Inside GNSS Media & Research

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 56 of 67 S E P T E M B E R / O C T O B E R 2 0 1 8 Inside GNSS 57 pared to communication and surveillance. e primary client of navigation is the aircra and the pilot, and positioning sys- tems have a direct link to flight guidance systems. For com- munication and surveillance systems, the primary client is air traffic control, using it as a tool to ensure aircra separation. So if an attacker wants to affect the path flown by an aircra rather than just causing confusion, navigation systems are the obvious target. GNSS Spoofing and Aviation Navigation Systems Introducing the notion of path illustrates that this can be done in two possible ways: either change the desired path or change the indicated position. In the first case, a new desired path can be defined, where the navigation system will accurately lead the aircra to its falsified destination. In the second case, the falsi- fied position needs to be controlled in a way that its interaction with the defined path leads to the desired wrong path. So for an aircra on a final approach, the indicated position could be increased in altitude in order to cause flight control commands which make the aircra descend below path. Both of these mechanisms quickly reveal the significant benefit of indepen- dent altitude and heading, be it barometric or a radio altimeter, or from a gyro-compass (horizontal heading), respectively. In general it can be observed that the more critical the opera- tion (size of aircra / number of passengers / traffic density of airport), the more safeguards are in place, including altitude warnings in ATC systems based on surveillance sensors. Due to controlled flight into terrain (CFIT) being one of the major safety risks, many safeguards have been developed which are also efficient against security threats. The importance of safeguarding the reference path has already been recognized in GBAS standards. e objective of a precision approach guidance system is to get the aircra as close as possible to the right spot on the ground, at a location with a runway, into the so-called touchdown box. GBAS broad- casts the Final Approach Segment (FAS) definition to its users through the VHF Data Broadcast (VDB). A relatively obvious target is for a spoofer to try and inject a false path and send it to an aircra in a VDB message slot. Due to this, an authen- tication scheme has been developed that will make spoofing GBAS very difficult. e scheme is a requirement for Cat II/III operations and a recommendation for Cat I. In other GNSS- based approach and landing systems, the path is defined using an aeronautical database, where numerous integrity checks are performed in a relatively closed data chain, limiting path defi- nition falsification to insider attacks. But what about other, non-GNSS-based approach and land- ing guidance systems? e ICAO GNSS Manual contains the following statement: "It is considered that the spoofing of GNSS is less likely than the spoofing of traditional aids because it is technically much more complex" [7, section 5.3.5]. Indeed, expert judgement (without a detailed analysis and actual test- ing) suggests that spoofing an ILS is simpler than spoofing GNSS. But even that is not as trivial as a rough evaluation sug- gests. Many of the same safeguards are in place for ILS also, including an independent barometric altitude check. Falsifying ILS guidance was even a topic of a major Hollywood movie: "Die Hard 2" and Windsor Airlines Flight 114. Not surpris- ingly, it contains many inaccuracies, while in many decades of actual global operations, no attempts of ILS spoofing have been recorded. A sensitive topic such as spoofing aviation navigation and guidance systems can't be taken lightly and must be updated as the security situation evolves. Relying on a long history without any events may not be reliable indicator of the future, especially as it is very difficult to monitor for spoofing threats. How do we know we have been spoofed? We may observe some anomaly but it is very difficult to find out if it was a simple equipment malfunction or a targeted spoofing attack. e only thing that can be said with reasonable certainty is that there is no civil record of targeted spoofing attacks which actually lead to accidents. All aircra accidents are investigated thoroughly and typically include a long list of contributing factors. It is unlikely that an attacker manages to select a flight ahead of time which is experiencing several safety issues just to mask a major security issue. Nonetheless, the GNSS Manual statement above may need to be revised at some point: yes, it is technologically a lot more advanced to spoof GNSS. However, with advances in digital signal processing, capabilities are becoming available where not much specialized radio frequency engineering knowledge is needed anymore for an attack. Traditional, old-fashioned avia- tion navigation systems still use a lot of very specific, analogue technology, which is not appealing to tech-savvy experiment- ers. GNSS on the other hand is a lot more soware-centric and in use by many different applications in many different contexts. is results in a cross-domain risk where capabili- ties developed for other GNSS purposes could be modified and used against aviation. Closing Open Doors: Threat Scenario Analysis So how do we apply due diligence to mitigate against GNSS spoofing risks in this evolving aviation CNS context, taking into account its inherent limitations? e first step is to assess threats and risks and then close any doors which can reason- ably be closed. But how does one know which doors to pick, especially when accurate threat data is hard to obtain? While many things can and are being done at the operational level, the remainder of this article will discuss what could be done in next generation, DFMC GNSS receivers. is needs to consider the operational context of aviation GNSS receivers: the mul- tipath environment is relatively benign and dynamic, accuracy requirements are generally not demanding with common use of carrier smoothing, and tracking loops need to be able to deal with normally encountered dynamics effects. Another key aspect is that it is difficult to access an aircra GNSS antenna directly, so most spoofing injection scenarios will be non- coherent and may oen follow a first jam, then spoof pattern. Even if the attack does not foresee a jamming first, getting the spoofing signal level just right at the aircra antenna is not trivial, therefore leading to spoofing attacks which may first jam the receiver.

Articles in this issue

Links on this page

view archives of Inside GNSS Media & Research - SEP-OCT 2018