
GNSS threats

The Galileo/PRS and EGNOS case

31st NEASCOG / CNS Security Workshop


EUROCONTROL, Brussels
14th June 2013

Rodolfo Crescimbeni
European GNSS Agency (GSA)
Tel. +32(0)229 85170
Rodolfo.crescimbeni@gsa.europa.eu

Introduction

• This presentation is UNCLASSIFIED, whereas the subject could be classified up to SECRET
• CNS developments are driven not only by ATM needs but also by other requirements, including safety and security (1)
• In this context, navigation means GNSS (GPS, GLONASS, Galileo) and augmentation systems (WAAS, EGNOS…)
• GNSS is a key element of CNS
• Security requirements of CNS/ATM must be flowed down to navigation (GNSS)

1) Civil-Military CNS/ATM Interoperability Roadmap 1.0

Vulnerabilities of GNSS: jamming

• GNSS signals are vulnerable to radio frequency interference
• The received power on the ground of the GPS C/A or Galileo OS signal is below the noise floor (-157 dBW)
• Only low jamming power is needed, and jammers are difficult to locate
• Consequences: reduced accuracy or complete loss of service

Source: Roke Manor Research


Vulnerabilities of GNSS: spoofing

• Except for restricted services, GNSS signals (GPS C/A and Galileo OS) are made openly available and predictable
• They use short and well-known codes
• These signals are vulnerable to spoofing, the process of counterfeiting open GNSS signal codes so that the user computes incorrect PVT solutions
• Signal generators are widely distributed and available

How spoofing works

[Figure: three stages of a spoofing attack. Scene labels: authentic satellites, real signal, malicious signal, spoofing transmitter, authentic trajectory, trajectory induced by the spoofing signal. Each stage has a plot of correlation output against code phase (t), with the late (L), prompt (P) and early (E) correlator points marked:]

1. Match Real Code
2. Capture
3. Pull Off
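
A receiver-side view of the three stages above, added here as an illustration and not part of the original presentation: a toy Python model of the correlation peak during pull-off, with a correlator ratio test that flags the distortion. The ideal triangular correlation, the phase-aligned counterfeit signal 1.5 times stronger than the authentic one, the correlator spacings, the 0.05 threshold and all function names are assumptions.

```python
# Added illustration: ideal triangular code correlation, all values constructed.
def tri(x):
    """Ideal normalised autocorrelation of a spreading code; x in chips."""
    return max(0.0, 1.0 - abs(x))

def composite(x, amp, delta):
    """Authentic peak at 0 plus a phase-aligned counterfeit peak at delta."""
    return tri(x) + amp * tri(x - delta)

def dll_lock(x, amp, delta, spacing=1.0, steps=200):
    """Iterate a normalised early-minus-late code loop until it settles."""
    h = spacing / 2
    for _ in range(steps):
        early = composite(x - h, amp, delta)
        late = composite(x + h, amp, delta)
        x -= 0.25 * (early - late) / max(early + late, 1e-9)
    return x

def ratio_metric(x, amp, delta, spacing=0.5):
    """(E + L) / (2 P) from a narrower monitor pair; 0.75 on a clean peak."""
    h = spacing / 2
    e, l = composite(x - h, amp, delta), composite(x + h, amp, delta)
    return (e + l) / (2 * composite(x, amp, delta))

NOMINAL, THRESHOLD = 0.75, 0.05  # alarm threshold is an assumed value

def monitor_pull_off(amp=1.5, step=0.05, n=51):
    """Sweep the counterfeit code offset from 0 to 2.5 chips while tracking."""
    x, rows = 0.0, []
    for i in range(n):
        delta = i * step
        x = dll_lock(x, amp, delta)          # loop follows the stronger peak
        r = ratio_metric(x, amp, delta)
        rows.append((delta, x, r, abs(r - NOMINAL) > THRESHOLD))
    return rows

if __name__ == "__main__":
    for delta, x, r, alarm in monitor_pull_off():
        print(f"offset={delta:4.2f} chips  lock={x:5.3f}  ratio={r:5.3f}  alarm={alarm}")
```

The alarm is raised only while the two peaks overlap; once the counterfeit peak has separated from the authentic one, the tracked peak looks clean again, so a check of this kind has to run continuously.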

Cases of interference/jamming in Aviation

Newark airport - USA

GPS-based landing system suffered from breaks in reception on many days over a period of several months due to jammers used by truck drivers circulating on nearby roads

Taoyuan airport - Taiwan

A 2011 study from Lulea and Cheng Kung Universities showed that several noticeable variations of the GNSS interference level were observed each day during two months

According to the author, the interference may come from a road nearby the airport and so likely from jammers

[Figure caption: Low-power jammers, embarked on anonymous vehicles running close to critical infrastructures, are considered as one of the most insidious threats to GNSS]

Spoofing

• In 2012 University of Texas researchers successfully hijacked a drone by “spoofing” it, i.e. giving it bad GPS C/A coordinates
• Spoofing is a real threat
• Spoofing is a sensitive matter; studies on this subject are CLASSIFIED
• Encryption provides a huge added value against spoofing: signals are not openly known
  • GPS PPS
  • Galileo PRS

Risks towards large use of GNSS

• Every time the use of a new technology grows, up to complete dependence, a concurrent growth is registered in criminal activity conducted to attack this technology and to exploit its vulnerabilities
  • As already happened for other technologies, such as the internet, mobile phones, etc.
• GNSS is gaining increasing importance in our society
  • Transportation, timing, critical infrastructure, asset tracking…
  • Evolution of CNS/ATM assigns to GNSS a primary role
• The success of GNSS makes attacks on these assets more attractive

Threats to GNSS are increasing

[Chart: interference cases, horizontal axis Jan-97 to Jan-12, vertical axis 0 to 14. Legend: Unintentional interference, Military Jamming, Cause unidentified, Jamming. Source: RF Threat Observatory (GSA)]

• Unintentional interference cases are slowly increasing
• Military jamming is constantly used
• Deliberate jamming cases are strongly increasing after their early appearances in 2008

In addition, spoofing cases have been found:

• Several discussions on internet websites, blogs, etc.
• Feasibility of various types of spoofing attack has been demonstrated (UAV) by various experiments and scientific papers

What to do? Defence in Depth

• Defence in Depth: a range of technical and non-technical security measures, organised as multiple layers of defence, in order to mitigate the risks of an effective attack
  • Deterrence and prevention
  • Detection, characterisation and response
  • Resilience and recovery
• If one layer fails, other defence layers are in place

Galileo PRS and Defence in Depth

• PRS represents an implementation of the “Defence in Depth” concept and ensures a high level of protection against the RF threats
• Layers of protection implemented in PRS are:
  • Legislation
  • System design
  • Mitigation techniques at Rx level

Different layers of protection in PRS

• Legislation
  • By legislation, use of unauthorized jammers and RF attack devices is already forbidden in the EU (1999/5/EC)
  • Decision 1104/2011/EU (PRS access rules) and the Common Minimum Standards ensure an additional level of protection
• System design
  • Strong access control through the PRS key management
  • Strong security control of the PRS management chain
• Mitigation techniques
  • Robustness of the signal
  • Signal processing at Rx level
  • Security Module

(*) Rules for access to the PRS

Benefits of multi-GNSS operations

• Multi-GNSS benefits
  • Improvements in availability, especially in difficult reception environments
  • Improvements in accuracy

[Figure: Dual Constellation improvements in availability. Source: ION 2010 – N. Davies]

[Figure: Dual Constellation PRS + GPS M-Code: Improvements in Accuracy. Surviving panel labels: L1A, L1, Combined Galileo, GPS – L1 only, Galileo PRS, GPS M-code, GPS. Source: Inside GNSS – Hein et al, Jan. 2006]

The EGNOS case

• The European Geostationary Navigation Overlay Service (EGNOS) is the first pan-European satellite navigation system
  • It augments the US GPS satellite navigation system and makes it suitable for safety-critical applications such as flying aircraft or navigating ships through narrow channels
  • It consists of three geostationary satellites and a network of ground stations
• EGNOS achieves its aim by transmitting a signal containing information on the reliability and accuracy of the positioning signals sent out by GPS

Security vs. Safety: some issues

• State asset equipment often integrates protection devices to secure telecommunications, which shall comply with security requirements
• The security functions to be implemented (and the overall level of protection to be obtained) may interfere with the operational and safety requirements of the equipment
• The implementation of the security requirements shall be verified through a dedicated certification process involving accredited bodies that are different from the bodies in charge of the safety certification

Security vs. Safety in EGNOS

• Security and safety aspects should not be developed independently, in order to avoid conflicts between operational performance standards and security implementation
• But in the EGNOS case there is the need to implement security when the system is already operational, and to make it coexist with safety without creating problems for the users
• Way forward: a risk assessment for EGNOS has been launched by ESA on the basis of the experience gained with Galileo, and perimeters for accreditations have been defined

Conclusions

• GNSS is an extremely powerful tool for CNS, but vulnerable to RF attacks
• The number of deliberate jamming attacks is increasing
• Several mitigation techniques against jamming are possible, for instance:
  • Controlled Reception Pattern Antenna
  • Rejection filters in receiver
  • Hybridization with Inertial Measurement Units
• Spoofing can be avoided using encrypted GNSS signals
• Studies on mitigation techniques against spoofing are CLASSIFIED
• GNSS devices provide PVT solutions, but timing is often forgotten
• Besides position, Galileo timing could also be a key element for Critical Infrastructures such as ATM

Thank you for your attention!