefit of the technique developed is that in uncoupling GNSS outputs from the IMU, we provide an unlimited detection window and steady state detection. It also allows the technique to be implemented as an overlay so that it can be an add-on to an existing receiver.

Any spoofing attack without a good estimate of the vehicle acceleration should be detectable. Even a spoofer that can measure the acceleration remotely or relay a measurement of acceleration from an onboard device may be detectable. This is because the spoofer will incur errors and delays that may be detected provided there are high frequency dynamics. However, there are threats that the technique cannot catch. An attacker with accurate and near real-time knowledge of acceleration can slowly drift the measured position from truth as long as they keep the acceleration error within the allowable detection tolerance. Physical security or complimentary detection techniques may handle these threats.

To be effective, the technique requires a high frequency component of acceleration and predictable attitude. The former represents in cryptographic terms, a one-time pad that a spoofer cannot guess a priori. In flight, there can be many sources of unpredictable acceleration — wind, pilot input to thrust, lowering of the landing gear, etc. Others have considered these items for their ability to provide motion that is difficult for a spoofer to predict (C. Tanil et alia (2015a, 2015b)). Because GNSS alone is used to derive attitude, stable or predictable attitude is desired. Single antenna GNSS measurements cannot estimate some attitude parameters such as roll angle without additional information. Without a reasonable sense of the true attitude, the reference frames between the IMU and GNSS may not be well-aligned and a comparison between IMU and GNSS accelerations cannot be made. While the requirement seems demanding, commercial flights desire stable attitude, especially on approach. This makes sense as the aircraft should be reasonably steady for landing. It should not have much roll and the pitch angle should be small as the aircraft tries to maintain a small, constant glide slope (approximately three degrees). Another time where aircraft attitude is reasonably stable is during cruise, i.e., the majority of any flight. Having established a generally stable attitude over the course of a given flight, we now focus on final approach, as it is the most critical phase of flight.

Critical to the utility of the methodology are two key questions. First, are there adequate motions available for spoof detection using a low cost INS? The motion must be semi-random and significant relative to the capability of the sensors and their errors. This will be examined using flight test data. It must be significant enough to rise above the errors and biases induced by our methodology. The second question is whether we can develop a robust, steady-state test metric for spoof detection given that information.

Data Collection & Testing
While theoretically acceleration from GNSS acceleration and microelectromechanical systems (MEMS) inertials should be suitable for aviation and other transportation, real world errors and biases may result in different performance. We conducted a flight test to gather data to validate our theoretical conclusions and examine flight disturbances.

Data collection equipment
Several instruments were used to collect data for evaluating the utility of a low cost accelerometer for spoof detection. (Please see Manufacturers section for information on the various system components). The receiver and flight test vehicle are shown in Figure 1. The receiver is connected to an external aircraft antenna located on the top center of the body. Normally, GNSS carrier derived velocity would be used to calculate velocity and acceleration. However, the equipment set up was fixed for the test and did not collect this measurement. Instead, dual frequency Precise Point Positioning (PPP) at 10 hertz was used as a proxy with only the Global Position System (GPS) constellation being processed. A smartphone provided the MEMS inertial data. Ideally, the inertial should be tied to the same sampling device as the GNSS. However, due to the fixed set up, the inertial portion of the receiver was not utilized.

Flight Test
A flight test was conducted on August 24, 2016 to collect data for the feasibility of concept. The smartphone was placed on the armrest roughly aligned with the aircraft body axis — it was not collocated with the GNSS antenna though it is located at roughly the same place along the aircraft body. The flight test incorporated several segments representative of the key phases of flight. There are straight and level, coordinated banked turns (in a figure eight pattern), and missed approach segments. The flight and its segments, flown over the period of about 3.5 hours, are shown in Figure 2.

Comparison of Flight Acceleration Data
To compare the GNSS and accelerometer measurements, we must align these measurements and account for gravity. Aligning the measurements means rotating the GNSS measurements to the body frame. We first convert the GNSS positions from Earth centered, Earth fixed (ECEF) to the local east north up (ENU) frame using an initial or representative GNSS position. Then positions are differenced and double differenced to get velocity and acceleration in that frame. This information is used for the comparison and to estimate attitude. The velocity vector in the horizontal direction is used to derive the aircraft heading, which is roughly the direction of the aircraft nose or yaw. If the aircraft is relatively level, such as on approach and in level flight, roll and pitch are small (approximately zero) and adjustments are not necessary. If necessary, the velocity vector in the vertical direction can be used to derive the climb angle which approximates the pitch angle with a bias. Roll may also be derived by assuming a coordinated turn. We do not use roll or pitch estimates in the analysis that follows. The estimated angles are used to derive the rotation matrix to transform GNSS ENU axes to aircraft body axes. Gravity must be accounted for as accelerometers measure specific force rather than acceleration. Hence it will measure gravity whereas GNSS will not. We can either add the acceleration due to gravity, g, set nominally at 9.81 meters per second squared (m/s²), to the GNSS up direction or subtract it from the accelerometer z-axis. Both are equivalent and yield the same equation for acceleration difference. These adjustments result in some residual errors — particularly from residual differences between the accelerometer frame and the adjusted GNSS frame. Additionally, the gravity adjustment can also have errors from variations of gravitational force at different locations and altitudes. With the adjustments, we can calculate the acceleration differences between the sensors. This is shown in Equation (1) where is the acceleration from the sensor (accelerometer or GNSS) along the i-axis.

Equation (1) (see inset photo, above right)

Figure 3 shows the comparison of the accelerometer and GNSS PPP derived acceleration on each axis adjusting for heading only. The comparison is conducted with GNSS and IMU acceleration data that has undergone five seconds of exponential averaging. There are periods where the accelerations are well-matched and other periods where they are not. Generally, they match well during level flight and final approach. They do not match well during the turn section or in climb. This is not surprising as these are periods where the small pitch and roll assumptions are not valid. Estimating and accounting for pitch and roll angles results in better alignment and agreement between the accelerations on all axes. Figure 4 shows the acceleration applying roll estimates. Since most turns were reasonably coordinated, the roll estimates are good and their application results in good alignment.

Comparison of Acceleration Data
The initial analysis uses comparisons of the up body axis during approach — up (GNSS) and z-axis (accelerometer). In Figure 5, the estimated vertical acceleration as measured by GNSS and the accelerometer of the first approach is shown. The acceleration is exponentially averaged over five seconds. The only major difference between GNSS and the accelerometer occurs when the aircraft turns (banks) slightly. The two accelerations have a correlation coefficient of about 0.93. Figure 6 shows the vertical acceleration profile of the second approach. Again the GNSS and accelerometer accelerations are well matched with a correlation coefficient of about 0.96. Also note that the acceleration profile is dissimilar from the first approach. This is demonstrated later when the cross-correlation of the accelerometer accelerations between approaches is calculated.

Figure 7 shows the normalized autocorrelation of the IMU acceleration for the first two approaches, again with five second exponential averaging. The figure shows the (1/e) decorrelation times which range from 2.5 to 3.2 seconds for the approaches. Figure 8 shows the cross-correlation of the second approach with the first and third approaches normalized by the maximum autocorrelation of the second approach. The maximum normalized cross-correlation value over all approaches is about 0.55. The results indicate a fast decorrelation period and no significant cross-correlation between approaches. These results affirmatively answer the first question: Aircraft acceleration measured by low cost accelerometer can provide meaningful comparison with GNSS.

We measured the noise on accelerometer and GNSS acceleration using static measurements of vertical acceleration. Without averaging, the accelerometer showed a mean (μ) and standard deviation (σ) of -0.03 and 0.027 m/s², respectively, and the PPP GNSS acceleration was zero mean with a standard deviation of 1.198 m/s². These statistics are used as the basis of our model bounding variance for the statistical spoof detection tests. With five second exponential averaging, the z-axis accelerometer has a mean of –0.03 m/s² and standard deviation of 0.003 m/s². Similarly, PPP up acceleration was zero mean with 0.028 m/s² standard deviation.

Analysis of Detection and False Alerts
The previous section demonstrated two important qualities. First, low cost accelerometers, not coupled to GNSS, are accurate enough to provide corroborative information to the GNSS-derived movement for aircraft approach. Second, aircraft approaches present useful acceleration signatures that can be used like a cryptographic one-time pad to foil spoofing. The next step is to develop a test for spoofing that can provide robust detection with low probability of false alert. Basic, proof-of-concept monitors were developed using just the accelerometer z-axis and standard statistical testing to demonstrate feasibility. The acceleration comparison suggests that using the z-axis on the accelerometer provides the best information. In future development, other axes and/or sensors may be used either independently or in combination.

Two test statistics are examined and standard hypothesis tests are used to develop monitors based on each test statistic. The first statistic uses the difference in acceleration as measured by GNSS and accelerometer. A spoofed GNSS should experience different accelerations than those measured by the accelerometer. The second statistic examines the standard deviation of the acceleration difference (σ_Δa). The σ_Δa should be larger than the nominal value when the accelerations between the two sensors are not well matched. The second test is less sensitive to a relatively constant bias, such as those resulting from axis misalignment.

The first test statistic, z (mean difference), is shown in Equation (2). It examines the mean difference of acceleration (ȳ) normalized by the model standard deviation, σ. It also accounts for the effect of the maximum nominal bias b. The max function used to incorporate the bias since its sign is not known. The statistic should be bounded by a standard normal distribution provided the model standard deviation and bias are representative. Hence, our threshold test is to flag if z > z_thres. For a 10^-9 probability of false alert (P_fa), z_thres is 6.1. The second test statistic, χ², is shown in Equation (3) with n being the number of samples examined, and s² and σ² being the sample and model variances, respectively. For the initial analysis, n = 8 samples are used to generate the sample variance. The statistic is (central) χ² distributed with (n-1) degrees of freedom (dof). Similarly, our threshold test is to flag when χ² > χ²_thres with χ²_thres being 55.87 for 10^-9 and dof equal to 7 (since n = 8). Both statistical tests depend on the model standard deviation, σ, of the acceleration difference. As such, incorrect modeling affects the monitor performance. If σ is too large, then there will be a larger missed detection rate than modeled. Given the steady state nature of the developed spoof detector, this may be acceptable as there are many chances to catch the spoofer. If σ is too small, the false alert rate will be higher than expected. This is the worse outcome of the two possibilities as it may lead users to distrust the system. So it is better to err on the side of slightly too large. For our testing, the exponential average values are used for the test statistics. The model standard deviation, σ, used is 0.06 m/s² which is twice the root sum squared (rss) of the standard deviation of the accelerometer and GNSS acceleration, as found in the static tests. As the exponential average is used, the static exponential average standard deviations are used. This is shown in Equation (4). A test bias, b, of 0.03 m/s² and n = 8 samples are used.

Equations (2), (3) & (4) (see inset photo, above right)

The statistical tests provide the basic building blocks for the spoof detection monitor. There are several considerations that the monitor must address. One important consideration is minimizing false alerts. Each test may get flagged in non-spoofing situations if our assumptions are not well met. For example, unmodeled attitude can cause large differences in the z-axis accelerometer and up GNSS acceleration. Another consideration is that the tests will not flag during every instant where there is spoofing. For example, the first test will not flag if the spoofed acceleration happens to be within the allowable error tolerance of the true acceleration. This can happen purely by chance or if the acceleration does not vary much and so is easy to anticipate. The monitor should be designed to be robust to these issues. A moving observation window is used primarily to reduce false alerts. Initially a five second window is chosen since this is larger than the decorrelation time. Within the window, each test flag must exceed specified thresholds a certain number of times before the monitor issues an alert. The thresholds may differ for different tests and conditions. Figure 9 shows a general architecture for the spoof detection.

Two overall detection monitors based on these tests are implemented. The simple executive monitoring (EM) indicates spoofing if both detectors indicate spoofing by having their moving sums, Σ₁ and Σ₂, respectively, each exceed a threshold value, Σ_thres. A more nuanced EM leverages the strengths of each test. The EM may alert for each of several different conditions. We developed a multi-condition EM that alerts if the simple EM conditions are met or if the χ² test triggered at a higher threshold, Σ_thres,2 only. This allows us to leverage the power of the χ² monitor to detect spoofing even when the mean difference test is oblivious to it. The mean difference test will not flag for acceleration differences that vary by a small shift in time, whereas the χ² test could flag variation changes. These example executive monitors are shown in Figure 10.

To test the spoof detection monitor, both no spoofing (nominal) and simulated spoofing cases are examined. The nominal case tests the probability of false alert. Testing the nominal case is straightforward and is done with the collected data without modification. To test the spoof detection, we do not need to simulate the spoofing signal. We only need to model the effect of the spoofer on the statistical tests – that is, the acceleration resulting from the spoofing signal. The ability to defeat the monitor is determined by the acceleration that the spoofer can predict. An unsophisticated spoofer may have no knowledge of acceleration and hence its best guess is to assume zero acceleration in the vertical. A sophisticated, worst-case spoofer would accurately know the true GNSS acceleration with a small delay and could generate a spoofed GNSS exhibiting any acceleration profile. While the spoofer can produce many different acceleration profiles with delayed knowledge of the true acceleration, repeating back the true acceleration was found to be a good strategy. This is an extreme spoofing scenario as the spoofer only cares to spoof the acceleration profile without regard to the actual spoofed position. An actual attack would be constrained by the need to generate its spoofed positions.

