Just in Time – Real-time management of sky and ground time sources to protect critical infrastructure from cybersecurity threats

Publisher: EE小广播 | Latest update time: 2023-06-20 | Source: EEWORLD | Author: Greg W, Senior Product Manager, Frequency and Time Systems business unit, Microchip Technology Inc. | Keywords: Microchip

Critical public infrastructure systems that rely on Global Navigation Satellite Systems (GNSS) to receive positioning, navigation and timing (PNT) data have been identified as potential cybersecurity attack vectors by national security agencies around the world. In late 2020, the U.S. Department of Homeland Security (DHS) released the "Resilient PNT Compliance Framework" guidance to provide a public reference point to help critical infrastructure become more resilient to the threat of PNT attacks. Within this framework, an approach to cybersecurity is proposed:


Prevention: In the first layer of defense, threats are prevented from entering the system. However, it must be assumed that not all threats can be prevented.


Response: Ability to detect atypical errors or anomalies and take appropriate actions such as mitigation, suppression, and reporting. The system should ensure adequate response to externally caused atypical errors before recovery is required.


Recovery: The last line of defense is restoration to normal working condition and specified performance. 


Four levels of resiliency


Based on the prevent-respond-recover cybersecurity model, the PNT compliance framework document describes four levels of resiliency. Note that the resiliency levels build on each other—Level 2 includes all behaviors listed in Level 1, and so on.


The framework provides a clear set of PNT resiliency guidelines for devices, covering chip, module and system levels. Although the framework is not specific to the use of GNSS, much of the focus is on GNSS vulnerabilities and resilience to GNSS outages, whether caused by unintentional interference or intentional threats. However, the GNSS resiliency of a specific device or technology does not fully meet the needs of critical infrastructure operators, who may manage the use of PNT services over larger geographic areas.



Figure 1. Four levels of resiliency defined in DHS “Resilient PNT Compliance Framework” guidance


Critical infrastructure expansion


Critical infrastructure is typically built in a layered fashion, starting with a set of core sites connected to secondary sites and ultimately to remote sites. As 5G networks roll out, the densification and large-scale deployment of wireless access points will improve coverage and enable higher bandwidth to support the Internet of Things (IoT) and related services. However, such large-scale access points also require precise timing on more endpoints.


Within utility infrastructure, the grid is being enhanced and expanded with alternative energy sources such as solar and wind. Modern smart grids employ a highly distributed architecture that relies on precise timing to coordinate, monitor and record operational data and to detect outages and faults. In addition, power companies rely on timing services throughout their operations to communicate and transmit telemetry data.


To date, GNSS has been the preferred source for timing, which has led to an exponential increase in dependence on GNSS. Because of this huge dependency, the impact of an error or outage is greater today than ever before.


Ground time distribution


To deliver accurate time to a large number of locations while reducing dependence on GNSS, critical infrastructure operators are turning to terrestrial distribution methods that use packet protocols, with Precision Time Protocol (PTP) enabling high-precision distribution.


Virtual Primary Reference Clock (vPRTC) is a highly secure and resilient network-based timing architecture designed to meet the growing demands of modern critical infrastructure. The concept of vPRTC is very simple. It blends proven timing technology into a centralized protected source location, then leverages commercial fiber optic network links and advanced IEEE® 1588 PTP boundary clocks to distribute 100 ns PRTC timing to endpoints in need that may be hundreds of kilometers away. 


Just as GNSS satellite-based timing systems use open-air transmission to distribute timing to endpoints, vPRTC uses terrestrial (usually fiber optic) networks to distribute timing. The difference is that operators have complete control of the network and can protect it as needed. This network-based timing is called trusted time. It can be distributed as a primary timing source or deployed as a backup to GNSS timing solutions.


However, although the vPRTC approach has many advantages in terms of reliability and safety, relying solely on ground time can create a single point of failure, just as relying solely on GNSS does. As a result, critical infrastructure operators are deploying architectures that use both GNSS and ground time. To do this effectively, operators found they needed to centrally manage and visualize the two critical time sources. Additionally, to deliver on the promise of timing resiliency, a unified management system needs to include cybersecurity capabilities that apply the DHS prevent-respond-recover guidance across all nodes of the timing network.


Unified time management


Having a bird's eye view of all nodes in the timing network is critical to providing timing security and resiliency. When a problem occurs during a GNSS anomaly or ground time instability, the most urgent matter is to quickly determine whether the event is isolated to a specific location, affects an area, or in some cases is caused by global conditions. The centralized management and monitoring system provides green, yellow and red threat status indicators, with different colors representing different locations of concern. This is a simple way for operators to understand the overall health of their timing infrastructure.


 


Figure 2. Example of timing network view of global data centers


When issues arise, critical infrastructure operators next need to visualize “observable data” that can quickly isolate the root cause. Because today's timing networks rely on both GNSS time and ground time, it is critical to be able to view observable data representing both timing sources in a unified manner.


GNSS observable data


When referring to GNSS vulnerabilities, commonly used terms include multipath interference, weather anomalies, jamming and spoofing. However, drilling down into (visualizing) the details to identify the root cause requires a more specific characterization of the signal.


Visualization of GNSS reception quality is achieved by monitoring GNSS observable data. Table 1 provides examples of key GNSS observables that can be tracked and monitored.



Table 1. Examples of key GNSS observable data


Ground time observable data


Characterizing the quality of terrestrial time requires time measurements between device interconnections at a single location (intra-office) or across network nodes (inter-office)—for example, comparing device inputs and outputs or comparing signals at different sites. Additionally, as PTP becomes standardized, the ability to evaluate network timing packet metrics is required to verify the time transfer from one location to another. Ground time performance requirements enable a diverse set of observable data to be visualized and monitored. Table 2 provides examples of key ground time observables.


When managing large geographical areas, the ability to measure the phase difference between GNSS time and terrestrial time at multiple locations simultaneously allows operators to compare the two time sources. As mentioned earlier, it is best to use two sources of time to achieve the resiliency that critical infrastructure operators ultimately require. By comparing and measuring these two time sources at multiple locations, operators can verify that the two independent time sources are consistent with each other, which helps establish the highest level of trust.



Table 2. Key ground-based time observables that must be visualized and monitored



Figure 3. Phase difference measurement between GNSS time and ground time
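
The multi-site comparison described above, as an added example that is not from the article or from any Microchip product: per-site GNSS-versus-ground phase differences are mapped to a green/yellow/red indicator, and the event is classified as isolated, regional or global. The site names, regions, sample values, both thresholds (the yellow one reuses the article's 100 ns PRTC figure as an assumed alert level) and the majority rule are assumptions.

```python
from collections import defaultdict

# Assumed alert levels for |GNSS time - ground time| at one site, in nanoseconds.
YELLOW_NS = 100    # assumption: reuses the 100 ns PRTC figure as the warning level
RED_NS = 1000      # assumption: alarm level chosen for this example

# Constructed sample: (site, region, GNSS-minus-ground phase difference in ns)
SAMPLE = [
    ("core-1", "east", 12), ("agg-2", "east", -8), ("edge-3", "east", 20),
    ("core-4", "west", 15), ("agg-5", "west", 1450), ("edge-6", "west", -5),
]

def site_status(phase_ns):
    """Map one site's phase difference to the green/yellow/red indicator."""
    mag = abs(phase_ns)
    if mag >= RED_NS:
        return "red"
    return "yellow" if mag >= YELLOW_NS else "green"

def classify_scope(measurements):
    """Return (per-site status, scope); scope is none, isolated, regional or global."""
    status = {site: site_status(p) for site, _, p in measurements}
    by_region = defaultdict(list)
    for site, region, _ in measurements:
        by_region[region].append(status[site] != "green")
    # Assumed rule: a region is affected when more than half of its sites disagree.
    affected = [r for r, flags in by_region.items() if sum(flags) * 2 > len(flags)]
    if all(s == "green" for s in status.values()):
        scope = "none"
    elif not affected:
        scope = "isolated"      # abnormal sites exist but no region is dominated
    elif len(by_region) > 1 and len(affected) == len(by_region):
        scope = "global"
    else:
        scope = "regional"
    return status, scope

if __name__ == "__main__":
    status, scope = classify_scope(SAMPLE)
    print(scope, status)
```

The phase difference shows only that the two sources disagree at a site; deciding which source moved still requires the GNSS and ground time observable data discussed earlier.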


In conclusion


With the cooperation of industry, standards organizations and government organizations such as DHS, timing services have become a recognized foundational technology for critical infrastructure operations. Leveraging industry-standard cybersecurity models will help harden and enhance timing devices.


While device resiliency is critical, gaining a bird's-eye view of timing performance across the entire network is the starting point for providing complete network visibility, which is critical to providing timing security and resiliency. To deliver on the promise of timing resiliency across critical infrastructure, operators need to adopt a unified management system that enables simple and complete visualization of GNSS and ground time observable data. By unified management of these two timing sources, operators gain a platform that can apply a “prevent-respond-recover” model to address timing threats and achieve the highest levels of resiliency and cybersecurity protection.

