Positioning, navigation, and timing (PNT) services are primarily provided through the Global Positioning System (GPS) and other Global Navigation Satellite Systems (GNSS). PNT is not just used for navigation, though. It also provides precision timing information that enables critical functions within telecommunication networks and the power grid. However, these PNT services are susceptible to interference such as GPS jamming and spoofing, which pose a risk to critical infrastructure. What was once an emerging risk is quickly becoming a pressing issue, with industry reporting a growing trend of prominent PNT disruption events around the world over the past two years. As the technological barriers to conducting these activities continue to fall, it becomes even more important to ensure our critical infrastructure is resilient to PNT disruptions.
New document provides roadmap to threat mitigation
One of the key activities for addressing this at DHS S&T is the Resilient PNT Conformance Framework, which is planned for public release by the end of the year. The conformance framework was developed with input from industry stakeholders and is focused on outcome-based behaviors of resilience to encourage industry innovation and creativity in technical solutions. Industry has made significant progress in improving PNT equipment, with some manufacturers citing the DHS Best Practices for GPS. The conformance framework is the next step forward and provides a common reference point defining what to expect from resilient PNT equipment. This will help critical infrastructure owners and operators make risk-informed decisions when deciding what PNT equipment to deploy. It provides distinct levels of resilience so end users can choose equipment that’s appropriate for their needs, based on criticality and risk tolerance.
The conformance framework also will be able to complement federal activities required under Executive Order 13905, “Strengthening National Resilience through Responsible Use of PNT Services,” which was signed in February 2020.
“In order to do effective risk management, it’s important to understand your vulnerabilities, your risk posture, and select appropriate mitigations,” says Jim Platt, director of the DHS PNT Program Management Office, housed within the Cybersecurity and Infrastructure Security Agency (CISA). “Combined with the National Institute of Standards and Technology’s PNT Profiles from the PNT Executive Order, the conformance framework will be a valuable risk management tool.”
Outlining important resilience concepts
Industry equipment manufacturers have made great progress in making their PNT systems more resistant to disruptions by adding capabilities such as spoofing detectors, additional PNT sources, and holdover devices (e.g., atomic clocks and inertial measurement units). While these are all important, resilience also requires considering how a system is structured and how internal components interact. Additionally, the conformance framework views PNT systems more like computers than radios and incorporates concepts from cybersecurity practices.
Presidential Policy Directive (PPD)-21 defines resilience as the ability to withstand and rapidly recover from disruptions. Based on this, “A key concept in the conformance framework is recognition that one-hundred percent perfect security does not exist,” says S&T technical manager Ernest Wong. “Therefore, while it’s important to prevent threats from entering our systems, it’s just as important to understand what happens when systems fail and how to recover from them.” The levels in the framework are cumulative, and this concept of recoverability is foundational to the framework; it is a requirement starting at level 1.
As PNT systems begin to have more PNT sources, each new source is also an additional attack surface. To mitigate these attack surfaces, level 3 of the framework requires isolation between the PNT sources. This is similar to the concept of sandboxing in cybersecurity applications, which prevents errors and exploited vulnerabilities in one application from spilling over into other parts of the system.
There is also a distinction between resilience and performance. In some cases, resilience measures may not result in direct impacts to performance; examples include security measures such as component isolation and sandboxing. In other cases, systems can be structured in ways to allow trading performance for greater resilience.
New PNT framework in practice
The conformance framework lays out four levels of resilience to allow flexibility in meeting different user needs. The levels are cumulative, with requirements in each level carrying over into the next. This results in higher levels corresponding with greater resilience.
The framework levels are also designed so that levels 1 and 2 should be feasible in the near term. This is done by prioritizing the most impactful and easily attainable capabilities. While vulnerabilities may still exist, this will significantly reduce the possible exploitation chains available to attackers and increase the difficulty for them to achieve their intended effect on target systems. Levels 3 and 4 are expected to involve more architectural changes and are targeted toward the next generation of PNT systems.
The Resilient PNT Conformance Framework is planned for public release in December 2020. A preview of the levels is available in S&T’s presentation at the Civil GPS Service Interface Committee from September 2020.
Over the past few years, S&T’s PNT program has worked to improve resilience against threats and disruptions by engaging with industry, developing mitigation technologies, and publishing best practices. “The Resilient PNT Conformance Framework is the culmination of our work from the past five years,” said Brannan Villee, S&T PNT program manager. “It will create the foundation for industry to develop resilient PNT standards and ultimately improve critical infrastructure’s ability to prevent, respond, and recover from GPS disruptions.”