Figure 11 illustrates an example of the accelerations used for evaluation. The figure shows the acceleration as indicated by the accelerometer, nominal PPP GNSS, and the worst case spoofed GNSS as previously discussed for the first approach. The spoofed case shown assumes that the nominal PPP acceleration is known with a two second delay and a spoofed signal is generated with that acceleration (repeat back). Figure 12 and Figure 13 show the acceleration difference (IMU minus GNSS or spoofed GNSS, top) and performance of each monitor (bottom) for the nominal and spoofed cases, respectively. The bottom of those plots show when each test, the mean difference test (black) and standard deviation difference test (red), was triggered over the course of the approach. A zero value indicates no spoofing while a non-zero value (1.5 and 1 for acceleration difference and standard deviation, respectively) indicates a flag by the specified test. In the nominal case, the standard deviation test flags only once while the mean difference test did not flag. In the spoofing case, each test flags many times on the approach though there are some quiet periods where neither tests flag. Figure 14 shows the number of times each test, the mean difference test (black), standard deviation difference test (red), and the sum for both tests (blue), flags over a moving five second (50 sample) window. The top shows the nominal case while the bottom shows the spoofed case. As desired, there is not much happening in the nominal case. Examining the spoofing case, there are many intervals where the tests flag 20-40 times each or 40-80%. However, there are other intervals where there are no flags. Comparing the time periods where there are spoofing flags to the accelerations shown in Figure 11 suggests that the tests are effective during periods with rapid changes in acceleration. No flags occur during reasonably calm acceleration periods. This is not surprising, as the spoofer can easily approximate the actual acceleration in these periods.

Table 1 shows a summary of the results for the simple and for the multicondition EMs from Figure 10 with a threshold, Σ_thres, of 6% or 3 total test flags in a 50 sample window. For the multi-condition EM, the Σ_thres,2 used is 12% or 6 flagged instances. The table shows the percentage of time spoofing is alerted by each EM and time from start to first detection presented for all four approaches and for different cases: nominal, a spoofer with no knowledge (assuming zero acceleration), and the repeat-back spoofing cases. The repeatback spoofing cases are conducted with one-half- and two-second information delay. In the table, any non-zero detection percentage indicates that the EM has generated a spoofing alert during the approach. Hence, the multi-condition EM catches all simulated spoofing cases shown. Additionally, the monitor alerts within about 13 seconds of the start of the approach and spoofing with the exception of Approach 1. This time to first detection (TFD) is a function not just of the monitor but also of the dynamics of the aircraft. With little variation in motion, it is easy for an attacker to predict the acceleration profile and hence remain concealed to the monitor. As seen in Figure 11, Approach 1 does not have much vertical acceleration variation initially. Hence it has high TFD. The simple EM can catch the longer delay (two second) spoofing attack but with a larger TFD. With a shorter delay, the simple EM may not alert throughout the entire approach as the acceleration difference monitor never flags. This is because the acceleration is continuous and does not change rapidly over a short period of time. Thus, with very small delays, difference between the actual and spoofed acceleration can be small and always remains within the tolerances specified by the low probability of false alert. Similarly, the percentage of time the monitor detects spoofing also depends on the dynamics of the flight. For example, the multi-condition EM detects the repeat-back spoofer with half-second delay between 14.2 to 50.3% of the time.

Another important result is that there are no false alerts in any case with the exception of Approach 4 with the multiple condition EM. The cause of the false alert was found to be dropouts in the GNSS measurements, which caused outlier GNSS accelerations for a few seconds. The result of the drop-out, which was exponentially averaged with other measures, can be seen in Figure 15 which shows the accelerations from the accelerometer, GNSS, and spoofer. The standard deviation monitor flagged the resulting jump. Hence, the false alert was due to a data issue rather than the monitor itself. The detection architecture should be designed to manage data handling errors.

Conclusions
The results provide good indication that a low cost IMU can be useful for spoofing detection during critical phases of flight. It demonstrated unique random vertical accelerations experienced on aircraft approach. Furthermore, it found that a good comparison between GNSS and IMU derived acceleration on approach and cruise can be made. Other segments of flight may be used provided we can derive a reasonable attitude estimate without inadvertently allowing a GNSS spoofer to contaminate our IMU results. Approaches having more high frequency and high amplitude accelerations result in better detection. The acceleration differences were used as the basis for a simple and multi-condition executive monitor for spoofing. These EMs demonstrated their spoof detection capabilities and their ability to limit false alerts using collected flight test data. Preliminary results show that monitoring can be designed to detect spoofing on all four approaches tested. Time to first detect depends on both the monitor design and aircraft dynamics. Fast detection (< 10 seconds) can be achieved especially if there are high amplitude and frequency accelerations. Many more flights will be needed to validate the performance results.

The analysis conducted provides only a preliminary feasibility demonstration and there is still much to be done. One area for future work is fault-tolerant design. The detection architecture needs to determine when it is suitable for use – i.e., when the attitude assumptions are valid. While the analysis conducted leverages some special characteristics of flight, other test measurements conducted have shown that this technique may be suitable for other transportation such as railways and automobiles. Both automobile and rail have additional characteristics that can be leveraged.

Acknowledgements
The authors thank FAA Navigation Programs and the Stanford Center for Position Navigation and Time (SCPNT) for supporting this work. We also thank the FAA Technical Center and Stuart Riley of Trimble Navigation for their help.

Disclaimer
The views expressed herein are those of the authors and are not to be construed as official or reflecting the views of the Federal Aviation Administration or Department of Transportation.

Additional Resources
[1] Birnbaum, I.,“‘Pokémon Go’ Players Are Spoofing GPS Locations to Catch’ Em All,” Motherboard, July 8, 2016
[2] Borowski, H., Isoz, O., Eklöf, F. M., Lo, S., and Akos, D., “Detection of False GNSS Signals using AGC,” GPS World, April 2012
[3] Brenner, M., “Integrated GPS/Inertial Fault Detection Availability,” NAVIGATION, Volume: 43, Issue: 2, pp. 111-130, 1996
[4] Chen, Y.-H., Juang, J.-C., Seo, J., De Lorenzo, D., Lo, S., Enge, P., and Akos, D., “Design and Implementation of Real-time Software Radio for GPS/WAAS Controlled Reception Pattern Antenna Array Adaptive Processing,” Sensors, Volume: 12,Issue: 10, pp. 13417-13440, 2012
[5] Chen, Y.-H., Lo, S., Akos, D., De Lorenzo, D., and Enge, P., “Getting Control: Off-the-Shelf Antennas for Controlled-Reception-Pattern Antenna Arrays,” Innovation Column, GPS World, February 2013
[6] Chen, Y.-H., Rothmaier, F., Akos, D., Lo, S., and Enge, P., “Towards a Practical Single Element Null Steering Antenna,” Proceedings of The Institute of Navigation International Technical Meeting, Monterey, CA, January 2017
[7] Diesel, J. and Dunn, G., “GPS/IRS AIME: Certification for Sole Means and Solution to RF Interference,” Proceedings of the 9th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1996), Kansas City, MO, September 1996
[8] Diesel, J. and King, J., “Integration of Navigation Systems for Fault Detection, Exclusion, and Integrity Determination—without WAAS,” Proceedings of The Institute of Navigation National Technical Meeting, 1995
[9] Dunkel, W., Weber, O., Butsch, F., “GNSS Interference Detection with GIMOS,” 11th International GBAS Working Group Meeting (I-GWG-11), Osaka, Japan, February 24, 2011
[10] Goward, D., “Mass GPS Spoofing Attack in Black Sea?,” The Maritime Executive, July 11, 2017
[11] Grant, A., Williams, P., Ward, N., and Basker, S., “GPS Jamming and the Impact on Maritime Navigation,” Journal of Navigation, Volume: 62, Issue: 02, April 2009
[12] Gross, G. and Humphreys, T. E., “GNSS Spoofing, Jamming, and Multipath Interference Classification using a Maximum-Likelihood Multi-Tap Multipath Estimator,” Proceedings of the International Technical Meeting of The Institute of Navigation, Monterey, CA, January 2017.
[13] Heirich, O., Robertson, P., Garcia, A. C., Strang, T., “Bayesian Train Localization Method Extended By 3D Geometric Railway Track Observations From Inertial Sensors,” 15th International Conference on Information Fusion, July 2012
[14] Huang, L. and Yang, Q., “GPS Spoofing, Low cost GPS Simulator,” DEFCON 23, August 2015
[15] Key, E. L., “Techniques to Counter GPS Spoofing. Internal memorandum,” USA: MITRE Corporation, February 1995.
[16] Khanafseh, S., Roshan, N., Langel, S., Chan, F.-C., Joerger, M., Pervan, B., and “GPS Spoofing Detection Using RAIM with INS Coupling,” Proceedings of Proceedings of The Institute of Navigation/IEEE Position Location and Navigation Symposium (PLANS), Monterey, CA, pp. 1232-1239, May 2014
[17] Last, D., Grant, A., and Ward, N., “Demonstrating the Effects of GPS Jamming on Marine Navigation,” 3rd GNSS Vulnerabilities and Solutions Conference, Baška, Krk Island, Croatia, September 5-8, 2010
[18] Levin, P., De Lorenzo, D. S., Enge, P. K., Lo, S. C., “Authenticating a Signal Based on an Unknown Component Thereof,” US Patent # 7,969,354, June 28, 2011
[19] Liu, Y., Fu, Q., Liu, Z., and Li, S., “GNSS Spoofing Detection Ability of a Loosely Coupled INS/GNSS Integrated Navigation System for Two Integrity Monitoring Methods,” Proceedings of The Institute of Navigation International Technical Meeting (ITM), Monterey, CA, January 2017
[20] Lo, S., Chen, Y. H., Barrows, A., Reid, T., Perkins, A., Jan, S. S., and Enge, P., “Using Traffic Information Services Broadcast (TIS-B) Signals for Aviation Navigation,” Proceedings of The Institute of Navigation/IEEE Position Location and Navigation Symposium (PLANS), Savannah, GA, April 2016
[21] Lo, S., De Lorenzo, D., Enge, P., Akos, D., Bradley, P., “Signal Authentication: A Secure Civil GNSS for Today,” Inside GNSS, September/October 2009
[22] Manickam, S. and O’Keefe, K., “Using Tactical and MEMS Grade INS to Protect Against GNSS Spoofing in Automotive Applications,” Proceedings of the 29th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2016), Portland, OR, pp. 2991-3001, September 2016
[23] McMilin, E., “Single Antenna Null-Steering for GPS & GNSS Aerial Applications,” Ph.D. Dissertation, Stanford University, March 2016
[24] Psiaki, M. L. and Humphreys, T. E., “GNSS Spoofing and Detection,” Proceedings of the IEEE, 2016.
[25] Pullen, S. and Gao, G., “The Impact of Uninformed RF Interference on GBAS and Potential Mitigations,” Proceedings of the ION International Technical Meeting (ITM), Newport Beach, California, January 2012
[26] Sebastian, C., “Getting Lost Near the Kremlin? Russia could be ‘GPS Spoofing’,” CNN Tech, December 2, 2016
[27] Shepard, D. P., Bhatti, J. A., Humphreys, T. E., Fansler, A. A., “Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks,” Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), Nashville, TN, pp. 3591-3605, September 2012
[28] Swaszek, P. F., Pratz, S. A., Arocho, B. N., Seals, K. C., Hartnett, R. J., “GNSS Spoof Detection Using Shipboard IMU Measurements,” Proceedings of the 27th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2014), Tampa, FL, pp. 745-758, September 2014
[29] Tanil, C.,Khanafseh, S., Joerger, M., and Pervan, B., “Kalman Filter-based INS Monitor to Detect GNSS Spoofers Capable of Attacking Aircraft Position,” Proceedings of The Institute of Navigation/IEEE Position Location and Navigation Symposium (PLANS), Savannah, GA, pp. 1027-1034, April 2016
[30] Tanil, C., Khanafseh, S., and Pervan, B., “Impact of Wind Gusts on Detectability of GPS Spoofing Attacks Using RAIM with INS Coupling,” Proceedings of The Institute of Navigation 2015 Pacific PNT Meeting, Honolulu, HI, pp. 674-686, April 2015 (2015a)
[31] Tanil, C., Khanafseh, S., and Pervan, B., “GNSS Spoofing Attack Detection using Aircraft Autopilot Response to Deceptive Trajectory,” Proceedings of the 28th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2015), Tampa, FL, pp. 3345-3357, September 2015 (2015b)
[32] Tanil, C., Khanafseh, S., and Pervan, B., “An INS Monitor Against GNSS Spoofing Attacks During GBAS and SBAS-assisted Aircraft Landing Approaches,” Proceedings of the 29th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2016), Portland, OR, pp. 2981-2990, September 2016
[33] Thompson, R. J. R., Cetin, E., and Dempster, A. G., “Evaluation of Relative GPS Timing Under Jamming Conditions,” Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), Nashville, TN, pp. 717-730, September 2012
[34] Van Dierendonck, A. J., “GPS Re-Radiator Issues,” Presentation to the US GPS Industry Council, October 2005
[35] Waid, J. and Fly, B., “Tactical HIGH™ – Solution Separation Methods Applied to the Warfighter Environment,” Proceedings of The Institute of Navigation 60th Annual Meeting, Dayton, OH, 2004
[36] Warner, J. S. and Johnston, R. G., “Think GPS Offers High Security? Think Again!,” Business Contingency Planning Conference, Las Vegas, NV, May 23-27, 2004

The post Consumer Mass Market Accelerometers for GNSS Anti-Spoofing appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

GNSS is the technology of choice in most applications due to its dedicated infrastructure, Earth coverage, medium to high accuracy, and large market penetration. Most of the applications, including those we download on our smartphones, are in the category of Location Based Services (LBS). However, there are many other services and businesses that rely heavily on GNSS performance and reliability. For instance, Intelligent Transportation Systems (ITS) make extensive use of GNSS technology and this dependence will only grow in the future.

It’s not just that GNSS has become ubiquitous in our daily life, but many critical infrastructures worldwide have some sort of reliance on it. In addition to the already mentioned transportation systems, GNSS plays a significant role in synchronization in the power grid, high frequency trading operations, and synchronization of distant wireless communications towers.

This growing dependence on GNSS within critical (and non-critical) infrastructures has posed some concerns on the potential vulnerabilities of GNSS (see Amin et alia, “Guest Editorial: Vulnerabilities, threats, and authentication in satellite-based navigation systems,” in Additional Resources). As a consequence, there is a need for protecting GNSS against intentional and unintentional interference sources since disruption of GNSS can lead to catastrophic consequences.

