hostile control of ships via false gps signals: demonstration and detection€¦ · ·...

Hostile Control of Ships via False GPS Signals:Demonstration and Detection

JAHSHAN BHATTI and TODD E. HUMPHREYSThe University of Texas at Austin, Austin Texas

Received August 2015; Revised August 2016

ABSTRACT: An attacker’s ability to control a maritime surface vessel by broadcasting counterfeit civil GlobalPositioning System (GPS) signals is analyzed and demonstrated. The aim of this work is to explore civil maritimetransportation’s vulnerability to deceptive GPS signals and to develop a detection technique that is compatiblewith sensors commonly available on modern ships. It is shown that despite access to a variety of high-qualitynavigation and surveillance sensors, modern maritime navigation depends crucially on satellite navigation andthat a deception attack can be disguised as the effects of slowly-changing ocean currents. An innovations-baseddetection framework that optimally chooses the measurement sampling interval to minimize the probability ofa ship exceeding its alert limits without detection is developed and analyzed. A field experiment confirms thevulnerability analysis by demonstrating hostile control of a 65-m yacht in the Mediterranean Sea. Copyright ©2017 Institute of Navigation.

INTRODUCTION

Surface vessels, from fishing boats to containerships to deep-water oil rigs, depend crucially onGlobal Positioning System (GPS) signals for naviga-tion, station keeping, and surveillance [1–4]. GPS,its ground and satellite-based augmentation sys-tems, and other Global Navigation Satellite Systems(GNSS) are used as a primary maritime position-fixing system. They are an important maritime navi-gation aid even for vessels actively piloted by humanoperators, except in familiar littoral waters such asport entry and within natural or man-made chan-nels where conventional optical navigation is used.Moreover, as surface craft become more autonomous,the trend is toward increased reliance on GNSS:current autopilot systems, dynamic-positioning sys-tems, and fully unmanned surface vehicles aredesigned under the assumption that GNSS signalsare usually available and trustworthy [2, 3, 5, 6].Even autonomous underwater vehicles typicallydepend indirectly, or periodically, on GNSS [7].

Given the fragility of GNSS signals under con-ditions of signal blockage or jamming, and giventhat the signals do not penetrate underwater, thereis interest in developing GNSS-independent mar-itime navigation and control systems [2, 8]. Terrain-relative navigation has been successfully employedin autonomous submersibles [8], and could serve

NAVIGATION: Journal of The Institute of NavigationVol. 64, No. 1, Spring 2017Printed in the U.S.A.

as a backup to GNSS for surface vessels. Thistechnique has historically required high-resolution(e.g., m-level) underwater terrain maps, which areavailable for only a tiny fraction of the seafloor,but recent results indicate that coarser (e.g.,20-m-resolution) ship-based bathymetry maps maybe adequate for 10-meter-level positioning, providedsufficient terrain variability [9]. Nonetheless, for thepresent, terrain-relative navigation does not evenappear to be an active research topic for civil sur-face maritime transportation. What is more, theonly widespread radionavigation backup to GNSS,Loran-C, was abandoned by the U.S. Coast Guardin 2010 [10], and there are no official U.S. plans fora successor, despite continued lobbying for deploy-ment of its upgrade, eLoran, which is available inother parts of the world [11]. Consequently, onecan expect most maritime navigation systems torely primarily on GNSS for position-fixing for yearsto come.

By standard practice marine craft are equippedwith redundant GNSS units so that one serves asbackup if the other experiences a fault. And forextremely critical applications, an entirely GNSS-free positioning system may be available, such as theacoustic positioning system required as a backup toGNSS on dynamically-positioned deepwater drillingvessels [3]. But these fail-safe systems are designedto handle obvious faults or GNSS outages causedby signal blockage or ionospheric effects. They arelikely to fail when confronted with a sophisticatedand deliberate attacker: outlaws are different fromoutliers; fraud is different from faults.

51

A GNSS deception attack, in which counterfeitGNSS signals are generated for the purpose ofmanipulating a target receiver’s reported position,velocity, or time, is a potentially dangerous toolin the hands of a deliberate attacker. While therehave been no confirmed reports of such attacksperformed with malice, convincing demonstrationshave been conducted both in the laboratory and inthe field with low-cost equipment against a widevariety of GPS receivers [12–14]. The key to thesuccess of these so-called GPS spoofing attacksis that, whereas the military GPS waveforms areby design unpredictable and therefore resistant tospoofing, civil GPS waveforms—and those of othercivil GNSS—are unencrypted, unauthenticated, andopenly specified in publicly-available documents[15, 16]. Also, although not entirely constrainedby the GNSS signal specifications, the navigationdata messages modulating these civil waveformsare highly predictable. The combination of knownsignal structure and navigation data predictabilitymakes civil GNSS signals an easy target for spoofingattacks.

The departure point for development of a spoof-ing detection framework is the impressive corpusof fault detection and isolation (FDI) literature, theresult of more than four decades of effort. Sen-sor deception can be thought of as a special typeof sensor fault in which a strategic attacker hassome level of control over the fault behavior andapplies this control with malicious intent. Severalclasses of methods for sensor FDI in stochasticlinear dynamic systems are surveyed in [17–20].Although many sophisticated approaches have beendeveloped in this mature field, most fault-detectionmethods focus on minimizing time-to-detect withoutregard to integrity risk, as noted by Joerger [21].Integrity risk is the appropriate figure of merit fordynamic systems with clearly specified alert lim-its such as are common in aviation and maritimenavigation and in time transfer. For these systems,state estimation errors that remain within the alertlimits cause no performance degradation or height-ened safety risk, but undetected errors exceedingthe alert limit can have severe consequences.

The first attempt to address sensor deceptionby minimizing integrity risk appears to be [22],where a model-based spoofing detection method wasdeveloped for an aircraft’s GPS-aided inertial nav-igation system. However, the analysis considered abatch detection test whose batch interval is alignedwith the attack interval, a coincidence that cannotbe expected in practice. The current work adoptsa sequential detection approach, which is moreappropriate for attacks of unknown start time andduration. But as opposed to sequential detectiontechniques designed to minimize time-to-detect forfixed probabilities of false alarm and detection, such

as the sequential probability ratio test [23], the cur-rent work adopts a fixed time-to-detect approachand follows [21] and [22] in seeking to minimizeintegrity risk. More precisely, this work minimizesmean integrity risk, or integrity risk averaged overall possible attack start times.

The heart of a detection technique is the so-calleddetection statistic, a function of the sensor measure-ments that gets compared to a threshold [24]. Thiswork adopts an innovations-based detection statisticwhose performance is insensitive to the particulartime history of false differential position and velocityinduced by the attacker.

A key feature of the current work’s detectionframework is that it optimizes the measurementsampling interval; the standard innovations-baseddetection approach makes no attempt at suchoptimization [17, 25]. The optimization seeks tozminimize worst-case integrity risk over a set ofreasonable attack profiles. Measurement samplinginterval optimization was previously consideredin [26], but that work minimized time-to-detectwhereas the current work’s criterion is integrityrisk.

This paper makes three contributions. First, itdetails the pathways and effects of GNSS deceptionon maritime navigation and surveillance. Whereasmaritime transportation’s vulnerability to GNSSjamming has been previously established [2], thiswork offers the first detailed analysis of the effectsof GNSS deception on a surface vessel. Second,it develops an innovations-based spoofing detec-tion framework and optimizes the worst-case meanintegrity risk within this framework given a setof reasonable attack profiles. Third, it presents theresults of an unprecedented field experiment demon-strating hostile control of a 65-m yacht in theMediterranean Sea.

