Logan Scott, LS Consulting logan.scott@geocodex.com

23 September 2011 LS Consulting 1

23 September 2011 2 LS Consulting

I sure am glad I bought that

jammer before I stole this car.

Newark Liberty Airport Offender Caught with A $33 200 mW GPS Jammer

Situational Awareness Is the First Step

23 September 2011 LS Consulting 3

23 September 2011 LS Consulting 4

VB

0

-VB

3

1

-1

-3

1

0

0

-1

1

1

-1

-1

Bits: 2 1.5 1

GA

+

- VB

D-Type FlipFlop

A/D Converter Clock

+

- 0

D-Type FlipFlop

+

- -VB

D-Type FlipFlop

Low IF Analog Signal

J/N Reading Pickoff

For 1.5 bit ADC Want ~ 40% “1” & “-1”

∑N

N1-

+

GAGC VT%

s1

D/A

Vi

iVA eG βα=

+

- 1.3VB

D-Type FlipFlop

Constant Envelope Detection Channel (CW, Swept CW,

Gold)

LPF (correlator)

23 September 2011 LS Consulting 5

acq/AGC.m CE Detection Channel (x2)

ON

OFF

CW Not CW

1 2

3

4

5 Jammer

23 September 2011 6 LS Consulting

CTIA Semi-Annual Wireless Industry Survey (http://www.ctia.org/advocacy/research/index.cfm/AID/10316)

302 million wireless subscriber connections in the US

253,086 cell sites

$310 billion cumulative capitol investment

Use Y/M-code Must Obtain & Key Receiver

Signal Checks Use J/N meter to check for above normal energy levels Monitor C/No meter for Consistency / Unexpected C/No Deep Acquisition to Look for Weak, Real Signals Tracking Loop Capture Detection Agreement between L1/L2/L5 Signals Monitor Phase Difference Between Antenna Elements Add Civil Signal Cryptographic Authentication Features

23 September 2011 LS Consulting 7

Can Detect Most

Spoofers

22 September 2011 Property of Logan Scott Only 8

Compare “Internal Watch Time” with “External Signals Time”

Continuity Checks in Time and Position Movement Checks for Stationary Receivers RAIM/FDE Type Functions Anomalous Time Bias & Time Bias Rate States Large Residuals, Particularly in Differential

Correction Channel(s) Consistency with other Navigation Sensors

23 September 2011 LS Consulting 9

Receiver Certification: A Simple Receiver Selection Criteria

23 September 2011 LS Consulting 10

Certified

Start With Basic Situational Awareness Standard RTCM Standard? DHS Sponsor?

Level 1 Certification Tests For: J/N Measurement Jammer Type Identification Basic Spoofing Detection PVT Discontinuity Detection

Up to Manufacturer On How to Pass the Tests

Level 1 Draft Attached posted at http://logan.scott.home.comcast.net/~logan.scott/ 23 September 2011 LS Consulting 11

Must Report with Maximal Effort •Display/Alarm

Reports J/N Level Reports Jamming Type (CW detection) Needs Spoof Detection Algorithms

23 September 2011 LS Consulting 12

Table from: u-blox 6 Receiver Description Including Protocol Specification, GPS.G6-SW-10018, 9 December 2010

23 September 2011 13 LS Consulting

To Prevent Test Gaming Scenarios Are Equal Length Scenarios Are Presented In Random Order In Some Scenarios, Nothing Happens

23 September 2011 14 LS Consulting

23 September 2011 LS Consulting 15

National Instruments PXIe-5672 2.7 GHz Vector Signal Generator 250 kHz to 2.7 GHz 32, 256, or 512 MB

memory 20 MHz real-time

bandwidth Full bandwidth

stream-from-disk capability

-145 to +10 dBm output power

Level 2 (Crypto & Out of Band Rejection) Level 1 + Software/Map Authentication Attestation & Provenance (Proof of Origin) Cryptographic Signal Authentication Out of Band Interference Rejection

Level 3 (Physical Security) Level 2 + Physical Security (FIPS-140?)

