Embed Size (px)
Citation preview
Is GPS More Vulnerable Than Ever?Panelists:Richard Linzy, Data Architect Engineer, Windstream CommunicationsRichard Funderburk, Timing Systems Architect, Trimble, Inc.Sarah Mahmood, Science & Technology Directorate, Department of
Homeland Security
Moderator:Marc Weiss, NIST Consultant, Marc Weiss Consulting
Webinar Introduction:Is GPS More Vulnerable Than Ever
Marc Weiss ConsultingNIST Consultant
Time from GNSS: Intentional and Unintentional Error Sources
Position (Ephemeris) error
Ionosphere
3) Issues at Receiver:
Coordinates
Multi‐path interference
Jamming and Spoofing
Delays in cables
Delay through receiver
Receiver software
Satellite Clock
System Time
1) GPS works by transmitting time and satellite position. Satellites get these as predictions in uploads.
Troposphere
2) The signal is delayed and inhibited by the iono‐ and troposphere
Poor Antenna Installations:Perhaps the most common source of problems
Illegal Jammers are Advertised on the Web
Cigarette LighterJammer:
Personal Privacy Device
Disruption Mechanisms ‐Spoofing/Meaconing
• Spoof – Counterfeit GPS Signal– C/A Code Short and Well Known– Widely Available Signal Generators
• Meaconing – Delay & Rebroadcast
• Possible Effects– Injection of Misleading PVT Information
– Perhaps no alarm Spoof Code
GPS S.V. CodeCo
rrelation %
100
Code Phase (t)
L P E
3. Pull Off
L P E
Code Phase (t) Correlation %
100
2. Capture
Correlation %
100
Code Phase (t)
L P E
1. Match Real Code
Successful Spoof
Richard LinzyArchitect EngineerWindstream Communications
GPS Vulnerabilities and Impacts
8
GPS Vulnerabilities
9
1. Intentional Sabotagea. Spoofingb. Jamming
2. Collateral Sabotage a. Professional Drivers
a1. Truck Driversa2. Cab Driversa3. Package Delivery
b. Minor Children [Just want to have FUN]
3. Environmental Impactsa. HVAC Compressorb. Antenna Fieldsc. New Building construction
Cost of Impacts to Business
10
1. Loss of Sync Clock in a Central OfficeA. Voice Services
a. Loss of SS7 servicesb. Loss of all 911 services to local marketc. Loss of all Long Distance calling
B. Data Servicesa. Quality of service impact to 100 Gb Ethernet Linksb. Quality of service impact to Sonet or SDH carrier Systems.c. Quality of service impact to VoIP carrier services.d. Quality of service impact to Wireless systems.
Sync Diversity Architectures
11
1. GPS Antenna Diversity 2. Clock Card Redundancy for Holdover1. Network Diversity using PTPv2 (1588V2)2. Route Diversity using weighted routing Algorithm
BNG
BNG
Site “A”
Customer Access Network
MDR
MDR
TP5000-1NTP
SYNC
TP2700 PTP B/C
TP5000-2NTP
SYNC
1PPS/TOD
1PPS/TOD
GPS
NTP
PTP1588v2
Grand Master Site “A”
PE
MDR
MDR
Site “B”
TP2700 PTP B/C
GPS
TP5000-3NTP
SYNC
TP5000-4NTP
SYNC1PPS/TOD
1PPS/TOD
Grand Master Site “B”
PEPTP
1588v2PTP
1588v2
PTP1588v2
NTP
Winterstate 100Gb
RT Wgt 100
BNG
BNG
Rt Wgt 50
Rt Wgt 50PTP/NTP/SYNC
Rt Wgt 50
Adtran5K
Adtran5K
Adtran5K
Adtran5K
Adtran5K
Adtran5KSyncE
SyncE
NTP Sync Device
PTP Sync Device
PTP Master Link
PTP Client Link
SyncE Timing Link
Color Code Legend
RT Wgt 50PTP/NTP/SYNC
RT Wgt 50
SS
RT Wgt 50
GPS
GPS
THANK YOU
12
Richard FunderburkTiming Systems ArchitectTrimble, Inc.