GNSS DEPENDENCIES OF A MODERNINTEGRATED BRIDGE SYSTEM

This section details the pathways and effectsof GNSS deception on maritime navigation andsurveillance. Besides providing a deeper under-standing of the vulnerability of maritime vessels toGNSS spoofing, this overview will identify a subsetof ship sensors that can conveniently and effectivelybe applied to the problem of spoofing detection.

Compass

The magnetic cand gyrocompass (a gyroscopedesigned to be north-seeking by taking advantageof Earth’s rotation) depend only weakly on GNSS.A magnetic compass requires knowledge of latitudeand longitude to correct for magnetic variation [27].A gyrocompass requires knowledge of latitude andspeed in the north/south direction to correct for

52 Navigation Spring 2017

“northing” error [27]. However, outside of the polarregions, position errors on the order of tens of kilo-meters and velocity errors on the order of meters persecond will only cause pointing errors on the orderof a degree. Therefore, this work will neither exploitnor model the weak coupling between GNSS andtraditional ship compasses.

However, a satellite compass [28], which providesboth the position and three-axis attitude of the ship,is fully reliant on GNSS. A common satellite com-pass comprises two GNSS receivers separated bya 0.2–10 meter baseline coupled with miniatureaccelerometers, gyros, and a magnetometer. The lowcost, size, weight, and power consumption of satel-lite compasses, and the fact that they never requirecalibration, make these devices an increasingly pop-ular compass option for surface vessels.

Collision Avoidance

The Automatic Radar Plotting Aid (ARPA) andthe view from the bridge windows are the primarymeans used for collision avoidance. The ARPA pro-cesses and displays the raw radar data in a polarazimuth-range plot, tracks targets, and computestime and distance of closest approach for each target[29]. Without the additional information that sen-sors like compass, speed log, and GNSS provide, theARPA can still perform collision-avoidance functionsbut can only display target information orientedalong the ship’s heading, the so-called heads-upmode, with relative motion. With compass infor-mation, the ARPA can present the radar data ori-ented along the ship’s velocity vector, the so-calledcourse-up mode, which prevents smearing of thereturns during course-change maneuvers. Similarly,the ARPA can present the radar data in a so-called true motion mode, where the motion is eithersea-stabilized by compass and speed log or ground-stabilized by GNSS. (An interesting effect of a GNSSdeception attack with ground stabilization enabledon the ARPA is that radar echos from land massesappear to move when they should be stationary.)GNSS information also allows the ARPA to com-pute latitude and longitude for the tracked targets.Nevertheless, convenience features such as groundstabilization and target localization that depend onGNSS signals play a relatively minor role in collisionavoidance with other moving targets.

The Automatic Identification System (AIS) allowsships to communicate their position, heading, andspeed in a self-organizing radio network to aid incollision avoidance [27]. A ship’s AIS transceivertypically relies on a GNSS-based positioning source,although it can revert to a pre-determined backupsource during a manifest GNSS failure. Under aGNSS deception attack, a ship may transmit mis-leading AIS reports and incorrectly compute the

point of closest approach to surrounding ships, rais-ing the collision risk. An ARPA can typically overlaythe AIS over the radar return, and a modern ARPAwith integrated AIS can automatically correlate AISand radar positions into a single target.

Dead Reckoning

Dead reckoning (DR) is the process of propagat-ing a known position based solely on a ship’s courseand speed, derived from compass and speed logmeasurements. An estimated position (EP) correctsa dead-reckoned position by applying approximateknowledge of the effects of environmental distur-bances such as leeway (drift due to wind), and tidaland ocean currents. Typically, the effects of envi-ronmental disturbances are lumped together intoa velocity error vector, whose angle and magni-tude are referred to as set and drift, respectively.The set and drift can be estimated by comparing adead-reckoned position to a position fix derived fromeither a GNSS receiver (typically), observations ofcelestial bodies, or radar and visual bearings. Onpaper charts, DR would be reset with a position fix atleast every hour, or as often as every three minutes,depending on the accuracy required for navigatingthe surrounding waters [27]. Electronic chart sys-tems, discussed in the next section, all have theability to automate DR, making it easier to detectGNSS faults or deception.

Electronic Chart Display and Information System

The Electronic Chart Display and InformationSystem (ECDIS) consolidates the measurementsavailable from various ship sensors and integratessystems such as ARPA, AIS, and DR as shown inFigure 1 to provide complete situational awarenessto the ship’s crew [27]. ECDIS is the primary toolfor route planning and tertiary to the ARPA andAIS for collision avoidance, as mandated by legisla-tion and made explicit in maritime training. MostECDIS allow overlaying ARPA and AIS informationon the charts and planned route for convenience.The overlay may be useful in detecting discrepan-cies that would arise due to GNSS deception of theown-ship position, e.g., failure of radar returns tomatch coastal features and buoys on the charts, orthe AIS-reported position of nearby vessels. Mar-itime training emphasizes the need to look for andinvestigate discrepancies as they normally indicatean equipment problem. But these discrepancies maysimply confuse a crew unaware of GNSS deception,despite training manuals that have begun to iden-tify GNSS deception as a potential threat [30]. Inany case, when the distance to shore exceeds therange of radar (20 km for low-frequency radar, lessfor X-band) and when there are few ships nearby,

Vol. 64, No. 1 J. Bhatti, and T.E. Humphreys: Hostile Control of Ships via False GPS Signals 53

Fig. 1–Block diagram showing relationship between sensors, actuators, and the ECDIS on a modern integrated bridge system.

GNSS deception attacks are not likely to be detectedsolely with radar. Most electronic chart systems suchas the Totem ECDIS allow configuring the resetinterval of the built-in DR and raising an alarmif the difference between the position fix and DRexceeds a threshold [31]. Section IV will develop ananalytically rigorous foundation for this approach byrelating the detection threshold to the probabilityof hazardously misleading information (HMI) for agiven false alarm rate and fix interval.

Autopilot System

Virtually, all large ships have a course autopi-lot, which maintains a prescribed heading throughrudder actuation in response to compass feedback.Some ships will additionally have a speed autopilot,which maintains a prescribed speed through waterby varying the engine thrust in response to feedbackfrom the Doppler speed log sensor. Neither of theserudimentary autopilot systems depends on GNSSdirectly. However, the course autopilot is typicallydriven by a higher-level track-keeping system thatrequires GNSS feedback. This work focuses on con-ventional PID-based control systems because theyare commonly implemented in practice and typicallyperform just as well as adaptive model-based controlsystems under nominal sea and ship conditions [32].

GNSS-Independent Sensors

Sensors which do not have any dependency onGNSS include inertial, acoustic, visual, and meteo-rological sensors. An inertial sensor found on most

ships is a gyroscope-based rate-of-turn (ROT) sen-sor, which is independent of the compass and GNSS,for derivative course control feedback. The modernspeed log uses acoustic Doppler measurements fromparticles in the water column to compute three-axisspeed through water. Other acoustic sensors includeconventional downward-looking sonar, also knownas an echo sounder, for sea depth measurementsand round-trip acoustic ranging to transpondersembedded in the sea floor for dynamic positioning[3]. Meteorological sensors provide measurementsof temperature, wind, and pressure that can helppredict, for example, the effect of leeway and sur-face currents [27]. Visual bearing measurementsof known reference points such as terrestrial land-marks or celestial bodies can be used for position-ing. Celestial navigation requires knowing the time,either from GNSS or a free-running quartz crys-tal clock, to look up the position of celestial bodiesfrom an almanac [27]. A jump in ship time by 5 sec(e.g., due to leap second spoofing) would cause a lon-gitude error of 0.02 deg. Nevertheless, errors lessthan 10 sec from either a drifting or GNSS-deceivedclock are comparable with other errors in celestialnavigation.

