Managing live sky and terrestrial time sources to protect critical infrastructure against cybersecurity threats
By Greg Wolff, Microchip Technology
Critical public infrastructure systems that rely on GNSS for reception of positioning, navigation and timing (PNT) data have been identified by national security agencies across the globe as potential cybersecurity attack vectors. Late in 2020, the U.S. Department of Homeland Security (DHS) published the “Resilient PNT Conformance Framework” guidelines, providing a common reference point to help critical infrastructures become more resilient to PNT attack threats. Within the framework, a cybersecurity approach has been proposed.
Prevent. In this first layer of defense, threats are prevented from entering a system. However, it must be assumed that it is not possible to stop all threats.
Respond. Atypical errors or anomalies are detected and action taken, such as mitigation, containment and reporting. The system should ensure an adequate response to externally induced, atypical errors before recovery is needed.
Recover. The last line of defense is returning to a proper working state and defined performance.
Four Levels of Resilience
Based on the Prevent-Respond-Recover cybersecurity model, the PNT Conformance Framework document describes four levels of resilience. Note that the resilience levels build upon each other — Level 2 includes all enumerated behaviors in Level 1, and so forth.
The framework provides a clear set of PNT resilience guidelines for equipment, whether at the silicon, module or system level. Although the framework is not specific to the use of GNSS, much of the focus has centered on GNSS vulnerabilities and the ability to be resilient to GNSS outages, whether caused by unintentional disruptions or intentional threats. However, the GNSS resiliency of specific equipment or technology does not fully address the needs of critical infrastructure operators who are managing the use of PNT services over large geographical areas.
Critical Infrastructure Expansion
Critical infrastructure is typically constructed in a tiered manner, beginning with a set of core sites connected to secondary sites that are ultimately connected to remote sites. With the rollout of 5G networks, densification and massive deployment of wireless access points will improve coverage and enable higher bandwidths to support the internet of things (IoT) and related services. However, this massive scale of access points will also require accurate timing at a much larger number of endpoints.
Within the power utility infrastructure, the power grid is being augmented and expanded with alternative energy sources, such as solar and wind. The modernized smart grid is a highly distributed architecture that is dependent on accurate timing for coordination, monitoring and logging of data for operation and identification of power-outage fault detection. Additionally, power utilities rely on timing services for communications and transport of telemetry data throughout their entire operations.
To date, GNSS has been the go-to source for timing, creating an exponential increase in the dependency on GNSS. Because of this massive dependency, the impact of errors or interruptions today is more significant than ever before.
Terrestrial Time Distribution
As an alternative for delivering accurate time to large numbers of locations and reducing dependency on GNSS, critical infrastructure operators are turning to the use of terrestrial distribution using packet protocols so that high accuracy distribution can be achieved using Precision Time Protocol (PTP).
The virtual Primary Reference Time Clock (vPRTC) is a highly secure and resilient network-based timing architecture developed to meet the expanding needs of modern critical infrastructures. The vPRTC is simple in concept. It blends proven timing technologies into a centralized and protected source location, and then uses commercial fiber-optic network links and advanced IEEE 1588 PTP boundary clocks to distribute 100-ns PRTC timing where it is needed in end points that might be hundreds of kilometers away.
Just as a GNSS-satellite-based timing system distributes timing to end points using open-air transmission, the vPRTC distributes timing using a terrestrial (typically fiber) network. The difference is that the operator remains 100% in control of the network and can secure it as necessary. This network-based timing is referred to as trusted time. It can be distributed as the primary source of timing or it can be deployed as a backup to GNSS timing solutions.
Even with the many reliability and security benefits of the vPRTC approach, however, sole dependency on terrestrial time can become a single point of failure, just like a strategy dependent solely on GNSS. Because of this, critical infrastructure operators are deploying architectures that use both GNSS and terrestrial time. To do this effectively, operators find themselves with the need to have centralized management and visibility of both key sources of time. Further, to deliver on the promise of timing resiliency, a unified management system needs to include capabilities that can deliver a cybersecurity solution encompassing the Prevent-Respond-Recover DHS security guidelines across all nodes of the timing network.
Unified Time Management
Having a bird’s eye view of all nodes of a timing network is essential for providing timing security and resiliency. In the case of a GNSS anomaly or terrestrial time instability, when a problem occurs the most immediate need is to quickly identify whether the event is isolated to a specific location, affects a region, or in some cases is caused by a global situation. A centralized management and monitoring system provides a green, yellow and red threat-status indication representing different locations of interest. It is a simple way for operators to know the overall health of their timing infrastructure.
When problems surface, critical infrastructure operators next need visibility of “observables” that can quickly isolate the root cause. With today’s timing networks relying on both GNSS time and terrestrial time, the ability to see observables that represent both timing sources in a unified manner is critical.
GNSS Observables
Multipath interference, weather anomalies, jamming and spoofing are terms commonly used when referring to GNSS vulnerabilities. Gaining insights (visibility) into the details to identify the root cause, however, requires more specific characterization of the signal.
Visibility into the quality of GNSS reception is accomplished by monitoring GNSS observables. Table 1 provides a sample of key GNSS observables that can be tracked and monitored.
Terrestrial Time Observables
Characterizing the quality of terrestrial time requires time measurements between equipment interconnections within a single location (intra-office) or across nodes of a network (inter-office) — for example, comparison of equipment inputs and outputs or comparison of signals at different sites.
Additionally, with the standardized use of PTP, the ability to evaluate network timing packet metrics is needed to verify time transfer from location to location. Terrestrial time performance calls for a different set of observables to be made visible and monitored. Table 2 provides a sample of key terrestrial time observables.
When managing a large geographical area, being able to measure the phase difference between GNSS time and terrestrial time at multiple locations simultaneously enables an operator to determine how well these two sources of time compare. As described previously, critical infrastructure operators are ultimately in need of resiliency, which can best be achieved using both time sources.
Measuring the two sources against each other at multiple locations creates the highest level of trust knowing that these independent time sources are well aligned.
Conclusion
With cooperation from industry, standards organizations and government organizations such as DHS, the use of timing services has become recognized as a foundational technology for critical infrastructure operations. Leveraging industry-standard cybersecurity models will help strengthen and harden timing equipment.
Although equipment resiliency is vital, having a bird’s eye view of timing performance across the entire network is the starting point for providing complete network visibility that is critical to providing timing security and resiliency. To deliver on the promise of timing resiliency across critical infrastructure, operators need a unified management system that enables simple and complete visibility of both GNSS and terrestrial time observables.
With a unified management of these two timing sources, operators have a platform to apply Prevent-Respond-Recover to timing threats and achieve the highest levels of resiliency and cybersecurity protection.
Greg Wolff is senior product line manager of Frequency & Time Systems at Microchip Technology. He has worked in the time and frequency industry since 1988 and was an early pioneer in the marketing of network synchronization solutions to major critical infrastructure operators across the globe. He is an active contributor to emerging standards supporting PNT resiliency and most recently, as part of Microchip Technology’s Frequency and Time Systems group, launched the BlueSky GNSS Firewall. He holds a degree in engineering science from California Polytechnic State University – San Luis Obispo.