The Royal Academy of Engineering encountered the sensationalist nature of some sections of the British press last month after it published a report into the reliance and vulnerabilities of global navigation satellite systems (GNSS). “Sat-nav dependency spells disaster” and “Sat-navs could aid terrorist attack in Britain” screamed some of the headlines, pushing the main thrust of the report to its very limits.
That was a shame – because the report actually raised some level-headed concerns about society’s increasing dependence on GNSS systems such as GPS for deriving position, navigation and timing data. There is a very real fear that shared dependence on such systems means that a failure of satellite signals could lead to the simultaneous collapse of many services that we take for granted. Failure could be caused by deliberate or accidental interference, both man-made (such as jamming) and natural (such as solar flares). The report also put forward some constructive recommendations as to how it might be possible to increase the resilience of the services that rely on satellite signals.
Professor Martyn Thomas, chairman of the royal academy’s GNSS working group, says that the range of applications relying on satellite signals is now so broad (see illustration, right) that, without adequate independent back-up, transmission failure or interference could affect safety systems and other critical parts of the economy. He says: “GPS and other GNSS are so useful and so cheap to build into equipment that we have become almost blindly reliant on the data they give us. A significant failure of GPS could cause lots of services to fail at the same time, including many that are thought to be completely independent of each other. The use of non-GNSS back-ups is important across all critical uses of GNSS.”
GNSS is the generic term for space-based systems that transmit signals that can be used to provide three services: position, navigation and timing – known collectively as PNT. The best-known GNSS system in operation is the Global Positioning System (GPS), operated by the US military, although other systems are also being developed, most notably Galileo in Europe and Compass in China. As well as the ubiquitous sat-nav, the signals from GPS are used by data networks, financial systems, shipping and air transport, agriculture, railways and the emergency services. So they underpin our modern lives.
GPS can be split up into three areas, the ground, space and user segments. The ground, or control, segment is used to upload data to the satellites, to synchronise time across the constellation and to track the satellites to enable orbit and clock determination. The space segment consists of the GPS satellites in six orbital planes, with 24 satellites making the full constellation, although there are a total of 32 in service. Meanwhile, the user segment consists of the receivers and antennas, used to receive and decode the signal to provide PNT information.
In normal operation, GPS will give a three-dimensional position accuracy of around 5-10m, and also provides velocity to approximately 20cm/s and time to within 1µs. Different GPS applications require varying degrees of positional accuracy. In-car and personal navigation, for example, require only the standard GPS positioning accuracy, whereas more demanding applications require augmentation of the standard GPS data, be it in terms of integrity or correction information.
But the Royal Academy of Engineering report suggests that all GNSS have system-level vulnerabilities that can lead to failure, disruption and interference. The vulnerabilities can broadly be classified into three different categories: system related (including signals and receivers); propagation channel related (atmospheric and multipath); and interference related (accidental or intentional). GPS satellites, for instance, have on rare occasions broadcast dangerously incorrect signals, a reduced number of satellites visible could prevent availability of a position fix, and GNSS receivers can incorrectly process valid signals to give unpredictable results.
GNSS signals are very weak: typically less than 100W transmitted from a distance of 20,000km to 25,000km. When received at the surface of the earth, the signal strength may be as low as –160dBW (1 x 10–16 W), with a spectrum spread out effectively below the noise floor in the receivers.
“The transmissions are very weak,” says Thomas. “They are about equivalent to a light bulb shining thousands of miles away. You don’t need a lot of power to jam them over a wide area – that jamming can be done naturally, deliberately or maliciously.”
Deliberate or unintentional interference with this signal can easily defeat the signal recovery or overload the receiver circuitry. Furthermore, signals are vulnerable to disruptions in the atmospheric medium they pass through, and receivers can also unintentionally lock onto reflections of the signals, known as multipath, giving unexpectedly large errors. These causes can have quite different effects on users, such as complete loss of the positioning and timing service, poorer accuracy, very large jumps in position, velocity or time, and “hazardously misleading information” – believable data that is dangerously wrong in safety-critical applications.
