SIST-TP CEN/TR 17475:2020

SLOVENSKI STANDARD
kSIST-TP FprCEN/TR 17475:2020
01-februar-2020
Vesolje - Ugotavljanje položaja z uporabo GNSS za cestne inteligentne transportne
sisteme (ITS) - Specifikacija preskusnih naprav, definicija preskusnih scenarijev,
opis in ovrednotenje postopkov za terensko preskušanje varnosti terminalov
GNSS za ugotavljanje položaja
Space - Use of GNSS-based positioning for road Intelligent Transport System (ITS) -
Specification of the test facilities, definition of test scenarios, description and validation of
the procedures for field tests related to security performance of GNSS-based positioning
terminals
Spezifikation der Testeinrichtungen, Definition von Testszenarien, Beschreibung und
Validierung der Verfahren für Feldtests in Bezug auf die Sicherheitsleistung von GNSS-
basierten Ortungsterminals
Espace - Utilisation de la localisation basée sur les GNSS pour les systèmes de
transports routiers intelligents (ITS) - Spécification des installations d’essais, définition
des scénarios d’essais, description et validation des procédures d'essais sur le terrain en
matière de performances de sécurité des terminaux de positionnement basés sur les
GNSS
Ta slovenski standard je istoveten z: FprCEN/TR 17475
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
prometu
49.140 Vesoljski sistemi in operacije Space systems and
operations
kSIST-TP FprCEN/TR 17475:2020 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
kSIST-TP FprCEN/TR 17475:2020

---------------------- Page: 2 ----------------------
kSIST-TP FprCEN/TR 17475:2020


TECHNICAL REPORT
FINAL DRAFT
FprCEN/TR 17475
RAPPORT TECHNIQUE

TECHNISCHER BERICHT

November 2019
ICS

English version

Space - Use of GNSS-based positioning for road Intelligent
Transport System (ITS) - Specification of the test facilities,
definition of test scenarios, description and validation of
the procedures for field tests related to security
performance of GNSS-based positioning terminals
Espace - Utilisation de la localisation basée sur les Spezifikation der Testeinrichtungen, Definition von
GNSS pour les systèmes de transports routiers Testszenarien, Beschreibung und Validierung der
intelligents (ITS) - Spécification des installations Verfahren für Feldtests in Bezug auf die
d'essais, définition des scénarios d'essais, description Sicherheitsleistung von GNSS-basierten
et validation des procédures d'essais sur le terrain en Ortungsterminals
matière de performances de sécurité des terminaux de
positionnement basés sur les GNSS


This draft Technical Report is submitted to CEN members for Vote. It has been drawn up by the Technical Committee
CEN/CLC/JTC 5.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a Technical Report. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a Technical Report.

---------------------- Page: 3 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
Contents Page

European foreword . 4
1 Scope . 5
1.1 Purpose of the document . 5
1.2 Overview of the document . 5
2 Normative references . 5
3 Terms and definitions . 6
4 List of acronyms . 10
5 GNSS Threats overview . 11
5.1 General . 11
5.2 Denial of service: jamming . 11
5.3 Deception of service: spoofing and meaconing . 13
6 Security metrics . 16
6.1 General approach . 16
6.1.1 Introduction . 16
6.1.2 Notes on empirical CDF . 17
6.1.3 ECDF with loss of samples . 19
6.2 Considered metrics . 22
6.2.1 General . 22
6.2.2 Accuracy . 22
6.2.3 Integrity . 24
6.2.4 Availability and continuity . 28
6.3 Other metrics . 30
6.3.1 Time To Fist Fix (TTFF) . 31
6.3.2 Excluded metrics . 31
6.4 Robustness concept: a summary metric . 32
7 Test approach . 32
7.1 SDR concept . 33
7.2 Interference hardware impact . 33
7.2.1 General . 33
7.2.2 Antenna-LNA . 34
7.2.3 AGC . 34
7.2.4 ADC . 34
7.2.5 Digital post-correlation processing . 35
7.3 Record and replay choice . 37
7.4 Jamming testing architecture . 38
7.5 Spoofing testing architecture. 40
7.6 File size and scenario length . 42
7.7 Hybridization issue . 43
8 Test scenarios . 43
8.1 Relevant realistic scenarios . 44
8.1.1 Nominal scenarios . 44
8.1.2 Clear sky scenario as a special case . 44
2