The jamming threat, a specific form of intentional interference, is real and its occurrence has been documented in many occasions. Jamming devices are illegal in most (not all) countries, yet they are very easy and cheap to buy. Simple jammers can disrupt GNSS-based services in wide geographical areas (even in several kilometers), a fact that has certainly triggered research into anti-jamming techniques. Not only is jamming a threat, but other sources of unintentional interference can severely compromise GNSS performance.

This article aims at providing a discussion of classical mitigation techniques, while providing links to the field of robust statistics. This link provides a principled way of analyzing existing mitigation techniques, as well as conceiving new methodologies that rely on solid statistical principles. Purposely, we do not discuss interference detection techniques, leaving all the discussion to interference mitigation. Finally, the article introduces Transform Domain (TD) techniques and their robust versions, which are compared against time domain techniques using real data gathered in an experimental test.

The IC Principle
In this article, we are interested in both intentional and unintentional interference and, in either situations, the signal at the receiver antenna can be modeled as

y(t) = x_θ(t) + i(t) + w(t)     (1)

where x_θ(t) is the legitimate signal, made of different components coming from the visible GNSS satellites, i(t) represents the interference signal, and w(t) is the random contribution of the thermal noise. Notice that x_θ(t) is parameterized by θ, a vector containing the unknown parameters of the received signals such as their amplitude, time-delay, Doppler-shift, or carrierphase. For the i-th satellite signal, we define the parameters as A_i, τ_i, f_d,i, and φ_i respectively. Roughly speaking, the estimates of θ are used to solve for the position at the receiver side. Most of the commercial jamming devices transmit rather simple periodic signals whose frequency is time-varying, f_I(t). Therefore, a rather simple but general model is

i(t) = A_I cos(2π(f_RF + f_I)t + φ_I)     (2)

where A_I is the amplitude of the interfering signal, f_RF is the central Radio Frequency (RF), f_I(t) is the time-varying interference frequency, and φ_I represents its phase. Depending on the behavior of f_I(t) different jamming signals can be conceived such as Continuous Wave (CW) jammers when f_I(t) = f_I is a constant, or chirp-like jamming signals when f_I(t) evolves over time following a saw-tooth pattern. Intuitively, the faster the variability and transitions of f_I(t), the harder it is to mitigate interference at the receiver side. At the receiver, we are interested in digital signal processing methods to counteract interferences, therefore we assume that y(t) is sampled at a rate (f_s = 1/T_s) satisfying the Nyquist criterion to yield its discrete-time version:

y[n] = x_θ[n] + i[n] + w[n]     (3)

A common approach to interference mitigation is to formulate it, statistically speaking, as an estimation problem. After detecting the interference, the set of unknown parameters characterizing the interfering signal needs to be estimated to enable Interference Cancellation (IC) at the receiver. A reconstructed version of the interference term, î[n], is subtracted from the observations such that a clean signal version is used afterwards by the receiver, ỹ[n] = y[n] – î[n]. The principle is depicted in Figure 1.

In the context of the standard operations of a GNSS receiver, IC can be better understood as the modification of the objective function in acquisition and tracking. Typically, GNSS receivers estimate the parameters of the received signals using a variety of methods that implement a Least Squares (LS) solution, where the input samples are compared with locally generated signal replicas. In particular, code delay, Doppler frequency and carrier phase are estimated as:

Equation (4) (see inset photo, above right, for equations)

Equation (5)

Notice that the subindex i denoting the satellite signal is hereafter omitted since we consider independent acquisition/tracking among satellites. c(·) denotes the spreading sequence for the satellite of interest and N the total number of samples used in the process. Cost function (5) can be minimized independently from A which can be estimated in a separate step. For this reason, the determination of A is not explicitly indicated in (4). In particular, it is possible to show that the minimization of (5) is equivalent to the maximization of the absolute value of the Cross-Ambiguity Function (CAF) defined as

Equation (6) 

In the IC case, the cost function is modified after gaining knowledge of the interference. More precisely, the signal model is extended in order to account for the interference term and the cost function is rewritten as

Equation (7)

where î[n] is the reconstructed version of the interference, which requires detection and estimation as for Figure 1.

Using these definitions, the main IC techniques can be defined. For instance, a popular method for pulsed interference mitigation, due its simplicity, is pulse blanking (see article by Borio, 2016, Additional Resources). At a glance, pulse blanking detects the presence of interference by identifying abnormally large values in the pre-correlation samples. This can be easily achieved by comparing |y[n]| to a predefined threshold T_PB. Then, the interfered samples are set to zero such that they are not used throughout the receiver. Mathematically, the estimated interference is

Equation (8)

which can be plugged in cost function (7) to understand how pulse blanking operates.

Robust Estimation
When the IC principle is used, the interfering term is treated as a signal component whose parameters should be estimated. A different approach for the design of interference mitigation techniques can be derived from the theory of robust statistics (see, for example, Huber and Ronchetti, Additional Resources). In this case, the receiver does not try to estimate the jamming signal but adopts processing strategies which can produce reasonable results even in the presence of interference.

The term “robust” is often used in the literal sense, in many cases just according to the definition provided by the dictionary. This has often generated confusion and algorithms defined as “robust” are not actually “statistically robust”. Robustness has to be intended here as a mathematical property of a system and can be assessed using rigorous criteria. An analogy can be made with the concept of Bounded Input Bounded Output (BIBO) stability: a system is BIBO stable if a bounded output is obtained for every bounded input. In a similar way, Qualitative Robustness states that a robust estimator is such that bounded departures from the assumed model do not cause it to provide aberrant results (see Hampel in Additional Resources). For instance, if an estimator assumes a Gaussian model for the observations, but outliers — which break the Gaussian assumption — are received and used, we expect the estimator to be relatively insensitive to them if claimed to be robust. For location estimators of the type

Equation (9)

i.e. that depend on a linear combination of input samples, y[n], processed by the non-linearity, ρ(·), robustness is obtained when ρ(·) is bounded. When pulse blanking is used, the CAF of the input samples is computed as:

Equation (10)

where, in accordance to (8), the non-linearity is

Equation (11)

is clearly a bounded function of the input samples. In this way, pulse blanking is not only a form of IC but is also a robust estimator for the CAF.

Although techniques implementing the IC principle can be robust, robust statistics provides, in general, a shift in the design paradigm for interference/jamming mitigation techniques. In particular, the focus is no longer in the definition of the most appropriate model for the interfering term, i(t), but on the search for robust procedures that allow the estimators to combat i(t) without actually estimating (or even detecting) it. A possible design strategy is to reformulate model (3) as

y[n] = x_θ[n] + w′[n]     (12)

where interference and noise are grouped together, with

w′[n] = i[n] + w[n]

In the robust estimation framework the goal is to adopt models for the aggregate term, w′{n}, which lead to robust estimators. In robust statistics, a model is considered as well, but its statistical assumptions are relaxed such that the estimators have some flexibility to process outlier measurements, which otherwise would make non-robust estimators diverge. In this respect, there exist several noise models which lead to robust estimators in classical robust statistical problems. It turns out that these models are also effective in the context of jamming mitigation in GNSS receivers. These models, which mainly characterize the statistics of w′{n}, include:

• Laplacian model: the aggregate noise term is assumed to follow a Laplace distribution.
• Cauchy model: the aggregate noise term is assumed to follow a Cauchy distribution.
• Student’s t model: the aggregate noise term is assumed to follow a t-distribution.

Other noise models could be considered for the design of different jamming mitigation techniques. Notice that, typically these distributions exhibit heavy-tail behavior, as opposite to the standard Gaussian assumption. From the aggregate noise model, robust mitigation techniques are finally obtained. We recently considered (see the paper presented by one of the authors at the 2017 European Navigation Conference and listed in Additional Resources):

• The usage of Zero-Memory Non-Linear (ZMNL) functions to pre-process the input samples.
• Non-linear correlators based, for example, on the median (which results from the Laplace noise assumption) and on the sample myriad (from the assumption of Cauchy noise).

The sample myriad is a location estimator, as the mean and the median, and it is defined, for real input samples, as

Equation (13)

where K is the linearity parameter of the Cauchy distribution (this is better explained in the following). A clear parallelism with the sample mean can be made: the mean is the argument which minimizes the sum of squares of the residuals, y[n]-μ. Additional details on the sample myriad can be found, for example, in the book by G. R. Arce listed in Additional Resources.

ZMNL functions can be directly obtained from the aggregate noise model as

ρ(y[n]) = –log f(y[n])     (14)

where f(y) is the probability density function (pdf) adopted to describe w′{n}. In this case, alternative versions of (10) are obtained by replacing ρ_PB(·) with ρ(·). In the ZMNL function case, the input samples are simply pre-processed using ρ(·) before being used by the standard correlator blocks. In this way, a robust CAF similar to (10) is obtained. In the second approach, it is recognized that the CAF is a weighted mean. The mean is inherently non-robust and thus, it can be replaced by robust operators such as the median and the myriad. For example, in the median case, the CAF in (6) becomes:

C_R(τ,f_d) = MEDIAN(y[n]c(nT_s – τ)e^{–j2πf_dnT_s}|n=0,1,…,N – 1).     (15)

Note that the samples at the input of the MEDIAN operator in (15) are complex. In this case, it is assumed that two independent medians are computed on the real and imaginary parts of the samples. These approaches introduce significant robustness in the case of pulsed jamming and allow receiver operations even in the close proximity of a jammer.

Time, Frequency, Scale and All the Others
By representing the input samples in a different domain, an advanced class of interference mitigation techniques arises. A classic example is the usage of the Discrete Fourier Transform (DFT) and its fast implementation, the Fast Fourier Transform (FFT), to project the input samples, y[n], into the frequency domain. In this way, a new set of samples, Y(k), is obtained. Here, the index, k, is used to denote the set of discrete frequencies. The rationale of operating in a different domain is that, in such domain, the interfering term, i[n], admits a sparse representation. This implies that, I(k), the TD representation of i[n], is significantly different from zero only for a relatively small number of values of k. I(k) will thus appear as a set of pulses which can be easily blanked in the TD.

Depending on the domain of the transformation, it is possible to classify the different interference mitigation techniques as in Figure 2. The figure also takes into account the receiver stages where the techniques are actually implemented. In particular, interference mitigation techniques are classified according to their implementation with respect to the correlation operation as

• Pre-correlation: the algorithm operates before the correlation process takes place. In this way, mitigation is performed for all the processing channels at once and the characteristics of the useful received signals are not taken into account.
• In-correlation: mitigation is performed by modifying the standard correlation process.
• Post-correlation: mitigation is applied at the output of the correlators. In this case, different processing can be applied to the signals from different channels.

Time domain techniques are those that do not require a preliminary transformation to bring the input samples in a different domain. In this respect, adaptive notch filtering and pulse blanking are time domain techniques commonly used for interference mitigation, both implementing the IC principle. Adaptive notch filtering is an effective technique where the instantaneous frequency of the jamming signal is continuously estimated. The region of the spectrum occupied by the jamming signal is then removed through filtering. Although notch filtering performs the excision of a narrow frequency band, it is implemented using a recurrence equation in the time domain and thus it does not require a signal transformation. Alternative classifications can be adopted. Pulse blanking can be seen as a robust technique (as discussed earlier), whereas notch filtering is very sensitive to model mismatches. The notch filter can only operate if the interfering signal is instantaneously narrowband and if its center frequency is slowly varying with time. Other examples of time domain approaches used for interference mitigation are the usage of ZMNL functions, as described above, and the adoption of a Kalman Filter (see Mitch et alia in Additional Resources) to track and reconstruct the jamming signal. This latter approach is, in general, non-robust and sensitive to deviations from the model adopted for the design of the Kalman Filter.

Time domain pre-correlation techniques are, in general, low-complexity and approaches such as pulse blanking and notch filtering are now commonly implemented in professional and mass-market receivers. Time domain processing can be integrated with the correlator and, for example, robust correlators discussed in the previous section can be adopted. The complexity depends on the approach adopted. The median can be implemented in a quite efficient way and its complexity is comparable with that of the mean performed in standard correlators. The computation of the sample myriad requires an iterative procedure which can be computationally expensive.

Post-correlation mitigation techniques are not explicitly indicated in Figure 2. Techniques operating at this stage tend to be “mixed” in the sense that post-correlation information is used to drive pre-correlation processing. Moreover, after correlation, the input samples are significantly down-sampled and, for this reason, adoption of different domains is usually not considered. Remarkably, post-correlation techniques are typically ineffective in terms of jamming suppression, the main reason being that correlation with the local code causes a spread out of the (uncorrelated) interference, which makes it harder to be mitigated. Degradations in post-correlation products, such as the estimated Carrier-to- Noise power spectral density ratio (C/N₀), can, however, be exploited for jamming detection.

In TD approaches, considered in the bottom row of Figure 2, the input signal, y[n], is projected into a different domain in the first place. These domains include frequency, with the usage of the DFT/FFT; joint time-frequency representations based, for example, on the Short Time Fourier Transform (STFT) or on the Wigner- Ville distribution; and joint timescale representations based on the Discrete Wavelet Transform (DWT). The Karhunen-Loeve Transform (KLT) has also been considered as a possible tool to obtain TD representations of the received GNSS signal, y[n]. Once in the TD, it is possible to apply techniques similar to those adopted in the time domain. TD excision is probably the most commonly adopted approach and it operates in a way analog to pulse blanking. If the absolute value of a sample in the TD is larger than a threshold, it is blanked and set to zero. Robust techniques can be also implemented in the TD, both at the pre- and in-correlation level. This topic is discussed in more detail in the next section. Although TD techniques are usually computationally demanding, several high-end professional receivers implement FFT-based algorithms and are able to perform interference detection and mitigation in the frequency domain.

In hybrid approaches the complexity of TD techniques is reduced using, for example, a bank of filters. The time domain signal is not transformed but split into several streams. Each stream is obtained using a separate filter which captures the content of the original signal on a specific frequency sub-band. This is a hybrid approach in the sense that each stream is a time domain representation of the frequency content of the original signal on a specific sub-band. Here, we referred to “frequency”, but other representation domains such as scale can be adopted for the design of the filter bank used for the signal decomposition. Approaches such as pulse blanking and the usage of ZMNL functions can then be implemented on the individual streams.