These GNSS-independent sensors feed into alter-native position sources that could be used to cross-check GNSS in a modern integrated bridge system.However, a subtle-enough spoofing attack can beconsistent with dead reckoning or celestial naviga-tion and thus escape detection. Also, acoustic posi-tioning is only useful for vessels operating in thesmall neighborhood of the transponders. Although


this work’s focus is on GNSS deception, it is worthmentioning that radar and acoustic sensor systemson modern civil surface vessels are also vulnera-ble to deception and jamming. Thus, although thesesystems are assumed herein to be trustworthy andpotentially useful for detecting GNSS deception, amore thorough security analysis would need to con-sider a coordinated, self-consistent attack on GNSS,radar, and acoustic sensors.

Summary of GNSS Deception Vulnerabilities

The ship’s crew can cross-check GNSS with the (1)compass, (2) speed log, (3) ship dynamics model, (4)radar returns compared with AIS from other ships,(5) radar returns off buoys and coastlines comparedwith charts, (6) echo sounder, and (7) meteorolog-ical sensors. But, as will be shown later on, evenan optimal combination of (1)–(3), which amounts tosophisticated DR, would not be sufficient to reliablydetect a subtle attack before the ship’s position-ing error exceeds a reasonable hazardous conditionthreshold. If (4) and (5) are properly and fullyexploited, then the security situation improves sig-nificantly. But alignment of charted objects such asthe shoreline and buoys with radar returns is oftenquite poor even under normal conditions becauseof (i) shoreline changes with tide, (ii) inadequateresolution of charts, and (iii) positioning, bearing,and radar-ranging errors. Consequently many ships’crews either do not attempt radar overlay or wouldnot consider it a trustworthy cross-check for own-ship positioning errors. Also, comparing radar withAIS from other ships is not trustworthy because AISdata can be easily manipulated and AIS-repeatedlocation data ultimately depend on GNSS.

For avoidance of collisions with radar-reflectiveobjects, the ARPA remains trustworthy and itscollision avoidance function does not depend onGNSS. But cross-track ship excursions outside theplanned corridor are nevertheless dangerous pre-cisely because some threatening objects (e.g., under-water hazards) are not visible to radar and will notbe detected by downward-looking sonar. Moreover,along-track errors in a ship’s position can also behazardous because such errors can confuse the inter-pretation of radar returns or cause a ship to over- orunder-shoot the location of a planned maneuver.

Illustrative Example: The Grounding of the RoyalMajesty

For us to appreciate the possible effects of a GNSSdeception attack on a surface vessel, it is instruc-tive to consider the grounding of the 174-m cruiseliner Royal Majesty [33, 34]. Shortly after the shipdeparted Bermuda for Boston in June of 1995, thecable connecting its GPS antenna to the unit on the

bridge became detached, forcing the GPS unit totransition to a DR mode in which the ship’s locationwas extrapolated from the last known good locationbased solely on gyro compass and water speed mea-surements. The crew and autopilot, unaware of thetransition to DR mode, accepted the position indi-cated on the radar display’s map as truthful even asthe ship accumulated a 31 km cross-track naviga-tional error. As the ship approached Nantucket, thecrew misidentified one buoy and ignored the absenceof another. The ship’s GPS-based navigation systemhad performed so utterly reliably in the past thatthe crew’s trust in the ship’s displayed position wasnot shaken even as a lookout sighted blue and whitewater ahead. Minutes later, the ship ran aground onshoals invisible to its radar and sonar system.

In the aftermath of the Royal Majesty grounding,integrated bridge systems were modified to moreclearly indicate loss of GNSS signals, and redun-dant GNSS units became standard. In addition,the incident is used as an important lesson on thedangers of over-reliance on GNSS in maritime train-ing colleges since the crew of the Royal Majestyclearly acted in a manner inconsistent with propertraining, a contributing cause to the incident. Nev-ertheless, the risk of a repeat of the Royal Majestygrounding, or a similar incident, caused by delib-erate, strategic GNSS deception remains becausethere would be no apparent loss of GNSS, the DRwould appear to remain consistent with GNSS, andbecause primary and backup GNSS units would beequivalently affected.

Having offered an overview of the possible effectsof GNSS deception on surface vessels, this papernow turns to developing a framework for analysisof GNSS spoofing detection based on comparisonof GNSS data with a modified version of DR. Thisdetection strategy is appealing because of its broadapplicability: all sizable surface vessels can performat least rudimentary DR, and the DR techniqueworks both far from shore and in littoral waters. Thenext two sections introduce the dynamics model andthe detection framework.

SHIP AND SPOOFING MODEL

Consider a simplified ship dynamics model witha conventional track-keeping guidance system. Aconventional track-keeping system attempts to zerothe ship’s cross-track position using a proportional-integral (PI) controller wrapped around a courseautopilot, as shown in Figure 2.

Ship Dynamics

The ship dynamics model presented here,although simple compared to a more expressive


Fig. 2–Conventional track-keeping system based on an existing course autopilot system [32, p. 293]. Here, d is the desired heading angle, ıis the rudder angle, U is the ship speed through water, is the heading angle, b is the along-track position, and e is the cross-track position.

six degree-of-freedom model, captures the low-frequency ship motion relevant for control andspoofing. The ship’s steering dynamics is describedby a first order Nomoto model [32],

TPr + r = Kı + rb,

where T is the ship’s time constant (s), K is therudder gain (1/s), ı is the rudder angle (rad),r is the ship’s turn rate (rad/s), and rb is a slowly-varying parameter that models environmental dis-turbances (rad/s). The rudder angle ı and angularrate Pı are physically constrained by saturation con-ditions |ı| < ımax and | Pı| < Pımax, respectively, butthe controller is designed such that the rudder angledynamics remain linear under typical conditions.The ship’s kinematics are given by [32]

P = rPx = U cos + dx

Py = U sin + dy,

where U is the ship’s speed through water (m/s), dxand dy model errors due to drift caused by slowly-varying environmental disturbances such as oceancurrents and wind (m/s), x and y are the ship’s nor-thing and easting (m), respectively, and is theship’s heading (rad). Zero heading is defined to bedue north with increasing heading clockwise. Theenvironmental disturbance parameters are modeledas Gauss-Markov processes,

Pdx = –1

Tddx + vx

Pdy = –1

Tddy + vy,

where Td is the disturbance time constant and vxand vy are additive white Gaussian noise (AWGN)sources with intensity �2

d (m2/s3).

Ship Control Laws

Only conventional controllers are considered inthe sequel because they perform just as well asadaptive and non-linear model-based controllersunder nominal sea and ship conditions [32]. A con-ventional course autopilot controls the ship’s head-ing to a desired approximately-constant heading d using a proportional-integral-derivative (PID)

control law. In modeling the course control law thatfollows, and the track-keeping control law presentedthereafter, the measurements are assumed to benoiseless and continuous since the low-bandwidthcontrollers and ship dynamics act to suppress theeffects of real-world discretization and measure-ment noise at the output of each closed-loop controlsystem. The measurements (t) and r(t) from thecompass and ROT sensor, respectively, control therudder angle ı(t) according to

ı(t) = Ki

Z t

0

� d – (�)

�d� + Kp

� d – (t)

�– Kdr(t),

where Ki is the integral gain, Kp is the propor-tional gain, and Kd is the derivative gain. Followingconventional PID control design of second-order sys-tems [32, p. 261], these gain parameters are derivedfrom a chosen natural frequency !n and relativedamping ratio � of the closed-loop system; the latteris typically chosen in the interval 0.8 � � � 1.0. Theclosed-loop bandwidth, !b, defined as

!b , !n

r1 – 2�2 +

q4�4 – 4�2 + 2,

is chosen such that

1T

< !b < !ı ,

where !ı ,Pımaxımax

is the rudder servo bandwidth.Finally, the PID gains are related to !n and � by

Kp =TK!2

n

Kd =1K

�2T�!n – 1

�Ki =

TK!3

n10

.