---------------------- Page: 4 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
8.1.3 Scenario VS Data set VS Datafile . 45
8.1.4 Scenario-management authority . 45
8.2 Interference scenarios selection . 45
8.2.1 Jamming proposed scenarios . 46
8.2.2 Spoofing proposed scenarios . 47
8.2.3 Meaconing assessment . 49
8.2.4 Meaconing proposed scenarios . 49
9 Test facilities specification . 50
9.1 Data set record testbed. 50
9.1.1 General . 50
9.1.2 Jamming data generation. 50
9.1.3 Spoofing data recording . 54
9.2 Replay testbed . 55
9.2.1 RF transmitters calibration . 55
9.2.2 Replay testbed schemes . 57
10 End-to-end validation . 58
10.1 Devices under test . 58
10.2 Nominal scenario recording and validation . 60
10.2.1 Nominal scenario recording . 60
10.2.2 Analytical tools . 63
10.2.3 Nominal scenario validation . 65
10.3 Jamming test results . 73
10.3.1 General . 73
10.3.2 Jamming scenarios generation . 73
10.3.3 Interferences on AsteRx3 HDC . 75
10.3.4 Interferences on Ublox 8 . 92
10.4 Spoofing test results . 106
10.4.1 Spoofing scenario recording . 106
10.4.2 Spoofing on AsteRx-3 HDC . 106
10.4.3 Spoofing on Ublox 8 . 110
Annex A (informative) AGC principles and impact . 115
Annex B (informative) GNSS SDR Format standardization . 118
Annex C (informative) Spoofing insights . 120
C.1 General . 120
C.2 Range error impact . 121
C.3 Oscillator error impact . 121
C.4 Propagation channel impact . 122
Annex D (informative) Noise amplification . 124
D.1 Theory of noise amplification . 124
D.2 Experimental validation. 128
Annex E (informative) Accuracy and continuity simulations . 130
Bibliography . 135


3

---------------------- Page: 5 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
European foreword
This document (FprCEN/TR 17475:2019) has been prepared by Technical Committee CEN-
CENELEC/TC 5 “Space”, the secretariat of which is held by DIN.
This document is currently submitted to the vote on TR.
4

---------------------- Page: 6 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
1 Scope
1.1 Purpose of the document
This document is the CEN Technical Report WP2-D2 of the GP-START project, regarding the test
procedures for assessment of robustness to security attacks.
Starting from the definition of security attacks taxonomy and security metrics highlighted in
FprCEN/TR 17464:2019, this task aims to:
1. Specify test facilities to be used in the field tests. This comprises both hardware and software
equipment.
2. Define relevant test scenarios applicable to security performances. Also, the field test needed for
validation of scenarios will be properly described.
3. Define end-to-end test procedures comprising experimental validation of the whole test chain.
The results will serve as the operational basis for field testing of robustness against security attacks.
1.2 Overview of the document
The outline of the document is as follows:
• Clause 5 provides a review of security metrics, in line with the other deliverables of the project and
in particular with FprCEN/TR 17465:2019 and FprCEN/TR 17464:2019.
• Clause 6 consolidates the test approach with respect to jamming and spoofing oriented scenarios.
• Clause 7 provides a definition of relevant test scenarios, applicable to security testing, starting from
outcomes of FprCEN/TR 17464:2019.
• Clause 8 provides an in-depth discussion regarding test facilities, focusing on both data recording
and replay.
• Clause 9 concludes with a set of real-life tests, for a preliminary end-to-end validation of the
procedures.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 16803-1:2016, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) —
Part 1: Definitions and system engineering procedures for the establishment and assessment of
performances
ETSI TS 103 246-3, Satellite Earth stations and systems (SES) —GNSS-based location systems — Part 3:
Performance requirements
FprCEN/TR 17447:2019, Space — Use of GNSS-based positioning for road Intelligent Transport System
(ITS) — Mathematical PVT error model
FprCEN/TR 17448:2019, Space — Use of GNSS-based positioning for road Intelligent Transport Systems
(ITS) — Metrics and Performance levels detailed definition
5

