Keeping interference at bay for critical infrastructure

An international survey and analysis on GNSS interference detection and localization systems reveal the path forward for transportation and other critical infrastructure.

By José Luis Madrid-Cobos and Ana Bodero-Alonso, ENAIRE
Ignacio Fernández-Hernández and Eric Châtre, EC
Andriy Konovaltsev, DLR, and Christopher Hegarty, MITRE

An ENAIRE GNSS RFI monitor close to the Madrid-Barajas Airport in Madrid, Spain. (Photo: ENAIRE)

The received power of GPS and Galileo navigation signals at the antenna output of a user receiver is typically extremely small, from approximately –165 up to –150 dBW, which makes them inherently vulnerable to radio-frequency interference (RFI) caused by the emissions of other radio systems. This interference is often unintentional, such as from malfunctioning or spurious emission from a transmitter in the vicinity of the GNSS receiver.

However, we have seen numerous reports about the deliberate jamming of GNSS signals. The most frequent examples of such interference reports are caused by so-called personal privacy devices (PPDs) — low-power GNSS jammers used to locally disable the operation of GNSS receivers. Although the use of PPDs is illegal, they can be easily acquired on the internet. A $10 jammer with 100 mW of transmitter power is enough to degrade performance or disrupt GNSS receivers in a range of 10–100 meters. In the past decade, more complex and powerful jammers have also become available, along with spoofers — devices that create GNSS-like signals that fool receivers into providing false location or time solutions. A $100 software-defined radio bought online can be used as a spoofer.

ENAIRE (the Spanish air navigation service provider) conducted an international survey and associated analysis of GNSS RFI detection and localization systems. The survey was part of the EU–U.S. Working Group C Sept. 2017–Sept. 2019 Work Plan, with contributions of the European Commission (DG DEFIS), the German Aerospace Center (DLR), the U.S. Federal Aviation Administration (FAA), Eurocontrol, the MITRE Corporation and Stanford University. Working Group C promotes cooperation between the U.S. and EU on design and development of the next generation of civil satellite-based navigation and timing systems. The survey was conducted within the Resilience Subgroup focused on counteractions required in view of growing concerns over jamming and spoofing threats.

Manufacturers and Users

The survey was provided in two versions: one targeted to manufacturers and another to the users of interference detection systems. The two surveys were implemented online July 12–Oct. 26, 2018. There were 23 responses: 11 from manufacturers and 12 from users (see Acknowledgments below for companies that participated). Regarding the manufacturers’ responses, the nine surveyed companies represent about 50% of the market of RFI monitoring products available in 2018.

RFI Equipment Used

We present here the aggregated results of the RFI equipment manufactured and used by the participating entities.

Frequency Bands and Signals. The L1/E1 band is covered by all of the manufacturers’ and users’ surveyed products. L5/E5a and other bands are monitored in only 42% of the cases, or even less. Most RFI systems demodulate or analyze the GPS L1 C/A signal. Only 8% and 17% of users analyze GPS L5 and Galileo E5a, respectively.

Capabilities. 55% of the industry, and 25% of the users’ surveyed products, provide RFI localization capabilities, while 45% of the industry, and only 33% of the users’ surveyed products, detect some type of spoofing.

Power and Antenna Gain. Most of the systems achieve a sensitivity better than or equal to –120 dBm, meeting the International Civil Aviation Organization requirement for GPS and SBAS L1 airborne receivers to withstand interference (–120.5 dBm CW, in-band) after steady-state navigation has been established. The gain of antennas used in RFI detection systems ranges from 2 dBi up to 45 dBi.

Real-Time Bandwidth. The maximum real-time monitored bandwidth of the surveyed products ranges from 16 MHz up to 60 MHz in L1. Most of the products monitor a 20-MHz bandwidth (similar to the GPS L1 C/A reference bandwidth for pre-GPS III satellites, which is 20.46 MHz).

Spectrum Refresh Time. The time needed by the RFI detector to capture and process a plot of the RF spectrum in a specific band to look for interference signals ranges from 1 microsecond to 2 seconds.

Jamming Detection Techniques. The most widespread jamming detection technique is RF power monitoring (45% industry, 92% users), followed by digital beamforming (CRPAs), carrier-to-noise-density ratio (C/N0) monitoring and spectral analysis/transforms (see Figure 1). Note that RF power monitoring and automatic gain control (AGC) monitoring are in essence the same detection technique: AGC voltage levels — after calibration with a reference RF generator — can be converted into RF input power levels.
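The AGC-to-power conversion described above, followed by threshold-based event detection, is sketched below as an added example; it is not code from the survey or from any surveyed product. The calibration points, the direction of the AGC curve, the thresholds and the sample stream are all constructed assumptions.

```python
from bisect import bisect_left

# Constructed calibration table: (AGC voltage in V, reference generator power in dBm).
# Assumption: in this hypothetical front end the AGC voltage falls as input power rises.
CAL = [(0.40, -70.0), (0.80, -80.0), (1.20, -90.0), (1.60, -100.0), (2.00, -110.0)]

def agc_to_dbm(volts, cal=CAL):
    """Convert an AGC voltage to RF input power by piecewise-linear interpolation,
    clamped to the calibrated range."""
    pts = sorted(cal)
    xs = [v for v, _ in pts]
    if volts <= xs[0]:
        return pts[0][1]
    if volts >= xs[-1]:
        return pts[-1][1]
    i = bisect_left(xs, volts)
    (v0, p0), (v1, p1) = pts[i - 1], pts[i]
    return p0 + (p1 - p0) * (volts - v0) / (v1 - v0)

def detect_events(samples, baseline_dbm, rise_db=6.0, clear_db=3.0, min_samples=3):
    """Scan (time_s, agc_volts) samples and return interference events.

    An event opens after min_samples consecutive readings at least rise_db above
    the quiet baseline and closes when power drops below baseline + clear_db
    (hysteresis, so a fading interferer is not split into many events).
    """
    events, run, active = [], [], False

    def close(run):
        return {"start": run[0][0], "end": run[-1][0],
                "peak_dbm": max(p for _, p in run)}

    for t, volts in samples:
        p = agc_to_dbm(volts)
        limit = baseline_dbm + (clear_db if active else rise_db)
        if p >= limit:
            run.append((t, p))
            active = active or len(run) >= min_samples
        else:
            if active:
                events.append(close(run))
            run, active = [], False
    if active:
        events.append(close(run))
    return events

# Constructed 1 Hz sample stream: a one-sample glitch at t=2, then a real event t=4..7.
SAMPLES = list(enumerate([1.80, 1.80, 1.50, 1.80, 1.40, 1.20, 1.00, 1.64, 1.80, 1.80]))
BASELINE_DBM = agc_to_dbm(1.80)   # quiet-band reading, -105 dBm on this curve

if __name__ == "__main__":
    for ev in detect_events(SAMPLES, BASELINE_DBM):
        print(ev)
```

The single-sample glitch is ignored, and the reading at t=7 stays inside the event only because of the lower clearing threshold.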

Figure 1a. Jamming detection techniques used by industry. (Chart: RFI survey)

Figure 1b. Jamming detection techniques of users. (Chart: RFI survey)

Spoofing Detection Techniques. The most widespread spoofing detection techniques are PVTF consistency monitoring (industry products, 27%) and correlation peak monitoring (users, 25%), followed by digital beamforming (CRPAs), C/N0 monitoring and spectral analysis/transforms (see Figure 2).

Figure 2a. Spoofing detection techniques used by industry. (Chart: RFI survey)

Figure 2b. Spoofing detection techniques of users. (Chart: RFI survey)

Localization. The most widespread RFI localization technique is direction/angle of arrival (DOA/AOA): 55% in industry products and 25% in users’ systems. AOA techniques used are correlative interferometer (phase-difference), Watson-Watt (amplitude-difference) and array signal processing. The AOA accuracy of surveyed products ranges from ±3° to ±10°.
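To show how AOA bearings from several fixed detectors turn into a position fix, and what the quoted ±3° to ±10° bearing accuracy means on the ground, here is an added example (not from the survey or any surveyed product) that intersects bearing lines by least squares. The sensor layout, emitter position and alternating-sign error pattern are constructed assumptions, in local east/north metres.

```python
import math

def bearing_deg(sensor, target):
    """Azimuth from sensor to target, degrees clockwise from north."""
    return math.degrees(math.atan2(target[0] - sensor[0],
                                   target[1] - sensor[1])) % 360.0

def locate(sensors, bearings_deg):
    """Least-squares intersection of bearing lines.

    Each bearing defines a line through its sensor; the fix minimises the sum of
    squared perpendicular distances to all lines (2x2 normal equations).
    """
    if len(sensors) < 2 or len(sensors) != len(bearings_deg):
        raise ValueError("need two or more sensors, one bearing each")
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (e, n), az in zip(sensors, bearings_deg):
        t = math.radians(az)
        ne, nn = math.cos(t), -math.sin(t)      # unit normal to the bearing line
        c = ne * e + nn * n
        a11 += ne * ne
        a12 += ne * nn
        a22 += nn * nn
        b1 += ne * c
        b2 += nn * c
    det = a11 * a22 - a12 * a12
    if det < 1e-9:
        raise ValueError("bearings are (nearly) parallel: no unique fix")
    east = (a22 * b1 - a12 * b2) / det
    north = (a11 * b2 - a12 * b1) / det
    # A line extends both ways; reject a fix that lies behind any sensor.
    for (e, n), az in zip(sensors, bearings_deg):
        t = math.radians(az)
        if (east - e) * math.sin(t) + (north - n) * math.cos(t) <= 0:
            raise ValueError("fix lies behind a sensor")
    return east, north

# Constructed geometry: three detectors a few kilometres apart, emitter between them.
SENSORS = [(0.0, 0.0), (4000.0, 0.0), (2000.0, 3500.0)]
EMITTER = (1800.0, 1200.0)

def fix_error_m(aoa_error_deg):
    """Position error when the bearings are off by +e, -e, +e degrees."""
    measured = [bearing_deg(s, EMITTER) + sign * aoa_error_deg
                for s, sign in zip(SENSORS, (1, -1, 1))]
    east, north = locate(SENSORS, measured)
    return math.hypot(east - EMITTER[0], north - EMITTER[1])

if __name__ == "__main__":
    for err in (0.0, 3.0, 10.0):
        print(f"AOA error +/-{err:4.1f} deg -> fix error {fix_error_m(err):7.1f} m")
```

With detectors roughly 2 km from the source, the fix error grows from the order of a hundred metres at 3° to several hundred metres at 10° in this geometry.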

Event Recording. For an interference event, most products record the time stamp, received power, central frequency, frequency spectrum, the spectrogram (frequency versus time plot) and the jammer type. Only 8% of surveyed users perform spoofing event recording (see Figure 3). 92% of users record RFI/spoofing events; half also report them to their national spectrum administration. Users have from one to 11 jammer detectors. Only four users have been registered with spoofing detectors, each using one.

Figure 3a. RFI events recording/database used by industry. Jammer classifications: Class I — continuous wave signal; Class II — chirp signal with one saw-tooth function; Class III — chirp signal with multi saw-tooth functions; Class IV — chirp signal with frequency bursts. (Chart: RFI survey)

Figure 3b. RFI events recording/database of users. Jammer classifications: Class I — continuous wave signal; Class II — chirp signal with one saw-tooth function; Class III — chirp signal with multi saw-tooth functions; Class IV — chirp signal with frequency bursts. (Chart: RFI survey)

Event Sharing. 75% of surveyed users are willing to collaborate in the creation of an international RFI and spoofing events common database, but the remaining 25% explicitly do not want to share their databases.

Future RFI Monitoring Equipment

Based on the analysis of the aggregated results from the survey, we identified some recommendations for improving RFI monitoring:

L5/E5a band. To be ready for introduction of the L5/E5a band into aviation operational use (expected by 2025), it is suggested that aviation organizations increase efforts to monitor and analyze the RFI situation in the L5/E5a band.

Spoofing detection. National organizations in charge of critical infrastructures should increase their efforts to detect spoofing (at least at the same level as jamming detection). Multi-constellation and dual-frequency spoofing detection should be promoted (not only L1/E1 spoofing).

GNSS RFI monitoring with enough bandwidth: The maximum real-time monitored bandwidth of the surveyed products ranges from 16 MHz to 60 MHz, while most of the products monitor only a 20-MHz bandwidth. The receiver reference bandwidth for E1 is 24.552 MHz, while for L1 GPS III it is 30.69 MHz. U.S.-EU GNSS RFI detection systems for critical infrastructures should be designed to monitor at least 31 MHz of bandwidth in the L1/E1 band, with 50 MHz recommended to cope with typical –3 dB bandwidth of pre-low-noise-amplifier (LNA) GNSS L1/E1 receiver filter. The same rule should be applied to other GNSS bands. Even more bandwidth for monitoring could be needed to cope with rare interferers, such as a high-power source, whether intentional or unintentional, radiating in near-band L1/E1 but not in the passband frequencies, bypassing the rejection of the receiver’s filters and degrading the GNSS signal reception.

Air Navigation

In the EU, performance-based navigation (PBN) will become the norm in all flight phases, and GNSS (with or without SBAS) will be the main position source, by June 2030. A similar scenario is being developed in the U.S. Conventional procedures and ground-based navigation aids will be used only in contingency situations. GNSS RFI can degrade the current GBAS CAT I (GAST-C) service in airports and could jeopardize safe operation of upcoming GBAS CAT II-III (GAST-D) service. GNSS also is the key enabler for ADS-B.

Therefore, it is critical for air transportation to improve its capability to detect radio frequency interference to GNSS and mitigate its harmful effects, both on the ground and in the air.

Ground Detection and Localization. These systems should be installed at and around all airports. ENAIRE has recently deployed an AOA RFI detection and localization system around the Madrid airport called DYLEMA. It consists of nine AOA RFI and spoofing detectors, two spoofing-only detectors, an IP communication network and a GNSS monitoring center operated 24/7. From this center, ENAIRE will report RFI events to the Spanish spectrum agency. Similar systems will be deployed in other large Spanish airports in the next years. In small airports, ENAIRE is deploying single-unit RFI detectors (one detector per airport, currently without the AOA feature). These systems are complemented by handheld and airborne spectrum analyzers equipped with directional antennas and RFI AOA features, used if an RFI event of high power or duration takes place.

Airborne Detection and Localization. Several initiatives are under study or initial design for airborne detection and localization systems, using current avionics receivers with no hardware modification or new hardware such as additional antennas in the aircraft. Future airborne RFI detection systems should include indoor coverage to detect jammers and spoofers in the airplane itself. EUROCONTROL is leading one of these initiatives using ADS-B. Given a reliable ADS-B data feed with suitable coverage information, a search algorithm could scan for outages. If the data is dense enough, it is possible to locate the source, even if the GNSS airborne antenna is omnidirectional with no AOA features. Another commercial initiative, GATEMAN, uses new GNSS antennas and components to provide AOA detection and localization features.

UAV-Embedded Detection and Localization. Detection and localization systems embedded in UAVs are not widely commercially available, but they will be useful to complement fixed or ground RFI monitoring systems, especially to detect fast moving mobile jammers and spoofers. A jammer moving at high speed could be found by a fixed detector, trigger the UAV take-off (collocated with the detector or close to it), and start tracking the target. If equipped with a camera, it could identify the vehicle carrying the jammer or spoofer. Such a system has to function in GNSS-denied scenarios, and needs to use sensors other than GNSS. Stanford University has recently developed a prototype of such a system.

Other Sectors

Shipping. RFI detection systems should be installed at and around harbors, where positioning requirements are the most stringent. Mobile AOA detectors can be installed in vessels. A DLR experiment integrated its GALANT GNSS RFI detector on a ship sailing from Spain to South Korea and back.

Railroads. Detection and localization systems should be installed at train stations and main railway junctions or switches. Mobile detectors can also be installed in trains to detect jammers inside the train, in addition to outdoor coverage to detect jammers outside the train.

Roads. Most PPD jammers in use are on roadways. Jammers not only jeopardize aviation and timing systems; they can jeopardize the safety of the coming autonomous road vehicles. We strongly recommend that police and road surveillance systems include jammers and spoofers as a daily target, to detect, localize and punish their users.

Supporting proposals include installing fixed detectors at tollbooths, road gantries or other points near roads; and using mobile detectors — for example, on police vehicles for locating a car that carries a jammer. Public transport services with enough vehicles (such as taxis or buses) could also detect RFI.

Smartphone Platforms. Initiatives are using smartphone crowdsourcing platforms to detect interference based on C/N0 or AGC measurements. At this time, only prototype apps for Android phones are available. The Apple iOS does not allow access to GNSS raw data. Android applications can include localization capabilities based on Time Difference Of Arrival (TDOA) or Power Difference Of Arrival (PDOA). Having a detection system in a mass-market product would create millions of detectors around the world. Reward programs by national or local administrations would encourage use of the app. User consent to obtain the data will be needed.

Space-Based Detection. Space-based detection is feasible to find medium- to high-power jammers and spoofers. Several projects have performed simulations, such as the ground to space threat simulator from Qascom and Spirent Communications. In this project, simulations achieved an error of less than 1.5 km using a medium-Earth-orbit (MEO) satellite as the RFI sensor and a 20-dBm static jammer on Earth, with 15 minutes of observation time. Also, an experimental program from the International Space Station has demonstrated that RFI can be detected from low Earth orbit.

The main issue with such detection systems is the cost of deploying all the satellites needed to provide global coverage with a low response time (2 hours or less to detect RFI). The performance of a space-based RFI system is better when using a LEO constellation, because, compared to an MEO system, it detects RFI with a lower transmitted power. One such system by HawkEye 360 was deployed in 2019. The company plans to operate a fleet of 30 satellites in LEO, enabling it to gather new signals from any point on the planet within 30 to 45 minutes.

General Recommendations

Increased Effort Needed. Public administrations and transport service providers should increase their efforts to deploy GNSS RFI detection and localization systems. In parallel, governments should punish individuals or organizations using jammers or other types of illegal transmitters or emissions. Jamming and spoofing are illegal in the EU and the U.S. An increased RFI monitoring effort should be coordinated at the national or regional level to find synergies and avoid duplications.

Planned Interference. Government agencies, including national radiofrequency spectrum agencies, should coordinate nationally and internationally with air, rail, road, maritime and other critical infrastructure entities before any planned intentional interference is conducted, such as military exercises or protection of special events from potential terrorist attack. This coordination includes an analysis of the estimated area and airspace volume affected by the RFI, the associated notification to the GNSS users before and during the RFI radiation period (such as a NOTAM, Notice to Airmen), as well as the indication to use established alternative procedures (non-GNSS).

A Common Database. The creation of an international common database of GNSS RFI events could boost the fight against GNSS RFI. A specific action could define a standard of the RFI data format to be registered and shared in an international database, including a possible RFI classification (also defined and agreed to as part of the standard). One initiative related to the creation of an international GNSS RFI threats database was proposed by the EU-funded STRIKE 3 project in 2017.

Acknowledgments

The work presented in this report has been performed under the U.S.-EU Agreement on GPS-Galileo Cooperation, Working Group C, Resiliency Subgroup. The authors thank the participants of the Working Group and the Resiliency Subgroup — in particular, Eurocontrol and the FAA for distribution of the survey in the EU and the U.S., respectively. The authors also thank the organizations that participated in the survey: Spirent Communications, GMV, Centum Solutions, THALES, IDS AirNav, Chronos Technology, Innovationszentrum für Telekommunikationstechnik (IZT), Collins Aerospace, German Aerospace Center (DLR), Netherlands Aerospace Centre (NLR), Deutsche Flugsicherung (DFS), Direction des Services de la Navigation Aérienne (DSNA), Polish Air Navigation Services Agency (PANSA), Belgocontrol, ENAV and ENAIRE.


José Luis Madrid-Cobos is the technical manager of GNSS interference detection and localization systems at ENAIRE, the Air Navigation Service Provider in Spain. Ana Bodero-Alonso is the head of the Satellite Navigation Department at ENAIRE. Ignacio Fernández-Hernández is responsible for Galileo high accuracy and authentication at the European Commission. Eric Châtre is the head of the GNSS Exploitation and Evolutions Sector at the European Commission. Andriy Konovaltsev is a research assistant at Institute of Communications and Navigation of the German Aerospace Center (DLR). Christopher Hegarty is a technical fellow with The MITRE Corporation.