An outer control loop for track-keeping is typi-cally wrapped around the course autopilot. In somecases, a human operator in the loop may take therole of track-keeping controller. Whether mechani-cal or human, the controller can be modeled as a PIcontroller. The track, or rhumb line, can be approx-imated in the local Cartesian coordinates by a ray,which is parametrized by an angle 0 (rad) andstart position x0 and y0 (m). The along-track andcross-track position, b and e, respectively, are given


byb = (x – x0) cos 0 + ( y – y0) sin 0

e = ( y – y0) cos 0 – (x – x0) sin 0.

The relationship between the global and trackcoordinates is illustrated graphically in Figure 3.

Because GNSS is the most accurate positioningsource, nearly always available, and assumed to bereliable when available, it is typically the primarypositioning source [2]. The GNSS receiver’s cross-track position measurement, which is taken to beequivalent to e(t), is fed back with a PI control lawgiven by

d(t) = 0 – K 0i

Z t

0e(�)d� – K 0pe(t),

where K 0i is the integral gain and K 0p is the propor-tional gain. The gains are chosen so that the innercourse control loop and the outer track-keeping loophave significant time scale separation, with theinner loop faster, a typical practice for marine andaerial vehicle cascaded controller design [32, 35].Thus, from the perspective of the outer loop, one canassume � d, and the full closed-loop cross-trackdynamics can be approximated by a first-order sys-tem with bandwidth !0b = UK 0p � !b. Note that thealong-track position is not controlled by a feedbacklaw but instead proceeds open-loop according to anapproximate crew-selected velocity setpoint.

Spoofer Control Law

In a spoofing attack, the ship’s GNSS receiver willreport the position commanded by the spoofer. To

Fig. 3–Coordinate systems for ship global position (x, y) and trackposition (b, e). The track coordinate system’s origin and rotationwith respect to the global coordinate system is given by (x0, y0) and 0, respectively. The ship’s orientation with respect to the globalcoordinate system is given by heading angle .

remain covert, the spoofer will typically commandpositions that are gentle deviations, convenientlyrepresented in along-track and cross-track coordi-nates, from the ship’s true position. Cross-trackdeviations will prompt a response from the ship’strack-keeping controller whereas along-track devia-tions will elicit no response unless the ship’s trackchanges. Along-track spoofing can be an effectivestrategy from the point of view of the attacker, butthis paper will focus on cross-track spoofing becauseit is equally effective yet requires less knowledge ofthe ship’s route.

In a cross-track spoofing attack, the spoofer gen-erates a GNSS signal whose implied coordinatesare the attacker’s estimate of the ship’s actualalong-track position Oba(t) and a spoofed cross-trackposition es(t). The latter can be written as the dif-ference of two parts, the attacker’s estimate of theship’s true cross-track position Oea(t) and a spoofer-induced cross-track modulation em(t) so that es(t)= Oea(t)–em(t). The modulation em(t) is also called theattack profile, as it represents the spoofer-intendeddeparture from the cross-track position. Note that toform Oea(t), the attacker must continuously estimateboth the ship’s position and its rhumb line. Thisassumption is not particularly demanding: other-ship position estimation via radar is both accurateand routine, and surface vessels typically follow aroute consisting of waypoints connected by readily-estimable lines of constant bearing.

The attacker’s goal is to force the ship to tracka spoofer-commanded cross-track position, denotedNe, as quickly as possible without being detected. Heevades detection by generating a subtle em(t) withlimited velocity and acceleration magnitudes:

|Pem(t)| � vmax, |Rem(t)| � umax (1)

Solving the following minimum-time optimal-control problem yields the attack profile em(t) thatachieves the spoofer’s goal. Here, tf is the final time,and the control input u(t) enters through the secondderivative of em(t) as part of the dynamic constraint:

minu(t)

tf

s. t. Rem(t) = u(t)em(0) = 0, Pem(0) = 0em(tf) = Ne, Pem(tf) = 0|Pem(t)| � vmax

|Rem(t)| � umax.

(2)

For Ne!1 and tc , vmaxumax

, the solution is given by

em(t) =

(12umaxt2 0 < t � tc12umaxt2c + vmax(t – tc) tc < t


An attack profile generated as a solution to (2)is easily disguised as the effect of ocean currents.But it may not be optimal from the point of viewof the attacker; i.e., it may not be the most haz-ardous undetectable profile. The optimal profile inthis sense actually depends on the defender’s partic-ular detection test. Strategies for generating em(t)that are more directly related to plausible detectiontests are considered in [36, Appendix A]. Nonethe-less, the strategy outlined in (2) has the virtue ofbeing intuitive and readily implementable yet gen-erates em(t) profiles similar to those produced by themore complex strategies.

The maxima vmax and umax are assumed to besufficiently small that em(t) is slow compared to thetime constant of the ship’s track-keeping control law,ensuring the attacker can dictate the ship’s truecross-track position e(t) with only modest errors—errors due to the spoofer’s imperfect estimate of theship’s true position and of the rhumb line, and to theship’s own estimation and control errors. Under thisassumption, the spoofer needs not adapt em(t) to theship’s response but may simply generate em(t) openloop. A closed-loop spoofing controller is also possi-ble, but its attacks are more difficult to maintaincovert, as illustrated in [14].

DETECTION FRAMEWORK

The detection framework developed in this paperattempts to minimize the mean integrity risk NIR,defined subsequently, for a given continuity riskCR , 1/MF, where MF is the mean time betweenfalse alarms. This framework borrows concepts fromGNSS integrity monitoring in aviation applications[21] and the fault detection literature [17], whichare applied here to the “fraud detection” problem.The introduction of mean integrity risk, which is amarginal probability, departs from the usual defi-nition of integrity risk as adopted by the aviationcommunity. However, it is a necessary adaptation toaccount for an uncoordinated spoofer and defender,as will be shown clearly in the sequel. Typically, theintegrity and continuity risk are specified in terms ofthe probability of hazardously misleading informa-tion (HMI) per approach and the false-alarm rate,respectively.

Overview

The schematic in Figure 4 offers a graphicoverview of the detection problem. Time t = 0denotes the beginning of an approach, or part of ajourney, such as the final approach to a harbor. Ateach time tk = kTs, k = 0, 1, ..., a detection test is per-formed to decide between two hypotheses—the nullhypothesis H0 indicating nominal operating condi-tions, and the alternative hypothesis H1 indicating

Fig. 4–A graphical overview of the detection problem: A spoofingattack with cross-track profile em(t) begins at time t0, which isunknown to the defender. The attacker attempts to drive the shipto exceed the alert limit L, beyond which lie potential hazards,without detection. At every time tk = kTs, k = 0, 1, ..., a GNSS mea-surement is taken and used to form the detection statistic q(k). Thetime instants tk are unknown to the attacker, though the measure-ment period Ts may be known. If q(k) exceeds the threshold �, thealternative hypothesis H1 (spoofing attack) is declared; otherwise,the null hypothesis H0 is assumed.

a spoofing attack is underway. At the beginning ofthe approach, H0 is true; at some time t0 � 0, atransition to H1 occurs. After t0, the attack contin-ues until either hazardous conditions occur or theattack is detected. In this framework, the constanttime between tests Ts is a key parameter: it is takenas the free parameter for the integrity optimizationproblem.

The detection strategy envisioned here is decou-pled from the ship’s track-keeping controller, whichis assumed to ingest GNSS measurements atits usual rate—typically much faster than 1/Ts—without regard for the the periodic detection testsoccurring in parallel. A joint control-and-detectionframework is possible and would have slightly supe-rior performance compared to the proposed frame-work, but a disjoint framework is simpler and hasthe benefit of being applicable to existing shipswithout re-certification of their integrated bridgesystems.

