by Logan Scott
There has been much discussion of the need for resilient PNT over the past few years, as dependencies have grown and an evolving threat matrix has become more active. As a nation, we need a measured and cost-effective response commensurate with the level of threats and the possible consequences.
What is resilience?
Do we even know what resilience is? Mostly it looks like an extra cost when you don’t need it. Then, when it is needed and you don’t have it, it looks like failure —sort of like the Texas power grid back in February. Resilience has costs, and budgets are bounded. My working definition for resilience is that it is about building sufficiently secure and reliable systems out of insecure and unreliable components operating in an indeterminate environment.
How do you measure resilience? You try to break it and then decide whether the protection is adequate for the domain of use. Any system will break under sufficient stress. Determining what is sufficient is a hard question but it is a key question. Resilience could end up being quantified using a series of tests like UL standards for safes. You expose the safe to a skilled safecracker and see how long it takes them to break in. Interestingly, the highest security rating, TXTL-60, only guarantees protection for 60 minutes.
The need for standards and mandates
A core question we have not addressed at a national policy level is how to incentivize resilience. When seat belts were invented, they were made available as an option by Ford and others. It was not a popular option. Less than 2% of buyers elected to get them. Then, through a series of federal mandates, they became required equipment and later, we saw requirements to use them. The point being that safety standards are needed, they have costs, and, if they are left optional, they may not be implemented or used.
I like that the Department of Homeland Security (DHS) is addressing resiliency as a risk management question. However, leaving the implementation of protections entirely up to the user community strikes me as unworkable. Our user communities are rarely aware of the potential risks, much less how to address them. Even when they are aware of the risks, industry is often more driven by cost considerations under nominal conditions, and they fail to prepare.
I’ll pick on the Texas power grid in February again, but I could also have picked on “just in time” manufacturing systems vulnerable to supply chain disruptions, or the Suez Canal. By establishing standards and exposure-based testing procedures, vendors and buyers in critical infrastructure domains can avoid the more egregious outcomes in a cost-effective manner.
The need for Modular Open Systems Approaches (MOSA)
In prior discussions, I have noted that building a resilient architecture is not just about having the right parts; they must be integrated correctly — and tested. MOSA is about effectively leveraging the capabilities of diverse system components and maintaining currency as new innovations and technologies become available. MOSA is a platform, it is an operating system, it is an enabler. It is not a point solution.
A cell phone’s positioning process is a great example of MOSA. Android phones come in diverse flavors and have a rapid innovation cycle based on a rich and constantly evolving ecosystem of parts. Yet, they all manage to integrate sensors together to establish position with good accuracy both indoors and outdoors. That said, cellphones performed abysmally when exposed to inadvertent spoofing at the ION GNSS+ conference in 2017.
In many ways, integrity and resilience are highly intertwined problems and so, there are opportunities within MOSA constructs to approach the problem of safely integrating less than 100% trusted, 100% reliable components. Experience with cybersecurity shows the need for a rapid update and response cycle. MOSA will help.
The need for authentication
Authentication is about knowing where your data comes from, knowing where your software comes from, and establishing a chain of evidence to establish provenance. In the MOSA paradigm, if subsystems can report problems due to spoofing, jamming, cyberattack, hardware failure and software corruption, and if there are performance and security monitors in place to aggregate information and watch for discrepancies, a more effective and resilient response can be mounted.
Galileo’s Open Service Navigation Message Authentication (OS-NMA) and the proposed Chips Message Robust Authentication (CHIMERA) for GPS can help by providing unambiguous discrepancy reports. Depending on the operating domain, it may even be possible to report problems to higher authorities so as to establish patterns and causes. For instance, jamming might be rapidly geolocated using crowdsourcing methods à la J911, but such an approach is viable only if you can establish trust in your sources.