Each of the three segments – ground, space and user – has vulnerabilities. The ground segment is responsible for maintaining the system time, controlling the satellites, uploading navigation data that will be broadcast to users from satellites, and monitoring the signals broadcast across the globe. The satellites carry clocks, signal generation units and amplifiers and antennas to broadcast the signals, modulated with the navigation data.
These systems are designed with high reliability in mind, and, in the case of GPS, the ground segment and satellites are designed to be resistant to military attack, but nevertheless there are vulnerabilities, says the academy report. One is too few satellites owing to simultaneous failure of old spacecraft combined with the late delivery of next-generation satellites. As the number of satellites drops to below the specified minimum of 24, users would experience a reduction in service, position outages and worse accuracy owing to less favourable satellite geometry.
The user segment, meanwhile, comprises equipment such as GPS receivers, and is diverse and uncoordinated. These vary from decryption-capable military receivers through to receivers embedded in mass-market mobile phones. The common thread is that all receivers are designed to interface with the broadcast GNSS signals. The diversity means that systematic vulnerabilities in GNSS receivers will not affect all users, but could affect one particular user sector badly, possibly globally, where receivers from one manufacturer with a software bug are used widely.
Other factors also come into play. The lowest and densest region of the earth’s atmosphere, containing our weather systems, is the troposphere. Here weather systems can affect GNSS signals, causing modest variations in signal delay, introducing an error term, rather than a threat. However, the ionised upper region of the atmosphere known as the ionosphere can also cause disruptions to GNSS signals and if uncorrected introduce the largest errors. The variability of the ionosphere, especially at high and low latitudes and at times close to the peak of the sunspot cycle, can be highly problematical to GNSS.
Accidental interference such as harmful emissions from commercial high-power transmitters, ultra-wideband radar and personal electronic devices can interfere with GNSS. An example of this effect was noticed in 2002 when a poorly installed CCTV camera system in Douglas on the Isle of Man caused GPS within 1km of the installation to be blocked.
Other instances can be malicious: the crudest form of jamming simply transmits a noise signal across one or more of the GNSS frequencies, raising the noise level or overloading the receiver circuitry and causing loss of lock. Circuits and assembly instructions for GPS jammers are widely available on the internet, and commercial jammers can be bought for less than £20. Commercial jammers are increasingly sophisticated: some are designed to fit into a pocket, some into car lighter sockets; and most jammers are designed to block GPS and Galileo signals, even before the Galileo network is operational. “The fact is that jammers are far too easily available and the risk from them is increasing all the time,” says Thomas.
So what are the chances of a major failure of GNSS systems? And what can be done to overcome this multitude of issues? Thomas says that the use of GNSS has become so convenient and ubiquitous that there is a strong tendency among users to treat it as a given. At every level, examples of reliance on GPS for positional, navigational and timing uses without fully tested and exercised non-GPS back-ups have been observed. In the great majority of cases, the loss of these services in an individual application will cause only local or isolated inconvenience, but the possibility exists for wider, single mode or common mode failures with more serious consequences.
The risk of a common mode failure affecting an entire GNSS constellation or even multiple constellations cannot be ruled out, says the royal academy report. The earth is subject to extreme solar events from time to time and these have the potential to disrupt the GNSS signals, and the satellites themselves. The disruption may be temporary or may cause complete satellite failure. Such super-storm events are not predictable, but studies estimate that these so-called “Carrington events” will occur with a probability in the order of 1 in 100 per year.
Space weather events of lesser magnitude will occur more frequently. More than once per decade, at UK latitudes, there may be an interruption to high-accuracy GNSS services. There should be no direct “safety of life” issues if the integrity subsystem informs the users that the navigation solution is degraded, but the absence of the service will have varying levels of impact, which could be mitigated if an alternative navigation system is available.
