After years of delay, we see movement toward a back-up service for PNT and ensuring that critical infrastructure owners and operators take steps to limit vulnerabilities.
At this point in 2020, there is an irresistible temptation to compare all potential crises—like the loss of GPS position, navigation and timing (PNT)—to the ballooning emergency of the coronavirus. The affect of both contagion and signal loss could remain local, as with jamming from personal devices in the case of PNT. Or it could become truly global with economic impact escalating sharply.
One could also insist that, in both cases, we have lost opportunities to strengthen the U.S. against catastrophe. With pathogens, it’s arguably harder to know which risk to tackle first. That is not the case with satellite navigation.
We have long had a reasonably good idea of what to do, or at least some very good ideas on where to start, but the opportunity for easier fixes has largely disappeared due to inaction. That’s alarming, given how long the navigation community has labored to avoid calamity. The George W. Bush administration called for a backup and improved resistance to interference when it issued National Security Policy Directive-39. Sixteen years ago.
The last 12 months, however, have seen movement toward real change that could genuinely bring the U.S. closer to a PNT backup, more resilient receivers and better-prepared users. Stimulated by hourly updates on how bad things can get in another realm, these steps toward disaster-resistant PNT could actually get us somewhere.
A PNT Backup
The organization closest to concrete results is the U.S. Department of Transportation (DOT), which recently awarded contracts to support testing of a variety of PNT technologies. The contracts to 11 different firms stem from a Congressionally-ordered effort to create a backup for the broad range of PNT capabilities needed in the U.S.
The many technologies chosen for testing reflect the fact that the nation’s use of PNT has evolved well past the point of needing simply a backup for GPS, said Karen Van Dyke, director of DOT’s office of PNT and spectrum.
“Knowing the diverse nature of the critical infrastructure sectors that rely on positioning, navigation and/or timing, it’s unlikely there is one solution that can meet everyone’s needs,” she said, adding that “even GPS itself can’t meet all of the needs, particularly indoors and underground—some of the more impeded environments.”
The testing was mandated in the Fiscal Year 2018 Defense Authorization bill, which also allocated $10 million to implement the plan. Not long thereafter, Congress appropriated another $5 million to move things along and in December 2018 directed DOT to establish a backup system for GPS timing.
Lawmakers wrote clearly what they wanted in the authorization language, setting requirements that were summarized neatly by DOT Deputy Assistant Secretary for Research and Technology Diana Furchtgott-Roth. The system is, “to the maximum intent possible, required to be terrestrial, wireless, have wide area coverage, be difficult to disrupt and capable of expansion to provide positioning and navigation services.”
“We might not be able to do all those things,” she told attendees at the Institute of Navigation’s ION GNSS+ meeting in September, “but we are very much going to try our best possible.”
As of press time, the testing was set to begin the week of March 9 at NASA Langley Research Center in Hampton, Virginia, and continue the following week at Joint Base Cape Cod in at Buzzards Bay, Massachusetts. The Departments of Transportation, Defense (DOD) and Homeland Security (DHS) devised the testing specifics jointly with input from the other member agencies in the Space-Based PNT Executive Committee. Van Dyke stressed that her group has been working with the agencies on the committee so that they are all comfortable with what the results show and with the report that will be sent to Congress.
Furchtgott-Roth is expected to decide sometime in August what kind of PNT backup she’ll recommend in that report. Given the broad use of PNT, she is expected to suggest a system of systems incorporating different technologies. “We are seeking the best solutions to ensure that America has a combination of PNT systems that, when used together, will be difficult to disrupt,” she stated.
DOT’s report is to include a timeline, funding requirements and lessons learned from the testing. The test results on equipment performance may also be folded into efforts underway at DHS to make clearer the distinctions between more- and less-resilient receivers and other equipment.
The good news is that GPS users, specifically users involved with critical infrastructure (CI), are now more attuned to what could happen if the GPS signal they rely on—say for synchronization—became unavailable or untrustworthy.
“In recent years, the agency (DHS) has made some fairly good progress in raising awareness of this issue: of GPS vulnerabilities, of spoofing and also data spoofing,” said Ernest Wong, PNT technical manager in DHS’s Science and Technology Directorate. More manufacturers are releasing more resilient equipment and competing based on the hardiness of their new models. Many of them cite the 2017 DHS document Best Practices for Improving the Operation and Development of GPS Equipment Used by Critical Infrastructure, he said, when talking about their equipment. (That document is available on the first page of gps.gov).
