Defending Critical Infrastructures from GNSS Interference

Samuele Fantinato, Stefano Montagner, Giovanni Gamba, Andrea Dalla Chiara, Oscar Pozzobon

Qascom S.r.l., via O. Marinali 87, Bassano del Grappa, VI, 36061 Italy Phone: (+39) 0424 525473, Fax: (+39) 0424 230596

e-mails: {name.surname}@qascom.it

Filippo Rodriguez

Telespazio S.p.a. Via Tiburtina 965 Phone (+39) 06 40796336, Fax: (+39) 06 40999607

e-mail: [email protected]

Abstract

This paper presents an innovative GNSS interference monitoring system architecture, designed and engineered by Qascom starting from a set of requirements defined by Telespazio, with a focus on critical infrastructures. The system is composed of a set of high grade sensors, based on software defined radio (SDR) technology, a synchronization module and a wideband omnidirectional antenna. All the sensors are connected to a powerful central processor that collects their data to determine the location of the interference accurately. The system monitors multiple GNSS bands in parallel and in real time. It has been optimized to provide the service operator with high reliability, high sensitivity, low time to alarm and low time to locate, and it is ready for automatic identification and classification of interference features (e.g. bandwidth, power, modulation). The paper also describes a fully configurable system level simulator that gives the service operator the capability of properly dimensioning and characterizing the interference monitoring system before deployment in the field. The tool emulates the monitoring system behavior in terms of architecture functionalities and signal processing algorithms, with realistic modelling of sensor hardware, antenna patterns and channel impairments. Results from the testing campaign performed in the radio navigation laboratory are summarized.

Introduction

Critical infrastructures are the assets, systems, and networks, whether physical or virtual, so vital to a country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety. Reliable and resilient GNSS-based positioning and timing is essential in critical infrastructures such as satellite ground stations, airports, finance, power grids and telecommunication networks. However, it is well known that GNSS technologies are highly vulnerable to radio frequency interference, because the power level of the received GNSS signals is below the thermal noise. Defending critical infrastructure by means of networks specialized in interference detection has become a priority in countries such as the United States, where the National Geospatial-Intelligence Agency has started the JLOC program [1], and the United Kingdom, where the GAARDIAN project created a GPS Interference Detection & Mitigation network for mission & safety critical applications [2]. This paper describes the innovative GNSS interference monitoring system architecture designed and engineered by Qascom for an Italian initiative led by Telespazio. The infrastructure that is being deployed by Telespazio includes a main controller that processes data from a network of GNSS and non-GNSS sensors. The interference monitoring system is one of the core elements of this infrastructure and has been developed in two main phases. The first phase of the project focused on the design of the system, including the choice of sensor type, the network topology and complexity (dependent on the degree of intelligence of the individual probes) and the interface with the main processor. In this phase a fully configurable system simulator was also developed to predict the system behavior.
In parallel, state-of-the-art detection (time domain and frequency domain) and location techniques were selected and assessed to optimize the detection probability for various types of jamming signal in open and urban propagation environments. The second phase of the project has been dedicated to the real-time software implementation of the interference processing techniques, hardware integration and testing in the radio navigation laboratory. In the final phase an extensive in-field testing campaign of the full system is planned, to be performed in authorized bands.


The GNSS Interference Threat

The system has been designed to monitor intentional and unintentional interference with power that might affect GNSS operations. Unintentional interference comprises the set of vulnerabilities introduced by accidental interference created by external sources: harmonic emissions from high power transmitters, mobile satellite services, television, ultra-wideband radar and personal electronic devices. A detailed review of the systems impacting GNSS bands (E1, E5, E6) is available in [3]. Intentional interference can be categorized on the basis of the objective of the attack:

Denial of service of position and time (jamming).

Deception of position and time (spoofing and meaconing)

Deception has not been considered in this work. Denial of Service attacks can disrupt the operations of different stages of a GNSS receiver. In particular, jamming impacts the receiver front-end, that is, the interface between the physical RF signal and the digital baseband domain. Many works in the literature have analyzed and compared commercially available jammers. Recalling the results reported in [9], commercial jammers can be categorized as:

Continuous wave (CW) signal (Class I).

Chirp signal with one saw-tooth function (Class II).

Chirp signal with multi saw-tooth functions (Class III).

Chirp jammer with frequency bursts (Class IV)

Depending on the power and modulation of the jammer, the GNSS receiver is impacted at different levels:

Antenna-LNA: for power levels above a certain threshold, the antenna and LNA may be damaged, mainly by electric discharge (electrical overstress, EOS) or thermal phenomena. Typically, the maximum RF input for commercial receivers is about 20 dBm, therefore only a very powerful jammer of about 60 dBm (considering at least 40 dB attenuation for space loss in the first meter) would be able to disrupt the front-end of a receiver.

AGC: if the jammer dynamics are slower than the AGC recovery time (i.e. the time window used to estimate the signal power in the AGC circuitry), a high jammer pulse can trigger a modification of the AGC gain. Therefore, in case of jamming, the AGC levels are lower than the nominal values.

ADC: the ADC is heavily affected by the presence of a jammer. The behavior changes depending on AGC availability. With a fast AGC that is able to track the highest power level, the weak GNSS signal and noise are discarded by the effect of quantization, since typically only 2-4 bits are available. High resolution 8-16 bit ADCs suffer less from this effect. With a slow AGC, a higher signal would lead to saturation of the ADC.

Digital Signal Processing: jamming has a significant effect even when its power is only comparable with the noise floor. In this case jamming affects both the acquisition and the tracking stage of a GNSS receiver, causing C/N0 degradation and PVT errors.

Interference Detection and Location System Design

Requirements

For the system design the following assumptions have been considered:

Monitoring Area: the system has to detect and locate interference within an area of two kilometers radius. Although the typical critical infrastructures to be monitored are in an open environment, the area size has to be reduced to grant the same level of detection probability in an urban environment.

Time to Alarm: the system has been designed to provide warnings to the main processor within 6 seconds. Simulation results have confirmed the feasibility of this requirement for a jamming-to-noise power ratio (J/N) higher than -15 dB at the sensor input.

Synchronization: the location techniques (in particular TDOA measurements) require tight synchronization between the sensors (below 250 ns). This accuracy is achievable with GPS timing; however, in case of jamming this source of synchronization would not be available. A backup system is therefore being introduced in the sensor: among the possibilities investigated are a GNSS disciplined OCXO and the exploitation of the synchronization of other telecommunication systems such as LTE or DVB-SH.

Interface with the Main Processor: the central processor of the detection and location system has to interface with the Main Processor to report information about the jamming events, including the event time, the impacted band, the estimated interference central frequency, the estimated power and location information.

Sensor Number and Layout: two-dimensional localization requires a minimum of three sensors. However, four sensors have been selected to achieve increased accuracy. Assessing the performance of the localization techniques also requires an analysis of the disposition of the sensors in the monitoring area. A homogeneous disposition of the sensors would optimize the detection probability. The positioning performance, which can be expressed as the product of the GDOP at a point and the root-mean-square error (RMSE) of the ranging errors from stations to the target, following [5], can be optimized by deploying the four sensors in the “Y-shape” disposition.

System Architecture

Figure 1 shows the proposed system architecture. It is composed of four sensors, each with the following elements:

Antenna: a wideband and isotropic antenna has been selected for the collection of GNSS signals and interference in the E1, E6 and E5 bands.

High End RF Digitizer: the board is capable of sampling RF signals with a high resolution ADC (12 bits). The digitizer can process a bandwidth up to 40 MHz with a configurable sampling rate up to 125 Ms/s. This module takes as input an external synchronization signal (hardware trigger) and commands coming from the embedded PC unit (connection based on Gigabit Ethernet). The acquired IQ batches, of configurable length, are sent to the Embedded PC.

Time Synchronization Module: it outputs a stable PPS signal and a stable reference (10 MHz) to be fed to the data acquisition board. The baseline time synchronization solution includes a GNSS receiver optimized for single-satellite timing.

Embedded PC: it is the device that runs the software performing the interference detection and the communication with the central processor.

Wideband Modem (3G and 4G): it is in charge of transmitting the IQ data and the processing results (including event data) to the central processor.

The system also includes a Central Processor, a rack PC that collects all the detection information from each sensor and the IQ data to estimate the jammer location. It also manages the interface with the main processor.

Figure 1 System Architecture


Detection Approach

A number of techniques devoted to interference detection have been proposed in the literature [6], [7], [8]. A first classification separates them into Parametric and Non Parametric techniques.

Parametric or Features based techniques

This class of algorithms is especially useful when there is some degree of knowledge of the underlying interference signal features. In particular, this class has received considerable attention in cognitive radio, which aims at finding dynamic and optimum spectrum allocation by means of time-frequency agility. This class is hardly applicable to superimposed signals or when it is not feasible to properly discriminate each signal source in some domain (time, frequency or both). A whole branch of statistical testing is devoted to parametric tests of variance, with major or minor modifications. Cyclostationarity is one of the main features that can be exploited for digitally modulated signals, since modulation induces cyclostationary features.

Non parametric techniques

This class encompasses various approaches that are agnostic with respect to the signal structure. These techniques are based on the amplitude or energy of the signal, especially in the frequency domain. The goal of detection algorithms is to establish statistical estimation procedures capable of revealing a signal anomaly with a given level of confidence, i.e. for a specified probability of false alarm. A number of interference detection tests are available in the literature, but in this project only tests that do not rely on a priori knowledge of the interferers have been used. Non-parametric approaches are based on a two-step algorithm: a preliminary calibration phase, to be used as a reference, and an evaluation phase, where the estimate is compared to the calibration phase.

The assumptions are the following:

An anomaly persists for a number of samples, i.e. it is a stationary process within a single data batch. Given a batch of maximum 50-100 ms, this assumption is reasonable.

Interference is completely unknown. A number of classes, are considered:

The distributions between the assessment and evaluation window may not be identical, including the variances between the two population groups.

An anomaly-free signal period is available to perform a statistical assessment of the process.

The proposed algorithms are based on T-test and Chi-squared hypothesis tests, performed under a Constant False Alarm Rate (CFAR) policy, as reported in [7].

The detection techniques that have been selected for the system have been analyzed considering: Sensitivity, Dynamic Range, Dynamic Response and Fingerprinting ability (the capability to discriminate one jammer from another in terms of amplitude dynamics and frequency dynamics). The proposed approaches are based on IQ samples. The raw samples, which are elaborations of the IQ samples S_i, are input to the detection test engine. The following processing has been implemented:

AGC Monitoring: it measures the VGA gain or equivalent voltage. The AGC gain is used and G_i is the output of a complex non-linear operator within the AGC.

Power Monitoring: it represents a digital estimation of the received in-band power. IQ samples are fed into a squaring element before being fed into the detector.

Histogram Goodness of Fit: estimates the empirical histogram from the collected IQ data. The theoretical histogram is Gaussian, given that AWGN is the dominant signal (the GNSS signal is 20 dB weaker and hence can be neglected). If a jammer is present, the histogram is distorted.

PSD Estimation: estimates the power spectral density using an FFT over a given window of samples. Transformed-domain techniques exploit the property that, at some frequencies, the spectral density of a narrowband jammer is typically much higher than the noise-like PSD of the authentic GNSS signal (which is buried in noise), even for low power jammers.

In order to output a single detection flag, a “binary integration” approach has been employed.


Figure 2: Selected Detection Algorithms
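The two-step calibration and evaluation scheme, with the Power Monitoring and PSD Estimation tests and a binary-integration stage, can be sketched as follows. This is an added example, not code from the paper or from the system it describes. It assumes white Gaussian noise, replaces the paper's T-test and Chi-squared statistics with closed-form CFAR thresholds, and takes "binary integration" to mean an M-of-N rule over consecutive batches; all names, the batch size and the sample signals are constructed for illustration.

```python
import cmath
import math
import random
from statistics import NormalDist

N = 4096      # samples per batch (constructed value, power of two for the FFT)
PFA = 1e-3    # per-batch false-alarm probability assigned to each test


def noise_batch(rng, n=N, jam=None):
    """Constructed IQ batch: unit-power complex AWGN plus an optional jammer jam(k)."""
    s = math.sqrt(0.5)
    return [complex(rng.gauss(0, s), rng.gauss(0, s)) + (jam(k) if jam else 0)
            for k in range(n)]


def cw(jn_db, f=0.2):
    """Constructed CW jammer at the given J/N (dB) and normalised frequency f."""
    a = math.sqrt(10 ** (jn_db / 10))
    return lambda k: a * cmath.exp(2j * math.pi * f * k)


def power(x):
    """Squaring element followed by averaging: in-band power estimate."""
    return sum(abs(v) ** 2 for v in x) / len(x)


def fft(x):
    """Recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return ([even[k] + tw[k] for k in range(n // 2)]
            + [even[k] - tw[k] for k in range(n // 2)])


def calibrate(clean_batches):
    """Calibration phase: noise floor from anomaly-free batches, then CFAR thresholds."""
    p0 = sum(power(b) for b in clean_batches) / len(clean_batches)
    k = NormalDist().inv_cdf(1 - PFA)
    return {
        # noise-only batch power is approximately Normal(p0, p0^2 / N)
        "power": p0 * (1 + k / math.sqrt(N)),
        # each periodogram bin is Exp(mean p0); union bound over the N bins
        "psd": p0 * math.log(N / PFA),
    }


def evaluate(batch, thr):
    """Evaluation phase: compare one batch against the calibrated thresholds."""
    peak = max(abs(v) ** 2 for v in fft(batch)) / len(batch)
    return {"power": power(batch) > thr["power"], "psd": peak > thr["psd"]}


def binary_integration(flags, m=3, n=5):
    """M-of-N rule: alarm when at least m flags are set in any window of n batches."""
    return any(sum(flags[i:i + n]) >= m for i in range(max(1, len(flags) - n + 1)))


def run(jam, batches=5, seed=7):
    """Calibrate on 8 clean batches, evaluate `batches` batches, integrate per test."""
    rng = random.Random(seed)
    thr = calibrate([noise_batch(rng) for _ in range(8)])
    out = [evaluate(noise_batch(rng, jam=jam), thr) for _ in range(batches)]
    return {name: binary_integration([o[name] for o in out]) for name in ("power", "psd")}


if __name__ == "__main__":
    for label, jam in (("noise only", None), ("CW J/N -20 dB", cw(-20)), ("CW J/N -5 dB", cw(-5))):
        print(label, run(jam))
```

In this constructed setup the weak CW changes the total power by about 1 percent and stays under the power threshold, while its energy is concentrated in one periodogram bin and crosses the PSD threshold.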

Location Approach

Two different methods TDOA and RSS have been investigated in the frame of the project. The main advantages of these methods of processing are the following:

A single antenna per sensor is required, as opposed to an array for interferometric and similar processing methods that rely on the intersection of Lines of Bearing (LOBs) to determine the Position Fix

Normally higher precision and more accuracy can be obtained with quadratic processing

This report investigates the TDOA and RSS algorithms in the following fashion:

TDOA standalone: TDOA techniques are based on the estimation of the difference of the arrival times of the signal from the source at multiple sensors. This is usually accomplished by taking a snapshot of the signal at a synchronized time period at multiple sensors.

RSS standalone: Received signal strength (RSS) is defined as the voltage measured by a receiver’s received signal strength indicator (RSSI) circuit. Often, RSS is equivalently reported as measured power, i.e., the squared magnitude of the signal strength. Power measures are typically performed on a batch of IQ digitized data. In the RSS localization method the pathloss model is considered known a priori assuming either the channel is perfect free-space or an extensive channel measurement and modelling, prior to system deployment. The wrong modelling of the path loss has a considerable impact on RSS estimations.

Hybrid TDOA-RSS: it is possible to combine the techniques discussed above to offer a more reliable and accurate position location service than can be offered by using just one of them. A viable solution to improve localization accuracy is to merge different raw measurements and feed them into a hybrid location engine. In [12], a comprehensive analysis of different schemes of hybrid localization is offered.

Sequential Approaches: the sequential localization approach is based on a Kalman filter that estimates and propagates the position and velocity of the jammer. In particular, the input and output of the Kalman filter are the position of the jammer, and its states are position and velocity in a two-dimensional space. A Kalman filter, if properly tuned, is also able to “predict” and “propagate” a model, once properly initialized and provided the jammer position dynamics do not change greatly during prediction.
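The sensor-layout and synchronization requirements and the TDOA method described above can be tied together numerically: position RMSE is approximately GDOP times ranging RMSE, and a 250 ns timing error corresponds to about 75 m of range. The following is an added example, not code from the paper or its Matlab simulator. It assumes a Y-shape with one sensor at the centre and three on the 2 km rim, treats 250 ns as the 1-sigma timing error of each sensor, and uses a plain Gauss-Newton solver; all names and the jammer position are constructed.

```python
import math
import random

C = 299_792_458.0       # speed of light, m/s
RADIUS_M = 2000.0       # monitoring radius from the requirements
SYNC_SIGMA_S = 250e-9   # assumption: the 250 ns budget taken as 1-sigma per-sensor timing error


def y_layout(radius=RADIUS_M):
    """Assumed Y-shape: one sensor at the centre, three on the rim 120 degrees apart."""
    rim = [(radius * math.cos(math.radians(a)), radius * math.sin(math.radians(a)))
           for a in (90, 210, 330)]
    return [(0.0, 0.0)] + rim


def geometry(p, sensors):
    """Ranges to each sensor and centred unit vectors u_i - mean(u).

    Centring removes the unknown emission time, which is what turns
    arrival times into time differences of arrival.
    """
    rho = [max(math.hypot(p[0] - sx, p[1] - sy), 1e-9) for sx, sy in sensors]
    u = [((p[0] - sx) / r, (p[1] - sy) / r) for (sx, sy), r in zip(sensors, rho)]
    mx = sum(a for a, _ in u) / len(u)
    my = sum(b for _, b in u) / len(u)
    return rho, [(a - mx, b - my) for a, b in u]


def normal_matrix(dev):
    """Entries (xx, xy, yy) of A = sum(d d^T); sigma^2 * inv(A) is the position covariance."""
    return (sum(a * a for a, _ in dev), sum(a * b for a, b in dev),
            sum(b * b for _, b in dev))


def gdop(p, sensors):
    """sqrt(trace(inv(A))): position RMSE per metre of ranging RMSE at point p."""
    axx, axy, ayy = normal_matrix(geometry(p, sensors)[1])
    det = axx * ayy - axy * axy
    return math.sqrt((axx + ayy) / det) if det > 1e-12 else math.inf


def solve_tdoa(arrival_m, sensors, start=(100.0, 100.0), iters=25):
    """Gauss-Newton fix from arrival times scaled to metres (common offset allowed)."""
    x, y = start
    for _ in range(iters):
        rho, dev = geometry((x, y), sensors)
        err = [z - r for z, r in zip(arrival_m, rho)]
        axx, axy, ayy = normal_matrix(dev)
        gx = sum(d[0] * e for d, e in zip(dev, err))
        gy = sum(d[1] * e for d, e in zip(dev, err))
        det = axx * ayy - axy * axy
        dx, dy = (ayy * gx - axy * gy) / det, (axx * gy - axy * gx) / det
        scale = min(1.0, 1000.0 / max(math.hypot(dx, dy), 1e-9))  # damp wild first steps
        x, y = x + scale * dx, y + scale * dy
    return x, y


def monte_carlo_rmse(jammer, sensors, sigma_m, trials=300, seed=1):
    """Empirical position RMSE with independent Gaussian timing error at each sensor."""
    rng = random.Random(seed)
    rho, _ = geometry(jammer, sensors)
    total = 0.0
    for _ in range(trials):
        # 12345 m stands for the unknown emission time, identical at every sensor
        z = [r + 12345.0 + rng.gauss(0.0, sigma_m) for r in rho]
        ex, ey = solve_tdoa(z, sensors)
        total += (ex - jammer[0]) ** 2 + (ey - jammer[1]) ** 2
    return math.sqrt(total / trials)


if __name__ == "__main__":
    sensors = y_layout()
    sigma_m = C * SYNC_SIGMA_S          # about 75 m of ranging error
    jammer = (600.0, -400.0)            # constructed test position
    print("predicted RMSE  %.1f m" % (gdop(jammer, sensors) * sigma_m))
    print("simulated RMSE  %.1f m" % monte_carlo_rmse(jammer, sensors, sigma_m))
    print("3 rim sensors   %.1f m" % (gdop(jammer, sensors[1:]) * sigma_m))
```

Dropping the centre sensor (`sensors[1:]`) gives the three-sensor minimum and a larger GDOP at the same point, which illustrates the accuracy gain from the fourth sensor under these assumptions.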

Matlab System Architecture Simulator

A fully configurable system simulator was developed to predict the system behavior. It is a true sample-level simulator, which works on a baseband-equivalent or IF down-converted version of the system. This engine has been developed to evaluate the performance and parameters of the detection and location algorithms with a Monte Carlo approach. The tool can also be used to determine the number, type and position of the probes for a defined environment and jammer type. The simulator is fully configurable; in particular, channels are modelled including shadowing and two propagation models: path loss and the Hata model.


The sensors are modeled with realistic features retrieved from the datasheet:

Antenna Pattern

GNSS front-end, constituted of the following blocks:

o Low Noise Amplifier (LNA).

o Automatic Gain Control (AGC).

o Analog to Digital Converter (ADC).

o Digital Processing.

Position in the monitoring area

Detection algorithm Parameters

As for the sensors, the Jammer is fully configurable with realistic features:

Antenna Pattern (directional or omnidirectional)

The modeling of the jammer signal is based on the following criteria:

o Simplicity, flexibility, and capability to cover real-world jammers.

o Comprise various jammers, such as CW, AWGN and CHIRP.

o Capture pulsed interference behavior.

Position (or dynamic) in the monitoring area

Figure 3 shows the output graphic interface of the simulator. Starting from the top left graphic, the position of the sensors, the jammer position behavior and the estimated jammer position are reported on a map, while the top middle graphic depicts the geometric view of sensors, jammer and GNSS receiver. The top right graphic reports the C/N0 degradation. On the bottom left, the location estimation error is shown, and the detection flags for all sensors and algorithms are reported in the bottom middle graphic. Finally, the bottom right graphic reports the instantaneous detection flag for one sensor.

Figure 3 Output graphic interface of the simulator

Test Results

In order to validate the simulation results, a test bed has been set up to test the detection algorithms with a real batch of transmitted data samples instead of a simulated one. The test bench is composed of a software defined radio (SDR) board transmitting RF signals toward a signal analyzer (SA) through an RF cable with a 70 dB attenuator. The samples obtained are then used to run the detection algorithms and obtain the processing results. The main target of this assessment is the evaluation of the detection performance. Figure 4 shows an example of a wideband interference acquisition.


Figure 4 System test bench during the acquisition of a wideband signal.

Table 1 summarizes the test results for various interference signal types and received interference powers. The PSD test outperforms the others, reaching detection of very low power signals.

Signal                 AGC   Power   Histogram   PSD
Noise                  X     X       X           X
Chirp -80 dBm          ✓     ✓       ✓           ✓
Chirp -95 dBm          X     ✓       X           X
CW -80 dBm             ✓     ✓       ✓           ✓
CW -95 dBm             X     ✓       ✓           ✓
WB -80 dBm             ✓     ✓       ✓           ✓
WB -95 dBm             X     ✓       X           ✓
Pulsed CW -70 dBm      ✓     ✓       ✓           ✓
Pulsed CW -80 dBm      ✓     ✓       ✓           ✓
Pulsed CW -85 dBm      X     ✓       ✓           ✓
Pulsed WB -70 dBm      ✓     ✓       ✓           ✓
Pulsed WB -80 dBm      X     ✓       ✓           ✓
Pulsed WB -85 dBm      X     ✓       X           ✓

Table 1 Detection Performance Results

Figure 5 reports the performance improvement obtained with a sequential approach for the three localization methods (RSS, TDOA and Hybrid) in the case of a wideband jammer. In the figure, the batch method has solid curves, whereas the sequential method that uses a Kalman filter has dashed curves. It is shown that higher location accuracy can be achieved with a sequential approach.

Figure 5: RMS error vs Transmitted Power for Three Location Methods with and without Kalman.

Conclusions

This paper describes an innovative GNSS interference monitoring system architecture developed to protect critical infrastructure. The system is composed of a set of four high grade sensors and a central processor, which perform detection and location of the interference respectively. The paper presents the system architecture, including the main design constraints and the selected algorithms. A comprehensive detection and location system-level simulator is also presented, capable of simulating the impact of sensor disposition on performance. The simulator properly models sensor features and channel impairments, together with interference features, to reliably forecast expected performance.

References

[1] GPSWorld, Jammer Location Gets NGA Attention, July 2008

[2] UK Focuses on GPS Jamming & Interference, Inside GNSS February 2010

[3] Dovis, F., L. Musumeci, N. Linty, and M. Pini, Recent Trends in Interference Mitigation and Spoofing Detection, International Journal of Embedded and Real-Time Communication Systems (IJERTCS)

[4] Bauernfeind, R.; Eissfeller, B., Software-defined radio based roadside jammer detector: Architecture and results, Position, Location and Navigation Symposium - PLANS 2014, 2014 IEEE/ION, pp. 1293-1300, 5-8 May 2014

[5] Yan-Ping Lei, Feng-Xun Gong and Yan-Qiu Ma, “Optimal Distribution for Four-Station TDOA Location System”, BMEI, 2010

[6] A. Martino, “Introduction to Modern EW Systems”, Artech House, 2012.

[7] Bauernfeind, R.; Eissfeller, B., Software-defined radio based roadside jammer detector: Architecture and results, Position, Location and Navigation Symposium - PLANS 2014, 2014 IEEE/ION, pp. 1293-1300, 5-8 May 2014

[8] Gardner, William A.; Napolitano, Antonio; Paura, Luigi, Cyclostationarity: Half a century of research, Signal Processing, 86, 4, 639-697, 2006, Elsevier

[9] A Korenberg, M.J, “A robust orthogonal algorithm for system identification and time-series analysis”, Biological Cybernetics, February 1989

[10] Ahmed El-Shafie, Aboelmagd Noureldin, Don Mcgaughey, and Aini Hussain. 2012. Fast orthogonal search (FOS) versus fast Fourier transform (FFT) as spectral model estimations techniques applied for structural health monitoring (SHM). Struct. Multidiscip. Optim. 45, 4 (April 2012), 503-513.

[11] Castro, A. et al. “Modulation Classification in Cognitive Radio” 2012, Intech Open

[12] Motella, B.; Pini, M.; Presti, L.L., "GNSS interference detector based on Chi-square Goodness-of-fit test," Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing, (NAVITEC), 2012 6th ESA Workshop on, pp. 1-6, 5-7 Dec. 2012

[8] Jean-Paul Poncelet, Dennis M. Akos, “A Low-Cost Monitoring Station for Detection & Localization of Interference in GPS L1 Band”, NAVITEC, 2012 6th ESA Workshop 5-7 Dec. 2012.

[9] K. G. Gromov, “GIDL: Generalized Interference Detection and Localization system”, PhD thesis, Stanford University, March 2002

[10] Poisel R., “Introduction to Communication Electronic Warfare Systems”, Artech House, 2013

[11] D. J. Torrieri, “Statistical Theory of Passive Location Systems”, IEEE Transactions on Aerospace and Electronic Systems, vol. AES-20, no. 2, pp. 183–198, March 1984.

[12] Mohamed Laaraiedh, Lei Yu, Stephane Avrillon, “Comparison of Hybrid Localization Schemes using RSSI, TOA, and TDOA”.

[13] Jin Ik Kim, Jang Gyu Lee, Chan Gook Park, “A Mitigation of Line-of-Sight by TDOA Error Modelling In Wireless Communication System”, International Conference on Control, Automation and Systems 2008 Oct. 14-17, 2008, Seoul, Korea.