So long as the detection statistic q(k) remainsbelow a threshold �, the detector assumes H0; oth-erwise, it declares H1 and continuity is broken asthe crew attempt to neutralize the potential spoofingthreat. The threshold � is chosen to satisfy

P�q(k) > �|H0

�= Ts/MF = CRTs

to maintain the prescribed false-alarm rate. Notethat it will be shown that the probability distribu-tion of q(k) under H0 is independent of k, so � neednot depend on k.


Integrity Risk

Leading up to a definition of mean integrity riskNIR, it will be useful to define what is meant byhazardous conditions and by a so-called local HMIevent. Let the total system error of a certain stateelement of interest be denoted �(t). The total systemerror is the departure of the true state element fromthe controller’s desired value of that state element,and includes both estimation and control errors.Hazardous conditions are said to occur when |�| > Lfor an alert limit L > 0. Although the ship may notbe in immediate danger if |�| > L, control deci-sions based on such divergent estimates are highlyrisky. In this paper, the state of interest is the cross-track position e(t), and a typical value for L may be1 km. To account for worst-case control error, L mustbe substantially smaller than the distance that theship’s route clears charted hazards.

Assuming GNSS measurements are continuouslyavailable, as in the ship’s control model, and thatcontrol errors remain small, then under H1, �(t) �em(t). This deterministic approximation is a keysimplifying assumption: it prevents the total sys-tem error from being correlated with the detectionstatistic. Lack of correlation greatly simplifies theexpression for the mean integrity risk, as will beshown subsequently.

A local HMI event E(t) for t > t0 is definedas hazardous conditions under a spoofing attackthat has not been detected. Mathematically, E(t) isexpressed as

E(t) ,�|em(t)| > L

�^

0@ ^

k2St

q(k) < �

1A ,

where St ,˚k|t0 < kTs < t

�. The boolean event G

indicates whether a local HMI event has occurred atany time t > t0 during an approach:

G ,_t>t0

E(t).

Let the first time hazardous conditions occur undera spoofing attack be denoted tL and let SL ,˚k|t0 < kTs � tL

�. Then G can be reformulated as

G =^

k2SL

q(k) < �.

Integrity risk is defined for a particular start timet0 as

IR(t0) , P�G|H0

�P�H0�

+ P�G|H1, t0

�P�H1�

,

where P(H0) and P(H1) = 1 – P(H0) are the priorprobabilities for H0 and H1.

In this work, the integrity risk is assumed to bedominated by P

�G|H1, t0

�for the purposes of the

optimization problem defined in the sequel since

we are maximizing the integrity risk with respectto the spoofer attack parameters. An attack withP�G|H1, t0

�< P

�G|H0

�is not particularly effec-

tive, so the probability of a spoofing attack P�H1�

isconservatively assumed to be unity. Of course, caremust be taken to verify that the inequality conditionis actually true, which is ensured by a sufficientlylarge value of L.

In aviation applications, the integrity risk is typ-ically accompanied by a time-to-alarm requirement.In the previous formulation, the time-to-alarm tA isimplicitly zero seconds, which is the strictest pos-sible requirement. However, a non-zero tA can beaccounted for by simply modifying

SL ,˚k|t0 < kTs � tL + tA

�.

Taking all spoofing start times to be equally likelyand assuming the attack is time-invariant, the meanintegrity risk can be defined as

NIR ,Z 1

0P(G|H1, t0 = ˇTs) dˇ. (3)

The time-invariance property stems from thedeterministic approximation of �(t) made in thebeginning of this section so that for any non-negative integers l, m and 0 � ˇ � 1,

P(G|H1, t0 =�l + ˇ

�Ts) = P(G|H1, t0 = (m + ˇ) Ts).

Detection Statistic

Detector performance depends strongly on thedetection statistic q(k). If the attack profile em(t)were precisely known to the defender a priori, thena detection statistic could be optimally tailored tothe known profile. The statistic would amount toprocessing estimator innovations through a filtermatched to the known profile [36, Appendix A]. Ifsome attack profile parameters remained unknown,such as t0 and vmax, then the generalized likelihoodratio approach would be reasonable [17]. However,the stronger the defender’s assumptions are aboutthe attack profile, the more vulnerable he becomesto an attacker who violates those assumptions.

One recognizes a zero-sum game in the simul-taneous incentive: the defender has to optimizeq(k) for the attacker’s choice of em(t) and theattacker has to optimize em(t) for the defender’schoice of q(k). If an equilibrium pair {q?(k), e?m(t)}were found to exist for this game, such that nei-ther attacker nor defender benefits by unilateraldeparture from the equilibrium, then q?(k) could betaken as an equilibrium-optimal detection statistic[37, 38]. However, the authors were unable to dis-cover such an equilibrium; its existence remains anopen question. Instead, a normalized-innovations-squared (NIS) statistic [17, 25, 39] is adopted here.


This statistic is not optimal in the sense of q?(k) butis robust in that it makes no assumptions about theattack trajectory; rather, it penalizes all departuresfrom the assumed model.

The innovation sequence �(k) on which q(k) isbased is generated by a Kalman filter ingestingGNSS measurements every Ts seconds. A simplifiedmodel for the Kalman filter is developed below inpreparation for determining the probability distri-bution of q(k). First, consider the continuous-timeship dynamics model

P�(t) = A�(t) + Bu(t) + Qv(t),

where

� =�

x y dx dy�T is the state vector,

A =

"0 I20 – 1

TdI2

#, B =

�I20

�, =

�0I2

�,

u = U�sin cos

�T is the control, and

Qv =�vx vy

�T is AWGN with intensity Qc = �2dI2,

with In the n-by-n identity matrix and 0 anappropriately-dimensioned zero matrix. The controlu(t) is derived from the ship’s compass and speedlog measurements. The potentially-spoofed GNSSmeasurements are sampled from

z(k) = H�(kTs) – zm(kTs) + w(k),

where w(k) is a discrete AWGN sequence withcovariance R = �2

p I2, H =�I2 0

�, and zm(t) is the

deterministic spoofer-induced two-dimensional posi-tion modulation for which, by definition, zm(t) = 0for t < t0.

The a priori and a posteriori Kalman filter esti-mates N�(k) and O�(k) are related to the correspondingestimation errors by N�(k) , �(k) – N�(k) and O�(k) ,�(k) – O�(k). The filter innovation �(k) , z(k) – H N�(k) isequivalent to

�(k) = H N�(k) – zm(kTs) + w(k).

The recursion equations for the estimation error’smeans and covariances are given by

E�N�(k)

�= FE

�O�(k – 1)

�NP(k) , E

hN�(k)N�T(k)

i= FP(k – 1)FT + Q

E�O�(k)

�=�I – K(k)H

�E�N�(k)

�– K(k)zm(kTs)

P(k) , EhO�(k)O�T(k)

i= (I – K(k)H) NP(k),

where

F = eATs ,

Q =Z Ts

0eA�Qc

TeAT�d� ,

S(k) = H NP(k)HT + R,

K(k) = NP(k)HTS–1(k), and

E�N�(0)

�= 0.

Moving forward, it is assumed that the estimationerror covariances have reached their steady-statevalues, which can be found by solving a discrete-time algebraic Riccati equation, and so the indexk is dropped from P, NP, S, and K. Note that dur-ing a spoofing attack, a nonzero zm(kTs) biases theestimation error and innovation.

The NIS detection statistic q(k) , �T(k)S–1�(k)is distributed under H0 as 2 with two degrees offreedom, as shown by [39], given �(k) is a 2 � 1vector. Similarly, under H1, q(k) is distributed asnon-central 2 with two degrees of freedom andnoncentrality parameter ı(k) = N�T(k)S–1 N�(k), where

N�(k) , HE�N�(k)

�– zm(kTs)

is the mean of innovation at index k. Since theinnovation sequence is white, each detection test isindependent when conditioned on H0 or H1, whichsimplifies calculation of NIR because the integrand in(3) can be written as the product of the marginalprobabilities for the events q(k) < �, k 2 SL.

