Due to the low power level and spread-spectrum nature of the radio signals transmitted by all the GNSS constellations, it is trivial to interfere with the operation of a GNSS receiver by jamming the radio signal with a higher power noise source local to the antenna. This disrupts the operation of the receiver as it cannot receive any satellite signals while it is being jammed. Jamming signals may be intentional or completely accidental.

The commoditisation of software-defined radios (SDRs) and the advent of freely available open-source software means that ‘spoofing’ (creating a false copy of the radio signal to fool the receiver in decoding and locking onto a completely fake source of time and position) a GNSS signal is easier than ever.

The attack surface continues to grow as the number of GNSS timing systems deployed to support national critical infrastructure increases. It’s useful to consider what attack vectors might be used against such systems and how we can mitigate these security risks.

Physical Security

When considering physical attacks on the antenna systems or facilities where GNSS time systems are housed, measures should be taken in-line with existing physical security measures for existing critical national infrastructure sites & installations. Other risks are shootings (reports do exist of GNSS antennas being used for target practice!), nesting birds (or other interference from wildlife), and unintentional conspicuity e.g., 5G base station sites with a ‘<Operator’s Name> GPS’ labels on GNSS antenna cabling. Included here is protection from lightning strikes. The GNSS antenna can often be the highest point of a building and is vulnerable to lightning strikes.

Radio Security: Jamming & Spoofing

Jamming

The technology to defeat jamming has been around since before GPS. GPS antenna arrays are US ITAR restricted, but in 1978 a Rockwell Collins proof of concept (PoC) ‘GPS anti-jam set’ flew over a 10kW jammer with no effect on its position or time solution. Civilian commercial phased-array antennas (Controlled Reception Pattern Antennas or CRPAs) are also used to address jamming attacks.

Spoofing

Subtle attacks might create small time offsets in the receiver (of the order of nano/micro/milli-seconds of error). This affects systems that have time or position accuracy requirements and slowly edges them out of an optimal range. More brute-force attacks might spoof a ‘leap second pending’ indicator to provoke software errors when handling leap seconds. They may even spoof a time offset of more than 19.7 years (more precisely 1024 weeks). The original GPS interface specification used by some older receivers uses a 10-bit number to hold a ‘week number’ as part of the ‘GPS Time’ timescale. This is commonly referred to the ‘GPS Week Number Roll-Over’ (WNRO) problem) and is used to brick receivers.

GNSS Firewall

A relatively recent addition to the defences against both jamming and spoofing is the ‘GNSS Firewall’. This hardware addresses the radio signal structure in much more detail than existing GNSS receivers. These designs date from an era when spoofing was less of an issue so they offer very little protection. Such products may also contain GNSS signal simulators. These can be used with a local atomic-clock traceable timebase to keep critical national infrastructure GNSS receiver timing systems synchronised in the event of extended jamming/spoofing attacks.

Network Security

Many GNSS-based time servers are managed and configurable over a network interface just like other elements/nodes in a modern network. So, they face all the same attack vectors as other network-based equipment in terms of critical national infrastructure cybersecurity. Examples include Distributed Denial of Service (DDoS) attacks and ‘Man-in-the-middle’ (MiTM) attacks. Some Time Server systems may provide PTP or NTP functionality on the same or other network ports. These require a similar level of protection and monitoring as existing IT/OT systems. Many systems are moving to a ‘zero trust’ architecture where every stage of a control/management process is authenticated/verified.

Supply Chain Attacks

Both hardware and software components that provide GNSS functionality have become commoditised. This includes the low-cost silicon in the latest smartphones that provide sophisticated Multi-Constellation Multi Frequency (MCMF) receivers to specific timing modules. These provide an < 30ns of error to UTC on their time output interfaces. They are routinely integrated into time server systems by manufacturers rather than developing their own GNSS receiver technology.

The nature of CPU hardware/processing modules that are integrated into GNSS systems might run a real-time operating system (RTOS) along with FPGA reference designs and other software components. These could include GPSD, the open-source Linux/UNIX daemon that is commonly used to manage locally connected GNSS receivers. All these building blocks are at risk of supply chain attack and introduction of hidden functionality that might suit the agenda of bad actors.

The GNSS security aspect of Critical National Infrastructure cybersecurity can be improved by carefully considering all these risk factors and attack vectors and addressing them with the mitigation strategies described.