Finally, we would like to comment on spatial domain techniques, which can be used complementarily to the previously mentioned approaches. In this case, the time domain signal is not explicitly transformed but, instead, the signal is recorded using a multi-antenna receiver, which confers it with spatial discrimination capabilities. Conceptually, one can point to desired directions-of-arrival, while nulling the radiation pattern of the antenna at directions where an interference is detected. A detailed discussion is out of the scope of this article, but it suffices to say that pre- and postcorrelation techniques can be considered. Beamforming design can follow a plethora of options, being classified into temporal-, spatial-, or hybrid-reference beamforming techniques depending on the knowledge assumed for the desired and interfering signals. Typically, array processing techniques involve demanding computational resources and precise hardware designs.

Some general considerations on the properties of interference mitigation techniques are provided in Figure 3. In particular, the impact of model specification is analyzed. Strong model specifications reduce, in general, the flexibility and robustness of estimation methods to cope with (non-nominal) interference situations. This is the case of adaptive notch filters which can only deal with frequency modulated signals with slowly varying central frequencies. On the other hand, precise model specifications can significantly reduce the computational complexity of the technique and lead to optimal performance when the design conditions are met. For instance, notch filtering is computationally efficient and achieves performance comparable to that of TD techniques when dealing, for example, with CW interference.

TD techniques usually make only weak assumptions on the interference model. In particular, the underlying assumption is that the interfering signal admits a sparse representation in the TD. This corresponds to assuming that the interfering signals can be effectively described by a linear combination of few functions from a basis of the TD. For example, when the FFT/DFT is adopted, it is implicitly assumed that the interfering signal can be effectively described as the linear combination of few complex sinusoids. In general, weak assumptions on the interference model lead to flexible techniques which can operate in a wide range of conditions.

As a general principle, the increase of computational load should yield to performance improvements. When this improvement does not occur or it is limited, the mitigation technique should be re-considered. This phenomenon may occur for example when considering new TDs: the computational load of the transform required to project the input signal in the new TD might not be justified by the improvement of performance, for example, with respect to other TD techniques which can be implemented using fast algorithms such as the FFT.

Robust TD Approaches
Finally, we consider a new class of TD approaches which is based on the usage of ZMNL functions in the TD. More specifically, we assume that a linear transform, such as the DFT and the DWT, has been applied to the input signal and that the following TD samples have been obtained:

Y(k) = X_θ(k) + I(k) + W(k) = X_θ(k) + W′(k)     (16)

Since linear transforms are used, the superposition principle applies and the different components in (12) have a corresponding term in (16). In particular, it is possible to identify the useful signal components, the interference term and the noise term. In this approach, we propose to model the received signal directly in the TD rather than in the time domain. In particular, we focus on different noise models for the aggregate TD noise term, W′(k). As discussed in the section on robust estimation, the model does not need to be accurate but should be selected in order to obtain robustness. In other words, in robust statistics, optimality is sacrificed in favor of robustness. In this case, we considered two non-Gaussian noise models: the complex Laplace and the complex Cauchy distributions for W′(k).

Following an approach similar to that developed for the time domain (see article by Borio, 2017, in Additional Resources), robust TD interference mitigation techniques can be obtained by processing the TD samples using a ZMNL function. Figure 4.a provides a schematic representation of TD approaches implemented at the pre-correlation level. The input samples are projected into the TD, processed and used to reconstruct a clean version of the time domain input signal, y′[n]. In the approach proposed here, the processed samples, Y′(k), are given by

Y′(k) = ρ(Y(k))     (17)

where ρ(·) is the non-linearity defined by (14). In this case, f(y) has to be interpreted as the pdf of the aggregate noise in the TD. If a Laplacian model is adopted, the following non-linearity is obtained:

Equation (18)

This implies that the TD components of the input signal are normalized by their amplitude and only the phase information is retained. Eq. (18) leads to a normalization of the different TD components: when frequency is considered, the spectrum of the output signal, Y′(k), has a constant unit amplitude. In this respect, the ZMNL function defined by (18) acts as a Zero-Forcing (ZF) equalizer. In common ZF equalizer implementations, however, several time samples are used to estimate the signal spectrum and determine the impulse response of the equalizer. In this case, a direct normalization is implemented in the TD. This, apparently simple processing, provides the receiver with remarkable interference mitigation capabilities.

Alternatively, if a Cauchy model is considered, the following processed signal is obtained:

Equation (19)

where K is the linearity parameter introduced in the robust estimation section when defining the sample myriad. This name is justified by the fact that K controls the “linearity” of (19): as K goes to infinity, non-linearity (19) becomes the identity. K should be set as a function of the variance of the non-interfered input noise. The determination of K is out of the scope of this paper.

Figure 4.b shows the in-correlator implementation of the TD processing. In particular, due to the Plancherel theorem, it is possible to show that unitary transforms preserve the scalar product and correlation operations. Examples of unitary transforms are the DFT and DWT (when properly scaled). In these cases, it is possible to compute the correlator directly in the TD. In some cases, this design choice allows significant computational load reduction. A well-known approach is, for example, the parallel code acquisition algorithm based on the usage of the FFT. In the parallel code acquisition algorithm, the FFT is already used for the computation of the correlators: the usage of nonlinearities in the frequency domain can be efficiently adopted without requiring additional operations.

A schematic representation of the parallel code acquisition algorithm is shown Figure 5. As already mentioned, the algorithm foresees the transposition in the frequency domain of the input signal, y[n], thus it can be easily modified by introducing an additional processing block. This block is the light green box labelled “Additional Processing” in Figure 5. This block simply implements the ZMNL functions in Eqs. (18) and (19). In this case, robustness can be introduced with limited additional computational requirements.

In order to demonstrate the effectiveness of RTD approaches, we used the data available here and previously used to evaluate the behavior of an adaptive notch filter. The data contain a short dataset with GNSS data affected by jamming. In the archive, basic code allowing the acquisition of the GNSS signals present in the dataset is also provided. Without interference mitigation, it is not possible to detect the useful signal and the CAF shown in Figure 6 is obtained. Secondary peaks caused by the jamming signal are clearly present. RTD has been implemented by modifying the parallel code acquisition algorithm as indicated in Figure 5. Parallel code acquisition is implemented in the “DftParallelCodePhaseAcquisition.m” Matlab function and it is included in the archive indicated above.

Significant robustness can be introduced by adding a single line of code which implements normalization (18). We invite the readers to experiment with the code and add the following line of code

X = X ./ ( abs( X ) );

in the “DftParallelCodePhaseAcquisition.m” script. This line should be inserted in the “for” loop, before the computation of the inverse IFFT. With this modification, the impact of jamming is significantly reduced and it is possible to effectively acquire the useful GNSS signal. In particular, the CAF shown in Figure 7 is obtained: the signal peak clearly emerges from the noise floor and the secondary peaks due to the jamming signal are strongly attenuated.

The effectiveness of the proposed approach is further analyzed in Figure 8 which shows the C/N₀ estimated for a signal affected by jamming under different conditions. In this experiment, the jammer was connected to a variable attenuator. The attenuation was progressively reduced leading to an increasing jamming power. In particular, the received jamming power was increased with steps of 2 decibels. This fact is reflected by the C/N₀ values shown in Figure 8. After 1,200 seconds, the attenuation reaches its minimum value before being increased again. TD processing was implemented using the architecture depicted in Figure 4a and non-linearity (18) was adopted. TD processing significantly outperforms the notch filter used in Figure 8 for comparison. More specifically, a gain of more than 5 decibels is achieved for strong jamming signals. The considered notch filter implements interference detection and it is activated only when significant jamming power is sensed.

Conclusions and the Future of (Anti-) Jamming
Interference mitigation, in the context of GNSS receiver design, has been an active topic for research for several lustrums. It is likely to keep its good pace towards securing GNSS receivers — and the growing list of facilities and infrastructures depending on GNSS — from malicious jamming or unintentional interference. The field has indeed made substantial progress, mainly leveraging on advanced signal processing techniques. In this article we have covered classical time domain methods, but also discussed TD techniques that exploit sparsity of interference in other domains besides time. Additionally, the use of robust statistics was seen to provide interesting results and is a way forward for research. Anti-jamming is advancing, so are the capabilities of jammers to cause damage to GNSS receivers. Besides spoofing — which is probably one of the most complicated interference signals to generate — and jamming — probably the simplest — there is a middle ground. For instance, deceptive jamming, where a simple pulsed-jamming signal is disciplined to target specific parts of the navigation message. It was shown (see Curran et alia, “On the Threat of Systematic Jamming of GNSS”, Additional Resources) that deceptive jamming is not only feasible, but hardly detectable. It is foreseen that this, and other threats, will spur research in the area of antijamming.

Additional Resources
[1] Amin, M. G., P. Closas, A. Broumandan, J. Volakis, “Guest Editorial: Vulnerabilities, threats, and authentication in satellite-based navigation systems,” Proceedings of the IEEE, 104(6), pp. 1302-1317, 2016.
[2] Amin, M. G., X. Wang, Y.D. Zhang, F. Ahmad, and E. Aboutanios, “Sparse arrays and sampling for interference mitigation and DOA estimation in GNSS,” Proceedings of the IEEE, 104(6), pp. 1169-1173, 2016.
[3] Arce, G. R., Nonlinear Signal Processing: A Statistical Approach. Wiley-Interscience, Nov. 2004.
[4] Borio, D., “Swept GNSS Jamming Mitigation through Pulse Blanking” Proc. of the 2016 European Navigation Conference (ENC), Helsinki, Finland, June 2016, pp. 1-8.
[5] Borio, D., “Robust Signal Processing for GNSS,” Proc. of the 2017 European Navigation Conference (ENC), Lausanne, Switzerland, May 2017, pp. 150- 158.
[6] Curran, J. T., M. Bavaro, P. Closas, M. Navarro, “On the Threat of Systematic Jamming of GNSS,” Proceedings of the 29th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2016), Portland, OR, September 2016.
[7] Fernández-Prades, C., J. Arribas, P. Closas, “Robust GNSS receivers by array signal processing: theory and implementation,” Proceedings of the IEEE, 104(6), pp.1207-1220, 2016.
[8] Hampel, F. R., “A general definition of qualitative robustness,” The Annals of Mathematical Statistics, vol. 42, pp. 1887-1896, 1971.
[9] Huber, P. J., and E. M. Ronchetti, “Robust Statistics,” Wiley, second edition, February 2009.

The post A Fresh Look at GNSS Anti-Jamming appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

Table 1

Working Papers explore the technical and scientific themes that underpin GNSS programs and applications. This regular column is coordinated by Em. Univ.-Prof. Dr.-Ing. habil. Dr. h.c. Guenter W. Hein.

This is the first article in a series. For Part 2: Hybrid- and Non-GNSS Localization, see here.

Working Papers explore the technical and scientific themes that underpin GNSS programs and applications. This regular column is coordinated by Em. Univ.-Prof. Dr.-Ing. habil. Dr. h.c. Guenter W. Hein.

This is the first article in a series. For Part 2: Hybrid- and Non-GNSS Localization, see here.

Positioning (or localization) is a key component in many wireless devices and a key enabler and optimizer of many mobile applications, including transportation, smart cities, and ambient assisted living. For example, mobile wireless devices relying on a location component can be used as mobile assistants and wearable devices for the elderly, sick, or disabled, for traffic and environment monitoring, for green mobile crowd sensing, in crisis scenarios, for wildfire risk prediction, etc. (see I. Maglogiannis et alia and L. Skorin-Kapov et alia in Additional Resources). When the time dimension is added to the positioning information, we talk about user or device tracking.

To enable a large-scale uptake of the location-based and location-aware applications, one of the main barriers to overcome is finding solutions to the current vulnerabilities in wireless positioning. Such vulnerabilities exist with respect to the privacy, security, positioning reliability, robustness, and availability, especially in indoor environments, and to the acceptability and safety of tracking devices. Users are indeed, slowly, becoming aware of the potential vulnerabilities in making their minute-by-minute position known to the external world and legislation efforts all over the world are dedicated to build the legal frameworks covering tracking and location privacy (see L. Chen et alia and K. Pomfret). Operators and mobile manufacturers are collecting location-based data and possibly geo-tagged context information en masse from our mobile devices for the purpose of network and service optimization. Crowdsourcing, mobility sensing, and cloud storage processing are becoming default options. Many mobile devices can now be used as identifiers, and digital wallets and biometric data play a crucial role. Location is a key component in all of these aspects. A known location, or being able to fake a current location, could mean, in the near future, higher vulnerability to theft, privacy invasion, and increased stalking. Geo-located patterns can lead to the re-identification of individuals and thus could pose a risk to the right to a private life. All these vulnerabilities with respect to the acquisition, storage, and misuse of the users’ geospatial information are long-overlooked factors which need to be addressed in a systematic and dedicated manner. The promising potential of future prosperous wireless markets relying on some form of localization and geo-spatial information, such as Internet of Things (IoT), Industrial IoT (IIoT), 5G, Device-to-Device (D2D), or Vehicle-to-Anything (V2X) communications, means that the security, privacy, and transparency aspects in mobile positioning need to become a high priority in the world of mobile computing.

In traditional positioning approaches, such as those purely based on Global Navigation Satellite Systems (GNSS), the user device is a purely passive device, thus fully preserving the user’s privacy. Modern localization solutions, including those evolved from GNSS such as Cloud GNSS (C-GNSS) and Assisted GNSS (A-GNSS) involve smart processing of cloud-gathered data, inter-connectivity, and exchange of information between different stakeholders in the localization chain, and possibly geo-tagged content de-identification. Therefore, these are vulnerable to privacy breaches, whereas the user position is fully private in GNSS as its receiver acts only as a passive (receiving) device. This article sheds light on the challenges related to location privacy, emphasizing current user perception of location-based mobile applications, and discusses future research directions and solutions that can benefit the community at large.

