Mitigating GPS Vulnerabilities in Mission Critical Applications Eran Gilat October 2014

Agenda Overview of GNSS GNSS Vulnerabilities Mitigation Strategies in Government (Defense, Research & Public Safety) Applications Summary

GNSS Technology is Ubiquitous Aerospace/Defense, Satellite Systems and Public Safety within Government market depend heavily on GNSS technology to synchronize their network infrastructure

GNSS Navigation Satellite Systems (GNSS) Beidou Regional systems are also in operation or being planned Galileo (European Union) In preparation stages Beido (China) Partially operational GLONASS (Russia) Operational GPS (United States)

GNSS Vulnerabilities – March 2012 GNSS vulnerability is a growing concern in critical infrastructure applications

GNSS Transmit Power is Very Low Visibility of 4 satellites typically needed to solve for position and precise time applications Multiple atomic clocks are on each satellite. PPS Precise Positioning Service P(Y) Code modulated onto L1 and L2 carrier Encrypted signals Authorized users only SPS Standard Positioning Service C/A (Coarse Acquisition) Code modulated onto L1 carrier No encryption Commercial, civil and gov’t users (everybody) L2 Band – 1227.6 MHz L1 Band – 1575.42 MHz - Another source: “GPS signals are extremely weak. According to a report presented to the U.S. National Transportation Systems Center in 1998, the GPS signal is equivalent to the light coming from a 25-watt bulb 11,000 miles away. When received at earth they are spec’d around -157 to -160 dBW (decibel Watts) (1 x 10-16W)as As low as one tenth of 1 quadrillionth of a Watt at the receiver. GPS provides two positioning services - the Standard Positioning Service (SPS) and the Precise Positioning Service (PPS). GPS is broadcast on two carriers – on the L1 band and the L2 band. The SPS – the civil or Coarse Acquisition (C/A) Code – is available to anybody. This is broadcast only on the L1 band. It is not encrypted, so anyone with a receiver can pick it up. PPS is only available to authorized military or government users. It is broadcast on both carriers. It is encrypted; so a SAASM (Selected Availability Anti-Spoofing Module) device is needed to decrypt the signal. PPS is more resistant to jamming, and is broadcast with more power. GPS transmit power is very low… less than a 25 watt light bulb 11,000 miles away..

GPS Signal Characteristics The encrypted GPS signal is referred to as the P(Y) code. The unencrypted signal is known as the Coarse Acquisition (C/A) code. The C/A code is a narrow band signal and more susceptible to jamming. The P(Y) code is a wider band signal with a higher overall power level which provides jam resistance. C/A code is on the L1 band only and more vulnerable than the P(Y) code

GNSS Vulnerabilities

GNSS Vulnerabilities are a Major Concern 7th ANNUAL GNSS VULNERABILITIES AND SOLUTIONS CONFERENCE 18 – 20 April, 2013 “Maintains a central database for reports of domestic and international interference to civil use of GPS …” COORDINATES MAGAZINE March 2012 U.S. Department of Homeland Security GNSS vulnerability is a growing concern in critical Government infrastructure applications

GNSS Challenges: GPS tested by DOD 782 Hours 90 days Cumulative Duration 141 NOTAMs Shortest 1.0 hour Average 6.63 hours Longest 72 hours 9 Month Duration Geographical Area Impacted Geographical Area Impacted Maximum Maximum Minimum Minimum Average Average Miles Miles 2 2 2 2 2 2 Miles Miles Miles Miles 455,805 455,805 66,018 66,018 139,795 139,795 During the 9 month study there was an outage somewhere in the study area ~12% of the time, affecting on average ~4.5% of the continental U.S. Source: FAA, 2010

Everyday GNSS Outages (Intentional) Jammers and Spoofing Software attacks Jammers $55 Ebay $83 GPS&GSM Spoofing Cheap jammers to sophisticated spoofing

