NIST Releases Draft Cybersecurity Guidance for Technologies Using PNT
Friday, October 23, 2020 | Comments

The National Institute of Standards and Technology (NIST) has drafted guidelines for applying its cybersecurity framework to critical technologies such as GPS that uses positioning, navigation and timing (PNT) data.

The guidance is part of a larger NIST effort to implement a recent executive order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.

Formally titled the “Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT Services (NISTIR8323),” the new guidelines are designed to help mitigate cybersecurity risks that endanger systems important to national and economic security, including those that underpin modern finance, transportation, energy and additional economic sectors. The agency is requesting public comments on the draft by Nov. 23.

The PNT profile will join a growing list of profiles created to help apply NIST’s cybersecurity framework to particular economic sectors, such as manufacturing, the power grid and the maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.

While its scope does not include ground- or space-based source PNT signal generators and providers, such as satellites, the profile still covers a wide swath of technologies. Partly for this reason, the profile is intended to be a foundational set of guidelines that PNT users can customize.

“The profile is meant help a broad set of users address their cybersecurity needs,” said NIST’s Jim McCarthy. “Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies and can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors.”

As directed by “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services,” the profile can help organizations accomplish four tasks:
• Identify systems that use PNT data and/or that propagate this data based on a source signal
• Identify PNT data sources, such as a GPS signal
• Detect disturbance to and manipulation of systems that use PNT services
• Manage the risks that come with responsible use of these PNT services
“Our premise is that there are organizations that may not realize they are using PNT data, or know how they are using it,” said McCarthy. “Part of our goal is to help make these connections so they can protect their operations more effectively.”

The executive order also delegates the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS to the Department of Commerce. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable.

The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, and thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services.

The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data.

OPNT has extended the initial fiber link to Atlanta, Georgia, about 800 kilometers from McLean. Preliminary data suggest that this link will be able to support the requirements of the executive order. NIST and OPNT have also begun a study of a West Coast link that will provide similar fiber-based time service to San Jose, California, and other locations in Silicon Valley from the NIST time scale in Boulder, Colorado.

Any extensive disruption to GPS signals would be highly disruptive to critical infrastructure in the United States, as would the sort of spoofing and manipulation of timing data that the PNT profile is designed to mitigate. As technologies that depend on trustworthy location and timing data grow more commonplace, such as interconnected internet of things (IoT) devices and automated transportation, identifying and protecting these systems and data from cyber threats will only grow in importance.

“The ultimate goals are to identify systems that use PNT data and to detect disturbances to it,” McCarthy said. “Doing so can help mitigate the risk of misuse of PNT data affecting our critical infrastructure, public health and national security.”

Find the full draft profile here.

Would you like to comment on this story? Find our comments system below.




 
 
Post a comment
Name: *
Email: *
Title: *
Comment: *
 

Comments

No Comments Submitted Yet

Be the first by using the form above to submit a comment!


Education







Events
May 2021

18 - 19
Nexus: The NG 9-1-1 Experience Reimagined
Washington, D.C.
https://www.apconexus.org/

More Events >

Site Navigation

Close