Robustness Levels of Critical Infrastructures Against Global Navigation Satellite System Signal Disturbances


Introduction
Global navigation satellite systems (GNSS) have become immensely popular for providing positioning, navigation, and timing (PNT) information to a wide range of applications. This popularity has a downside as well. It has been well documented (see, e.g., [1]) that GNSS-based PNT information can be easily compromised, either intentionally or accidentally. However, this knowledge of the vulnerability of GNSS-based PNT information is not widely known outside the community of GNSS specialists. Especially for applications that control critical infrastructures, this lack of knowledge may lead to less effective operation and maintenance of the infrastructure and eventually to the potential loss of essential services and resources.
In order to better inform designers and operators of critical infrastructures, the knowledge of robustness should be better disseminated. This study describes the first results of an attempt to make this information more readily available: the resilience of applications that use PNT information for their correct operation is investigated. The assessment is based on a resilience framework pioneered by the US Department of Homeland Security (DHS) [2]. Various ways of assessing resilience are foreseen, from questionnaires to automated test approaches. The approach proposed in this study is to largely generate the assessment methods automatically using a computer program that works from a computer-readable and formalized description of the resilience framework. Resilience is obtained through the robustness of the GNSS receiver and of the additional equipment used to determine the PNT information. Various signal disturbances are considered, including natural radio frequency interference (RFI), jamming, and spoofing. There are many different formalisms for describing the (lack of) resilience knowledge. This study considers the "fault tree" formalism to capture the resilience knowledge.

GNSS Basics
A GNSS receiver tracks the signals of all GNSS satellites in view. One indicator of the quality of the tracking process is the carrier-to-noise density ratio (C/N0), expressed in decibel-Hertz (dB-Hz). Too low a C/N0 (typically below 25 dB-Hz) usually causes the receiver to lose lock on the signal. The higher the C/N0, the better the receiver estimates the pseudorange.

Disturbances
Unintentional interference mainly comprises natural, inter- and intra-system, out-of-band, and in-band interference. Such interference can come from faulty machinery. Multipath is also one of the major contributors of error to satellite positioning, especially in urban canyons.
Jamming: Jamming is the process of purposefully disturbing the reception of GNSS signals by receivers in a targeted geographic region (the jammed region). In the case of jamming, a powerful signal is applied to the target receiver's antenna, such that the front end has to handle the high-power signal, which reduces its capability to handle the low-power authentic GNSS signal. Usually, the front end adjusts the automatic gain control (AGC) so that the processor can handle the powerful jamming signal. The effects of jamming are [3]: potential loss of tracking, a decrease in measured signal strength (C/N0), changes in AGC values, an increase in noise on the pseudorange measurements (code phase and carrier phase) and on the position, and an increase in cycle slips.
A rather new jamming technique, called systematic jamming, uses measurements of the signal to be disturbed in order to jam it in an intelligent way. Systematic jamming relies on a standard receiver that determines at which points in time jamming is most effective and only jams the signal briefly, e.g., to deny reception of the time-of-week indicator.
Spoofing: Spoofing is the transmission of forged GNSS-like signals with the purpose of producing a false position or time at the victim's receiver without visibly disrupting GNSS operations, thus effectively taking control of the receiver. With the advent of software-defined radio (SDR) technology, implementing a spoofing system has become practical, so spoofing poses a real threat to the trustworthiness of GNSS-based PNT information.
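As an added illustration of the jamming indicators listed above (example code written for this page, not from the paper or its authors), the following Python script classifies receiver epochs from a constructed observation log. It assumes the receiver exposes a per-epoch AGC gain in dB and per-satellite C/N0 values in dB-Hz; the 25 dB-Hz lock threshold is the one quoted in the GNSS Basics section, while the 6 dB C/N0 drop, 5 dB AGC drop and 50% loss thresholds and the sample epochs are assumptions. The point is the combination of indicators: a C/N0 drop together with an AGC back-off points to strong in-band power (jamming), whereas satellites lost without any AGC reaction point to obscuration or antenna problems rather than jamming.

```python
"""Heuristic jamming detector over receiver observations (added example, not from the paper).

Assumptions: the receiver reports per-epoch AGC gain in dB and per-satellite C/N0 in dB-Hz;
the thresholds are illustrative and the observation samples below are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

LOCK_THRESHOLD_DBHZ = 25.0   # paper: below roughly 25 dB-Hz the receiver tends to lose lock
CN0_DROP_DB = 6.0            # assumed: median C/N0 drop vs. quiet baseline that is suspicious
AGC_DROP_DB = 5.0            # assumed: AGC gain reduction that signals strong in-band power
LOSS_FRACTION = 0.5          # assumed: fraction of satellites lost that is suspicious


@dataclass
class Epoch:
    t: int                           # seconds since start of the log
    agc_db: float                    # front-end AGC gain; backs off when a strong signal arrives
    cn0: Dict[str, Optional[float]]  # PRN -> C/N0 in dB-Hz, None = not tracked


def tracked_cn0(epoch: Epoch) -> List[float]:
    """C/N0 of the satellites the receiver still holds in lock."""
    return [v for v in epoch.cn0.values()
            if v is not None and v >= LOCK_THRESHOLD_DBHZ]


def baseline(epochs: List[Epoch]) -> Tuple[float, float]:
    """Median C/N0 and median AGC gain over a quiet window."""
    cn0s = [v for e in epochs for v in tracked_cn0(e)]
    return median(cn0s), median(e.agc_db for e in epochs)


def classify(epoch: Epoch, base_cn0: float, base_agc: float) -> str:
    """'jamming' when C/N0 degradation coincides with an AGC back-off,
    'obscuration' when C/N0 degrades but the AGC does not react (e.g. blocked sky view),
    'nominal' otherwise."""
    locked = tracked_cn0(epoch)
    lost_fraction = 1.0 - len(locked) / len(epoch.cn0)
    cn0_drop = base_cn0 - (median(locked) if locked else 0.0)
    agc_drop = base_agc - epoch.agc_db
    degraded = cn0_drop >= CN0_DROP_DB or lost_fraction >= LOSS_FRACTION
    if degraded and agc_drop >= AGC_DROP_DB:
        return "jamming"
    if degraded:
        return "obscuration"
    return "nominal"


def detect(epochs: List[Epoch], quiet: int = 3) -> List[Tuple[int, str]]:
    """Use the first `quiet` epochs as the baseline and classify the remaining ones."""
    base_cn0, base_agc = baseline(epochs[:quiet])
    return [(e.t, classify(e, base_cn0, base_agc)) for e in epochs[quiet:]]


QUIET = {"G01": 44.0, "G02": 42.0, "G03": 46.0, "G04": 43.0, "G05": 41.0, "G06": 45.0}

# constructed observation log: three quiet epochs, a jammer switching on and ramping up,
# an epoch where half the sky is blocked, and recovery
SAMPLE_EPOCHS = [
    Epoch(0, 40.0, dict(QUIET)),
    Epoch(1, 40.0, dict(QUIET)),
    Epoch(2, 40.0, dict(QUIET)),
    Epoch(3, 28.0, {"G01": 34.0, "G02": 32.0, "G03": 36.0, "G04": 33.0, "G05": 31.0, "G06": 35.0}),
    Epoch(4, 22.0, {"G01": None, "G02": None, "G03": 27.0, "G04": None, "G05": 26.0, "G06": 28.0}),
    Epoch(5, 40.0, {"G01": None, "G02": None, "G03": None, "G04": 43.0, "G05": 41.0, "G06": 45.0}),
    Epoch(6, 40.0, dict(QUIET)),
]


def run_sample() -> List[Tuple[int, str]]:
    return detect(SAMPLE_EPOCHS)


if __name__ == "__main__":
    for t, verdict in run_sample():
        print(f"t={t:>3}s  {verdict}")
```

The AGC is the discriminator here: a building blocking the sky lowers the number of tracked satellites but leaves the front-end gain untouched, while a jammer forces the AGC down before C/N0 collapses. Real deployments would add hysteresis and a per-satellite elevation check, which this example omits.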

Example of Critical Infrastructure Applications and Electricity Networks
Applications within critical infrastructures often require reliable and accurate PNT information. Just relying on a simple GNSS receiving system for this PNT information may not be enough to satisfy the availability and safety requirements that are imposed on the applications running in the critical infrastructure domain.
Some example applications from the electrical energy sector include [4]:
• Sequence of Event (SoE) recording is a data logging system that stores time-stamped event information. The exact order of events is essential in quickly finding the real cause of a problem in electricity systems. A fault in one system may result in a whole avalanche of events at the subsystems connected to the source of the failure. These events happen so fast that they almost seem like one instantaneous event if the time resolution of the SoE recorder is too coarse. The timing accuracy requirement is < 1 ms;
• A phasor measurement unit (PMU) is a device used to estimate the magnitude and phase angle of an electrical phasor quantity in the electricity grid. The timing accuracy requirement is < 1 µs;
• Wire fault localization using the traveling wave method. Such methods calculate fault locations by measuring the arrival times of the naturally occurring traveling waves caused by a transmission line fault. The timing accuracy requirement is < 100 ns.
GNSS-disciplined clocks are used in such applications to meet these strict timing requirements. The basic principle of these clocks is that the GNSS time information controls a local oscillator. The principles actually used are often not disclosed, but in general, the frequency of the local oscillator is kept within strict bounds by one or more servo loops, such as a phase-locked loop (PLL). After a GNSS disturbance has occurred, the clock continues to operate, but its stability parameters degrade over time. If the disturbance lasts for a longer period, the clock might no longer meet the application's requirements. Depending on the quality of the local oscillator, it may take minutes to hours before the clock has degraded such that it fails to meet the accuracy requirements.
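To make the last sentence concrete, here is an added worked example (not from the paper): a small holdover model that computes how long a disciplined clock keeps each of the three applications above within budget once the GNSS reference is lost. The quadratic error model, the two oscillator classes (TCXO, OCXO) and their frequency-error and aging figures are assumptions chosen for illustration; the 1 ms, 1 µs and 100 ns budgets are the ones given in the text.

```python
"""Holdover budget of a GNSS-disciplined clock.

Added example, not code from the paper. Model (assumed, a standard oscillator model):
after the GNSS reference disappears at t = 0 the time error grows as
    x(t) = x0 + y0 * t + 0.5 * a * t^2
with x0 the residual offset (s) when the servo loop opens, y0 the fractional frequency
error at that moment, and a the aging rate (fractional frequency per second). The
oscillator classes and their figures are illustrative assumptions, not measured data;
the application budgets are the ones quoted in the text.
"""
import math
from typing import Dict, List

SECONDS_PER_DAY = 86400.0

REQUIREMENTS = {                       # seconds, from the text
    "SoE recording": 1e-3,
    "PMU": 1e-6,
    "travelling-wave fault location": 100e-9,
}

OSCILLATORS = {                        # assumed: (y0 at loss of reference, aging per day)
    "TCXO": (1e-8, 1e-9),
    "OCXO": (1e-10, 1e-10),
}


def time_error(t: float, x0: float, y0: float, aging_per_s: float) -> float:
    """|x(t)| in seconds."""
    return abs(x0 + y0 * t + 0.5 * aging_per_s * t * t)


def holdover_seconds(budget: float, x0: float, y0: float, aging_per_day: float) -> float:
    """Seconds until |x(t)| reaches `budget`: the positive root of
    0.5*a*t^2 + y0*t - (budget - x0) = 0, written in the cancellation-free form
    t = 2c / (y0 + sqrt(y0^2 + 2ac)) so that tiny y0 and a do not lose precision."""
    c = budget - x0
    if c <= 0.0:
        return 0.0                     # already outside the budget
    a = aging_per_day / SECONDS_PER_DAY
    if a == 0.0:
        return math.inf if y0 == 0.0 else c / y0
    return 2.0 * c / (y0 + math.sqrt(y0 * y0 + 2.0 * a * c))


def holdover_table(x0: float = 0.0) -> Dict[str, Dict[str, float]]:
    """Holdover seconds per oscillator class and application."""
    return {osc: {app: holdover_seconds(req, x0, y0, aging)
                  for app, req in REQUIREMENTS.items()}
            for osc, (y0, aging) in OSCILLATORS.items()}


def still_met(outage_seconds: float, oscillator: str, x0: float = 0.0) -> List[str]:
    """Applications whose requirement is still met after an outage of the given length."""
    y0, aging = OSCILLATORS[oscillator]
    err = time_error(outage_seconds, x0, y0, aging / SECONDS_PER_DAY)
    return [app for app, req in REQUIREMENTS.items() if err < req]


if __name__ == "__main__":
    for osc, row in holdover_table().items():
        for app, t in row.items():
            print(f"{osc}: {app:<32} {t / 60:8.1f} min")
```

With these assumed figures the OCXO keeps a PMU within 1 µs for roughly two and a half hours and the travelling-wave application within 100 ns for about a quarter of an hour, while the TCXO loses the PMU budget in under two minutes; this is the "minutes to hours" spread the text refers to, and it is why the holdover oscillator, not the receiver, usually sets the tolerable outage length.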

Resilience Framework
In the previous section, the various ways to disturb GNSS signals were introduced, as well as how these can affect various applications within the electricity critical infrastructure. There is great interest in the development and analysis of resilient implementations. One of the approaches is the Resilience Framework of the US Department of Homeland Security (DHS) [2]. This framework can be seen as a set of very useful guidelines for achieving a certain level of resilience when implementing PNT sources for applications. The framework defines the following concepts:
PNT System: The components, processes, and parameters that collectively produce the final PNT solution for the consumer. Note that this is not necessarily restricted to GNSS components.
PNT Source: A PNT system component that is used to produce a PNT solution. Examples include GNSS receivers, networked and local (stable) clocks, inertial navigation systems (INS), and/or timing services provided over a wired or wireless connection.
PNT Solution: The full solution provided by a PNT system or source, including time, position, and velocity. A PNT system or source may provide a full PNT solution or a part of it. For example, a GNSS receiver with a clock may provide a full PNT solution, while a local clock only provides a timing/frequency solution.
Component: A part or element of a larger PNT system with well-defined inputs and outputs and a specific function. Examples may include individual PNT sources or subsystems of PNT sources, discrete software functions that implement resilient PNT processing algorithms, hardware modules providing a supporting function internal to the PNT system, antennas, firewalls (between antenna and receiver), and external detectors such as those based on SDR technology.
Recover from atypical errors to return to a proper working state and defined performance. Then, the framework identifies four levels of resilience (see Table 1). The framework is not geared towards GNSS-based PNT in particular but is agnostic with respect to the technology being used. Furthermore, although the framework provides guidelines for assessing the resilience of PNT solutions, in practice the assessment will not be straightforward. For example, the effectiveness of identifying compromised PNT sources (point 4 in Table 1) will vary from one implementation to another. By further detailing the conditions for the resilience levels (as can be done as part of the formalization process), one can better identify why a certain solution fails to qualify for a certain resilience level.

Reference Architectures
The framework [2] also describes a reference architecture for achieving Level 1 and Level 2 resilience. For Levels 3 and 4, no reference architecture is given yet. A PNT solution with resilience Level 3 may experience a bounded level of degradation when operating in a threat environment, whereas a Level 4 solution should not experience such degradation. The framework also provides guidelines for assessing the resilience level of a particular solution and for defining test procedures that demonstrate compliance with a certain level. The objective of the study presented in this paper is to largely automate these tasks, as described in the next section.

Formal Description of PNT Resilience
This section focuses on the formalization of the framework. Such a formalization eases automatic processing by a computer, as it can be used to generate computer programs that perform a certain analysis task. One of the goals is to construct a computer-assisted resilience assessment and an automatic testing system that is able to generate test data for testing resilience.
There are various types of formalisms that describe events (failures and exceptional conditions) and their impact on system behavior. One of these formalisms (and, conceptually, maybe one of the simplest to comprehend) is the modeling of system behavior by fault trees [5]. This section briefly describes the fault tree (FT) formalism and then how it can be used to capture the resilience knowledge.

Fault Trees
Fault trees are one of the possible formalisms that can capture the failed operation of system components and, to a certain level, the sequence of occurrence of those failures. Fault tree analysis (FTA) is a type of failure analysis in which an undesired state of a system is examined. This analysis method is mainly used in safety engineering and reliability engineering to understand how systems can fail, to identify the best ways to reduce risk, and to determine (or obtain a feeling for) event rates of a safety accident or a particular system-level (functional) failure. The main elements of a fault tree are the TOP event, which is the description of the critical system event, such as loss of tracking lock; basic events, which are the lowest level of identified causes, such as excessive RFI or atmospheric scintillation; and logic gates, such as OR and AND gates, which give the logical relationship between the TOP event and the basic events.
The AND gate is used to model redundancy in a system design or alternative test methods: a redundant system's function is only not realized if all the alternatives fail. The OR gate is used to model serial dependencies in a system design or test method: if one of the components fails, the overall system functionality fails to be realized. Given system components 1, 2, and 3 of a hypothetical system, layer (i) of Figure 1 depicts the OR gate of these components, layer (ii) the AND gate of these components, and layer (iii) a combination of the OR and AND gates.
There are several analysis methods that can be applied to the FT structure. One such method is dependency analysis, i.e., the determination of the minimal sets (minimal: deleting one element from the set invalidates the defining property) of basic events that cause the TOP event to be true. Such a minimal set gives a combination of events that renders the resilience invalid. Thus, it is important to check that this combination will not occur during the lifetime of the PNT system. A well-known graph algorithm, the minimal cut set algorithm, corresponds exactly to solving this dependency analysis problem. Another analysis is the computation of the probability of failure (PoF). If the probabilities of the basic events can be determined and independence of the events is assumed, the probability of the TOP event can be determined by propagating the probabilities in a bottom-up fashion.
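The following Python code is an added example (not part of the paper) implementing the three operations just described on a fault tree assembled from the node labels of the paper's Figure 2: Boolean evaluation of the TOP event, a minimal-cut-set computation by expanding OR and AND gates from the top down, and bottom-up probability propagation under the independence assumption. The gate structure of the tree (jamming causes loss of lock only when it is high and either detection or mitigation fails) and the probabilities are assumptions made for illustration.

```python
"""Fault-tree toolkit: Boolean evaluation, minimal cut sets and probability propagation.

Added example, not code from the paper. The tree below uses the node labels of the
paper's Figure 2 ("Loss of Lock", "Jamming", "Jamming high", "Jamming detection",
"Jamming mitigation", "Antenna problems"); the gate structure and the probabilities
are assumptions made for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a basic event
    children: Tuple["Node", ...] = ()


def basic(name: str) -> Node:
    return Node(name)


def gate_and(name: str, *kids: Node) -> Node:
    return Node(name, "AND", tuple(kids))


def gate_or(name: str, *kids: Node) -> Node:
    return Node(name, "OR", tuple(kids))


def evaluate(node: Node, truth: Dict[str, bool]) -> bool:
    """Bottom-up Boolean evaluation; `truth` gives the state of every basic event."""
    if node.gate is None:
        return truth[node.name]
    values = [evaluate(c, truth) for c in node.children]
    return all(values) if node.gate == "AND" else any(values)


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All sets of basic events that make `node` true: an OR gate unions the children's
    cut sets, an AND gate combines one cut set from every child."""
    if node.gate is None:
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":
        return set().union(*child_sets)
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Drop every cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def probability(node: Node, p: Dict[str, float]) -> float:
    """Probability of the event for independent basic events, propagated bottom-up:
    AND multiplies the children's probabilities, OR multiplies their complements."""
    if node.gate is None:
        return p[node.name]
    q = [probability(c, p) for c in node.children]
    acc = 1.0
    if node.gate == "AND":
        for x in q:
            acc *= x
        return acc
    for x in q:
        acc *= 1.0 - x
    return 1.0 - acc


def jamming_tree() -> Node:
    """Assumed structure: lock is lost if jamming is high and either its detection or its
    mitigation fails, or if the antenna has a problem (e.g. an obscured sky view)."""
    return gate_or(
        "Loss of Lock",
        gate_and(
            "Jamming",
            basic("jamming high"),
            gate_or("countermeasures fail",
                    basic("jamming detection fails"),
                    basic("jamming mitigation fails")),
        ),
        basic("antenna problems"),
    )


# illustrative per-event probabilities over the assessment period (assumed values)
SAMPLE_P = {
    "jamming high": 0.05,
    "jamming detection fails": 0.10,
    "jamming mitigation fails": 0.20,
    "antenna problems": 0.01,
}

if __name__ == "__main__":
    tree = jamming_tree()
    for cs in sorted(minimal_cut_sets(tree), key=sorted):
        print("minimal cut set:", sorted(cs))
    print("P(Loss of Lock) =", round(probability(tree, SAMPLE_P), 5))
```

The three minimal cut sets this tree yields ({jamming high, detection fails}, {jamming high, mitigation fails}, {antenna problems}) are exactly the combinations an assessor must show cannot occur over the system's lifetime; note that the single-event cut set for the antenna dominates the top-event probability regardless of how good the jamming countermeasures are, which is the kind of insight a minimal-cut-set analysis is meant to surface.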

Formalisation of the Resilience Framework
The fault tree method will not be applied to a particular system design (as in the usual case of applying fault trees) but will be used to encode the requirements of the resilience framework. One could say that the fault tree basically models the robustness behavior of a reference architecture for a certain resilience level. Each resilience level of the framework has a number of attached requirements that must be satisfied in order to qualify the PNT system for the corresponding resilience level. Furthermore, the resilience framework contains various high-level requirements for which the formalization may need to be made more specific to allow the automatic and effective generation of assessment applications (questionnaire and test program generation). Different fault trees can be defined for these requirements. For example, the framework specifies the rather high-level Requirement 4 of Level 2: "Must identify compromised PNT sources and prevent them from contributing to erroneous PNT solutions." For this, the concepts "compromised PNT sources" and "prevent them from contributing" must be specified. Compromised PNT can mean various things, for example, compromised by jamming, compromised by spoofing, or compromised by antenna position. Concentrating further on the case "compromised by jamming", the basic events would include, for example, "lock lost" and "increased code and carrier noise". However, these events can also have causes other than jamming. Jamming detection can be performed by inspecting the RF samples or by monitoring the receiver observations, such as the carrier-to-noise density (C/N0). Once jamming has been detected, its effects can be mitigated using, e.g., signal processing techniques (such as an adaptive notch filter (ANF)) or spatial filtering (such as a controlled reception pattern antenna (CRPA)). The "Loss of Lock" fault tree for the jamming case could look like the one given in Figure 2.

Figure 2. "Loss of Lock" fault tree for the jamming case (node labels: Loss of Lock, Jamming, Jamming high, Jamming detection, Jamming mitigation, Antenna problems).

"Loss of lock" can also be caused by the antenna position, when the line of sight to the satellites is obscured, for example by buildings that block the view. A similar fault tree can be constructed for this case. For compromised by spoofing, the basic events would include "tracking of encrypted signals" (such as Galileo PRS [6]) and "cryptographic checking of the navigation data" (such as in OSNMA [7]). By correctly combining these basic events, one can encode the satisfaction conditions for this requirement.
In general, there can be several detection methods to recognize jamming, spoofing, or other disturbances. These methods will, in general, have different detection characteristics and will therefore trigger alarms under different conditions.

Generating a Resilience Questionnaire
The formalization of resilience knowledge can be used for various analysis techniques, such as the computer-assisted evaluation of resilience levels. The FT will be further attributed with evaluation questions. That is, for each of the "basic events", a question about the presence of the event can be assigned such that the truth value of these basic events can be established, as depicted in Figure 3.
Now, as shown in Figure 4, the FT can be evaluated either bottom up or top down. Top-down evaluation starts at the TOP event and evaluates the value of the tree by descending the nodes of the tree, keeping track of the truth values of the basic events and the sub-trees.
The formalization process is rather labor intensive, but once the knowledge is formalized, the generation of questionnaires is rather straightforward. Having a formal model allows various types of analyses, including the generation of test data.
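As an added example (not the paper's code), the following Python implements the two things described in this section: attaching a question to each basic event so that a questionnaire can be generated from the tree, and a top-down evaluation that only asks the questions it still needs, with the bottom-up evaluation kept alongside for comparison. The tree is one possible encoding of Requirement 4 of Level 2 for the jamming case; the question wording for the high-jamming and mitigation events follows the labels of Figure 3, while the detection and antenna questions, the gate structure and the sample answers are assumptions.

```python
"""Questionnaire generation and top-down evaluation of a requirement fault tree.

Added example, not code from the paper. A basic event is "true" when its failure
condition holds, so each question records the answer that makes the event true.
The gate structure, the detection and antenna questions and the answers are assumptions;
"High jamming considered?" and "Jamming mitigation implemented?" follow Figure 3.
"""
from typing import Callable, Dict, List, Optional, Tuple

TREE = {
    "event": "loss of lock under jamming not prevented (Level 2, Requirement 4)",
    "gate": "OR",
    "children": [
        {
            "event": "jamming path",
            "gate": "AND",
            "children": [
                {"event": "high jamming not considered",
                 "question": "High jamming considered?", "true_if": "no"},
                {
                    "event": "countermeasures missing",
                    "gate": "OR",
                    "children": [
                        {"event": "no jamming detection",
                         "question": "Jamming detection present?", "true_if": "no"},
                        {"event": "no jamming mitigation",
                         "question": "Jamming mitigation implemented?", "true_if": "no"},
                    ],
                },
            ],
        },
        {"event": "antenna problems",
         "question": "Antenna sited with an unobstructed sky view?", "true_if": "no"},
    ],
}


def questionnaire(node: Dict) -> List[Tuple[str, str]]:
    """Static questionnaire: every basic event's question, in tree order."""
    if "question" in node:
        return [(node["event"], node["question"])]
    return [q for child in node["children"] for q in questionnaire(child)]


def evaluate_top_down(node: Dict, answer: Callable[[str], str],
                      asked: Optional[List[str]] = None) -> Tuple[bool, List[str]]:
    """Descend from the TOP event, asking only the questions still needed:
    an OR gate stops at the first true child, an AND gate at the first false one."""
    if asked is None:
        asked = []
    if "question" in node:
        asked.append(node["question"])
        return answer(node["question"]).strip().lower() == node["true_if"], asked
    stop_value = node["gate"] == "OR"   # OR short-circuits on True, AND on False
    for child in node["children"]:
        value, _ = evaluate_top_down(child, answer, asked)
        if value == stop_value:
            return stop_value, asked
    return not stop_value, asked


def evaluate_bottom_up(node: Dict, answers: Dict[str, str]) -> bool:
    """Needs every answer up front; used here to cross-check the lazy evaluation."""
    if "question" in node:
        return answers[node["question"]].strip().lower() == node["true_if"]
    values = [evaluate_bottom_up(c, answers) for c in node["children"]]
    return all(values) if node["gate"] == "AND" else any(values)


def assess(answers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Returns (requirement failed?, questions actually asked)."""
    return evaluate_top_down(TREE, lambda q: answers[q])


if __name__ == "__main__":
    sample = {                          # constructed answers from a hypothetical operator
        "High jamming considered?": "no",
        "Jamming detection present?": "yes",
        "Jamming mitigation implemented?": "no",
        "Antenna sited with an unobstructed sky view?": "yes",
    }
    failed, asked = assess(sample)
    print("requirement failed:", failed,
          "after", len(asked), "of", len(questionnaire(TREE)), "questions")
```

Both evaluation orders give the same verdict; the practical difference is that the top-down walk never asks about countermeasures once high jamming is declared out of scope, and never asks about the antenna once the jamming branch has already invalidated the requirement, which keeps a generated questionnaire short for the operator answering it.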

Figure 3. "Loss of Lock" fault tree for the jamming case with evaluation questions attached to the basic events (node labels: Loss of Lock, Jamming, Jamming high, Jamming detection, Jamming mitigation; question labels: "High jamming considered", "Jamming mitigation considered", "Jamming mitigation present?", "Jamming mitigation implemented?").

Concluding Remarks
As GNSS-based PNT information is in use for applications within critical infrastructures, it becomes of vital importance to keep an eye on the resilience of these systems. In this study, the partly automatic generation of questionnaires, and eventually of test programs, is researched. This approach requires the cumbersome formalization of a resilience framework into a form that a computer can process. The formalization work ideally has to be performed only once. Still, this formalization task is laborious and prone to errors. Alternative methods will be investigated in further research. The current popularity of generative Artificial Intelligence (AI) [8] seems to suggest that this technique could provide an alternative for questionnaire generation. Much more research is needed in this direction as well.

Figure 1. Construction of a fault tree.

Table 1 (fragment). Resilience levels of the DHS framework. Level 4: includes the capabilities enumerated in Levels 1, 2, and 3 plus: 8. Must have a diversity of PNT source technology to mitigate common-mode threats. Notes: Level 0 indicates a source or system that does not meet the criteria in Level 1 and is thus considered a non-resilient system or source. ** Critical infrastructure applications will likely require Level 2 resilience at a minimum. *** The output can deviate within a manufacturer-defined envelope.