But Best Practices, while a good initial step, is not a standards document or any type of requirements document, said Wong. “The question remains; when someone says that their equipment is resilient, what does it mean? What’s it resilient against? What does it protect against? What are its capabilities?”
This lack of standards makes it harder for companies that build more resilient equipment to differentiate their hardware. As a result, less capable receivers are more likely to find their way into important CI systems.
To address this, DHS is developing the Conformance Framework, a sort of consensus vocabulary for talking about PNT equipment based on levels of resilience.
Though still very much a work in progress, the overall concept is to define the types of expected behaviors for resistant receivers at different levels, Wong told Inside GNSS. Level 1 receivers, for example, will likely be defined as being capable of robust recovery from a threat; equipment with Level 4 resilience should be able to operate through threats. The definition of the levels and the language in the framework will incorporate four core functions: prevention, detection (internal state), response and recovery.
In the early days of GPS, people did not worry about corruption of the signals or build receivers to handle such problems, said Jim Platt of DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
“This Conformance Framework,” said Platt, “is really a step forward in changing that paradigm from building GPS receivers as just radios to recognizing the fact that these GPS receivers are really computers that are ingesting GPS signals, processing that information and then passing information on to other systems. Therefore we have to start differentiating what level, what types of receivers are used in what type of applications. More critical applications need receivers with additional security built into them, with better software assurance—and those are some of the things that the Conformance Framework will look to help define.”
Focus on Timing
The initial focus is on GNSS-based timing equipment, Wong told the November meeting of the National Space-Based PNT Advisory Board. This is “primarily to address the most pressing PNT attack surface in critical infrastructure,” Wong said.
The working group hammering out the framework’s definitions includes a number of key equipment manufacturers, CI owners, CI operators and other industry stakeholders. DOT and the Federal Aviation Administration are also members to ensure that the framework is extendable to positioning and navigation. DHS would like more critical infrastructure owners and operators to participate, Wong said, asking that anyone interested in getting involved should email firstname.lastname@example.org.
The definitions the group comes up with must be non-prescriptive; that is, they define an outcome but not the technology that achieves that outcome. They also must be signal-agnostic so they remain relevant as additional
signals—from, for example, a new backup system—come online.
“The reason why we try to make this source-agnostic is we do view that simply adding an additional PNT source to your device doesn’t automatically make it more resilient,” said Wong. “It depends on how you implement it. If you don’t implement it securely, it could just be an additional attack surface.”
The agency plans to release guidance documentation for the framework this spring and begin the time-consuming standards development process sometime next calendar year. Choosing a standards development organization (SDO) and reducing the time to finalize standards could be real challenges.
“I think the key thing here,” Wong said, “is going to be we may need to go to different SDOs for different sectors because different sectors do have different standard requirements.”
DHS is also working with the Army to suss out vulnerabilities in CI equipment through a program called GET-CI or GPS Equipment Testing for Critical Infrastructure. GET-CI will again offer testing opportunities this year to both manufacturers and CI owners/operators
“We’ve only had two events so far, and the objectives of those first two were really more discovery,” Wong told Inside GNSS. He added that he felt they’d get a much better sense this year of how good current equipment performance really is, because a number of new products have come on the market.
Having more information about receivers isn’t helpful if you don’t know what you need. An Executive Order released by the White House on February 12 aims to address that by having the Department of Commerce—specifically DOC’s National Institute of Standards and Technology (NIST)—develop user profiles.
NIST is to profile the different ways PNT is used and where the vulnerabilities lie. The profiles are meant to help CI owners/operators better understand their level of PNT dependency when using specific applications and their ability to tolerate signal disruptions—all of which can be used to build resiliency based on how the equipment is being used.
“If you’ve developed your PNT profile and you say that timing is critical to my operations, I would probably want to choose a PNT receiver that is higher on the Conformance Framework scale because it’s supporting a critical operation,” Platt said. Eventually certified equipment or adherence to particular industry standards may become part of what is expected for CI operators with certain profiles, but that is something for the future. In the meantime, NIST has the job of developing the profiles because it’s already done something similar for cybersecurity.