23 September 2011 LS Consulting 16

23 September 2011 LS Consulting 17

Receiver Situational Awareness

Receiver Certification

Jammer & Spoofer Detection & Location Provides

Basis

Drives Performance Requirements

Biases Buyer’s Receiver Selection

Product Differentiation

Opportunity $

Cryptographic Signal Authentication 1. Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems ION GNSS 2003 2. L1C Should Incorporate Cryptographic Authentication Features May 2006 Comments on ICD-GPS-

800 3. Expert Advice - Location Assurance GPS World 2007 4. Civilian GPS Signal in Space Enhancements for AntiSpoofing and Location Authentication, presented

at JNC 2011, 28 June, 2011

J911 1. J911: The Case for Fast Jammer Detection and Location Using Crowdsourcing Approaches, paper

presented at ION-GNSS-2011, September 20-23, 2011 2. J911: Fast Jammer Detection and Location Using Cell-Phone Crowd-Sourcing in November 2010 issue

of GPS World

Receiver Certification 1. Level 1 Draft Specification attached to pdf version of this presentation and posted at:

http://logan.scott.home.comcast.net/~logan.scott/

23 September 2011 LS Consulting 18

Logan Scott

LS Consulting

8/26/2011

GPS for Critical Infrastructure Certification Standard, Level 1

version 0.101

Logan Scott, loganscott53@gmail.com Page 1

Objective GPS receivers may see jamming and/or spoofing that could be harmful in critical applications. As a first step, this standard defines a series of tests by which a receiver demonstrates basic jamming and spoofing situational awareness and an ability to report on the nature of the interference. To promote rapid automated performance characterization and testing, receivers will provide J/N, C/No, Jammer Type, PVT, Situation Reports etc. via a standardized, non-proprietary, ASCII digital RINEX style message structure to be defined in this document. A GPS receiver that successfully passes all of the tests at an accredited lab is eligible for a Critical Infrastructure Certification, Level 1 (CIC-1). The specific means by which the receiver passes the test are up to the manufacturer.

Reporting Requirements This specification is intended to cover the full spectrum of receiver types ranging from OEM chips to units with integrated map displays. GPS receivers covered by this standard are expected to make maximal effort to report status with regards to interference. Thus, an OEM chip is expected to report status at a software protocol level with high priority given when interference is detected. A receiver with display is expected to report, via the display, when it is seeing interference. Receivers with audible alarm or LED alarm capabilities are expected to report via those means.

Tests Testing will be conducted using radiated signals in an anechoic chamber. Recognizing that some receiver types (e.g. OEM chips) may not comprise complete receiving systems, those receiver types may use a standard (TBD) antenna/preamp test fixture and such attachment will be noted in the certification report.

In general, tests will be conducted using the test setup shown in Figure 1. Multiple receivers of varying types may be tested simultaneously. The radiated test signal will comprise three major elements: up to 12 true signals generated by a GPS signal generator, up to 12 false (spoofing) signals generated by a GPS signal generator, various noise sources. Absolute and relative powers of all component signals are part of the various scenarios and they will be time varying. The scenario controller component of the Test Console will initiate the various scenarios. The Results Logger component will record PVT from the receiver under test and will record situation reports from the receiver under test. The results of these logs will be post processed to make a PASS/FAIL determination for each scenario.

Logan Scott, loganscott53@gmail.com Page 2

Figure 1: Test Setup Supports Simultaneous Testing of Multiple Receivers

The requirement is for situation reports to correctly describe the operating environment with regards to spoofing, jamming, and various combinations of the two. To discourage GPS receiver manufacturers from gaming the tests, the basic automated test procedure is to run a series of specified scenarios in random order and periodically obtain situation reports and PVT measurements from the receiver under test. In some scenarios, nothing happens; neither jamming nor spoofing is introduced. In others, jamming may be followed by spoofing. In yet others, spoofing and jamming may be present simultaneously. The lengths of the various scenarios will all be identical so as to prevent the receiver under test from identifying scenarios based on duration1

Figure 2: Scenario Timeline

. The baseline structure of a scenario is shown in Figure 2.

