Inside GNSS Media & Research

SEP-OCT 2018


must admit that when thinking through the worst case, sophisticated terrorist spoofing attack scenario, these defenses may be insufficient. Therefore, it has been agreed between ICAO, RTCA and EUROCAE to improve robustness against RFI and spoofing in next generation GNSS avionics. The only problem is to define what this "improvement" should look like. A number of aviation GNSS and security working groups are currently working on this.

A 100% guarantee of safety and security is only possible if flying is stopped altogether. Therefore, a residual security risk will always remain when operating an aircraft, including any risks posed by GNSS spoofing. The question is, what level of risk is acceptable and responsible. In many everyday situations, wearing a bullet-proof vest would be more secure. Most people have unconsciously decided that given the perceived magnitude of the security risk, this is not necessary. In most regions of the globe, experience justifies this decision. While the spoofing threat can appear to be less likely than a stray bullet, for a public commercial activity of flying multiple passengers through the air in large metal tubes at high speeds, a more structured and reasoned approach by appropriate experts is necessary.

For safety assessments, aviation uses a risk assessment matrix (Figure 3). The greatest risk reduction priority is on issues which have both a high probability of occurrence and severity of impact. In security assessments, it can be very difficult to accurately estimate the probability of occurrence, since this is in large part driven by random decisions of humans with above average irrationality. An easier and more productive method is to replace the probability of occurrence axis with feasibility.
The view that can be taken is that if a certain threat scenario can be easily accomplished while causing a severe impact, sooner or later some single ignorant individual or hostile organization may try it (i.e., setting the probability of occurrence to 1 in terms of risk management). Expert security risk assessment teams review all possible threats and evaluate what barriers can mitigate those threats, implementing or strengthening them through a security risk management system if necessary. An important principle is to limit the "success probability" of an attack: if the likelihood of being able to achieve a serious impact is low while the risk of exposure or detection is high, the scenario should lose attractiveness even for deviant personalities.

While this logic has merit, security experts need to remember that people will always do unexpected things, without fully realizing the consequence of their actions. A good example is powerful laser pointers, which some people have pointed at aircraft in flight without realizing the dangers they can cause to flight crews. But a laser pointer is also a much simpler consumer product which can be purchased and used without any effort. Purchasing a spoofer kit online and upgrading it to point with a directional antenna at an aircraft carrying passengers and crew quickly leaves innocent territory.

In some cases, mitigations can be surprisingly innovative. In a recent case near a major European airport, a "bored individual" pretended to be an Air Traffic Controller, talking to aircraft on final approach using a hand-held VHF transceiver. A very pragmatic solution was implemented during the several weeks needed to track down the individual.
Because "the kind of people that do these things are usually men" (as stated by a colleague close to the investigation), only female Air Traffic Controllers were assigned to manage the approach in question, and pilots requested to only talk and listen to instructions from a female controller.

Therefore, when analyzing future spoofing mitigation mechanisms in next generation aviation GNSS receivers, some inherent constraints need to be accepted:

• Barring premature replacement due to rising oil prices, a typical transport category aircraft lasts 30 years, with at most a minor avionics upgrade around mid-life. Some manufacturers are still selling SA-unaware GPS receivers! Given the much faster evolution of spoofing threats and associated technical capabilities, some anti-spoofing measures could lose their effectiveness relatively quickly. Aviation will always lose a technology cat and mouse race.
• Even security measures are subject to cost constraints. For example, additional drag (fuel consumption) and installation complexity means that advanced technology such as Controlled Radiation Pattern Antennas (CRPA) will not become a realistic option for civil air transport aircraft.
• More generally, civil anti-spoofing technology should not rely on advanced military technology subject to ITAR (International Traffic in Arms Regulation).
• Any adopted measure should not risk causing additional harm. An example is the strengthening of cockpit doors and access control post the 9/11 attacks. These played a contributing role in the crash of Germanwings flight 9525 in 2015. Some spoofing mitigation measures could reduce simple jamming robustness or continuity of service.
• In general, solutions need to be globally interoperable, accessible to all, and safe.

Another aspect is balance across all CNS systems. Any effort spent on GNSS, as increasingly relevant as it is, needs to be balanced against other vulnerabilities.
Making an analogy to securing a house, it makes no sense to spend a fortune on a double bolted steel front door if there is a back door which remains completely open. The comparison is useful but has its limits, because navigation has some different features com-

GPS SPOOFING AND AVIATION

FIGURE 3 ICAO Safety Risk Assessment Matrix and Security Context. Axis labels: Risk severity (High impact, Low impact); Risk Probability; Feasibility (Easy to do, Difficult to do (skill & resources)).