Is Location Privacy Something We Should Worry About?
In order to better understand users’ concerns with regard to their location privacy and how much users would be willing to pay for preserving their location privacy, a Webropol web survey (see Additional Resources) was conducted from January to May 2017. The survey was initially built in English and then translated to Finnish and Romanian. The survey link was distributed on different social media channels (e.g., LinkedIn, Twitter, Facebook) and through various mailing lists in order to reach a wide audience with variable backgrounds. In total, 327 answers from respondents across 38 countries in four continents were obtained. 8.8% of the respondents did not answer the question about the country of residence. There were 208 answers in English, 79 in Finnish, and 40 in Romanian. The overall gender distribution is quite balanced: 46.3% male respondents, 49.4% female respondents, and 4.3% declined to state. The age and country distribution of respondents are shown in Figure 1, with Finland, Romania, and UK being the countries of residence for most of the respondents, and the majority of respondents being between 36 and 45 years old.

Figure 2 shows how the respondents are using their mobile phone’s navigation capabilities and Location Based Services (LBS) on their mobile devices. The left plot shows that the vast majority of users (86.6%) are using some form of navigation on their phone, among which 52% typically activate both the GNSS and the non-GNSS (e.g., WiFi and cellular) positioning engines on their phones when navigating. The center plot of Figure 2 describes how often a user reads the permissions before installing an LBS application on his/her phones. These permissions are more or less intrusive in terms of privacy, depending on the application provider and reading them already denotes some minimal concern with regard to the privacy of mobile data. The survey shows that 30.0% of the respondents always read the permissions, 35.49% only occasionally read the permissions, and 28.4% never read the permissions. A small amount of respondents (6.2%) did not know about these permissions.

The right plot of Figure 2 shows how many of the respondents allow the LBS provider to collect their location data. The vast majority of respondents (61.9%) allow their location information to be collected only if they cannot use a particular service otherwise, as is the case with many LBS providers, such as Google maps and HERE maps. 5.2% of respondents always allow the location application to collect the user location data and 9.6% of respondents allow the location application to collect such data from time to time, independently of whether or not the LBS application could have been used in “private” mode (i.e., no data collection). 23% of respondents answered that they had never allowed an application to collect their location data. However, one could also infer that it might be unclear for some users whether or not a certain LBS application collects location data and sends it to the cloud. This comes as a conclusion when comparing the left plot of Figure 2, where only 13.6% of the respondents wrote that they do not use any location engine on their phone, with the right plot of Figure 2, where 23% of respondents say that they never allow an application to collect their location data. Nevertheless, one has to keep in mind that the vast majority of current LBS mobile applications cannot run unless the user allows the application to collect his/her location data.

Figure 3 compares the level of concern of users with respect to their location privacy with other types of personal digital data, such as emails, documents, calls, phone contacts, or images/videos. If we look at the “Very high concern” bars, clearly the users are much more concerned with protecting the privacy of all other types of personal digital data than protecting the location privacy. However, “High” and “Moderate” concerns bars are rather similar for different types of data, which shows that users have significant concerns regarding the privacy of all their personal data, location data included. As for the “No concern” bars, privacy of pictures and videos are least worrisome to those in the survey, with 12.6% having no concern for the privacy of these items. For location privacy, 7.3% had no concern, 14.4% had little concern, 19% moderate concern, 24.5% high concern, and 29.4% very high concern.

How these concerns translate also in a willingness to pay extra for location privacy can be seen in Figure 4. Clearly, the vast majority of users (61.9%) are not yet ready to pay anything extra for a privacy-preserving location engine. It is interesting to see that, among those who are interested in paying something (23.2% of the total respondents), the majority (60.9% of the respondents willing to pay something) would opt to pay up to 15% more compared to their current monthly mobile fee, and no respondent opted to pay more than 20% of the current monthly fee.

The survey findings show that there is already a reasonable awareness about location privacy challenges and that such awareness could be capitalized upon to some extent in business, by offering users more privacy-aware location solutions. The next sections will focus first on some aspects regarding granularity of location estimation, and then on GNSS location technologies categories, and will point out if and how such technologies can better support location privacy.

Granularity of Location Estimates for Various LBS
When talking about location privacy, one refers to the capacity of preventing any third parties to learn anything about a device location in space and time. There is thus a quadruplet (x, y, z, t) characterizing the location, where x, y, z are the spatial coordinates of the mobile device and t is the time at which that location is valid. When time is also known, we often talk about the user or device tracking.

There are two ways of defining the granularity of a location estimate: one is from the point of view of an attacker and it refers to the accuracy level at which the attacker can detect the location information; the other is from the user’s point of view, and it refers to the Quality of Service (QoS) received from a Location Service Provider (LSP), knowing that there is an inherent tradeoff between preserving his/her own location privacy via, for example, some cloaking or obfuscation mechanisms, and the QoS of the LBS. For example, let’s assume that the user’s true position at time t is (x, y, z), but the location information sent to the LBS and/or accessed by an attacker is (x + Δx, y + Δy, z + Δz). Then, the location granularity g in this case is defined as

g = √Δx² + Δy² + Δz²,

which is basically the distance uncertainty in the location estimate.

Table 1 (see inset photo, above right) gives examples of how an attacker can make use of the user location, if the user location is known with a certain granularity. The last column also shows positive examples of how the location information of a certain granularity can serve the user. Typically, the location needs to be known at several moments in time, ranging from a few hours to several months, in order for an attacker to be able to act upon the knowledge, but sometimes even the knowledge of as little as four different locations in time can lead to personal identification (see De Montjoye et alia in Additional Resources). As shown in Table 1, while one may be completely unconcerned if his/her location is known within a kilometer of error, this might be enough for an attacker to establish if a family is away from their home and to organize a house burglary. The examples of attacks shown in all rows above the current row are also applicable to the current row. For example, if the location is known within a few tens of meters from the actual position, house burglary, car thefts, or stalking are also potential threats, in addition to terrorism or disclosures of unwanted personal information, which are enabled by a more precise location known to an attacker.

Location Privacy in GNSS-Based Positioning Cloud GNSS
In the coming years, the development of new GNSS-based applications will play a leading role in the context of urban environments, i.e., Smart Cities, where almost every object or device such as urban furniture or wearable items can be connected between themselves, i.e., Machine to Machine (M2M) or D2D, and to the internet. In this sense, IoT applications have triggered the use of GNSS technologies for retrieving the Position, Velocity, and Timing (PVT) of the devices. Nevertheless, GNSS was designed for outdoor applications, and its performance gets truncated in urban working conditions. Moreover, IoT devices cannot implement advanced computational tasks due to constraints on low energy consumption, thus hindering the use of GNSS in harsh working conditions such as urban canyons, indoors, etc. Computational constraints are not only circumscribed to GNSS-based IoT devices, but also to conventional GNSS receivers providing advanced features such as multi-constellation processing, signal authentication, or threat detection (e.g., interference or propagation effects such as multipath or NLOS).

To overcome this hurdle, the Cloud GNSS concept has recently been proposed as a disruptive approach for solving most of the current limitations of conventional GNSS receivers (see Additional Resources). In this paradigm, the GNSS signal processing tasks traditionally carried out in on-chip GNSS modules at the user terminal, are now relocated in a cloud server, as illustrated in Figure 5, where on-demand scalable computing capacity in terms of data storage and processing power is available. Thanks to this availability, the energy consumption and computational power required by the user terminal is significantly reduced, since its main function is now to gather raw GNSS samples and transfer them to the cloud. Thanks to the computing capacity provided by the cloud, sophisticated GNSS signal processing techniques can easily be performed, thus providing a wider range of use cases where the GNSS sensor can effectively operate. For instance, Cloud GNSS can be used in liability-critical and safety-critical applications, where the use of conventional GNSS receivers faces some limitations due to the stringent requirements imposed on the user terminal in terms of integrity, continuity and, in the future, authentication.

The transfer of information from the user terminal to the cloud may raise some concerns on the potential vulnerabilities of cloud GNSS signal processing in terms of privacy and security. From a high-level perspective, we can identify three different categories of vulnerabilities, explained below: i) at the user-to-cloud communication link; ii) on the cloud storage of personal digital data, such as identifiers or GNSS raw samples; iii) on the computation, and therefore knowledge, of users’ location by third-parties, for example at the Location Based Service Provider (LBSP) side.

User-to-Cloud Communication
During the transmission of raw GNSS samples from the user’s device to the cloud server, personal data may eventually be intercepted by attackers. Location may also be known by the service provider of the network infrastructure due to the identifier each device holds, e.g., IP or MAC address or International Mobile Station Equipment Identity (IMEI). However, communication privacy and security is already provided by wireless infrastructures through secure communication protocols and standards, e.g., user access authentication implemented in Long Term Evolution (LTE) or Narrow Band Internet of Things (NB-IoT). Hence, the security and privacy of the user-to-cloud communication link is achieved with state-of-the-art wireless communication standards. Besides that, some cloud providers also offer secure platforms to connect users’ devices with the cloud. For instance, Amazon Web Services (AWS) offers an IoT platform, which already provides traffic encryption over Transport Layer Security (TLS) by using different cryptography standards such as X.509 or the Signature Version 4 Signing Process (SigV4).

Cloud Storage of Personal Digital Data
Customers may worry about the security involving the raw GNSS samples and personal digital data they upload to the cloud, due to the possibility of it being read or analyzed by third-parties (or attackers) and thus being used in an unauthorized manner. Nine critical threats to cloud security are identified by the Top Threats Working Group (Additional Resources): data breaches, data loss, account hijacking, insecure APIs (Application Program Interface), denial of service, malicious insiders, abuse of cloud services, insufficient due diligence, and shared technology issues. To prevent many of these threats, current cloud providers such as AWS, Microsoft Azure, and Google Cloud provide high-security systems with ISO 27001 certification, thus assuring confidentiality, integrity, and availability. With regard to the stored data, cloud platforms do not distinguish between personal data and any other type of data. Therefore, by using certified cloud platforms, the security of personal data, which in this case would be the raw GNSS samples file, the device location and any other stored personal data, would be guaranteed. Users shall realize that the security policies of a cloud service may change depending on the legislation of the country in which the cloud server is allocated, and hence personal digital data may be accessed by the government.

User’s Location Calculation by Third-Parties
Device anonymization is needed when the user’s location is known to a third-party, either when the location is calculated by the cloud GNSS platform or when it is used by some LBS. If not, the cloud and the LBS server might know who the devices’ owner is, and use the personal data and location for their own benefit. For LBS, a k-anonymization model to deal with location privacy is presented by B. Gedik and L. Liu. In this approach, an anonymity server decrypts the data transferred from the device to the LBS and removes all the related identifiers (e.g., IP or MAC address, device, or customer identifier). Next, the location information is disrupted by means of spatio-temporal cloaking (i.e., hiding the true location information in a wide spatio-temporal area), and finally, the anonymized location is sent to the LBS server. Note that this approach may perturb the quality of service, and thus a tradeoff between the QoS and location privacy is faced.

Another alternative is to assign a random identifier to every device, which is then changed after a fixed time such as minutes, hours, or days depending on the application, in order to facilitate the anonymization. In this context, hash-based ID variation (see Additional Resources) can be used for enhanced location privacy. This process is often accomplished through two different and independent entities, the first one (e.g., a certification body) being in charge of randomly assigning identifiers to users, and the second one (e.g., the LBSP) being in charge of the exploitation of the randomized data. This scheme guarantees that the entity making use of the data has no access to the mechanism whereby the identifier was generated and assigned to the user. In this manner, users have a time-varying identifier with limited lifetime that thus cannot be tracked for a long period of time. Clearly, the shorter the identifier lifetime, the better the user privacy, since we prevent inferral of user identification via behavior pattern analysis.

In conclusion, there are many protection schemes that can be used to solve the potential vulnerabilities of cloud GNSS positioning in terms of location security and privacy. When it comes to strengthening the privacy requirements of the user’s location, this often translates into a tradeoff between privacy and QoS.

Assisted GNSS
In order to position itself using the signals from navigation satellites, the GNSS receiver needs to know the precise time and orbital parameters to compute the positions of the satellites. The GNSS satellites broadcast this information in their navigation messages. However, decoding the orbital information from navigation messages takes 30 seconds in good signal conditions, which is a significant Time-To-First-Fix (TTFF), i.e., delay in the starting of positioning. This time may be much longer in environments dense with buildings or foliage where these obstacles attenuate the satellite signals. If the signal power decreases further, the receiver cannot decode the navigation data even if it is still able to make the ranging measurements. In this case, without information on satellite orbits and precise time, the measurements are useless for the receiver and it cannot compute its position.

In A-GNSS, the functionalities of a GNSS receiver are enhanced through terrestrial communication networks to shorten the TTFF and to improve the sensitivity of the receiver, i.e., to allow positioning with weaker satellite signals (J. Syrjäinne; F. Van Diggelen, Additional Resources). In A-GNSS, the missing information is provided to the receiver by a server that is connected to the receiver that has good visibility to the satellites (Figure 6). In addition to the orbital information and time, the A-GNSS can also deliver the Differential GNSS (DGNSS) corrections which allow improvements of positioning accuracy even to the one meter level.

Two architectures were proposed for A-GNSS where the roles of the user terminal (mobile station, MS) and the server in the network are different. In MS-based A-GNSS (MS-Based Network-Assisted) the user receives assistance data from the server and makes the ranging measurements, possible DGNSS corrections, and positioning calculations by itself. In MS-assisted A-GNSS (MS-Assisted Network-Based) the user terminal makes the ranging measurements and sends them to the server. The server applies the possible DGNSS corrections to the measurements, computes the position, and sends it back to the user. To assist the user terminal in the positioning measurements, the server sends a small set of assistance data to the user to enable fast signal acquisition.

In MS-based A-GNSS, in good signal conditions the user terminal can also position itself without assistance from the server. That is to say, the network connection is not necessary. In MS-assisted A-GNSS, the positioning of the user terminal always requires two-way communication with the server. The best achievable accuracy in both A-GNSS modes is defined by the DGNSS, which allows accuracies on the level of one meter (see Additional Resources). However, both modes are susceptible to multipath and NLOS, and therefore the accuracy is not always as good as in clear LOS. Actually, in an MS-based approach, the positioning accuracy may deteriorate to hundreds of meters when assistance is needed due to bad signal conditions. When the satellite signal levels drop very low, e.g., in underground settings, the user devices also cannot make the measurements, and both A-GNSS modes fail.