Is GPS More Vulnerable Than Ever?Richard FunderburkTiming Systems ArchitectTime & Frequency Division
Mar 8, 2017
Market Perceptions
Researchers Steer Off Course to Show Potential Power of ‘GPS Spoofing’August 2, 2013 at 12:00 AM EDT
EXCLUSIVE: GPS flaw could let terrorists hijack ships, planesPublished July 26, 2013
GPS Hijacking Catches Feds, Drone Makers Off Guard07.19.12 | 5:32 PM |
GPS spoofing the new game in town
College students hijack $80 million yacht with GPS signal spoofing
Was Malaysia Flight 370 Boeing 777 in fact GPS
Terrorism Spoofing?
Since the launch of first CDMA network in 1990 more than 685 commercial networks in 120 countries rely on GPS for time reference
GPS timing is used in 15 of the “Critical Infrastructure Sectors”
According to a US study of the 20 methods of getting time, all but two of them were dependent on GPS
IEEE 1588 is also, ultimately, dependent on GNSS for primary reference
GNSS as Reference Source
Jamming vs. Spoofing
Trimble Confidential
Jamming and Spoofing are two entirely different concepts but they are often used together which tends to create confusion and false alarm
Jamming Spoofing Generally unintentional RF Generation only
– Knocks out GNSS signal
– Unable to track GPS signal
Easy to produce
Limited Area Easy to identify
Always intentional Generate counterfeit signal
– Full GNSS data reproduction
– Can alter position/time information
Complex / sophisticated equipment is needed
Limited Area Difficult to distinguish from
real signal
Knowing the environment– Spectrum sweep to characterize the RF – Site survey
Selection of Antenna – Multiple layers of filtering– Larger ground plane
May need ground plane treatment– High linearity in the LNA design
Antenna Installation– Spatial Diversity– Frequency Diversity (L1/L2)– Pattern Diversity
Mitigation of the Effects of Jamming
Trimble Confidential
Bandpass Measurement (L1)G
ain
Frequency (MHz)Trimble Confidential
Filter vs. well Filtered Antenna
Antenna with multi-level filtering
Elevation Pattern (L1)Small vs. Large Ground Plane
Trimble Confidential
The amount of signal captured below the horizon is much higher with a smaller ground plane thus restricts the placement options
Antenna with smaller ground plane captures more signal from the bottom
Secondary reference signal– Dual GNSS band, like GPS L1 & L2– Multi-Constellation– PTP (IEEE-1588) / SyncE– Good quality oscillator
Improved Sensitivity Multi-stage Filtering Weak signal extraction Proper antenna site selection
Other Mitigation Techniques
Trimble Confidential
GNSS reference is still the only solution for distributed time– IEEE-1588 is based on GNSS (PRTC)
Multi-constellation, multi-band provides the most robust solution– Receiver manufacturers also
deploying/recommending mitigation techniques The application and end-use case will
determine the selection of timing source, but in some cases GPS is the only primary reference source
Conclusion
Trimble Confidential
Sarah MahmoodScience & Technology DirectorateDepartment of Homeland Security
DHS SCIENCE AND TECHNOLOGY
GPS Timing in Critical Infrastructure
Sarah MahmoodProgram ManagerFirst Responders Group Science and Technology Directorate
March 8, 2017
Our Economy Depends on Critical Infrastructure, & Our Infrastructure Depends on GPS
• Usage: Accurate position, navigation and timing (PNT) information is necessary for the functioning of many critical infrastructure sectors
• Precision timing is particularly important• Primary source of distributed and accurate timing is currently through
GPS
• Problem: GPS susceptible to disruption (both intentional and unintentional)
• Newark/I-95 jamming incident• January 25, 2016 event• Jamming for criminal activity• North Korea
• Impacts:• Not well understood• Evolving
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 25
DHS Risk Management & Program Strategy
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 26
• Alternate Timing Sources(eLoran, Iridium, Fiber, etc.)