Everyday GNSS Outages (Unintentional) Mechanical, Human Error Natural, Environmental Antennas are easily damaged and can interfere with each other Lightning hits, antenna icing GPS cable conduit dangling in the wind Harmonics or radiation from nearby electronics failures or misaligned transmission equipment Solar flares, atmospheric phenomena Foliage obscures GPS deployments

Anti-Terrorist Initiatives Governments may intentionally jam GNSS to stop terrorist activities, for example: Five GPS phones that were used by the terrorists during the Nov 26, 2008 attacks in Mumbai Terrorists using GPS to navigate and organize anti-government activities War operations

Even Normal Operations Can Introduce Errors Orbit error Satellite clock error Ionospheric delay Tropospheric delay Multipath Receiver noise Tropospheric

EWR, Liberty International Airport, NJ GPS Outages Event Duration Cause & Impact St Charles, MO 11-21 Oct, 1994 and May 1995 GPS/L1 interference from test equipment at nearby aerospace facility Chesterfield, SC 15-23 April 1999 Army communications system radiating in GPS/L1 band Moss Landing, CA 15 April – 22 May, June & Fall, 2001 TV antenna pre-amp radiating in GPS/L1 band, GPS denied throughout harbor region Mesa, AZ 13-18 Dec, 2001 Signal generator radiating at 1575.002 MHz, GPS denied for 150nm radius San Diego, CA 22 Jan, 2007 US Air Force, emission at GPS due to personnel error, wide-scale denial of GP New York, NY 2008 GPS outage and effected systems similar in character to ’07 San Diego event Leesburg, VA July 2011 - January 2012 100mW jammers caused minor disturbance to FAA Control Center, ZDC EWR, Liberty International Airport, NJ 2009 - Present suspect 100mW - 250mW jammers, FAA equipment going off line Las Vegas March 2012 DoD event, unintentional going; exercised Cease Buzzer; Las Vegas airport ground stop for approximately 1 hour March 2011: a U.S. military reconnaissance aircraft was forced to land during an annual major east Asian military exercise, known as Key Resolve, due to GPS jamming. The jamming reportedly took place along the northern portion of the 684-mile long Korean peninsula, with the jamming supposedly originating with the North Koreans. March 2011: North Korean military units jammed GPS signals in some parts of South Korea. Intermittent GPS failures occurred in northwestern base station coverage areas such as Seoul, Incheon and Paju. "We suspect the interference was caused by strong jamming signals sent by the North.“ It was believed that 146 cell sites were knocked out. Source: Examples compiled from published reports and open literature

Mitigation Strategies

Timing Accuracy Requirements for Various Applications 1 ms 10 ms 100 ms 1 s PTTV R&D N/F Scientific/ Experimental High Precision Military GPS Monitor Situations GPS Weapons ATS Airborne Geolocation Demo Bistastic Radar Other Applications Advanced Comms Power Systems Fault Location Phasor Measurements Data Sharing CDMA2000 Base Stations Low Precision Military Ground Terminals VHF Terminals Wide Area Data Logging Sesmic Monitoring Nuclear Blast Detection Digital Time Servers NTP, etc. Astronomy Authentication Internet login Timing user survey not intended to be a complete representation of all users. Requirements have been generalized and averaged over user groups. Financial Transactions

Mitigation of GNSS Vulnerabilities Strategy 1: Network distributed timing Strategy 2: Holdover Oscillator Technologies Quartz Rubidium Cesium Primary Reference Strategy 3 Use Model: Jamming recognition algorithms Strategy 4: Secure GNSS (SAASM) Technology Used only by US Government Authorized Users