---------------------- Page: 7 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
FprCEN/TR 17464:2019, Space — Use of GNSS-based positioning for road Intelligent Transport System
(ITS) — Security attacks modelling and definition of performance features and metrics related to security
FprCEN/TR 17465:2019, Space — Use of GNSS-based positioning for road Intelligent Transport Systems
(ITS) —Field tests definition for basic performances
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 16803-1:2016,
ETSI TS 103 246-3 and ISO/IEC 27001:2013 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• ISO Online browsing platform: available at http://www.iso.org/obp
• IEC Electropedia: available at http://www.electropedia.org/
3.1
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use
of an asset
3.2
authentification
provision of assurance that the location-related data associated with a location target has been derived
from real signals associated with the location target
3.3
availability
property of being accessible and usable upon demand by an authorized entity
3.4
continuity
likelihood that the navigation signal-in-space supports accuracy and integrity requirements for duration
of intended operation
Note 1 to entry: Continuity aids a user to start an operation during a given exposure period without an
interruption of this operation and assuming that the service was available at beginning of the operation. Related to
the Continuity concept, a Loss of Continuity occurs when the user is forced to abort an operation during a specified
time interval after it has begun (the system predicts service was available at start of operation).
3.5
continuity risk
probability of detected but unscheduled navigation interruption after initiation of an operation
3.6
data
collection of values assigned to base measures, derived measures and/or indicators
6

---------------------- Page: 8 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
3.7
electromagnetic interference
any source of RF transmission that is within the frequency band used by a communication link, and that
degrades the performance of this link
Note 1 to entry: Jamming is a particular case of electromagnetic interference.
3.8
integrity
general performance feature referring to the trust a user can have in the delivered value of a given
Position or Velocity component
Note 1 to entry: In this document, this feature is expressed by 2 (two) quantities: the Protection level and the
associated Integrity risk.
3.9
integrity risk
for Positioning terminals providing a Protection level as integrity indicator, refers to the probability that
the actual error on a given Position or Velocity component exceeds the associated Protection level
provided with this quantity
3.10
jamming
deliberate transmission of interference to disrupt processing of wanted signals (which in this case are
GNSS or telecommunications signals)
3.11
level of risk
magnitude of a risk expressed in terms of the combination of consequences and their likelihood
3.12
likelihood
chance of something happening
3.13
localisation
process of determining the position or location of a location target
3.14
performance
measurable result, performance can relate either to quantitative or qualitative findings
3.15
performance class
for a given performance metric, designates a domain delimited by 2 (two) boundaries
3.16
performance feature
a given characteristic used to qualify and quantify the service provided by a system, for example
horizontal accuracy for a Positioning system
7

---------------------- Page: 9 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
3.17
performance metric
precise definition of the means of measuring a given performance feature of a given output of a system
Note 1 to entry: An example of accuracy metric can be the median value of an error sample acquired during a
given test following a given protocol.
3.18
protection level
estimation of an upper bound for the error made on a Position or Velocity component (e.g. the plane
position) associated with a given probability called Integrity risk
Note 1 to entry: Like the actual error, this feature can be characterized by its distribution function. The
P ε >< PL I I
protection level PL is upper bound to the position error such that: ( ) , where is the integrity
risk
risk
risk and ε is the actual position error.
3.19
Pseudo-Random Noise Code (PRN)
unique binary code (or sequence) transmitted by a GNSS satellite to allow a receiver to determine the
travel time of the radio signal from satellite to receiver
3.20
reference GNSS receiver
in this document, refers to a widely used and off-the-shelf high sensitivity GNSS receiver offering a good
availability and a high sensitivity to the multipath and NLOS phenomena) whose production can be
guaranteed for a long period
3.21
reference trajectory
series of time-stamped positions (and possibly speeds) of a reference point on a mobile object
(test vehicle), produced by a Reference trajectory measurement system
3.22
Reference Trajectory Measurement System (RTMeS)
term used in this document for a measurement means capable of accuracy performances better than at
least one order of magnitude than those of the Positioning terminal being tested
3.23
requirement
need or expectation that is stated, generally implied or obligatory
3.24
robustness
the degree to which a system or component can function correctly in the presence of invalid inputs or
stressful environmental conditions
3.25
security
function of a location system that aims at ensuring that the location-related data is safeguarded against
unapproved disclosure or usage inside or outside the location system, and that it is also provided in a
secure and reliable manner that ensures it is neither lost nor corrupted
8

