Layers of Defense:Resilient PNT Cybersecurity

For a resilient positioning, navigation and timing (PNT) solution you need to build layers of defense, which includes physical security to RF security, network security, application security and ongoing maintenance/support.

How Orolia Provides Resilient PNT Cybersecurity


Elements of PNT cybersecurity

Resilient PNT Cybersecurity

Physical Security

  • The simplest Denial of Service attack is to merely disconnect the power on the equipment by turning it off or pressing a few buttons to disable operation. So, the first step in cybersecurity is always Physical Security – protect the equipment from unauthorized or accidental manipulation.
  • But we take Physical Security a step further by designing our equipment to be robust and protected from inadvertent defeat. Our SecureSync® time servers offer fully independent, redundant power inputs (A and B side) so that our customers can secure the power entry to ensure that a single power failure will not deny operation.
  • Our products include the ability to lock the front panel access controls, so that even personnel who have physical access to the rack cannot change settings unless authorized.
  • We are ISO 9001:2015 certified – your guarantee that stringent manufacturing and quality controls are in place.

RF GNSS Security

  • We offer BroadShield™ interference and spoofing detection on received GPS signals and ThreatBlocker in-line anti-jamming and spoofing protection.
  • Our 8230AJ GPS/GNSS Anti-Jam Outdoor Antenna offers horizon blocking technology to protect against intentional or unintentional jamming or spoofing.
  • With alternate signal solutions such as STL augmentation, you can receive precise time and position information even in GPS-denied environments, and you can authenticate GPS to prevent spoofing by using an encrypted signal.
  • The GPSdome Anti-Jammer is the industry’s only non-ITAR GPS anti-jammer and provides protection against GPS jamming, ensuring continuity of autonomous navigation and operation during jamming conditions.
Network Security
 

Orolia’s resilient PNT network solutions help protect against cyberattacks with the following features:

  • Access control lists (ACL) limit network access to only authorized users.
  • We provide the ability to disable services and ports – admin level configuration to enable only those services and ports that are necessary for operation.
  • User data is not stored on our time servers – though they are servers in the general sense, they are outputting precise time, not serving a file storage function (other than activity logs), so there is no user data to be compromised.
  • Iptables: We support iptables in our time servers. With Iptables, customers can create their own set of security rules using the source and destination of the IP address and/or port numbers. Using iptables, customers can add such alternative layers of security rules to prevent unauthorized and unwanted access to the system.
  • Our SecureSync time servers are approved for use by US federal defense agencies, including DISA. SecureSync is the first and longest-standing DISA-approved time server.
Resilient PNT Application Security
 

Orolia’s Resilient PNT applications include built-in security such as:

  • AAA – Authentication, Authorization and Accounting– Our products adhere to AAA security practices. The following protocols are supported:
    • LDAP
    • RADIUS authentication
    • TACACS+ (Cisco)
  • Multi-level authorization
  • Configurable, complex passwords that expire periodically and cannot be reused
  • HTTPS — no-clear text is standard, using signed certificates (SHA256 default) with configurable cipher usage and TLS v1.1 and v1.2
  • NTP – symmetric keys and autokey. Orolia also serves on the standards setting committees for the creation of more robust protocols.
  • SSL, SSH, SCP, SFTP with public/private key support
  • Compliance with NIST standards for Personally Identifiable Information and Digital Identity Guidelines
Maintenance Process
 

We scan continuously against CVEs (Common Vulnerabilities and Exposures), and issue routine software update releases with safeguard protections.

How to Defend Against Cyberattacks that Affect PNT Data

While no solution can fully guarantee your protection against cyberattacks that affect PNT data, there are a few simple steps you can take to protect yourself against the most common threats.

  1. Use only Resilient PNT solutions that offer comprehensive layers of defense, such as those provided by Orolia.
  2. Have jamming and spoofing protection in place, such as BroadShield, Orolia’s 8230AJ GPS/GNSS Anti-Jam Outdoor Antenna, or the GPSdome Anti-Jammer.
  3. Always ensure that you have the latest Resilient PNT software updates with a complete maintenance plan. Update Your SecureSync Software Now 

Guide to Basic Cybersecurity

RMF – Risk Management Frameworkhttps://www.corsec.com/rmf/

  • Umbrella process for all cybersecurity defined by the US DoD
  • STIGs – Secure Technical Information Guide – subject specific specifications under this framework
  • Replacement for the old DIACAP

 

Certifications

  • DoDIN APL – DoD Information Network Approved Products List
  • FIPS 140-2 – US Fed standard for encryption devices and those connecting to classified nets
  • Common Criteria – ISO 15408 – EAL levels 1-7; targeting level 3 – Methodically Tested
  • NIAP – National Information Assurance Partnership – USA body responsible for CC cert

 

Other

  • CVE – Linux Common Vulnerabilities and Exposures
  • TACACS+ (Cisco) and Radius server AAA
  • EAP/TLS – 802.1x E – Extensible Authentication Protocol / Transport Layer Security
  • DoD PKI (Public Key Infrastructure) support