Complementary PNT
• Specialized antennas• Alerts & monitoring• More robust receivers
Mitigations
Mitigation via Vulnerability & Impact Assessment
Mitigation via Awareness
Mitigation via Improved Equipment
• Receiver characterization testing (lab, open air, system-level)
Vulnerability Assessment
Mitigation via Diversity
Engage & Educate• Best Practices• Manufacturers (create fixes)• End-Users (create demand)In
crea
sing
ly R
esilie
nt
Holistic view with a layered approach
Vulnerability Assessment & Awareness: Test Events• Purpose:
• Validate laboratory test results in live-sky test environments • Provide this signal environment to industry stakeholders
• Past Events:• Jamming Exercise 2016 at White Sands Missile Range• October 2016 event at Savannah River National Laboratory
• Planned Future Events:• April 2017 GET-CI Event: Allow CI GPS equipment manufacturers to
test their equipment in live-sky spoofing environment • Jamming Exercise 2017: Focus on live-sky jamming environment• More events targeted at specific stakeholders
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 27
Awareness: Best Practices (1)
• “Improving the Operation and Development of Positioning, Navigation, and Timing Equipment Used by Critical Infrastructure”
• https://ics-cert.us-cert.gov/Improving-Operation-and-Development-Global-Positioning-System-GPS-Equipment-Used-Critical
• Issued January 6, 2017 via US-CERT
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 28
Examples• End-User Guidance:
• “Obscure antennas. Install antennas where they are not visible from publicly accessible locations or obscure their exact locations by introducing impediments to hide the antennas.”
• Manufacturer Guidance:• “Enhance anti-jam capabilities. To the
extent possible, the GPS receiver should be specified and developed to provide good anti-jam capabilities so that it can operate through high received levels of interference and jamming.”
Awareness: Best Practices (2)
• “Best Practices for Improved Robustness of Time and Frequency Sources in Fixed Locations”
• https://ics-cert.us-cert.gov/sites/default/files/documents/Best%20Practices%20-%20Time%20and%20Frequency%20Sources%20in%20Fixed%20Locations_S508C.pdf
• Issued January 6, 2015 via US-CERT
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 29
Examples• Receiver Guidance:
• “If the receiver has the capability, record average signal strength/Automatic Gain Control level once the stabilization is complete as a benchmark to be checked during routine maintenance”
• Manufacturer Guidance:• “Place the antenna where it cannot be seen
from publically accessible locations, or deny view of the antenna from public locations using an RF-transparent material… place the antenna where a roof line or structure blocks direct line of sight to the antenna from publically accessible locations.”
Improved Equipment:Horizon Ring Nulling Timing Antenna
• Wide variety of threats to fixed site GPS timing receivers
• Unintentional interference: e.g., spectrum encroachment and out-of-band RF interference
• Intentional interference• Interference sources tend to be below
antenna mounting• MITRE’s low cost horizon ring nulling
(HRN) helix timing antenna• Reduces impact of interference and
multipath slightly above to below the horizon
• Antenna design available for commercial transition via no costlicense agreement
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 30
Diversity:CPNT Requirements
• Purpose• Define and validate PNT
requirements with end-users in critical infrastructure sectors
• Approach• Engage directly with CI
end-users for input
• Status• Complete:
• Electricity Subsector• Wireless Communications
• Next:• Financial Services • Emergency Services
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 31
Future Requirements Excerpt
Electricity Subsector Wireless Communications
Diversity:Explore Technologies
• Study and test potential other technologies to provide PNT solutions for critical infrastructure applications
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 32
• eLoran NYSE Demo (April 16 2016)• eLoran signal received inside
building to within 30 nanoseconds of UTC reference where GPS signals were not receivable.
• For all locations, 95% of data collected is within 200 ns of UTC.
• Iridium Demo (October 2016)• Testing conducted at Savannah
River National Lab.• Average delta to GPS was ~200
nanoseconds.• Able to receive signal even when
GPS was jammed.
DHS Risk Management & Program Strategy
DHS Science and Technology Directorate | MOBILIZING INNOVATION FOR A SECURE WORLD 33
• Alternate Timing Sources(eLoran, Iridium, Fiber, etc.)
Complementary PNT
• Specialized antennas• Alerts & monitoring• More robust receivers
Mitigations
Mitigation via Vulnerability & Impact Assessment
Mitigation via Awareness
Mitigation via Improved Equipment
• Receiver characterization testing (lab, open air, system-level)
Vulnerability Assessment
Mitigation via Diversity
Engage & Educate• Best Practices• Manufacturers (create fixes)• End-Users (create demand)In
crea
sing
ly R
esilie
nt
Holistic view with a layered approach
Is GPS More Vulnerable Than Ever?Wednesday, March 8, 2017 34
Questions?
Is GPS More Vulnerable Than Ever?Wednesday, March 8, 2017
Is GPS More Vulnerable Than Ever?Wednesday, March 8, 2017 36
Thank you for attending the Is GPS More Vulnerable Than Ever Webinar
All registered attendees will receive a follow up email containing links to a recording and the slides from this presentation.
For information on upcoming ATIS events, visitwww.atis.org/01_news_events