Optimization

A natural question arises in sequential detection:How often should the detection test be executed? Ingeneral, the detection test could be based on M mea-surements over a detection interval Tdet, i.e., Tdet= MTs. An initial simulation study has shown that,for the problem studied here, M = 1 yields the mostpowerful test for a given mean time between falsealarms MF. Thus, Ts will be taken as equivalent toTdet hereafter. An analytical proof that M = 1 is opti-mum remains an open problem. If Ts, is too small,then no innovation �(k) will appear particularly sur-prising under H1. As Ts is made longer, innovationsunder H1 become more obviously biased. But if Tsis too long, the attacker may begin an attack andachieve his goal of reaching hazardous conditions allwithin the span between consecutive detection tests.

A distinguishing feature of the current frameworkis that it optimizes Ts to minimize NIR over a rangeof possible vmax. Figure 5 shows how NIR varies as afunction of Ts and vmax for an example scenario. Theoptimal Ts is a minimax solution which minimizesthe maximum NIR over the range of vmax considered,in this case 0.1 m/s to 1 m/s. More formally, a robust


Fig. 5–Mean integrity risk NIR vs. sampling time Ts for variouschoices of vmax. The optimal sampling time T?s that minimizesthe worst-case mean integrity risk is approximately 100 minutes,yielding NI?R � 0.6727. Note that the worst-case attack is given byeither vmax = 0.1 or 1 m/s. Other parameters are umax = 0.03 m/s2,MF = 1 month, Ne � L = 3 km, �p = 6 m, Td = 200 s, and�d = 0.02 m/s1.5.

Fig. 6–Minimax mean integrity risk NI?R vs. the hazardous condi-tion threshold L. For L � 400 m, the worst-case attack will likelycause HMI since NI?R > 0.9. On the other hand, L � 7 km main-tains an integrity risk near zero for any reasonable attack. Otherparameters are set to the values indicated in Figure 5.

optimizer for Ts would be

minTs

maxvmax2Vumax2U

NIR, (4)

where V and U are bounded sets containing rea-sonable values for the attack parameters. vmax isbounded from below under the assumption thatthe attacker wishes to cause hazardous conditionsbefore the end of a typical approach. If the averageduration of an approach is NTapp, then vmax � L/ NTapp,reasonably assuming a linear relationship betweenthe approach’s alert limit and average duration.vmax is bounded from above because induced veloc-ities greater than 1 m/s would lead to physicallyimpossible set and drift values that are not cap-tured by the Gauss-Markov disturbance model andbreak the small control error assumption. Lastly, theimpact of umax on NIR is small for the Ts values con-sidered because acceleration only affects the attack

Fig. 7–Minimax mean integrity risk NI?R vs. L and MF. Depend-ing on the alert limit and continuity risk requirements of theapproach, the detector’s mean integrity risk ranges from high(black region), in which HMI is likely under H1, to low (whiteregion). Other parameters are set to the values indicated inFigure 5.

profile for a short period of time in the beginning ofthe attack. Therefore, the integrity risk optimizationis not particularly sensitive to the choice of umax,which is fixed to a value of 0.03 m/s2 for the rest ofthe analysis.

A closed form solution to (4) does not appear pos-sible, but the optimal Ts can be found numericallybased on the definition of NIR and on the knowndistributions for q(k) under H0 and H1. Minimaxresults for two example scenarios are shown inFigures 6 and 7.

SIMULATION

The spoofer control law and integrity risk calcu-lations were verified with Monte-Carlo simulations.The simulations take into account the Nomoto shipmodel, closed-loop ship controller, and open-loopspoofer controller developed in Section III, with Ne�L. Two representative ship trajectories are shownin Figure 8. The simulation-based mean integrityrisk is determined by counting the number of HMIevents over 20 simulations with random measure-ment and process noise per attack profile and over100 uniformly-spaced sampling phases per simula-tion. As shown in Figure 9, the simulation-basedmean integrity risk for different values of vmaxagrees well with the values predicted by the theorydeveloped in Section IV.

DEMONSTRATION

Hostile control of a surface vessel by GPS spoof-ing was demonstrated in the Mediterranean Sea inJune of 2013. The authors were invited to conduct


Fig. 8–Trajectory resulting from simulation of ship dynamicsunder nominal conditions (a) and a spoofing attack (b). e and are the ship’s cross-track position and heading, respectively.Note that under the spoofing attack, there is a slight change inthe average heading after the attack begins. The time-correlatedheading offset may not look unusual to the crew depending onthe expected time constants of ocean currents or wind in the area.Model parameters were T = 39.94 s, K = 0.211s–1, U = 8.23m/s,Kp = 1.4415, Ki = 0.0126, Kd = 21.6904, K0p = 0.0028, K0i =1.8949 � 10–5. Other parameters were set to the values indicatedin Figure 5.

Fig. 9–Theoretical vs. simulated mean integrity risk for differentvalues of vmax. Other parameters were set to the values indicatedin Figure 5.

the unprecedented experiment aboard the WhiteRose of Drachs, a 65-m superyacht. A key compo-nent of the experimental setup was a portable GPSspoofing device developed at the University of Texasat Austin [14]. The spoofer continuously receivedauthentic GPS signals from an antenna on the ship’supper aft deck, and transmitted counterfeit GPS sig-nals toward the ship’s GPS antennas, located abovethe bridge as shown in Figure 10.

Once a safe route was established, the captain andhis deck crew piloted the ship within a prescribedcorridor along a series of rhumb lines. Periodic con-trol actions were required to maintain course due tosuch disturbances as wind and ocean current, whichwere not measured directly. Instead, a lumped setand drift were measured indirectly from gyrocom-pass, Doppler speed log, and GPS measurements.

The spoofing attack was designed to cause a cross-track drift in the ship’s apparent position that couldbe explained as the effect of an ocean current. Theexperiment was composed of three stages: (1) asubtle-attack stage with spoofer-induced cross-trackvelocity v = 0.5 m/s and umax = 0.03 m/s2; (2) anaggressive-attack stage starting at e = 200m withv = 2 m/s and umax = 0.1 m/s2; and (3) a parallel-track stage starting at e = 700 m during which v wasreset to zero with umax = 0.1 m/s2. Throughout theattack, the captain performed correction maneuversto maintain the apparent (spoofed) ship position

Fig. 10–Sketch of the spoofer setup on the White Rose of Drachs.


within a ˙200 m corridor; the ship’s actual positiondiverged along the spoofer-intended track shown inFigure 11.

The ship’s GPS-reported position and gyrocom-pass - reported heading were logged to a file duringthe spoofing attack. The ship’s Doppler log was notfunctional during the experiment, but the ship’sengine throttle control was held constant at “fullahead,” so the ship’s speed through water U wasassumed to be a nominal 15 knots. The ship’s trueposition was computed by the spoofer using the

Fig. 11–Comparison of the ship’s reported actual position dur-ing the spoofing attack. The thin solid lines mark a ˙200 m safecorridor.

authentic signals received by an antenna with suffi-cient isolation from the spoofed signals as shown inFigure 10.

The logged measurements were fed post-facto intothe innovations-based spoofing detector developedin Section IV. To determine the optimal samplingtime T?s for the experiment, many of the sameparameter values indicated in Figure 5 were used,except that 0.5 m/s � vmax � 2 m/s and L = 200 m.Even though the ship was traveling in open waters,a narrow “safe” corridor was chosen to simulate asituation with tight maneuverability bounds such asa harbor approach bordered by underwater hazards.The resulting minimax optimization yielded T?s �250 s and mean integrity risk NI?R = 0.8956 for theworst-case attacks. The subtle attack demonstra-tion shows that for an alert limit less than 200 m,the navigation solution from the sampling-time-optimized system described in the paper becomesunavailable for any mean integrity risk specificationless than 0.89. If the system is unavailable, the nav-igator can improve the integrity risk of the existingsystem by trying to improve the model (i.e., reduceuncertainty), increase the continuity risk limit, oruse another system to navigate the approach.

