Securing military GPS and PNT systemsStory
December 02, 2022
Almost every part of our modern economy depends on the Global Positioning System, or GPS. For example, agriculture, construction, mining, rail transportation, and search and rescue all rely on the accurate position, navigation, and timing (PNT) enabled by GPS. An even broader set of industries – communications networks, banking transactions, financial markets, and power grids – rely on GPS for precise time synchronization, to such an extent that most systems would cease working without it. Alternative navigation (ALTNAV) systems can supplement GPS systems in GPS-denied environments using internal clocks and onboard sensors, and those ALTNAV systems should be protected from cyberattacks as well.
Like the bulk of so many commercial industries, U.S. military forces depend heavily on GPS. For the military, GPS enables navigation in hostile territory; precise munitions guidance; location of casualties; and fusing of data for intelligence, surveillance, and reconnaissance (ISR). Any gap in the availability of accurate GPS signals or equipment could disrupt aircraft, ships, munitions, land vehicles, and ground troops in military operations.
Military adversaries understand that dependence can disrupt operations through multiple forms of electronic attack, including jamming, spoofing, and hacking. The new military code (M-code) signal mitigates the first two by using a higher-gain transmitter antenna to make jamming more difficult and a more secure encryption algorithm, making spoofing almost impossible. Protection against hacking requires a different solution and should be applied at all segments. Alternative navigation (ALTNAV) systems can supplement GPS systems in GPS-denied environments using internal clocks and onboard sensors, and those ALTNAV systems should be protected from cyberattacks as well.
Modernization of the segments
GPS consists of three segments: space, control, and user (Figure 1). The space segment is a constellation of satellites that continuously broadcast precise time and location data. The control segment is a set of ground stations that control and monitor the satellites. The user segment is the diverse array of GPS receivers used by civilians and the military in aircraft, ships, land vehicles, munitions, and handheld devices. Each of those segments is susceptible to electronic attacks, including jamming, spoofing, and hacking. Jamming and spoofing receive the most attention and are addressed directly by the use of the new military code (M-code) signals as part of the GPS modernization programs.
[Figure 1 | The three segments of GPS – space, control, and user – are illustrated. Source: GAO report.]
The GPS modernization program includes updates to each segment of the system. GPS III satellites supplement and will eventually replace the constellation of GPS satellites now in orbit, starting with the first GPS III satellite launched in 2018. Some previous versions of GPS satellites (GPS IIR-M and IIF) also are capable of transmitting the M-code signal, just not at the higher power level of GPS III. The Next Generation Operational Control System (OCX) will replace the current ground control system, known as the Operational Control Segment (OCS). OCX includes modern cybersecurity protections and the ability to control the two latest generations of GPS satellites now in orbit, including enabling M-code and some new civilian signals. The Military GPS User Equipment (MGUE) program updates the user segment with receivers capable of receiving and decoding the M-code signal. A variety of receivers designed for different platforms will be built from a handful of M-code cards, each of which is designed for either ground use or aviation and maritime use. Each of those cards is based on an M-code ASIC [application-specific integrated circuit] developed by one of three suppliers.
Jamming and spoofing
Because a GPS receiver relies on signals broadcast from satellites in medium earth orbit, signal strength at the receiver is low and vulnerable to disruptions from interference or jamming. The low signal strength is primarily a function of the distance, because the receive signal strength follows the inverse square law with respect to distance from the satellite. The resulting minimum power received from the Coarse Acquisition (C/A) code is only about 160 dBW (10-16 W). The P code used by the U.S. military is only about -163 dBW, which is half the power of the C/A code.
GPS jamming can be mitigated at the receiver using digital beamforming, which is deployed on many U.S. military aircraft. Beamforming nulls the jamming signal, while reception lobes are locked onto good satellite signals. Modern military aircraft are able to null multiple GPS jamming signals at the same time.
