The impact of GNSS interference on aviation has significantly increased over the last years [1]. The causes for this are widespread: They reach from illegal Personal Privacy Devices (PPD’s), GNSS repeaters, mis-operated test equipment down to very sophisticated spoofing and jamming equipment [2]. In most events, civil aviation does not appear to be the primary target of these actions but rather “collateral damage”.
While most scenarios are characterized by jamming, which leads to a degradation or loss of GNSS information, the phenomenon of spoofing can be more subtle. A GNSS spoofer aims to replicate a plausible GNSS signal combination and thus trick a receiver into a false position or time reference [3]. So far, the industry reacted by issuing airspace alerts and NOTAMs. Both measures are clearly not satisfying in the long term, therefore industry-wide efforts are under way to make aeronautical navigation more resilient.
The GNSS vulnerability
Satellite navigation has been around for decades and enabled an abundance of services around the globe, mainly due to the unprecedented coverage and accuracy of the service. At the same time, there have always been concerns about the vulnerability of these systems to interference, whether created intentionally or not. The signal level of a typical GNSS signal when received on Earth is around -160 dBW [3]. For those not familiar with dBW, this is comparable to trying to see the light of a household lightbulb that is 20’000 km away.
Bottom line: It does not take much “jamming power” to significantly disrupt GNSS signals in a large area.
Stuck in the 80’s
The problem with current civil aviation satellite navigation is that the technical standards only cover the GPS L1 signal using C/A code. This is essentially one of the first GPS signals that were available in the 80’s. Meanwhile, GPS has been modernized and there are other constellations available, such as Galileo, GLONASS or Beidou. Ironically, your cellphone can make use of these new signals while your aircraft is “stuck in the 80’s”. This makes the aviation community very vulnerable to signal disruptions. There is ongoing work to create new technical standards for civil aviation that cover Dual-Frequency-Multi-Constellation (DFMC) receivers, but these are only expected around 2025. See here for an earlier article covering that topic.
Do we need GNSS?
The short answer: Yes.
While the industry scrambles to develop alternatives to GNSS, there is simply no comparable service available at this time. See here for a paper written by the author looking at GNSS alternatives. The paradigm-shift towards Performance-Based-Navigation (PBN) was aimed to “disconnect” procedures from specific navigation systems by stipulating a certain “navigation performance”. Unfortunately, quite often GPS is the only system available in today’s aircraft that can provide the required accuracy and integrity and so these procedures become entangled with a specific system again. Recently, Eurocontrol published the “GNSS Contingency/Reversion Handbook for PBN Operations” [4].
This document conveys two key points:
1: The reliance on GNSS will increase significantly over the coming decade
2: The “conventional navaids” can only partially serve as a backup
To be clear: aircraft can still fly without GNSS, but depending on the systems involved certain procedures can no longer be executed and this will result in a significant increase of workload for flight crews and air traffic controllers ultimately leading to an unacceptable system degradation.
More and more procedures rely on GNSS as a navigation system, while at the same time “conventional navaids” are being removed. Typically, transport aircraft have inertial and DME/DME RNAV systems at their disposal, which can serve as a solid reversion, but they cannot fully compensate for a loss of GNSS. For smaller aircraft, GNSS is typically the sole sensor for RNAV capability, so these aircraft will need to rely on VOR/DME information or ATC assistance [4].
It is obvious from Table 1 above that conventional navaids cannot compensate for a loss of GPS, as todays only approved GNSS. Interesting to note is the fact that the NDB’s do not provide any benefit for PBN, as they cannot be used by RNAV computers. Even VOR’s provide only very limited benefits due to their poor navigation performance as indicated above. Not included in the table above is the ILS, which will remain one of the primary approach and landing systems for the foreseeable future, but it cannot be used for enroute navigation. These facts compound the need for GNSS interference mitigation in the near and distant future.
So, what kind of interference are we talking about?
Fernández-Hernández et al. [2] proposed the following categorization of GNSS interference:
As an example, an illegal personal privacy device would fall into category J1. A GNSS repeater used inside a hangar would be category S1 [2]. A detailed description of the categories can be found in [2]. From a user’s perspective, the categorization has little relevance, the more interesting question is: What are the effects and how to detect GNSS interference? This is what we look at below.
What do jammers do?
The most primitive jammers such as (illegal) personal privacy devices usually create a “sweeping noise signal” that covers the GPS L1 frequency and part of the adjacent spectrum. This makes it hard/impossible for a GPS receiver to track the authentic GPS signals [5].