Strategy 1: Network Distributed Timing Distribute timing over WAN using PTP when GNSS is jammed locally: GNSS remains the primary reference from a remote location PTP 1588v2 able to transfer time accurately Remote location enabled by PTP clients Both Time & Frequency can be transferred Key Applications: Test ranges: weapons and launch vehicles Distributed sensor networks Remote campus timing Locations not accessible to GNSS deployments Security reasons Bunkers No provision for antennas PTP 1588v2 GNSS Frequency & Phase Layer 2 and 3 Legacy & Next generation networks 1-10 microsecond accuracy Frequency & Phase Physical Layer Legacy & next generation networks 100 nanosecond or better

Use Model: Distributed Sensor Network Driver Sensor network requiring a reliable back-up to the local GNSS infrastructure Need to monitor remote GPS units and manage Central Timing Systems with PTP Central timing system delivers time to remote when GNSS is lost using PTP via WAN PTP with Telecom Profile can sync instruments across the WAN accurately On-path support not required in many cases Central Time Standard Time Cesium 4500 Clock TimeProvider 5000 GM & Time Pictra WAN/LAN PTP/ Ethernet

Strategy 2: Holdover Holdover: continuing operation when the primary timing and synchronization source is lost with a local oscillator Holdover period is a function of the system timing requirements and the performance of the holdover oscillator Temperature changes, both degrees of change and speed of change, affect holdover performance Higher quality oscillators provide longer holdover (Ex: Cesium) There are a wide variety of oscillator types in use today. OCXO and Rubidium are most common due affordabaility

Holdover Performance OCXO Rb OCXO 8 µs / day Microsemi Optimized OCXO < 4.5 µs / day OCXO Rb Rb 1.5 µs for 24 hours

Use Model: Government Tactical Communications Systems KU Band KU Band HC Line-of-sight Radio Services Black Voice Red Voice XLi /XLi SAASM High Stability Rb 10 MHz LPN T1 N.1 Freq - NTP SIPRNET The JNN system includes communication equipment mounted in shelters on HMMWVs, called JNN shelters, satellite terminals mounted on trailers, and communication equipment mounted in transit cases. There are two classes of transit case equipment: Brigade Cases and Battalion Cases. [4] The system's core is a Promina switch and cisco routers, with NIPRNet and SIPRNet capabilities, plus secure and non-secure voice systems, VTC, and the ability to link in older "legacy" systems, such as MSE, into the global network.[5] To accomplish this objective, the TTS would comprise asynchronous transfer mode (ATM) backbone switches, Integrated Services Digital Network (ISDN) access switches, and High-Capacity Line-of-Sight (HCLOS) radios, as well as wireless communications used in both local area networks and Personal Communication Services (PCS). These capabilities would be achieved primarily through technology insertion and enhancement of the current Area Common User System such as the Mobile Subscriber Equipment (MSE) located at division/corps, and the Tri– Service Tactical (TRITAC) equipment at Echelons Above Corps (EAC). http://www.globalsecurity.org/military/systems/ground/win-t-cap.htm NIPRNET BITS Rubidium provides the most reliable holdover mobile communications

Ultimate Holdover: Cesium Technology Cesium Technology is considered the most comprehensive holdover option against GNSS vulnerabilities Exhibit no frequency drift Maintains 5x10-15 accuracy over the life of the instrument Critical for long-term autonomous operation No on-going calibration required More expensive than Rubidium and OCXO Consumes more power and space Typical applications Fixed wireline communications infrastructure Under sea (Submarine) Satellite ground stations

Use Model: Strategic Government Communications Cesium 56k or SSU 2k BITS Clock 10 MHz Primary Secondary 10 MHz IRIG XLi (C/A) or SAASM Time & Frequency Receiver ATM Future SONET Crypto SIPRNET Voice / Video SyncServer (C/A) or SAASM Network Time Server TOD NTP NIPRNET IDNX SAASM technology backed by Cesium delivers ultimate protection against GNSS vulnerability

Strategy 3 Use Model: Jamming recognition algorithms Modern GNSS receivers got internal mechanism to identify jamming Indicator for continuous wave (narrowband) jammers indicator for broadband interference (Example from u-blox 8MF receiver) Management (NMS) system technics to identify jamming scenarios Recognition of Jamming in the receiver should cause holdover in the System

