Safeguarding Critical Infrastructure: NIST Releases Draft Cybersecurity Guidance, Develops GPS-Free Backup for Timing Systems

Taking another step toward strengthening the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to implement a recent Executive Order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.

Formally titled the Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323), the new guidelines are designed to help mitigate cybersecurity risks that endanger systems important to national and economic security, including those that underpin modern finance, transportation, energy and additional economic sectors. The agency is requesting public comment on the draft by Nov. 23, 2020.

The draft profile is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. Earlier this year, NIST sought public input regarding the general use of PNT data. 

What is PNT?

The PNT profile will join the growing list of profiles created to help apply the NIST Cybersecurity Framework to particular economic sectors, such as manufacturing, the power grid and the maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.

While its scope does not include ground- or space-based source PNT signal generators and providers (such as satellites), the profile still covers a wide swath of technologies. Partly for this reason, NIST’s Jim McCarthy said that it is intended to be a foundational set of guidelines that PNT users can customize. 

“The profile is meant to help a broad set of users address their cybersecurity needs,” said McCarthy, one of the draft’s authors. “Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors.” 

As directed by the Executive Order, the profile can help organizations accomplish four tasks: 

• Identify systems that use PNT data, and/or that propagate this data based on a source signal.
• Identify PNT data sources, such as a GPS signal.
• Detect disturbance to and manipulation of systems that use PNT services.
• Manage the risks that come with responsible use of these PNT services.  

“Our premise is that there are organizations that may not realize they are using PNT data, or know how they are using it,” McCarthy said. “Part of our goal is to help them make these connections so they can protect their operations more effectively.”

The Executive Order also delegates to the Department of Commerce the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable. The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, and thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services. 

The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data. 

OPNT has extended the initial fiber link to Atlanta, Georgia, about 800 kilometers from McLean. Preliminary data suggest that this link will be able to support the requirements of the Executive Order. NIST and OPNT have also begun a study of a West Coast link that will provide similar fiber-based time service to San Jose, California, and other locations in Silicon Valley from the NIST time scale in Boulder, Colorado.

Any extensive disruption to GPS signals would be highly disruptive to critical infrastructure in the United States, as would the sort of spoofing and manipulation of timing data that the PNT profile is designed to mitigate. As technologies that depend on trustworthy location and timing data grow more commonplace — such as interconnected Internet of Things devices and automated transportation — identifying and protecting these systems and data from cyber threats will only grow in importance. 

“The ultimate goals are to identify systems that use PNT data and to detect disturbances to it,” McCarthy said. “Doing so can help mitigate the risk of misuse of PNT data affecting our critical infrastructure, public health and national security.”

NIST is accepting comments on the draft profile via email no later than Nov. 23, 2020. Submission details are available at the profile website.