The attack profile applied during the subtle-attack stage was designed to be a worst case; unsur-prisingly, the attack remained undetectable duringthis stage. The aggressive-attack stage was designedto be obvious: even assuming the inflated parame-ters L= 700m, umax = 0.1m/s2, and vmax = 2m/s, thetheoretical mean integrity remained an insignificant

Fig. 12–NIS values generated by the detector with sampling time Ts = 250 s for the experimental data collected on the White Rose of Drachsduring a live spoofing attack. A particular sampling phase td represents the delay since the experiment start time for the first detection test.NIS time histories for five different sampling phases are shown. The shaded regions mark areas where the NIS must fall for the attack tobe detected before hazardous conditions occur, preventing an HMI event. The darker and lighter regions correspond to the first and secondstages of the attack, respectively. The lower edge of the regions corresponds to the detection threshold �.


NIR = 0.0067. The actual integrity risk was differentdue to the changes in the spoofer-induced velocityduring the attack.

The NIS values generated by the detector basedon experimental data with five different samplingphases are shown in Figure 12. Recall that the meanintegrity risk computed previously is the marginalrisk assuming a uniformly-distributed samplingphase. A realization for a particular sampling phaseleads to HMI if the associated NIS values fail tocross the detection threshold � before an attackreaches hazardous conditions. The NIS values inFigure 12 fail to cross into the dark shaded regionbefore zm > 200 m (equivalently, e > 200 m),indicating that the attack was not detected beforehazardous conditions during the subtle stage. Thesampling phase td can be related to start time ofthe spoofing attack as td , �1 – t0, where �1 is thetime of the first detection test after the onset ofspoofing. For all but one sampling phase (td = 0 s),the attack was detected during the aggressive stagebefore hazardous conditions occurred.

SENSOR-LEVEL STRATEGIES FOR MITIGATINGSURFACE VESSEL VULNERABILITY TOGNSS DECEPTION

Despite being tailored to minimize NIR, the detectordeveloped in this paper remains vulnerable to sub-tle spoofing attacks that masquerade as the effectof ocean currents, as was demonstrated vividly bythe experiment aboard the White Rose of Drachs.What is more, it is doubtful that any other detectoroperating on measurements from a GNSS receiverand from the standard dead-reckoning instruments(the gyrocompass and Doppler speed log)—or anyother navigation sensors common to today’s surfacevessels—could detect a subtle GNSS spoofing attackbefore hazardous conditions occur.

The difficulty of reliable spoofing detection at thesensor fusion level motivates a layered approach inwhich the detector proposed in this paper is com-plemented with a GNSS receiver also designed todetect spoofing. A number of promising receiver-level spoofing detection methods are surveyed in[40]. Among these, the dual-antenna techniqueadvanced in [41] seems an especially promisingoption for maritime protection because (1) it canbe implemented in the near term, and (2) itschief drawbacks relative to the other techniques—larger size and higher cost—are not so critical formarine vessels as they are for handheld devicesand small unmanned aerial vehicles, for example.Nonetheless, it will take years before this or othertechniques mature and are implemented widely.Meanwhile, there are no off-the-shelf defensesagainst GNSS spoofing.

CONCLUSIONS

Modern integrated bridge systems assume a sur-face vessel’s GNSS receivers are trustworthy whenthese report a position fix from ambient GNSS sig-nals. But such trust is misplaced in situations ofGNSS spoofing: spoofed receivers report an attacker-induced false ship position as conveyed via coun-terfeit GNSS signals. An attacker can modulatethe ship’s true along-track and cross-track positionsby feeding apparent positions to the ship’s autopi-lot system, or to its bridge crew, that are falselyoffset from the ship’s true position. Besides thissystem-level effect of spoofing, specific navigationand collision avoidance instruments are individuallyaffected: the automatic radar plotting aid, the auto-matic identification system, the dead reckoning sys-tem built into the ship’s electronic chart display andinformation system (ECDIS), and the ship’s satellitecompass can all generate hazardously misleadinginformation during a GNSS spoofing attack.

A detection framework was developed to ana-lyze and detect spoofing attacks on surface vesselsbased solely on Doppler log, gyrocompass, and GNSSmeasurements. The framework’s detector is imple-mentable in ECDIS software commonly availableon ships of significant size. The detector is basedon a dynamics model that captures the essentialfeatures of the environmental disturbances, whichare dominated by ocean currents and wind. Thedetector’s test interval was chosen to minimize themaximum mean integrity risk, or probability of haz-ardously misleading information averaged over pos-sible attack start times, for a range of goal-orientedattack profiles. Monte-Carlo simulations verified thetheoretical calculations of mean integrity risk. Anunprecedented experiment demonstrated successfulhostile control of an actual surface vessel in a livespoofing attack and detection of the attack during itsmost aggressive stage.

Just as aviation regulators have developed rigor-ous integrity risk standards for GNSS faults, mar-itime regulatory authorities can use the detectionframework analysis proposed herein to compute theminimum integrity risk given reasonable values forreal-world disturbance and attack parameters andthe maximum acceptable continuity risk.

ACKNOWLEDGEMENTS

This work was supported in part by the NationalScience Foundation under Grant No. 1454474 andby the Data-supported Transportation Operationsand Planning Center (D-STOP), a Tier 1 USDOTUniversity Transportation Center. The authorsthank the crew of the White Rose of Drachs andher captain, Andrew Schofield, for supporting the


GPS spoofing experiment. Thanks also to Dr. AndyNorris for his comments on maritime navigation andsecurity in practice.

REFERENCES

1. John A. Volpe National Transportation Systems Cen-ter, “Vulnerability Assessment of the TransportationInfrastructure Relying on the Global Positioning Sys-tem,” 2001.

2. Grant, A., “GPS Jamming and the Impact on MaritimeNavigation,” Journal of Navigation, Vol. 62, No. 2,2009.

3. International Marine Contractors Association,“Guidelines for the Design and Operation of Dynam-ically Positioned Vessels,” 2007. Available at: http://www.imca-int.com/media/73055/imcam103.pdf.

4. Thomas, M., Norton, J., Jones, A., Hopper, A., Ward,N., Cannon, P., Ackroyd, N., Cruddace, P., and Unwin,M., “Global Navigation Space Systems: Reliance andVulnerabilities,” The Royal Academy of Engineering,London, 2011.

5. Caccia, M., Bibuli, M., Bono, R., and Bruzzone,G., “Basic Navigation, Guidance and Control of anUnmanned Surface Vehicle,” Autonomous Robots,Vol. 25, No. 4, 2008, pp. 349–365.

6. Elkins, L., Sellers, D., and Monach, W. R., “TheAutonomous Maritime Navigation (AMN) Project:Field Tests, Autonomous and Cooperative Behaviors,Data Fusion, Sensors, and Vehicles,” Journal of FieldRobotics, Vol. 27, No. 6, 2010, pp. 790–818.

7. Paull, L., Saeedi, S., Seto, M., and Li, H., “AUVNavigation and Localization: A Review,” IEEE Jour-nal of Oceanic Engineering, Vol. 39, No. 1, 2014,pp. 131–149.

8. Meduna, D. K., Rock, S. M., and McEwen, R. S.,“Closed-Loop Terrain Relative Navigation for AUVswith Non-Inertial Grade Navigation Sensors,” Pro-ceedings of 2010 IEEE/OES Autonomous UnderwaterVehicles (AUV), 2010, pp. 1–8.