Microsemi TimePictra 10.2 Example TimePictra is End to End Sync management solution TimePictra checks each GPS for The Reported position has not changed – Remember the antenna is fixed to a building PDOP is checked, which checks for poor satellite geometry Number of satellites that report ok, alarms if less then 4

Strategy 4 Use Model: GPS Positioning Services PPS Precise Positioning Service Encrypted P(Y) code modulated onto L1 and L2 carrier Authorized users SPS Standard Positioning Service C/A (Coarse Acquisition) code modulated onto L1 carrier Commercial, civil and military users (everybody) L2 Band – 1227.6 MHz L1 Band – 1575.42 MHz SAASM GPS receivers are dual band and capable of decoding both the signals provided by the Precise Positioning Service and Standard Positioning Service. Only authorized military users can use the encrypted signals provided by the PPS service. The PPS service has the added benefit of being broadcast on both the L1 and L2 which provides redundancy and improved accuracy. Since the L1 and L2 signals are broadcast at different frequencies, dual band receivers can measure and remove the ionospheric delay to improve the accuracy. SAASM GPS Receivers are PPS Receivers

SAASM Receiver Keys Keyed SAASM receivers support A-S and correct for SA Red Keys Black Keys Encrypted and unclassified Black keys = encrypted Red keys Can be distributed and loaded electronically Decryption of the key takes place in the SAASM module Renew with over-the-air-rekeying (OTAR) (future) Classified - distribution must be protected Cumbersome and not encrypted Antiquated paper tape distribution and loading Must be manually re-keyed In order to decrypt the P(Y) code, PPS receivers must have a valid key (red or black) loaded into the SAASM module. Red keys are classified keys and distribution of the key must be protected. Black keys are encrypted and unclassified so are much easier to distribute. Therefore the US DoD is strongly encouraging users to go to black keys. The only place the black keys are decrypted is within the SAASM module within the tamper proof boundary. Red keys are more difficult to securely distribute and manage as they are Classified Black keys solve key distribution problem as they are Unclassified

XLi SAASM GB-GRAM Time & Frequency Receiver XLi features & functions with security of SAASM For users authorized by the US government only SAASM has been mandated for new US DoD GPS systems since 2006 (unless waivered) Chairman of the Joint Chiefs of Staff CJCSI 6130.01D – April 13, 2007 (FOUO) As of October 1, 2006 all newly fielded DoD GPS system will use SAASM PPS devices. Procurement of non-SAASM GPS user-equipment will be disallowed, unless waivered.

SAASM: Direct Y Acquisition DAGR GPS Satellites L1 Band - 1.575 GHz L2 Band – 1.227 GHz C/A Jammed PLGR The keyed XLi SAASM supports a “Hot-Start” from a DAGR or PLGR when C/A code is absent

GNSS Vulnerability Mitigation Strategies - Recap Satellite based GNSS including SAASM Holdover Protection Rubidium/OCXO Cesium Network based PTP IEEE 1588v2 Resilient infrastructure Needs 2 Out of 3

Summary GNSS vulnerabilities in government infrastructure can be mitigated with: Secure GPS SAASM Technology Redundant clocks in the network Adding PTP over WAN or LAN Rubidium or Cesium for holdover Spoofing identification in receiver or management system Microsemi offers solutions to ensure that mission critical applications will be protected from GNSS vulnerabilities

Thank You Eran Gilat EMEA, System Sales Engineer Eran.gilat@microsemi.com +972.52.342.4718

Reference Section

Other Factors Affecting GPS A sun outage, or sun fade is a signal degradation phenomenon that affects the transmission of radio signals in satellite communications. It is quite clear from the previous section that we are currently unable to meet the measurement requirements for most of the climate variables.