---------------------- Page: 10 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
3.26
spoof/spoofing
transmission of signals intended to deceive location processing into reporting false location target data
3.27
threat
potential cause of an unwanted incident, which may result in harm to a system or organisation
3.28
time-to-alert
time from when an unsafe integrity condition occurs to when an alerting message reaches the user
3.29
trajectory
series of time-stamped positions (and possibly speeds) of a mobile object
3.30
vulnerability
weakness of an asset or control that can be exploited by one or more threats
9

---------------------- Page: 11 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
4 List of acronyms
ADAS Advanced Driver Assistance Systems
ADC Analog to Digital Converter
AGC Automatic Gain Control
CDF Cumulative Distribution Function
CEN Comité Européen de Normalization (European
Committee for Standardization)
CENELEC Comité Européen de Normalization
Électrotechnique (European Committee for
Electrotechnical Standardization)
COTS Commercial On The Shelves
DOS Denial Of Service
DUT Device Under Test
ECEF Earth Centred Earth Fixed
ETSI European Telecommunications Standards Institute
GBPT GNSS-Based Positioning Terminal
GDOP Geometrical Diluition Of Precision
GNSS Global Navigation Satellite Systems
HPL Horizontal Protection Level
IID Independent identically distributed
IMU Inertial Measurement Unit
ITS Intelligent Transport Systems
KOM Kick-Off Meeting
OCXO Oven-controlled crystal oscillator
PPK Post Processed Kinematic
PPS Pulse Per Second
PVT Position Velocity and Time
RAIM Receiver Autonomous Integrity Monitoring
RFCS Radio Frequency Constellation Simulator
RMS Root Mean Square
RTK Real Time Kinematic
SBAS Satellite Based Augmentation System
SDR Software Defined Radio
SIS Signal In Space
TCXO Temperature-controlled crystal oscillator
TTFF Time To First Fix
VPL Vertical Protection Level
VST Vector Signal Transceiver
10

---------------------- Page: 12 ----------------------
kSIST-TP FprCEN/TR 17475:2020
FprCEN/TR 17475:2019 (E)
5 GNSS Threats overview
5.1 General
In this clause, a description of the most relevant security scenarios is provided, based on what described
in FprCEN/TR 17464:2019. The analysis is focused on the intentional RF threats scenarios since they
represent a worst case with respect to unintentional interference. Furthermore, intentional attacks
encompass a wide variety of cases that allow a more flexible, representative and controllable analysis.
The possible attacks on GNSS can be divided in 2 (two) macro areas:
• Denial of service (DoS):
• jamming;
• Deception of Service:
• spoofing;
• meaconing.
The jamming threats are in general based on the transmission of an interfering signal on the GNSS bands.
The disturbance impairs the receiver performance, preventing it to perform PVT operation. The jamming
is not only intentional, but it can be generated by RF equipment employed in other applications as well.
The equipment may emit signals that interfere with the GNSS band, causing unintentional jamming. DVB
harmonics FprCEN/TR 17464:2019 are examples of this kind of interference.
Deception of service attacks are instead focused on making a receiver computing a false PVT solution
(position, velocity and time). This effect is achieved through the transmission of false signal generated
fro
...