Starting on the left, the “Signals OFF” portion is just that, no signals are generated by the signal generators. The receiver under test will receive a “Begin” signal from the Test Console to indicate that testing has begun. The “Clear Period” lasts anywhere from 0 to 1 minutes and provides a period of time

1 This might be revised as some scenarios really do not have to be long duration but others are.

Logan Scott, loganscott53@gmail.com Page 3

for the receiver under test to acquire and establish baseline operation. The receiver under test will not be told when the “Clear Period” ends and in some tests (e.g. acquisition spoofing), there is no “Clear Period”. During the “Scenario Period”, the various signal generators of Figure 1 will exercise the receiver under test. Core requirements are as follows:

1: Demonstrate Jamming Awareness

The requirement is to measure and report J/N with a ±3 dB accuracy for J/N in the range +10 to +50 dB.

2: Jamming Type Detection

The requirement is to correctly identify Pulse, Constant Envelope (CW/swept CW, Gold Code), and Gaussian Jamming when J/N is in the range 10 dB to 50 dB.

3: Demonstrate Situational Awareness (Spoofing / Jamming)

A series of test scenarios will use various combinations of signals and noise types in an attempt to spoof and/or jam the receiver. Of particular note, some jamming scenarios (e.g. Gold code jamming) have been known to “spoof” receivers into reporting false positions. Receiver under test PVT values will be compared with “True Signal” PVT values as part of this testing. Scenario details are TBD

4: Provide Timing & Position Discontinuity Reports

The requirement is to measure discontinuities in position and time after each signal outage and if the discontinuity is large enough report it as a possible spoofing attack. The specific objective is to detect apparent velocity greater than 75 mph and/or time bias rate greater than 10 ppm.

Interface & Report Formats TBD

Test Lab Certification Certified Test Laboratories are authorized to issue GPS Critical Infrastructure Certifications, Level 1, (CIC-1) to tested receiver types. The cellular industry routinely certifies very complex subsystems for minimum performance and interoperability using a multiplicity of independently operated, certified test labs and thus provides a model for how to create certified test labs and procedures. In the US they have established the PCS Type Certification Review Board (PTCRB) (www.ptcrb.com) to provide member supported third party testing accreditation. The European counterpart is the Global Certification Forum (GCF) (www.globalcertificationforum.org). GPS CIC-1 lab accreditation could fall under the aegis of these organizations or another organization could be established for GPS only.

Logan Scott, loganscott53@gmail.com Page 4

Open Items This section will be moved to the front of the document once development commences. Open items can be submitted by anyone active in the standards development process and these items are considered open until resolved. The process works pretty well in cellular standards development.

Current open items:

1. Should true signals include L1, L2 & L5 signals? Should spoofing signals include L1, L2 & L5 components? (Logan Scott, LSC, 8/26/2011)

2. A calibrated range can precisely control incident power levels but how should receiver under test antenna patterns be accounted for? (Logan Scott, LSC, 8/26/2011)

3. A more elaborate, multiple antenna test setup is needed for receivers using multiple antenna direction of arrival sensing to detect spoofing. These methods are important but have not been addressed in this iteration. (Logan Scott, LSC, 8/26/2011)

4. Should a scoring system be used to grade receivers on each scenario or should it be a pass fail

system? (Logan Scott, LSC, 8/26/2011)

5. Should testing scripts be based on TTCN-3 (Testing and Test Control Notation version 3) a strongly typed test scripting language used in conformance testing of communications systems that is widely used in the cellular industry? (Logan Scott, LSC, 8/26/2011)

6. Would it be more appropriate to set up a government test facility at say Holloman as we did with the LightSquared testing? One advantage is that the spoofing scenarios would not have to be publicly disclosed. (Logan Scott, LSC, 8/26/2011)

7. What statistical criteria are used to establish a PASS or FAIL on a scenario? How many times does a scenario have to be repeated in order to confidently assess whether a receiver under test can provide proper responses via situation reports. (James Farrell, Vigil, 8/30/2011)

Higher Level Certifications to Consider More stringent certifications to consider as part of level 1 but more likely as part of a higher level certification include:

Level 2 (Crypto & Out of Band Rejection) which would be Level 1 plus:

• Software/Map Authentication • Attestation & Provenance (Proof of Origin) • Cryptographic Signal Authentication • Out of Band Interference Rejection

Logan Scott, loganscott53@gmail.com Page 5

Level 3 (Physical Security) which would include Level 2 requirements plus:

• Physical Security (FIPS-140?)