While both MS-based and MS-assisted architectures require point-to-point communication, either in the control plane of a cellular network or in the user plane of a wireless internet, only in MS-assisted approach does the user terminal reveal its accurate position to the server. The functionalities of the current Cloud GNSS are very similar to MS-assisted A-GNSS, therefore the privacy threats are also similar. For A-GNSS, secure architectures exist (L. Wirola et alia), e.g., the Open Mobile Alliance Secure User Plane Location Protocol (OMA SUPL) which provides security and authentication services using Generic Bootstrapping Architecture (3GPP GBA) (please see Additional Resources).

Conclusions
Our studies shed more light on users’ perception of their location privacy and on the privacy threats and solutions in modern wireless localization. We learned that, in general, users are not yet particularly aware of location privacy threats and most would not be willing to pay much or anything for private or passive positioning. In addition, privacy of localization is not yet fully solved in many state-of-the-art GNSS localization systems, such as Cloud GNSS and Assisted GNSS.

Acknowledgements
The authors express their warm thanks to the Academy of Finland (Project 303576) for its financial support for this research work.

Additional Resources
[1] 3GPP TS 33.220 Generic Bootstrap Architecture
[2] Chen, L., Thombre, S., Järvinen, K., Lohan, E. S., Korpisaari, P., Kuusniemi, H., Leppäkoski, H., Honkala, S. , Bhuiyan, M. Z. H., Ruotsalainen, L., Ferrara, G. N., Bu-Pasha, S., “Robustness, Security, and Privacy in Location-Based Services for Future IoT,” IEEE Access, Vol. 5, pp. 8956-8977, 2017
[3] De Montjoye, Y. A. , Hidalgo, C. A., Verleysen, M., and Blondel., V. D., “Unique in the Crowd: The Privacy Bounds of Human Mobility,” Scientific Reports 3, Article number: 1376, 2013
[4] Gedik, B. and Liu, L., “Location Privacy in Mobile Systems: A Personalized Anonymization Model,” Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, ICDCS, pp. 620-629, June 2005
[5] Gschwandtner, F. and Schindhelm, C. K., Spontaneous Privacy-Friendly Indoor Positioning using Enhanced WLAN Beacons, 2011
[6] Henrici, D. and Muller, P., “Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers,” Proceedings of the 2nd IEEE Annual Conference in Pervasive Computing and Communications Workshops, pp. 149-153, March 2004
[7] Li, M., Zhu, H., Gao, Z., Chen, S., Ren, K., Yu, L., and Hu, S., “All Your Location are Belong to Us: Breaking Mobile Social Networks for Automated User Location Tracking,” Proceedings of MobiHoc, ACM, pp. 43-52 2014
[8] Lucas-Sabola, V., Seco-Granados, G., López-Salcedo, J. A., García-Molina, J. A., and Crisci, M., “Cloud GNSS Receivers: New Advanced Applications Made Possible,” Proceedings of the International Conference in Localization and GNSS (ICL-GNSS), pp. 1-6, June 2016
[9] Maglogiannis, I., Kazatzopoulos, L., Delakouridis, K., and Hadjiefthymiades, S., “Enabling Location Privacy and Medical Data Encryption in Patient Telemonitoring Systems,” IEEE Transactions on Information Technology in Biomedicine, Vol. 13, No. 6, pp. 946-954, November 2009
[10] Mascetti, S., Bertolaja, L., and Bettini, C., “A Practical Location Privacy Attack in Proximity Services,” 2013 IEEE 14th International Conference on Mobile Data Management, Milan, pp. 87-96, 2013
[11] Misra, P. and Enge, P., Global Positioning System – Signals, Measurement and Performance, 2nd ed., Ganga-Jamuna Press, ISBN 0-9709544- 1-7, 2006
[12] OMA Secure User Plane Location 1.0, OMA-ERP-SUPL-V1_0-20070615-
[13] Pomfret, K., “Geolocation Privacy – Implications of Evolving Expectations in the United States,” Inside GNSS, September/October 2016
[14] Skorin-Kapov, L., Pripužić,K., Marjanović, M., Antonić, A., and Žarko, I. P., “nergy Efficient and Quality-Driven Continuous Sensor Management for Mobile IoT Applications,” 10th IEEE International Conference on Collaborative Computing: Networking, Applications, and Worksharing, Miami, FL, pp. 397-406, 2014
[15] Syrjärinne, J., Studies of Modern Techniques for Personal Positioning, Ph.D. Dissertation, Tampere University of Technology, 2001
[16] Top Threats Working Group, The Notorious Nine: Cloud Computing Top Threats in 2013, Cloud Security Alliance, 2013
[17] Van Diggelen, F., A-GPS : Assisted GPS, GNSS, and SBAS, Artech House, 2009
[18] Webropol web survey tool
[19] Wirola, L., Laine, T. A., and Syrjärinne, J., “Mass-Market Requirements for Indoor Positioning and Indoor Navigation,” Proceedings of the International Conference on Indoor Positioning and Indoor Navigation (IPIN), Zürich, Switzerland, 2010

The post Location Privacy Challenges and Solutions, Part 1 appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

The vulnerability of GNSS to various forms of malicious interference have been widely discussed in recent years, and have considered a wide range of both real and potential attacks. Some of these have included extensive studies of commercially available jamming devices, while others have considered the more comprehensive case of spoofing, where the interference takes the form of genuine GNSS signals (For details, see papers listed in Additional Resources, including M. G. Amin et alia).

The vulnerability of GNSS to various forms of malicious interference have been widely discussed in recent years, and have considered a wide range of both real and potential attacks. Some of these have included extensive studies of commercially available jamming devices, while others have considered the more comprehensive case of spoofing, where the interference takes the form of genuine GNSS signals (For details, see papers listed in Additional Resources, including M. G. Amin et alia).

Studies of simple jamming attacks have demonstrated that it is relatively easy, given sufficient broadcast power, to deny the use of GNSS to many commercial receivers (For details, see papers listed in Additional Resources, including M. Johnson and R. Erlandson). However, it has also been shown that given the easily identifiable or periodic nature of simple jamming signals, a receiver can often mitigate the threat, for example, via the use of adaptive filtering or pulse blanking (F. Dovis, Additional Resources). Furthermore, it has been demonstrated that the jamming signal itself can be readily exploited to identify and locate the jamming source. On the other hand, recent work on GNSS spoofing has shown that current receivers are vulnerable to a well calibrated spoofing attack (T. E. Humphreys, et alia), and it is clear that many receivers can be manipulated without arousing any suspicion. However, such attacks are highly complicated and require knowledge of the GNSS signals, and the attack scenario, including precise timing and positioning.

It is highlighted here that a middle ground exists between the simple jammer and the spoofer, and it is the most likely “next step” for the malicious adversary. A typical jammer is blind to the GNSS signals it overwhelms, and simply relies on power and spectral occupation to deny the GNSS signals. In contrast, a spoofing device must faithfully replicate the characteristics of genuine GNSS signals. As such, spoofing is highly sensitive to alignment of time, phase and power of the spoofing signals with respect to the genuine signals. It is suggested that it is possible to create a device, only slightly more complex than a simple jammer, that can increase the efficiency of a jamming-based denial-of-service (DOS) attack.

Specifically, this work introduces the concept of systematic jamming: where a simple jammer might be combined with information of the GNSS signals to produce a more sophisticated jamming signal. For example, a jammer may be equipped with a simple low-cost commercial GNSS receiver, providing accurate position, time and satellite ephemerides. With this information, it might be possible to trigger short and sparse bursts of interference, such as to deny GNSS to a nearby receiver with a very low average power. In this manner, a receiver might be unable to: reliably detect that a jamming attack was ongoing; to effectively mitigate the jamming attack; or to identify or localize the jamming source. In the work that follows, we consider what form such a jammer might take, what the implications for the nearby target receiver might be, and how a target receiver might be equipped to thwart such an attack.

The basic principle is that for standalone GNSS, the position, velocity and time (PVT) can be denied by either: denying the physical layer, on which the ranging measurements are made; or by denying the data layer, prohibiting the recovery of ephemeris or transmit time; or both. Because the data layer need only be sporadically interrupted to completely deny the message recovery, it represents the weakest link in the PVT generation. It is therefore the obvious target, particularly when channel coding is not present in the jammed signal.

Problem Definition
This work considers the threat that might be posed if a malicious adversary were to add a small amount of added complexity to the typical GNSS jammer, with the intention of providing bursts of interference at specific epochs. A modification to the typical GNSS jammer is envisaged, which includes an on/ off keying driven by a micro-controller, as depicted in Figure 1 (for all figures, tables and equations, please see inset photo, above right). The algorithm controlling the keying employs position and timing information sourced from a simple, low-cost GNSS consumer-grade receiver (naturally, care must be taken to avoid self-interference). Using the GNSS measurements, accurate estimates of the transmit-time observed on GNSS signals seen in the vicinity of the jammer can be computed.

It is proposed that this information might be exploited by an adversary to trigger short pulses of interference which are tightly aligned with specific portions of the navigation message of each satellite. Previous work has demonstrated that a low duty-cycle pulsed interference, appropriately synchronized with the navigation message, can cause disruption to the receiver data recovery process, equivalent to that of an always-on interference (J. Curran et alia, Additional Resources). This process requires that the pulse pattern be designed to specifically target weaknesses in the navigation message coding scheme, and it has been shown that a malicious adversary might inflict a DOS upon a naïve receiver, using an average interference power 10 to 20 decibels lower than continuous interference.

Naturally, this offers some distinct advantages to the adversary: a given broadcast power might impose a DOS over a wider geographical area; by broadcasting short sporadic bursts of interference, it may be more difficult for an authority to detect or locate the jamming source; it may also be possible that the interference pattern can be made sufficiently sparse that the target receiver, although experiencing a DOS, might not reliably assert that it is experiencing interference.

Here, the current Galileo E1BC and GPS L1C/A signals are studied, seeking to identify how the adversary might target these signals, and will then analyze to what extent a DOS might be conducted.

Systematic Interference and Denial of Service Attacks
The methodology chosen for the generation of harmful pulse-patterns is based on denying navigation capability of the receiver, rather than denying the signal itself. To produce a PVT solution, a receiver generally needs to extract the ephemeris from each satellite and the time-of-week (TOW) from at least one satellite. This work examined the design of interference pulse patterns which might disrupt this process.

Sensitive navigation data
A TOW message is broadcast by all GNSS signals at regular intervals, and generally occupies a very small portion of the overall navigation message. In the case of GPS L1 C/A the TOW is broadcast in an unencoded form once per subframe, whereas for Galileo E1B, it is encoded, and broadcast once per pair of pages. Thus, the denial of TOW for the GPS L1 C/A signals requires either the denial of the subframe synchronization, or denial of the raw data itself. In the case of Galileo, the TOW might be denied by either denying page synchronization, or by inducing errors in the symbol decoding process. The basic details of the navigation messages, as shown in Figure 2, are as follows.

GPS: The L1 C/A preamble is an 8 bit sequence (160 milliseconds) transmitted every 6 seconds. The GPS parity is composed of 6 bit (120 milliseconds) transmitted every 600 milliseconds (navigation data word). Checking the consistency of two subsequent preambles, as well as the 10 parity checks in between, is a commonly accepted mean of synchronizing to the 6 seconds boundary.

Galileo: The E1B signal transmits a plain 10 symbol synchronization sequence (40 milliseconds) every second. It is interesting to see that GPS and Galileo synchronization sequences hardly overlap in time. The Galileo message CRC is FEC encoded and then spread by an interleaver. The E1B receiver deinterleaves the data and runs a Viterbi decoder to retrieve the 120 bit/sec of I/ NAV. The identification of a word results in resolving a 2 seconds time ambiguity, where certain words contain the time of week and/or week number.

Considerations for Navigation Message Authentication: Although the example examined here is that of denial of the PVT through the denial of the TOW, there are many other parts of the navigation message that could be targeted. In particular, it is worth mentioning the recent interest in the use of cryptographic methods for the protection of the navigation data. These methods typically require the inclusion of a significant number of cryptographic data bits in the navigation message, either as additional navigation data words or pages. This cryptographic data can be the order of several hundred bits, and generally has an all-or-nothing property, where any single bit error can render the entire message useless. For example, cryptographic keys can be several hundred bits in length, and digital signatures can be 300 to 600 bits in length. In both these cases, a single bit error is sufficient to corrupt them.

At present, data such as the ephemeris is broadcast piecewise, in short packets (words or pages), and repeated very frequently. Each ephemeris can be recovered piece-by-piece over time. In contrast, many proposals for GNSS message authentication have suggested that the cryptographic data be nonrepeating, in order that it provide some secondary spoofing-detection, or “carry-off” protection. Following these recommendations might render the message authentication data highly sensitive to systematic-jamming, where even very sparse interference might render the authentication function unavailable. If the availability or validity of the PVT is then associated with, or conditioned upon the correct verification of the navigation message authenticity, then this PVT might be denied quite easily, and covertly. This might compare very poorly with the resilience enjoyed by current receivers, especially those that utilize extended ephemeris or assistance data.

Design of Interference Pulse Patterns
The object of this section is to identify an interference signal that will deny the extraction of the TOW from the above signals using the least amount of energy possible such that the target receiver either remain unaware of the jamming attack; might be unable to effectively mitigate the jamming signal. To simplify the problem somewhat, the jamming signal is restricted to be an on-off-keying of a chirp interference signal, transmitting pulses of fixed duration equal to some integer milliseconds.

