Readers of this website are familiar—perhaps overly familiar!—with the threats to resilient positioning and navigation that are posed by interference, intentional and unintentional. Timekeeping applications for critical infrastructure using GNSS must also protect themselves against jamming and spoofing.
GNSS provides excellent time accuracy for synchronizing many commercial applications: datacenters, communication networks, power and process control operations and more. When these applications are part of critical infrastructures, as many are, then GNSS susceptibilities to jamming and spoofing can undermine operations of large regional and national scope, even involving the economy and national security. Resiliency is urgently needed.
Most detection and mitigation techniques are practical and can be implemented without significant additional cost. For highly critical applications, where even a low probability of occurrence can have a catastrophic impact, the more expensive countermeasures may be warranted. In these cases, one must consider even highly unlikely threats that can cause major disruptions to society. GNSS timing systems can be made more resilient for critical infrastructure in several ways.
In general, jamming is easy, but spoofing is hard. It is shocking how a simple 1 watt, $50 jammer available illegally on the Internet can disable GNSS reception for an area several kilometers wide. No skill is required. For spoofing, one needs to faithfully reproduce the GNSS signal, requiring sophisticated equipment. However, spoofing is becoming easier as the GNSS simulation test equipment becomes more affordable. The availability of software defined radio (SDR) hardware and software now allows the average wireless engineering student to implement the equipment needed for spoofing. So that threat too is growing—exponentially.
Interference Detection and Mitigation
The first step in dealing with any problem is knowing you have it. Several techniques detect jamming and spoofing at the receiver before it corrupts the timekeeping operation. Let’s start with jamming. Since GNSS signals are so weak that they are below the thermal noise floor, any detectable energy in the receiving band is interference. C/N0values can also be tracked, and when they go below a specified value become an indication of loss of signal. Also, the GNSS receiver itself will report loss of lock and how many satellites it is using in its solution.
Interference may come and go over time, so detection becomes complex: at which point do you reject the GNSS signal as a timing reference because it has become corrupted by jamming? One method is to build a penalty score based on many factors. Any one factor may not be a sufficient trigger, but a combination of several will accumulate a score that crosses a threshold and indicates jamming. The same method can apply to spoofing detection.
Spoofing is more difficult to detect, but more pernicious if it goes undetected. Successful spoofing will allow normal operation with an erroneous time reference and could have catastrophic results. The Dept. of Homeland Security (DHS) has issued a Best Practices document for the development of GPS receivers used in critical infrastructure.
• Detecting movement or jumps in time or position
• Inconsistent power levels among the various satellites.
• Overly consistent power levels.
• Examining data correctness.
• Independently obtaining data message from the GPS Control Segment, for example, via the Internet.
• Correlation among the reports from all the GNSS constellations.
For the timing application, mitigation is mainly done by providing a holdover oscillator. Upon detection of a problem, GNSS can be ignored as a reference, and timekeeping is maintained by the internal oscillator that has been already synchronized to UTC time and GNSS’s precise frequency. The Holdover Time—the period over which the timekeeping equipment will maintain its stated accuracy—depends on the quality of the oscillator.
For more persistent situations, signal filtering can be done. Of course, nothing can be done to filter out broadband jamming which cancels the entire reception band, but most of the illegal low-cost jammers on the market today are simple narrowband sweep (or “chirp”) jammers. It is possible to track and filter out this type of jamming with devices capable of providing up to 40 dB of Jammer/Signal (J/S) protection.
Multiple Holdover Oscillators
The holdover mode can be made even more robust by the use of two or more holdover oscillators. With multiple holdover oscillators in a single system, while Oscillator A is being disciplined, Oscillator B serves as a comparative reference, ensuring that A is not being corrupted by an erroneous signal. High-quality atomic oscillators are becoming more affordable and smaller in size and power consumption, so that a timing system with multiple atomic oscillators is quite practical today.
The best defense against jamming and spoofing is to prevent the counterfeit signal from entering the receiver in the first place. Several methods accomplish this.