The other solution is to increase the transmit power from the satellite, which is precisely what the M-code transmitters do on the new GPS III satellites. M-code will be broadcast from a high-gain directional antenna in addition to a wide-angle antenna covering the entire Earth. The directional antenna can be aimed at a specific region to provide a 20 dB (100-time) increase in local signal strength.
Low signal strength also leaves the receiver susceptible to spoofing, which occurs when someone uses a radio transmission to send a counterfeit GPS signal that overpowers a GPS satellite signal. GPS spoofing can direct aircraft, ships, or ground forces off-course and into danger. The best solution to spoofing is encryption: Current military GPS receivers use a selective availability anti-spoofing module (SAASM) to decrypt the P(Y)-code. M-Code upgrades that encryption using the modernized NAVSTAR security algorithm (MNSA), making M-code-enabled receivers virtually impervious to spoofing. Civilian GPS receivers can only access the unencrypted signal, so those are susceptible to spoofing, but that can be partially solved by spoofing-detection software. Although that does not enable access to a valid GPS signal, it does prevent taking action based on erroneous signals. Spoofing detection effectively reduces a spoofing attack to a denial of service (DoS) attack.
Another solution for jammed or spoofed GPS is to use alternative sources of PNT. Alternative PNT generally starts with an atomic clock for relative time and an inertial navigation system (INS), which calculates the location, orientation, and velocity of a moving object using accelerometers and gyroscopes. An INS is an autonomous, self-contained unit after initialization, so it is highly resistant to any type of jamming. However, an INS is susceptible to small errors in measuring the acceleration and orientation that can accumulate over time and become significant. Therefore, the vehicle position needs to be corrected periodically with help from a different navigation system.
A variety of sensors and technologies can provide complementary navigation to INS (Figure 2). Visual navigation (VisNav) compares imagery from onboard sensors to a database of terrain features or landmarks to calculate vehicle position. Sensors can include EO/IR, vision, Doppler radar, sonar, and lidar; each can be used individually or combined by sensor fusion technology. Automated celestial navigation (CelNav) images the sky and analyzes the orientation of stars and satellites. Signals of opportunity (SoOP) measure a variety of local radio-frequency signals (e.g., cellular networks and broadcast TV) and calculate the relative distance between an aircraft and the signals’ origin. Magnetic anomaly navigation (MagNav) measures variations in the Earth’s magnetic field as an aircraft travels over the earth and compared with geomagnetic reference maps to determine the aircraft’s location. Although some of those sensors can be temprorarily blinded by electromagnetic attack, such complementary navigations are relatively resilient yet remain susceptible to hacking.
[Figure 2 | Different sets of alternative navigation technologies can be used based on the platform and the mission. Source: GAO report.]
Hacking and security
Hacking is a grave concern for a ground-control station, as a hacker could gain control of one or more satellites. The hacker could not only cause denial of service or transmission of false information but could also change the orbit or cause physical damage to the satellite. The OSX next-generation operational control segment specifically includes a complex set of cybersecurity requirements.
Like any other computer system, a GPS receiver is also susceptible to hacking. A hacked GPS receiver could be disabled at a particularly inopportune time or provide erroneous position and navigation information similar to spoofing. Although the GPS modernization program does not directly address hacking receivers, all military GPS receivers are designed with some amount of cybersecurity. It is possible to go further and make a receiver virtually unhackable through a combination of hardware and software security architectures.
Security depends on having a high assurance of no vulnerabilities and authentication to ensure the correct code is loaded. Each portion of the code should be designed, tested, and verified to be free from vulnerabilities, starting with any metal-masked boot ROM code, which cannot be updated easily if a vulnerability is discovered later. The highest security assurance is demonstrated through security certifications and even formal proof of correctness.