Two particular examples are explored here: GPS L1 C/A which is subjected to pulsed interference across the broadcast TOW, and the case of Galileo E1B, which is subject to pulsed interference across a series of symbols spaced according to the symbol interleaver, and are depicted in Figure 3. The GPS pulse pattern has been aligned with the 17-bit TOW and consists of six 20-millisecond pulses evenly spaced across a period of 240 milliseconds. The Galileo pulse pattern consists of fifteen 4-millisecond pulses, spaced according to the Galileo 8 °— 30 block interleaver, such that all 12 pulses appear consecutively once the received symbol stream has been deinterleaved.

This particular choice of pulse patterns is somewhat arbitrary, and has been selected based on some simple experiments. A more thorough design might carefully weigh the choice of number of pulses, pulse duration, and instantaneous interference power, to find a pattern which provides the highest probability of inducing bit errors, with the minimum probability of being detected. This will depend on the monitoring techniques of the receiver – including the carrier-to-noise density (C/N₀) estimator and tracking loop design.

To align these pulse patterns with the received GNSS signals, they are broadcast with a delay relative to the edge of a GPS 6 second boundary. All GNSS satellites broadcast their messages in synchronous, and all have a range between 18,000 and 24,000 kilometers, depending azimuth and elevation, this fixed delay was set to 67 milliseconds, or approximately 20,000 kilometers.

Note that the maximum variation between nearest and furthest satellite results in a misalignment of less than 20 milliseconds, and so the pulse pattern applied to the GPS L1 C/A message will still overlap completely with the 17 bit TOW message. Similarly, owing to the nature of the block interleaver used for Galileo E1B, when the pulse pattern is shifted relative to the encoded symbols, provided they still overlap with a single page, the receiver will deinterleave to a continuous stream.

Anatomy of a Systematic Jammer
Central to any jamming device is the interference generator. In the systematic jamming device envisaged here, the key to its effectiveness is the interference pulse pattern, rather than the modulation of the interference signal itself, and so it is assumed that the source is similar to a typical chirp jammer, as depicted in Figure 4. These devices are remarkably simple, consisting of little more than a crystal, a VCO and a power amplifier. As can be seen from the exploded view in Figure 4, the device comprises only a handful of discrete components. Elaboration to a systematic jammer would involve on-off-keying the output of such a device. This suggests that the cost and complexity of a systematic-jammer would be driven by the inclusion of a GNSS receiver, rather than the actual generation of interference.

Figure 5 shows the measured spectrum of the jammer depicted in Figure 4. The interference signal has a chirp modulation with a bandwidth of approximately 40 megahertz centered at L1. The amplitude varies slightly with frequency such that the chirp period can be clearly identified as approximately 20 microseconds. Even a very small device such as this is capable of creating a powerful wideband interference that poses a significant threat to typical GNSS receivers.

Until very recently, the only widely available transceiver option existing for radio amateurs and navigation/telecommunication engineers was the Ettus product line: the USRPs. More recently the technological advances in the integration of RF components into single multi-modal chips (mostly driven by the 3G/4G and DTV market) have enabled the design of relatively simple, highly versatile low cost SDR peripherals. A comprehensive review of such hardware is not appropriate here. Two commercially available transceivers were used in laboratory experiments. The most relevant specifications for these two devices are presented in Table 1.

Rather than develop and integrate the hardware required for a systematic- jammer, an equivalent model was developed based on the PPS-triggered broadcast of a pre-generation of an intermediate- frequency dataset containing the required pulse-patterns. This offered a very simple means of experimenting with the concept, however a practical device would simply implement an on-off- keying of a jammer similar to that shown in Figure 4.

Synchronization of the Jammer with GNSS-Time
A trigger for transceiver two was added to the stock firmware released on June 2016. At the time of writing, however, transceiver one did not support triggering but, as it is an open hardware and software design, this feature was implemented. Testing for synchronization of two transmitters was performed by generating a simulated single GPS L1 C/A signal (for a satellite that was not visible at the time), and triggering its broadcast using a PPS edge, as shown in Figure 6. This simulated signal was then combined with live signals from the rooftop antenna and processed by a GNSS receiver. By examining the pseudorange difference between the simulated and live GNSS signals it was possible to assess the accuracy of the PPS-triggered broadcast. It was observed that the start of the broadcast was accurate to within a few hundred microseconds, but the range diverged rapidly due to the poor clock quality of the transmitter. This indicated that it would be necessary to periodically re-synchronize the transmission with GPS time.

Live Testing with a COTS Receiver
This section briefly describes results of a simple systematic interference test conducted on a COTS GNSS receiver. The prototype systematic jammer was constructed using a single open source SDR platform, which derived synchronization with GPS time via a timing receiver, which delivered a rising edge on a trigger once every 30 seconds, as depicted in Figure 6. Note that although this device delivered a very precise timing reference, the systematic jamming attack does not necessarily require such accuracy, indeed the GNSS propagation delay is approximated with an error of up to 10 milliseconds. Therefore, a 1 to 10 millisecond accurate reference derived from a wired or wireless network, being WiFi or a 3G mobile network, would suffice. The test consisted of a conductive combination of a live GNSS feed from a roof mounted antenna with a systematic interference signal. The receiver under test was configured to deliver raw observations to a host PC for post processing.

Denial of GPS L1 C/A PVT
In the first test, the ability of the systematic jammer to deny observations and a PVT from GPS L1 C/A was examined. The experimental setup described above was used, and the pulse pattern depicted in Figure 3 (top) was used. The prototype jammer was powered up and allowed to initialize and align with GNSS time. Next the receiver under test was issued a cold-start command and its behavior was observed. The test was repeated with progressively increasing interference power until a power level was established at which the receiver was unable to produce a PVT, which was observed to occur at an instantaneous interference to noise floor level of approximately 30 decibels.

A trace of the 11 GPS satellites being tracked by the receiver are shown in Figure 7, where it can be seen that the received C/N₀ for the L1 C/A signal ranges from 49 to 35 decibel-hertz, but experiences brief reductions in power of approximately 6 decibels. During the entire test, the receiver was unable to provide a sufficient set of observations and ephemerides such that a PVT could be computed. Unfortunately, it was not possible to gain enough visibility into the internal receiver functionality to determine exactly which information was successfully extracted. It would have been helpful to understand whether ephemeris, almanac, health status and other variables were available, or whether the annihilation of the TOW and subsequent CRC failure rendered all data unavailable. Nonetheless, the results confirm that it is possible to deny a GPS L1 C/A based PVT via the targeted jamming of just a small portion of the navigation message. Beyond the results presented here, a similar systematic interference test was conducted and configured to run continuously over a 24-hour period, such that the receiver experienced a complete change in the visible constellation. Again, it was found that the receiver was unable at any point to provide a PVT despite the fact that the receiver was capable of acquiring and tracking all signals visible with only a minor degradation to the C/N₀.

Denial of Galileo E1B PVT
The second test conducted was designed to assess the ability of the systematic jammer to deny observations and a PVT from the Galileo E1B signals. The pulse pattern was further changed to that of Figure 3 (bottom) and an experimental setup similar to the GPS case was used. However, due to the low availability of healthy Galileo satellites, the live GNSS feed from the roof antenna was replaced with a simulated signal sourced from a multi-constellation simulator. In this case the pulse pattern significantly more distributed in time, being spread relatively evenly across the I/NAV odd page. This particular pulse pattern was shaped according to the interleaving pattern, rather than being aligned with a particular data word, with the intention that once it is deinterleaved, it will appear as a continuous stream of symbol errors arriving at the decoder.

Interestingly, the ability of this approach to deny the navigation message is relatively insensitive to its alignment with the beginning of the page. Provided the complete set of pulses are received within one page, they will be de-interleaved into a continuous stream.

A screenshot from one of the tests is shown in Figure 8 which includes a trace from eight Galileo and nine GPS satellites. As expected, the Galileo E1B message has been denied by the systematic interference, as indicated by the blue color-coding of the figure. Two interesting observations were made during this test. First, it was noted that the reception of the GPS L1 C/A signal was relatively unaffected. Eight of the nine GPS satellites report useful observations, and the receiver steadily provided a GPS-based PVT. The second particularly striking observation is that the C/N₀ reported by the receiver under test does not exhibit any significant variation either for GPS or for the Galileo satellites. A C/N₀ in the range of 48 to 49 decibel-hertz was reported for all Galileo satellites, yet the receiver was unable to extract navigation data from any of them. One reason for this is that the interference is relatively sparse in time and its effect is smoothed by the C/N₀ estimation process.

A few interesting conclusions are drawn from these results. We note that is possible to deny the use of one kind of GNSS signal, in this case, Galileo E1B, while leaving the other, in this case GPS L1 C/A, relatively unaffected, even when they occupy the same RF band. This appears to be due to the relative orthogonality of the navigation message structures, owing to their significantly different symbol periods, 4 milliseconds and 20 milliseconds, and the fact that one employs FEC while the other does not. It is also clear that the observation of C/N₀ may not be a useful means of interference detection, given that the C/N₀ level observed on the GPS and Galileo signals was virtually identical, yet the impact of the interference on the receiver’s ability to process the signal is drastically different.

Power, Energy and Synchronization
The probability of a bit or symbol error occurring is a very nonlinear function of the instantaneous interference power, however this probability of error saturates at 0.5. To achieve a more reliable denial of the navigation message, more symbols must be targeted, where the probability that the message is corrupted is given by:

P_Err = 1 − 0.5^N_Pulse     (1)

where N_Pulse denotes the number of corrupted symbols. This probability tends to unity quite rapidly. Naturally, the total interference energy required increases as a linear function of the number of symbols:

E_Int = P_Ind N_Pulse T_Pulse     (2)

where T_Pulse the pulse periods, being equal to the symbol or bit period. An astute adversary will tune this energy effecting a trade-off between the probability that the navigation message is denied, and the probability that the interference power will alert the receiver to the attack. In effect, by using a systematic interference, an adversary can reduce the total interference energy, or average interference power required to render the PVT unavailable. The reduction can be computed relative to a continuous interference signal, by expressing the average duty-cycle of the interference:

Equation (3) (see inset photo, above right)

where T_Patt is the repetition period of the interference pattern, being 6 seconds for GPS L1 C/A and 2 seconds for Galileo E1 B. The interference configuration for both the GPS L1 C/A and Galileo E1B are summarized in Table 2, where it is suggested that the effective gain of applying systematic jamming, as opposed to continuously broadcast jamming, is in the region of 15 to 17 decibels. Moreover, although the results here have been generated using a tightly synchronized transmitter, the principle of operation of the systematic jammer would permit synchronization errors in the region of 1 to 10 milliseconds. Notably, at this level of timing error, the jammer may no longer need to avail of position information.

Conclusion
The literature to date has primarily considered the two extremes of GNSS vulnerability, being either a very simple jamming attack, or a very complicated spoofing attack. Simple jamming, as we know it today, is a very easy attack to launch, but it is also very easily detected, readily localized, and often relatively easily mitigated. Spoofing, although very possible, and not necessarily difficult, is considerably more difficult than jamming. In the short term, if denial of service through simple jamming becomes non-viable, it is not unreasonable to expect this threat to evolve. There appears to be a middle-ground between jamming and spoofing, that might thwart current detection, localization and mitigation techniques. It appears to be very accessible to a malicious attacker, as it only requires commercial, off-the-shelf components, and some basic integration; yet it can pose a significant threat to a naïve receiver implementation. This increased threat comes at a very small increased attack cost and complexity, and has the potential to disrupt many location-based services, by imposing an undetectable partial (data recovery) or full (position and timing) denial-of-service. Preliminary results suggest that this attack methodology is feasible and, under certain conditions, may be quite effective when targeting a naïve receiver.

It is interesting to note that through interference signal design, it is possible to deny signals from one constellation why not negatively impacting signals from another, even when these signals share the same spectrum. Because this is achieved by carefully choosing the on-off-keying pattern, it is likely that this technique can be extended to target specific satellites from a given constellation.

This work represents only a very preliminary examination of the concept, but does seem to highlight the fact that it may be naïve to assume that the jamming threat will not evolve in reaction to anti-jamming technology. The notion that jamming devices might be designed in direct response to anti-jamming techniques might open a new avenue of research into the more game-theoretic aspects of resilient GNSS receivers. It might further invigorate the use of technologies such as antenna diversity, or synthetic aperture antennas, or adaptive interference mitigation techniques.

Additional Resources
[1] Amin, M. G., and P. Closas, A. Broumandan, and J. L. Volakis. “Vulnerabilities, threats, and authentication in satellite-based navigation systems [scanning the issue].” Proceedings of the IEEE, 104(6):1169- 1173, 2016.
[2] Curran, J., M. Navarro, M. Anghileri, P. Closas, and S. Pfletschinger. “Coding aspects of secure GNSS receivers.” Proceedings of the IEEE, 104(6):1271- 1287, 2016.
[3] Dovis, F., “GNSS Interference Threats and Countermeasures.” Artech House, Boston, 2015.
[4] Fontanella, D., R. Bauernfeind, and B. Eissfeller. “In-car GNSS jammer localization with a vehicular ad-hoc network.” In Proceedings of the 25th International Technical Meeting of The Satellite Division of the Institute of Navigation, pages 2885-2893, September 2012.
[5] Humphreys, T. E., J. Bhatti, D. Shepard, and K. Wesson. “The Texas spoofing test battery: Toward a standard for evaluating GPS signal authentication techniques.” In Proceedings of the 25th International Technical Meeting of The Satellite Division of the Institute of Navigation, pages 3569-3583, September 2012.
[6] Humphreys, T. E., B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner. “Assessing the spoofing threat: Development of a portable GPS civilian spoofer.” In Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of Navigation, pages 2314-2325, September 2008.
[7] Johnson, M., and R. Erlandson. “GNSS receiver interference: Susceptibility and civil aviation impact.” In Proceedings of the 8th International Technical Meeting of the Satellite Division of The Institute of Navigation, pages 781-791, September 1995.
[8] Kraus, T., R. Bauernfeind, and B. Eissfeller. “Survey of in-car jammers – analysis and modeling of the RF signals and IF samples (suitable for active signal cancellation).” In Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation, pages 430-435, September 2011.
[9] Mitch, R. H., R. C. Dougherty, M. L. Psiaki, S. P. Powell, B. W. O’Hanlon, B. W. Bhatti, and T. E. Humphreys. “Signal characteristics of civil GPS jammers.” In Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation, pages 1907-1919, September 2011.
[10] Motella, B., S. Savasta, D. Margaria, and F. Dovis. “An interference impact assessment model for GNSS signals.” In Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of Navigation, pages 900-908, September 2008.
[11] NSL, Spirent, “Detector”, Accessed 2016. [12] Psiaki, M. L., and T. E. Humphreys. “GNSS Spoofing and Detection.” Proceedings of the IEEE, 104(6):1258-1270, 2016.
[13] Pozzobon, O., C. Sarto, A. Dalla Chiara, S. Pozzobon, G. Gamba, M. Crisci, and R. T. Ioannides. “Developing a GNSS position and timing authentication testbed GNSS vulnerability and mitigation techniques.” In Inside GNSS article, January 2013.
[14] Samson, J., L. Musumeci, and F. Dovis. “Performance assessment of pulse blanking mitigation in presence of multiple distance measuring equipment/ tactical air navigation interference on global navigation satellite systems signals.” IET Radar, Sonar and Navigation, 8(6):647-657, July 2014.
[15] Spirent, “Simsafe”, Accessed 2016.
[16] Wildemeersch M., and J. Fortuny-Guasch. “A laboratory testbed for GNSS interference impact assessment.” In Proceedings of the 22nd International Technical Meeting of The Satellite Division of the Institute of Navigation, pages 49-54, September 2009.
[17] Curran, James T., Bavaro, Michele, Closas, Pau, Navarro, Monica, “On the Threat of Systematic Jamming of GNSS,” Proceedings of the 29th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2016), Portland, Oregon, September 2016, pp. 313-321.