Position integrity is usually not affected here, as the GPS position information is simply no longer available. It then depends on the equipment of the aircraft, to what extent that affects the navigation capability. Most transport category aircraft will revert to DMD/DME, VOR/DME, IRS or a similar combination and thus there will only be limited effects in the enroute/terminal phase. The ability to perform an RNP approach, will be lost with today’s GPS receivers [4]. For GA aircraft relying on GPS L1 to achieve RNAV capability, the effects will be much more pronounced. While VOR/DME can serve as a backup for position determination, ATC assistance will often be required [4]. Some low-cost AHRS systems also rely on GPS for attitude aiding and these systems may suffer from a performance degradation.
Spoofing principle
As mentioned earlier, a spoofer attack is much more sinister. It aims to replicate authentic GNSS signals and thus cause the receiver to establish a misleading position or time reference [3]. A typical setup is depicted in Figure 4.
Depending on the sophistication of the spoofing attack, the spoofer signals may also arrive from different angles, however this is not typical due to the complexity of such an attack. The significant difference compared to jammers: A spoofer transmits “replicas” of authentic GNSS signals. This explains, why the existing RAIM capability will not detect such an attack, as the signals will look authentic to a conventional RAIM algorithm because it was never designed for spoofing detection [2]. In many cases, the spoofing signals come from one transmitter, which enables spoofing detection, as described later. The effects on aircraft are strongly dependent on the installed avionics and little data is available in the public domain about specific aircraft types. It is however clear, that aircraft featuring IRS have a strong capability to detect a spoofed GNSS position in many scenarios [2]. Without IRS, all is not lost: There are still ways to detect a spoofed signal as described below. The good news is that it is not so easy to create consistent “authentic looking” GNSS signals for a moving aircraft and therefore the exposure time to a spoofed position is usually limited [3]. This is different for jamming, which may be present over a long time without great technical difficulty.
Spoofing detection – new standards are on the way in
New technical standards are under development by RTCA and EUROCAE. Further, the RTCA special committee SC-159 stated in its “terms of reference” that the threat of spoofing will be addressed “to the extent practicable”, mainly involving a detection capability [7]. So, what techniques might be used for that? Here are some options:
Automatic Gain Control (AGC) monitoring
A typical GNSS receiver setup is depicted below. As the signals are very weak and vary depending on the environment, the receiver constantly adjusts the amplification of the incoming signals through a circuit called “automatic gain control”. As a spoofer will generally require a “power advantage” to blank the authentic signals, there will be a “jump” in signal level and thus in gain required, the moment the spoofer starts operating. This can be used to identify a spoofing attack [8]. Note, that this only works at the initiation of the spoofing action and only of the spoofer does not use any sophisticated methods such as jamming, followed by spoofing.
Carrier-to-Noise density ratio (C/N0) monitoring
Like AGC monitoring, the technique to track changes in the carrier-to-noise density ratio aims to identify changes that occur when the spoofer becomes active. This ratio relates the carrier power to the noise power density [7]. It will most likely differ for a spoofer compared to a satellite. Hegarty et al. [7] have investigated this method using a Challenger 605 aircraft equipped with an ANTCOM G8Ant-743A4T1-A2 antenna and an ICEPOD-6.5 data collection system. Results showed that C/N0 values were not only affected by the spoofing action, but also by aircraft maneuvering, making it impracticable for reliable spoofing detection [7].
Cross Ambiguity Function (CAF) monitoring
The receiver generates so-called “replicas” of the satellite PRN sequences and correlates them in time with the received signal. This is known as “code-phase tracking”. The CAF is a two-dimensional analysis of Doppler-shift and code-phase and under normal conditions yields one “peak” [9]. In the presence of spoofing, multiple peaks will appear in the CAF, as shown in Figure 6. A key difficulty in CAF monitoring is to distinguish between spoofer-related observations and multipath effects [7].
CAF monitoring can be implemented as “serial” or “parallel” correlation, depending on the hardware constraints of the receiver. It can serve as a valuable tool to identify spoofed conditions, except where the spoofed peak is “very close” to the authentic peak in the CAF [7].
Navigation Message Authentication (NMA)
This cryptographic feature will be available in Galileo Open Service (OS) and ensures that only authentic data is used for navigation. A similar concept is under study for GPS [2]. The underlying principle is public key cryptography. Galileo’s OSNMA is entering service in 2023 and tests have demonstrated very promising results with good coverage and accuracy [10]. The underlying cryptographic processes are somewhat complex, and the interested reader is referred to [10] for more information. One aspect of any public-key system is the key distribution. For Galileo OSNMA this can be achieved through a web-terminal or through the Galileo signal itself. Figure 7 below depicts the anticipated time delay for a first fix, if the receiver has to obtain the cryptographic public key through the Galileo message. Once this is done, the service availability is comparable to un-authenticated Galileo [10].