The simplest uses a horizon-blocking antenna pattern. Since most interference and spoofing is transmitted from the ground, it enters the antenna from the horizon, at low elevation angles. A receiving antenna pattern that blocks energy from low elevation angles, for example, 30 degrees or less, can provide ~20 dB of jamming and spoofing protection at very little additional cost. There are three factors to consider before using this approach:
• Geometric Dilution of Precision (GDOP): the best satellites for creating a 3D navigation solution come from orthogonal directions near the horizon, so position accuracy will decrease, but for the timekeeping application this is not a concern.
• Multi-constellation: With a limited view of the sky, fewer satellites will be seen. This is usually not a problem with multi-constellation receivers, but when using a single constellation, it could limit solution accuracy. Again, the timekeeping application needs fewer satellites than positioning, so this is usually not a problem.
• Pitch and Roll effects: If the antenna is mounted on a vehicle or a ship, the horizon will move, so the blocking elevation angle may drop below 30 degrees, letting in ground-based interference, or rise above 30 degrees, blocking good satellites. Most timekeeping applications are fixed site so this is not a problem, but for shipboard applications, a more complex solution is needed.
The next level of complexity uses null steering and satellite-tracking antennas: a “smart” or controlled radiation pattern antenna (CRPA). Multiple receiving elements, 2–8 or more, combine to create narrow, electronically steerable beams. The beams are either pointed away from the interference (null steering) or toward the desired satellite signal (tracking) as it moves across the sky. The more elements, the more beams and nulls are available for steering.
Alternative time sources to GNSS provide the next level of resiliency. Time references can be delivered via hard-wired means or by computer networks, but it is difficult to achieve accuracy across a wide area or globally. Computer network-based protocols such as Network Time Protocol (NTP) and Precision Time Protocol (PTP) can distribute time to millisecond and sometimes microsecond accuracy across public networks, but to achieve nanosecond level accuracy similar to GNSS requires dedicated connections. This is often impractical even for the most critical applications.
A new source of time and position reference is offered now from low-Earth orbit (LEO) satellites. The Satellite Time and Location (STL) signal from Satelles is the first such offering and has two major advantages over GNSS: very strong signal strength and encryption to prevent spoofing.
The tradeoff is a less accurate signal, but still much more accurate than can be achieved by network-based references. STL is the first in what are expected to be several LEO-based alternative references. Launches of newer, broadband communication satellites in LEO orbit in constellations of several hundred to several thousand nodes are being planned by OneWeb, Boeing, SpaceX and others. These new constellations will offer broadband signaling to provide more precise pseudoranging measurement, and more satellites for better geometries, lower GDOP.
The newer generation of GNSS receivers emerging on the market today have several features that will enhance their resiliency:
• Multi-frequency—triple-band commercial receivers operate in the L1, L2 and L5 bands. Jamming these receivers requires jamming over 400 MHz of spectrum. This is no longer a simple jammer and though it is still possible to jam all these frequencies, a wideband jammer requires more power, more sophisticated electronics and is more easily detected.
• RTK–Real Time Kinematic—The correction communication channel serves as indicator of anomalous behavior. Unless the spoofer is accurately spoofing both the reference base station and the user, which are often separated by several kilometers, the navigation solution will quickly diverge and indicate a problem. Moreover, when communicating with a network of correction reference stations, the spoofing will become even more apparent.
• Augmentation signals—as new alternative LEO signals come on-line, newer receivers will be capable of receiving these signals too and using them in their PNT solution.
• Internal IMUs—with the revolution in MEMs technology for low-cost, high-performance Inertial Measurement Units (IMU), more receivers are including them internally. With this comes an inherent anti-spoofing capability: when a counterfeit spoofing signal pulls a receiver off its true position, the accelerometer and gyroscopic measurements will not match, signaling the event.
• Built-in AJ/AS features—many of the IDM features discussed previously are becoming standard features in the newer receivers. Moreover, some are starting to add Artificial Intelligence (AI) processing to detect interference and multipath conditions