The need for trustable multi GNSS
In the quest for resilience and augmentations, I am not convinced that we as a nation have fully explored how to safely integrate foreign navigation systems into critical applications. Access to more signals and more systems offers considerable resilience potential. Instead, the Federal Communications Commission (FCC) has unilaterally restricted their use under part 25 rules with limited justification. Perversely, this has led to some US companies flying their satellites under foreign flags so as to gain legal access to FCC proscribed navigation signals. These same restrictions limit the performance of precision positioning systems, receiver autonomous integrity algorithms, positive train control systems, and spoofing detection processes.
One of the things I found fascinating about the Galileo failure in July 2019 was that the satellites all continued to produce good ranging signals. If you could provide your own ephemeris, say from JPL, NASA, Naval Surface Warfare Center (NSWC) and/or other sources, you still got great performance. Treating foreign navigation satellites as “signals of opportunity” and using curated and signed US-generated ephemeris strikes me as a useful augmentation. Much less trust is placed in the foreign state, yet you get a lot of augmentation benefit for minimal cost.
Additionally, you limit the impact of a global system’s outage. If Galileo had been the only game in town, its one-week outage would have been catastrophic. As it was, its absence was noted but had almost no effect on GNSS-dependent operations.
The need for an honest evaluation of Ligado’s impact on GNSS
GNSS really is different from communications. The FCC, by setting a standard where the mechanism of harm is to place GNSS receivers in deep and uncontrolled saturation, ignores the possibility of normally harmless signals mixing and causing harm. None of the testing to date has explored this issue and so, our national policy might be the RF equivalent of mixing alcohol and fentanyl and hoping for the best.
Furthermore, the FCC showed almost no cognizance of the importance of GNSS-based remote sensing in monitoring climate change. The RF smog that is Ligado’s signals will restrict our ability to develop a clearer picture of what is happening.
The FCC’s decision must be revisited using sound engineering as a basis.
Augmentations and the role of markets
One of the most insidious things about GNSS is its price to the user: Free. That, combined with its worldwide coverage and superb accuracy in both time and positioning creates significant barriers to entry for new offerings. In the commercial arena, a new entry that provides only the same services as GNSS, maybe a little better, seems doomed. A successful entrant will need to have a value-added proposition with features that cannot be met using GNSS.
Communications facilities, indoor operation, proof of integrity and location, and uninterruptible service would all be on my short list. In large measure, these capabilities can be provided by combining GNSS with other sensors and systems, especially if we use the full constellation of 125 navigation satellites on orbit and healthy now. That said, I do expect new entrants.
5G NR and 802.11 both have strong potential to meet the requirements of my short list, particularly as they move towards higher frequencies. Yes, the ranges there will be short, but densities will be high. Both technologies have strong and active initiatives within their standards-setting process oriented towards providing accurate, high integrity positioning. Also, because they are extant systems, there is less pressure to offer ubiquitous service at inception, a daunting challenge for a brand new entrant.
I expect LEO satellite systems will also have a role. Because they have high angular rates across the sky, you can get nearly instant cm-level positioning. Operating at higher frequencies, e.g. X, Ku or even V-band, they can simultaneously provide strong communications capabilities when outdoors and so, might play very well in the autonomous vehicle markets. Yes, the antenna issues are challenging, but they ride a wave of actual deployments.
The role of government
So, what is the proper role for government?
First: stably fund, maintain, and operate GPS. It is critical infrastructure, not easily supplanted. Providing secure ephemeris and integrity data to support safe use of multi-GNSS should be funded. Of course, removing FCC roadblocks to its use is also essential. PPP data services should be considered as part of the package to promote rapid adoption of “safe ephemeris.”
Beyond that, government’s role should be one of, dare I say it, leadership.
Defining what we want for resilience and what standards of performance are needed in critical applications is only part of the solution. We also need to take action to ensure these standards are met by introducing clear requirements and ensuring necessary infrastructure is available. Developing an integrated infrastructure plan that uses GEO, MEO, LEO and terrestrial components to our best advantage is a necessary step.
Government needs to influence approaches not only as a provider of public infrastructure but as a customer for private infrastructure. Resilience is best achieved as a cooperative undertaking with industry, but absent leadership, nothing is going to happen. Until it does.