Risk from jamming is growing. As GNSS becomes more widely used for revenue generation or protection, the rewards from criminal activity aimed at disrupting the systems grow. Already it is known that criminals have used GPS jamming in connection with theft of high-value vehicles and the avoidance of road user charges. The cost of jamming equipment is low and, while users of such equipment are concerned only with the jamming of devices on a single vehicle, the area affected by that jamming signal can be large. It is expected that the introduction of Galileo, with its additional frequency bands and compatibility with GPS, will make jamming more difficult, but not significantly so for the determined criminal.
With all these factors in mind, the Royal Academy of Engineering has called for a three-pronged approach to deal with these issues – raising awareness, policy responses, and increasing resilience. In terms of raising awareness, it says that critical services should ensure that GNSS vulnerabilities are included in their risk registers and that the risks are reviewed regularly and mitigated effectively.
National and regional emergency management and response teams should review the dependencies (direct and indirect) on GNSS and mitigate the risks appropriately. And services that depend on GNSS for PNT should document this as part of their service descriptions, and explain their contingency plans for GNSS outages.
Policy response is also necessary, argues the academy. It is already illegal to place GNSS jamming equipment on the market in the EU, as it cannot be made compliant with the EMC directive. The use of jammers is also a serious offence under the UK Wireless Telegraphy Act 2006. The academy says that Ofcom also has the ability to close remaining loopholes by putting in place a banning order under the 2006 act which would prohibit import, advertisement and mere possession of jammers. The case for this is easily justified, says the academy, given the clear danger to safety of life services. So it recommends that Ofcom should introduce such a banning order, ideally in co-operation with other European legislators.
The Cabinet Office Civil Contingencies Secretariat should consider establishing a monitoring network to alert users to disruption of GNSS services and should consider whether official jamming trials of services for a few hours should be carried out, with suitable warnings, so that users can evaluate the impact of the loss of GNSS and the effectiveness of their contingency plans.
In terms of increasing resilience, the provision of a widely available PNT service as an alternative to GNSS is an essential part of the national infrastructure, says the academy. It should be cost effective to incorporate in civil GNSS receivers and free to use. Ideally it should provide additional benefits, such as availability inside buildings and in GNSS blindspots. The academy says it is particularly encouraged by progress with eLoran, an alternative to satellite-based systems being developed by the General Lighthouse Authorities.
And finally the Technology Strategy Board and the Engineering and Physical Sciences Research Council are encouraged to consider the merits of creating a research and development programme focused on antenna and receiver improvements that would enhance the resilience of systems dependent on GNSS.
“No one has a full picture of the dependency on GPS and similar systems,” says Thomas. “The risks could be managed and reduced if government and industry worked together.”
Threat of turbulent solar activity
One of the UK’s leading space experts has called for better monitoring of space weather to mitigate risks that could leave the world’s power grids and navigation systems in disarray.
As the threat of volatile solar activity increases, Professor Mike Hapgood, head of the space environment group at RAL Space, says that space weather needs to be considered in all risk assessment plans to avoid leaving infrastructure such as GPS open to threats.
Hapgood says that current systems are not sufficient to protect the global population from a severe solar flare, and he has called for more investment in creating robust systems to mitigate these risks.
He says: “As technology advances, exposure to solar threats will become more severe. Last month’s widely reported solar flare, while interesting in form, was considerably weak compared to what can happen in the future.
“While it is difficult to pinpoint when exactly such threats will occur and how severe these will be, we can look to past occurrences as a guide and prepare ourselves sufficiently to diminish further risks. Trend patterns do show that future flares may be few in number, but they also show these will become more dangerous.”
Drawing on the Y2K millennium bug as an example of how a catastrophe was averted with careful consideration, Hapgood calls for the same kind of investment and preparation in order to protect the global community.
“Many people will reflect on Y2K as somewhat of a non-event underpinned by a lot of hype. The reality is that much time and money was invested behind the scenes and as a result the crisis was prevented.
“As such, better monitoring equipment and imaging techniques are important to obtain a certain degree of advanced warning and understanding of the sun,” he says.
Recent observations have shown that solar activity has become increasingly turbulent as the sun approaches the next peak in the solar cycle in 2013.