“The idea,” said Platt, “is to build off the things that we’ve learned in the cybersecurity profiles so that we can build PNT profiles that are specific to applications. We would envision that there would be a profile application for telecommunications users, there would be a profile for IT users, there would be a profile potentially for aviation users.”
DHS, meanwhile is supposed to look at the infrastructure directly and develop a testing plan to determine just how vulnerable CI systems and assets are to PNT disruption and manipulation.
Those test results will be used to update the profiles, which are to be reviewed every two years, and the Federal Radionavigation Plan. The FRP is the foundational policy and planning document governing ground- and space-based radionavigation systems. This includes GPS and any new backup systems and PNT augmentations like those supporting air traffic control.
“It’s not that you develop a profile for a particular sector just once and then you’re done,” said Van Dyke. “It’s a starting point and then you continue to update them. As you pointed out, technology is changing rapidly. The applications that use the technology also are evolving quite quickly. And so it’s a process, and that process will need to continually be updated.”
In addition to the profiles and testing, the Departments of Transportation, Energy, and Security have six months to develop plans “to engage with critical infrastructure owners or operators to evaluate the responsible use of PNT services.” By the end of a year they are to verify those plans by completing pilot projects. Those pilots on responsible use could become very important.
A Plan with Teeth
It’s one thing to freshen up profiles, policy and planning tools. It’s another thing to get the owners and operators of critical infrastructure to update what could be very expensive equipment. To encourage key stakeholders to stay abreast of changes, the administration has adopted a specific policy of fostering “the responsible use of PNT services by critical infrastructure owners and operators.”
“Responsible” in this case means “the deliberate, risk-informed use of PNT services, including their acquisition, integration, and deployment, such that disruption or manipulation of PNT services minimally affects national security, the economy, public health, and the critical functions of the Federal Government.”
That last line is key, because that’s where the “ouch” could come from for those CI owners and operators who don’t keep up.
The profiles are based on “responsible use of PNT” which, according to the executive order, includes alignment with the standards, guidelines, and sector-specific requirements “selected for a particular system to address the potential disruption or manipulation of PNT services.”
Once the profiles are available, sector-specific federal agencies are to work with DHS to develop contracting language requiring that responsible use by PNT-dependent suppliers. Want to sell the Pentagon computer services? Better check what the profile says about updating timing receivers. Hoping to supply electricity to a federal lab? See what the profile says about protecting energy distribution.
“DHS,” Platt said, “has been tasked to develop contract language that could support, or could be used to ensure, that those systems that are highly dependent on PNT—and I say dependent, not just use PNT—but those systems that are dependent on precision PNT are applying the appropriate risk management processes so that we understand what risk is being accepted with PNT and how any risk is being either mitigated or accepted. … If you’re going to provide a service to the federal government, you will have to ensure that you are following the PNT profiles as developed by NIST.” Firms that can show that they meet the new requirements will have a leg up on competitors that are not able to adopt or demonstrate that they can meet those requirements, said Platt.
The profiles won’t be developed in a vaccum, said Platt. NIST will go out and work with the service providers. “This won’t be a surprise to any of them.”
Platt added that, as DHS has spoken with companies and highlighted the importance of timing data, “the light bulb has come on and (the companies) say ‘Oh, there are ways that we can mitigate this—potential disruptions to GPS or other PNT services—that are just good business practices.’ ”
“We realize that there is not going to be a wholesale replacement of receivers out there once we come out with the Conformance Framework or even an industry standard, whatever SDO that we go with. But that doesn’t stop manufacturers from taking a look at their overall operating systems and determining that there are potential risks in the system that they can mitigate through other means. And then … as additional equipment becomes available, there’s also a parallel effort to create additional demand within the owners and operators for more secure and resilient equipment. As they do their lifecycle replacements, the older equipment is replaced with newer equipment.”
Ultimately, this is about more secure and resilient critical infrastructure, Platt said, with more secure and resilient PNT being a subset of that.
“We shouldn’t expect that this should be solved overnight,” said Platt, “but we do see being able to make significant incremental improvements over the next couple of years.”