Notice that NMA constitutes a strong defence against spoofers but does not protect against jammers.
Spatial processing
This technique makes use of the fact that spoofed signals usually arrive from a direction that differs from the expected one. This is a very powerful spoofing and jamming mitigation and has been demonstrated successfully in the past, especially in military applications. The key element in this procedure is to be able to measure the direction of arrival of the satellite signals. This may be done using a Controlled Reception Pattern Antenna (CRPA) or by using multiple distributed antennas [6] [7]. Due to relatively high cost and export restrictions, CRPA’s have been rarely used for civil aircraft GPS applications. Figure 8 below demonstrates the process: The system obtains the “expected” directions of arrival from the constellation data (ephemeris, red). The algorithm then measures the observed direction of arrival (blue).
The observed differences give a clue, if spoofing is present. Notice, that there are other possible reasons for differences, such as multi-path (satellite G11) in this example. See in Figure 8, how satellites G5 and G23 are received from inconsistent directions. Here, the spoofer appears to be located on a relative bearing of 060°. As a side-note, the ephemeris data is translated to a local North-East-Down (NED) coordinate frame, while the measured data is in the antenna coordinate frame. This can be resolved by using attitude information or by statistical means [6].
The key point is this: If a significant portion of satellite signals arrive from the same direction, while they should arrive from different angles according to the ephemeris, spoofing is likely present.
This can also be observed in Figure 4, where a spoofer sends multiple satellite signals from one location.
Sensor data fusion
This is probably the most powerful mitigation against jamming and spoofing, albeit also the most expensive one. A typical combination of sensors is a GNSS with IRS. As most transport category aircraft have IRS at their disposal, this can serve as a solid jamming and spoofing detection and even provide “coasting”, i.e.: provide reliable and accurate position data even during periods of GNSS jamming or spoofing [2] [3]. See here for an article describing the principle of sensor data fusion. For obvious reasons, most manufacturers are limiting the amount of information on how exactly their algorithms perform this sensor data fusion. Practical experiments such as described in [1], have shown that a typical transport aircraft was able to successfully “coast through” periods of denied GPS reception.
Conclusion
Recent years have shown that GNSS interference is becoming a regular phenomenon. We have also seen that the reliance on GNSS is going to increase over the coming decade. It is therefore essential that new standards for GNSS equipment encompass multiple constellations and jamming / spoofing detection capability. From a user’s perspective it all comes down to the capability of the navigation computer to deal with these threats. Only a resilient aircraft-level navigation capability will enable reliable PBN operations in a GNSS interference environment.
References
[1] O. Osechas, F. Fohlmeister, T. Dautermann und M. Felux, «Impact of GNSS-Band Radio Interference on Operational Avionics,» NAVIGATION, Bd. 69(2), 2022.
[2] Ignacio Fernández-Hernández et al., «Increasing International Civil Aviation Resilience: A Proposal for Nomenclature, Categorization and Treatment of New Interference Threats,» DLR, European Commission, FAA, MITRE, Stanford University, 2019.
[3] F. Dovis, GNSS Interference Threats and Countermeasures, Norwood: Artech House, 2015.
[4] Eurocontrol, «European GNSS Contingency/Reversion Handbook for PBN Operations,» Eurocontrol, 2021.
[5] F. Dovis und L. Musumeci, «Use of the Karhunen–Loeve Transform for interference detection and mitigation in GNSS,» ICT Express, Bd. 2, pp. 33-36, 2016.
[6] Fabian Rothmaier et al., «GNSS spoofing detection through spatial processing,» NAVIGATION, Bd. 68, Nr. 2, pp. 243-258, 2021.
[7] C. Hegarty et al., «Spoofing Detection for Airborne GNSS Equipment,» MITRE corporation, 2018.
[8] L. Meng et al., «A Survey of GNSS Spoofing and Anti-Spoofing Technology,» Remote sensing, Bd. 14, Nr. 4826, 2022.
[9] K. Zarrinnegar et al., «Improving Cross Ambiguity Function Using Image Processing Approach to Detect GPS Spoofing Attacks,» Iranian Journal of Electrical and Electronic Engineering, Bd. 19, Nr. 1, 2023.
[10] M. Götzelmann et al., «Galileo Open Service Navigation Message Authentication: Preparation Phase and Drivers for Future Service Provision,» NAVIGATION, Bd. 70, Nr. 3, 2023.