The post Systemic Jamming appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.

The maritime sector drives the global economy, with ships transporting more than 80% of world trade. Ships and ports have come to rely on global navigation satellite systems (GNSS) for a huge array of applications relating to position, velocity and precise universal and local time.

It is perhaps not surprising that the fallout from GNSS failure in the maritime sector over a five day-period could cost GBP£1.1billion in lost gross value added (GVA) in the United Kingdom alone (or about 1.4 billion USD) – according to a recent study by London Economics, commissioned by Innovate UK, the UK Space Agency and the Royal Institute of Navigation. [For more on this study, see Brussels View in the July/August 2017 issue of Inside GNSS.]

The threat of GNSS disruption to ships themselves is a real one. GPS interference in the Black Sea was reported earlier this year, affecting as many as 20 ships. And the United States Coast Guard warned that a sudden loss of GPS signal had occurred on multiple outbound vessels from a non-US port in 2015. Loss of GPS input to the ship’s surface search radar, gyro units and Electronic Chart Display and Information System (ECDIS), resulted in a lack of GPS data for position fixing, radar over ground speed inputs, gyro speed input and loss of collision avoidance capabilities on the ECDIS radar display.

However, ships do not rely on just GNSS alone for position fixing. A shipmaster can also deploy radar, or cross bearings using compass; terrestrial radio navigation; even sextants. This allows ships to mitigate the impact of GPS disruption.

Regulations in the International Convention for the Safety of Life at Sea (SOLAS) require merchant ships to carry a receiver for a GNSS or a terrestrial radionavigation system, or other means, suitable for use at all times throughout the intended voyage to establish and update the ship’s position by automatic means. But they must also carry a compass, a device to take bearings, and backup arrangements for ECDIS.

The organization which oversees SOLAS and has the remit for adopting carriage requirements, operational requirements and performance standards for world shipping is the International Maritime Organization (IMO). IMO (originally known as the Intergovernmental Maritime Consultative Organization, or IMCO) is the United Nations specialized agency with responsibility for developing the regulations for ship safety and maritime security, and the prevention of pollution from ships.

IMO does not operate GNSS systems, but has an important role in accepting and recognizing worldwide radionavigation systems which can be used by international shipping.

When IMO began its work as the international regulatory body for shipping in 1959, one of its first tasks was to adopt a revised SOLAS treaty, to update the 1948 SOLAS treaty. (The very first SOLAS treaty was adopted in 1914, in the wake of the Titanic disaster, while another version was adopted in 1929.)

When the 1960 SOLAS was adopted by IMO, terrestrial radio navigation systems – including Decca Navigator and Loran A – were already in operation. In these systems, a ship’s radio receiver would measure transmissions from groups of radio transmitters sending signals simultaneously or in a controlled sequence. By measuring the phase difference between one pair of transmissions a line of position can be established. A second measurement, from another pair of stations, gives a second line and the intersection of the two lines gives the ship’s position.

In its chapter V on Safety of Navigation, SOLAS 1960 included a requirement for ships over 1,600 gross tonnage on international voyages to be fitted with radio direction-finding apparatus – a requirement dating back to the 1948 SOLAS Convention. The apparatus was required to comply with system requirements set out in SOLAS chapter IV on Radiotelegraphy and Radiotelephony (SOLAS Chapter IV is now called Radiocommunications).

By the late 1960s and early 1970s, Loran C and Differential Omega radio navigation systems were also becoming operational in major areas of the world’s oceans and they were combined with early computer technology to provide electronic printouts of the ship’s position. The then-Soviet Union’s Chayka system also became operational.

During this time, IMO Member States increasingly recognized the importance of using navigation systems in maritime safety and preventing marine pollution, for example as an aid to avoiding hazards. In 1968, IMO recommended that ships carrying oil or other noxious or hazardous cargoes in bulk should carry “an efficient electronic position-fixing device” (Assembly resolution A.156(ES.IV) Recommendation on the Carriage of Electronic Position-Fixing Equipment).

IMO’s Maritime Safety Committee was also noticing the potential for accurate position finding which satellites could provide. As with other developments in technology with shipping applications, IMO’s concern was to ensure that the user would benefit from the new technology and that such new systems would at least meet agreed performance standards.

A recommendation on accuracy standards for navigation, adopted by the IMO Assembly in 1983 (resolution A.529(13)), provided “guidance to Administrations on the standards of navigation accuracy for assessing position-fixing systems, in particular radionavigation systems, including satellite systems”. Outside harbour entrances and approaches, the order of accuracy was set at “4% of distance from danger with a maximum of 4 nautical miles”.

This was a fairly moderate requirement compared to today’s systems.

The Maritime Safety Committee had, in the meantime, begun to consider whether ships should be required – on a mandatory basis – to carry means of receiving transmissions from a suitable radio navigation system throughout their intended voyage.

A study was initiated to look at the operational requirements (including the need for reliability and low user cost) and how such systems could be recognized or accepted by IMO.

The Report on the study of a World-Wide Radionavigation System was adopted by the IMO Assembly in 1989 (resolution A.666(16)). It gave a detailed summary of the different terrestrial-based radio navigation systems then in operation (Differential Omega, Loran-C, Chayka), and also the satellite systems in development. These were the Global Positioning System (GPS) (United States) and GLONASS (Global Navigation Satellite System) (then Soviet Union – now under the Russian Federation). It was agreed that IMO would develop performance standards for GPS and GLONASS receivers.

The study concluded that it was not feasible for IMO to fund a worldwide radio navigation system. However, IMO’s role would be to review radionavigation systems against set criteria, before they could be accepted. A radionavigation system adopted by IMO should be reliable, of low user cost, meet general navigation needs, provide accuracy not less than the standards adopted in 1983, and have 99.9% availability.

The study also recommended that changes to carriage requirements should not be considered until world-wide coverage had been achieved by a radionavigation satellite system.

In 1995, an updated study was adopted as the IMO policy for the recognition and acceptance of suitable radionavigation systems intended for international use in the world-wide radio navigation system (resolution A.815(19)). This study additionally recognized the need for provision of position information to support the Global Maritime Distress and Safety System (GMDSS), by locating vessels in distress. The needs of high speed craft, such as fast ferries, were recognized and the study noted that ships operating at speeds above 30 knots may need more stringent accuracy requirements.

Performance standards for shipborne GPS receiver equipment were also adopted in 1995, and for GLONASS receivers in 1996. GPS became fully operational in 1995 and GLONASS in 1996. Both systems were recognized by IMO as components of the world-wide radionavigation system in 1996.

Meeting Maritime User Needs
IMO Member States acknowledged that there was a need to look ahead, to ensure that any future GNSS would meet maritime user needs. “Maritime Requirements for a Future Global Navigation Satellite System (GNSS)” were developed and adopted by the IMO Assembly in 1997 (resolution A.860(20)). This emphasized the need for IMO to play a continued role in monitoring the developments and ensuring that any future GNSS meets IMO requirements, including those for navigational accuracy, integrity of the service, availability, reliability and coverage.

In 2000, with both GPS and GLONASS systems now fully functional and providing the required degree of reliability, IMO moved forward with adopting mandatory carriage requirements for GNSS.

A revised SOLAS chapter V (Safety of Navigation), which entered into force in 2002, requires ships to carry a GNSS or terrestrial radionavigation receiver, to establish and update the ship’s position by automatic means, for use at all times throughout the voyage.

IMO also adopted MSC resolutions on updated performance standards for Shipborne Global Positioning System (GPS) Receiver Equipment (MSC.112(73)), for GLONASS Receiver Equipment (MSC.113(73)), for Shipborne DGPS and DGLONASS Maritime Radio Beacon Receiver Equipment (MSC.114(73)) and for shipborne combined GPS/GLONASS receiver equipment (MSC.115(73)).

Reflecting the increased positional accuracy provided by GPS and GLONASS, an updated resolution giving the IMO policy for the recognition and acceptance of suitable radio navigation systems intended for international use was adopted in 2003 by the IMO Assembly (resolution A.953(23)).

This resolution made the accuracy standards required more stringent (revoking those agreed in 1983): in harbour entrances, harbour approaches and coastal waters, positional information error should not be greater than 10 meters with a probability of 95%. In ocean waters, the system should provide positional information with an error not greater than 100 meters with a probability of 95%.

In 2011, IMO further updated the IMO policy for recognizing and accepting suitable radionavigation systems intended for international use (resolution A.1046(27)), inviting Governments to keep IMO informed of the operational development of any suitable radionavigation systems which might be considered for use by ships worldwide.

The resolution also specifically requested the Maritime Safety Committee to recognize systems conforming to IMO requirements. Such recognition would mean IMO recognizes that the system is capable of providing adequate position information within its coverage area and that the carriage of receiving equipment for use with the system satisfies the relevant requirements of the SOLAS Convention.

New GNSS Providers Recognized
The BeiDou Navigation Satellite System (BDS), proposed by the People’s Republic of China, was developed in the 2000s and IMO was requested to develop performance standards for BDS receivers. The performance standards were adopted in 2014 (resolution MSC.379(93)).

BDS was recognized as a component of the world-wide radio navigation system in 2014. Full operational capability for BeiDou is anticipated to be reached by 2020. The IMO recognition (SN.1/Circ.329) notes that the static and dynamic accuracy of the system is 100 meters (95%) and it is therefore not suitable for navigation in harbour entrances and approaches, and other waters in which freedom to maneuver is limited.

The European Galileo Global Navigation Satellite System was developed and presented to IMO as a future component of the GNSS in the early 2000s. Performance standards for Galileo shipborne receivers were adopted by IMO in 2006 (resolution MSC.233(82)). The MSC recognized Galileo in 2016 (SN.1/Circ.334), noting that, in future, the static and dynamic accuracy of the Galileo system is expected to be better than 10 meters with a probability of 95%, with integrity provided by Receiver Autonomous Integrity Monitoring (RAIM) techniques. Once full operational capability is met, it will be suitable for navigation in harbour entrances, harbour approaches and coastal waters. Full operational capability for Galileo is also anticipated to be reached by 2020.

A further system, the Indian Regional Navigation Satellite System (IRNSS) — now also known in India as NaVIC (Navigation Indian Constellation) — is now being considered by IMO. Performance standards for IRNSS receiver equipment will be developed by 2019, and its possible recognition as part of the world-wide radio navigation system will be assessed.

Multi-System Shipborne Radio Navigation Receiver Equipment
Meanwhile, in June 2015, the Maritime Safety Committee adopted performance standards for multi-system shipborne radionavigation receiver equipment to ensure that ships are provided with resilient position-fixing equipment suitable for use with available radionavigation systems throughout their voyage (resolution MSC.401(95), updated by MSC.432(98)).

Such equipment can allow the combined use of current and future radionavigation as well as augmentation systems for the provision of position, velocity and time data within the maritime navigation system.

The World-Wide RadioNavigation System for the Future
As technology continues to develop, the world-wide radionavigation system can also be seen in the context of the wider IMO strategy for e-navigation, approved in 2008, which is intended to meet present and future user needs through harmonization of marine navigation systems and supporting shore services.

A key element in the e-navigation strategy relates to position fixing systems, which will need to meet user needs in terms of accuracy, integrity, reliability and system redundancy in accordance with the level of risk and volume of traffic.

A detailed e-navigation Strategy Implementation Plan (SIP), approved in 2014, sets out a framework and a road map of tasks that would need to be implemented or conducted in the future to give effect to five prioritized e-navigation solutions, one of which is the improved reliability, resilience and integrity of bridge equipment and navigation information, and another being the integration and presentation of available information in graphical displays received via communication equipment.

IMO will continue to oversee the world-wide radionavigation system and to have a role in recognizing systems that may be developed in the future. IMO also has a role to ensure the reliability, integrity and resilience of such systems.

The development of satellite-based position systems — GNSS — has enabled a leap forward in the accuracy standards required of such systems and has no doubt contributed to improved safety, efficiency and environmental protection at sea.

This has implications for both carriage requirements for navigational equipment as well as for the human element, in terms of training requirements.

IMO will continue to provide the forum for careful consideration of any requirements, in order to maintain carriage requirements recognizing the significant value and use of GNSS, but also to ensure that alternative systems continue to be mandated, for more resiliency and redundancy.

IMO
The International Maritime Organization – is the United Nations specialized agency with responsibility for the safety and security of shipping and the prevention of marine pollution by ships.

The post IMO and the GNSS appeared first on Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design.