9. Meduna, D., Rock, S. M., and McEwen, R., “AUVTerrain Relative Navigation using Coarse Maps,” Pro-ceedings of Unmanned Untethered Submersible Tech-nology Conference, 2009.

10. U.S. Coast Guard; U.S. Department of HomelandSecurity, “Terminate Long Range Aids to Navigation(Loran-C) Signal,” Federal Register, January 2010.

11. Narins, M., Lombardi, M., Enge, P., Peterson, B., Lo,S., Chen, Y. H., and Akos, D., “The Need for a RobustPrecise Time and Frequency Alternative to GlobalNavigation Satellite Systems,” Journal of Air TrafficControl, Vol. 55, No. 1, 2012.

12. Humphreys, T. E., Ledvina, B. M., Psiaki, M. L.,O’Hanlon, B. W., and Kintner, P. M. Jr., “Assessingthe Spoofing Threat: Development of a portable GPSCivilian Spoofer,” Proceedings of the 21st InternationalTechnical Meeting of the Satellite Division of The Insti-tute of Navigation (ION GNSS 2008), Savannah, GA,September 2008, pp. 2314–2325.

13. Shepard, D. P., Humphreys, T. E., and Fansler, A. A.,“Evaluation of the Vulnerability of Phasor Measure-ment Units to GPS Spoofing Attacks,” InternationalJournal of Critical Infrastructure Protection, Vol. 5,No. 3–4, 2012, pp. 146–153.

14. Kerns, A. J., Shepard, D. P., Bhatti, J. A., andHumphreys, T. E., “Unmanned Aircraft Capture andControl via GPS Spoofing,” Journal of Field Robotics,Vol. 31, No. 4, 2014, pp. 617–636.

15. GPS Directorate, “Systems Sngineering and Inte-gration Interface Specification IS-GPS-200G, ” 2012.Available at: http://www.gps.gov/technical/icwg/.

16. European Union, “European GNSS (Galileo) OpenService Signal in Space Interface Control Document,”2010. Available at: http://ec.europa.eu/enterprise/policies/satnav/galileo/open-service/.

17. Willsky, A. S., “A Survey of Design Methods for FailureDetection in Dynamic Systems,” Automatica, Vol. 12,No. 6, 1976, pp. 601–611.

18. Basseville, M., “Detecting Changes in Signals andSystems—a Survey,” Automatica, Vol. 24, No. 3, 1988,pp. 309–326.

19. Frank, P. M., “Fault Diagnosis in Dynamic SystemsUsing Analytical and Knowledge-Based Redundancy:A Survey and Some New Results,” Automatica, Vol. 26,No. 3, 1990, pp. 459–474.

20. Chen, J., and Patton, R. J., Robust Model-Based FaultDiagnosis for Dynamic Systems, Springer PublishingCompany, Inc., 2012.

21. Joerger, M., and Pervan, B., “Kalman Filter-BasedIntegrity Monitoring Against Sensor Faults,” Journalof Guidance, Control, and Dynamics, Vol. 36, 2013, pp.349–361.

22. Khanafseh, S., Roshan, N., Langel, S., Cheng-Chan, F.,Joerger, M., and Pervan, B., “GPS Spoofing Detectionusing RAIM with INS Coupling,” Proceedings of theIEEE/ION PLANS 2014, Monterey, CA, May 2014, pp.1232–1239.

23. Wald, A., “Sequential Tests of Statistical Hypotheses,”The Annals of Mathematical Statistics, Vol. 16, No. 2,June 1945, pp. 117–186.

24. Trees, H. L. V., Detection, Estimation, and ModulationTheory, Wiley, 2001.

25. Mehra, R. K., and Peschon, J., “An InnovationsApproach to Fault Detection and Diagnosis inDynamic Systems,” Automatica, Vol. 7, No. 5, 1971, pp.637–640.

26. Pelkowitz, L., and Schwarts, S., “Asymptotically Opti-mum Sample Size for Quickest Detection,” IEEETransactions on Aerospace and Electronic Systems,Vol. AES-23, No. 2, March 1987, pp. 263–272.

27. Bowditch, N., The American Practical Navigator,Bethesda, MD, National Imagery and MappingAgency, 2002.

28. GPS World Staff, “Hemisphere GPS Offers Vec-tor Compass Products for Marine Applications,”Oct. 2012. GPS World, Available at: http://gpsworld.com/hemisphere-gps-offers-vector-compass-products-for-marine-applications.

29. Radar Navigation and Maneuvering Board Manual,7th ed., Bethesda, Maryland: National Imagery andMapping Agency, 2001. Available at: http://msi.nga.mil/MSISiteContent/StaticFiles/NAV_PUBS/RNM/310ch5.pdf.

30. Norris, A., ECDIS and Positioning, Series, IntegratedBridge Systems: Nautical Institute, 2010.

31. eNav International, “Totem ECDIS and GPSSpoofing,” June 2013. Available at: http://www.enav-international.com/news/id5774-Totem_ECDIS_and_GPS_Spoofing.html.

32. Fossen, T. I., Guidance and Control of Ocean Vehicles,New York: John Wiley and Sons, 1994.

33. National Transportation Safety Board, “Marine Acci-dent Report: Grounding of the Panamanian PassengerShip Royal Majesty on Rose and Crown Shoal nearNantucket, Massachusetts June 10, 1995,” TechnichalReport, National Transportation Safety Board, 1997.


http://www.imca-int.com/media/73055/imcam103.pdf

http://www.imca-int.com/media/73055/imcam103.pdf

http://www.gps.gov/technical/icwg/

http://ec.europa.eu/enterprise/policies/satnav/galileo/open-service/

http://ec.europa.eu/enterprise/policies/satnav/galileo/open-service/

http://gpsworld.com/hemisphere-gps-offers-vector-compass-products-for-marine-applications

http://msi.nga.mil/MSISiteContent/StaticFiles/NAV_PUBS/RNM/310ch5 .pdf



http://www.enav-international.com/news/id5774-Totem_ECDIS_and_GPS_Spoofing.html

34. Lützhöft, M. H., and Dekker, S. W., “On Your Watch:Automation on the Bridge,” Journal of Navigation,Vol. 55, No. 1, 2002, pp. 83–96.

35. Kendoul, F., “Survey of Advances in Guidance, Nav-igation, and Control of Unmanned Rotorcraft Sys-tems,” Journal of Field Robotics, Vol. 29, No. 2, 2012,pp. 315–378.

36. Bhatti, J., “Sensor Deception Detection and Radio-Frequency Emitter Localization,” Ph.D. Dissertation,The University of Texas at Austin, August 2015.

37. Luce, R. D., and Raiffa, H., Games and Decisions:Introduction and Critical Survey, Dover, 1989.

38. Blackwell, D. A., Theory of Games and StatisticalDecisions, Courier Dover Publications, 1979.

39. Bar-Shalom, Y., Li, X. R., and Kirubarajan, T., Esti-mation with Applications to Tracking and Navigation,New York: John Wiley and Sons, 2001.

40. Humphreys, T. E., The GNSS Handbook, Springer,2014. ch. Interference, in preparation.

41. Psiaki, M. L., O’Hanlon, B. W., Powell, S. P., Bhatti, J.A., Wesson, K. D., Humphreys, T. E., and Schofield, A.,“GNSS Spoofing Detection using Two-Antenna Differ-ential Carrier Phase,” Proceedings of the 27th Interna-tional Technical Meeting of the Satellite Division of TheInstitute of Navigation (ION GNSS+ 2014), Tampa,FL, September 2014, pp. 2776–2800.


hostile control of ships via false gps signals: demonstration and detection€¦ · ·...

Documents