For more information on cybersecurity standards, refer to the following resources:
DISA RMF site
NIST RMF site
BSI Consulting RMF site
Gossamer Labs
NIST 800-53
NIST-800-37
NIST 800-122 Personally Identifiable Information
NIST 800-63 – Digital Identity guidelines
CEA Tech Cybersecurity
Tenable / Nessus

6 Steps to Protecting Your System


Cybersecurity - Six Steps

Resources

Resilient PNT: How to Detect, Protect and Prevent Disruption of GPS/GNSS/PNT Signals and Sources



Tech Brief Resiliency in PNT:
Cybersecurity

Author David Sohn

David Sohn is a Solution Architect at Orolia, designing and developing solutions leveraging the organization’s precision timing solution portfolio, including their flagship SecureSync and VersaSync products, and contributing to its entire portfolio of resilient PNT solutions. He has more than 10 years of experience designing, developing, and managing precision timing solutions and holds a BS in computer engineering from The Pennsylvania State University.

Continuously Validate Your Cyber Defenses

Even with advanced firewall technology, intrusion prevention systems (IPS), and a wide array of security tools in place, businesses still miss clues and suffer major security breaches every day.

In a recent survey, 50% of respondents said that they have experienced a security breach because one or more of their security products was simply not working as expected. Sound familiar?

Keysight, recently announced Threat Simulator with the simple goal of validating that your security tools and processes are working properly. Within minutes you can test that your rules are triggering, and your investments in security are fully optimized.

Safely create the entire “kill chain” an attacker would use to breach your defenses. Simply choose from a library of real-world attacks… we’re talking phishing, dynamic user behavior, malware transmission, infection, Command & Control, and even lateral movement. Threat Simulator then shows you exactly what and where things happened, the good, the bad, the ugly… oh, and step-by-step remediation instructions so you can get to fixing!

You can try a free trial and test some use cases like:

  • Safely simulate the entire kill chain using real-world malware and techniques.
  • Accurately measure your SIEM rules and detection capabilities
  • Quickly fix misconfigurations to optimize existing investments
  • Automatically stay in front of new attacks and changes with continuous audits
  • Save money by maximizing effectiveness of existing security controls and processes.
Threat Armour Free Trial

What Makes a Network TAP the Right Tool for Monitoring

In today’s connected world, your network is one of your most important assets. An underperforming network is something you cannot afford, be it from a performance or from a security standpoint, because it can greatly hinder your business’s capabilities.In order to ensure optimum performance and security at all times, network engineers need a clear, detailed and continuous picture of the network. Network Visibility is your greatest tool to prevent potential problems.

And what does visibility mean? It means that you need to see and analyze all the data that flows through your network. And that analysis is only as good as the information you extracted in the first place. Analyzing this data is done usually either via a network TAP (Test Access Point), or through a switch’s port mirroring (SPAN). It has been already proved that TAPs give the best and most accurate results for network visibility.  See Network TAPS vs SPAN Ports

So, what makes a network TAP the right tool for monitoring these days?
VisibilityThe first and main difference between a TAP and another monitoring tool (for example, a SPAN port) is the type of data that is actually passed to the analyzer. Other tools only copy select parts of the traffic going through the switch and drop the rest.

TAPs, on the other hand, copy everything they see, including layer 1 & 2 errors, bad CRC, VLAN tagged frames, short frames, jumbo frames, etc. Additionally, SPAN ports may alter the traffic it does pass to the analyzer, such as changing the packets’ timing or adding delay. A TAP keeps the traffic intact, allowing for a more accurate analysis of the network data.

Performance

Most of the other packet capture technologies require some of the switch’s processing power. This can lead to performance issues, for example, a SPAN port can drop the traffic when the switch is overloaded. In some situations, SPAN port operation may even interfere with the switch’s primary function of delivering traffic between network equipment. The higher the network traffic rates increase, the less are SPAN ports able to cope.

SecurityTAPs isolate monitoring devices from the network unlike their primary competition – SPAN ports. TAPs have no IP or MAC address, cannot be hacked, and have virtually no effect on the monitored network.

A TAP device and its connected analyzers are essentially invisible and have no real “presence” on the network, protecting both the network and the monitoring system from unwanted intrusions and unnecessary interferences.

Cost

In many situations you may come to think that a SPAN port have no additional hardware cost than that of the switch itself. They do, however, have multiple short-, medium-, and long-term costs. Costs which TAPs don’t have.

TAPs are placed in-line, and don’t use any of the network’s resource, plus they don’t need any configuration of the switch by a network engineer, because they are plug-and-play devices.

Besides all of this, maybe the most crucial costs can appear from the fact that using a SPAN gives only partial visibility and can translate into performance and security issues.

If you are in search of a tool that can give you all these benefits, then check out this article Network TAPs Overview: The Start of Visibility Architecture.  A TAP will fully capture 100% of the traffic without any loss of packets or lag in packet-timing.


Tap VS Span read the whitepaper