An authenticated platform starts with a hardware root of trust (RoT) and then extends a chain of trust through the software layers, each authenticating the next before loading. The main choices for a hardware RoT include a separate trusted platform module (TPM) chip, on-chip boot ROM code, and on-chip security based on a physically unclonable function (PUF). For example, a Xilinx Zynq UltraScale+ MPSoC [multiprocessor system on a chip] has a configuration security unit (CSU) that boots from on-chip, metal-masked ROM and enforces the root of trust. It validates the integrity of a user public key read from external memory by calculating a checksum using the SHA-3/384 engine and then compares it to an RSA key hash stored in an eFUSE device. If those match, the CSU loads the first-stage boot loader (FSBL) and authenticates the FSBL. The FSBL authenticates and loads the full boot loader, which authenticates and loads the operating system (OS).
Once a trusted hardware platform is established, the next step is the design of the software architecture. The most accepted path to building a trusted software environment for high-assurance applications like PNT is a Multiple Independent Levels of Security (MILS) operating environment implemented to high robustness. High robustness means resilience to extremely sophisticated and well-funded threats, such as attacks from nation-states and national laboratories.
The MILS system divides the software architecture into three layers: the separation kernel, middleware, and applications. Each layer enforces a separate portion of the security policy set, with the separation kernel the only layer executing in privileged mode. The separation kernel divides memory into partitions using a hardware-based memory management unit (MMU) and allows only carefully controlled communications between non-kernel partitions. Higher-level operating system services, such as networking stacks, file systems, virtualization, and most device drivers, execute in a partition instead of in the kernel in privileged mode (Figure 3). This enables the separation kernel to focus on providing only the four foundational-security policies required to support higher-security functionality in the middleware and applications running in user mode. Those fundamental security policies are data isolation, control of information flow, resource sanitization, and fault isolation. The narrow focus on security minimizes the code size of the separation kernel, making it easier to evaluate. It is even possible to use formal methods of mathematics to prove the correctness of the kernel.
[Figure 3 | MILS architecture with the separation kernel running in kernel mode and enforcing separation of user space partitions.]
With a secure separation kernel as the foundation of a MILS architecture, applications can enforce their own security policies, enabling application-specific security policies. Each layer and application can be evaluated separately without impact to the evaluation of the other layers and applications, making the overall system easier to implement, certify, maintain, and reconfigure.
Alternative PNT solutions can have even more demanding security requirements than a GPS receiver. Because the system may need to combine information from classified and unclassified sources, the alternative PNT solution may need to span all security enclaves on the platform.
Example of secure deployment
Operating systems from Green Hills Software have been used in each of the three GPS segments: space, control, and user. The latest GPS design-in is with Raytheon Intelligence & Space (RI&S) for its offering of the Military Global Positioning System User Equipment (MGUE) Increment (Inc.) 2 miniature serial interface (MSI) with next-generation ASIC.
RI&S is developing one MSI card for aviation and maritime systems and another MSI card for ground-based systems, and INTEGRITY-178 tuMP will be used in both solutions running on the Arm processor-based ASIC. RI&S selected the INTEGRITY-178 tuMP RTOS based on previous use and for its ability to simultaneously meet both safety and security requirements. Those requirements included the highest DO-178C design assurance level (DAL A) and the NSA-defined separation kernel protection profile (SKPP) for “high robustness” security.
The MGUE Inc. 2 MSI program is developing a smaller M-Code ASIC and receiver card that consumes less power while increasing functionality, security, and performance. The smaller card will enable use in handheld and dismounted applications as well as mounted, maritime, and aviation platforms. The GAO [U.S. Government Accountability Office] estimates that approximately 700 different types of weapon systems will ultimately require M-Code cards and M-Code-capable receivers, including ships, aircraft, ground vehicles, munitions, and handheld devices.
Richard Jaenicke is director of marketing for safety and security-critical products at Green Hills Software. Prior to Green Hills, he served as director of strategic marketing and alliances at Mercury Systems, and held marketing and technology positions at XCube, EMC, and AMD. Rich earned an MS in computer systems engineering from Rensselaer Polytechnic Institute and a BA in computer science from Dartmouth College. Readers may email him at [email protected]
Green Hills Software https://www.ghs.com/
Green Hills Software, Inc.
Santa Barbara, California 93101