The Security of Critical Infrastructure Act 2018 (SOCI Act) establishes a framework for managing risks to Australia’s critical infrastructure, including the need to address security risks comprehensively.
Owners and operators of critical infrastructure face a diverse range of security risks. Among these, Positioning, Navigation, and Timing (PNT) is a crucial, often overlooked risk area.
Given PNT’s fundamental enabling role across SOCI sectors including energy, telecommunications, and transportation, we strongly recommend that organisations assess whether PNT vulnerability mitigations are integrated into their Critical Infrastructure Risk Management Program (CIRMP).
Failure to address PNT risks could result in severe operational, economic, and safety consequences, underscoring the urgency of proactive management in this domain.
What is the problem?
PNT is a fundamental enabler of most, if not all, critical infrastructure sectors. In aviation and maritime, PNT helps guide airplanes during landing approaches and navigate ships through narrow channels in ports. In energy, telecommunications, finance, and data, PNT satisfies strict time synchronisation requirements at the micro-nanosecond level for effective operational, connectivity, and trading activities. Disruptions to the PNT on which these critical systems rely could lead to significant economic and social consequences.
The US Global Positioning System (GPS) is the primary PNT source for Australian critical infrastructure. However, GPS is susceptible to a range of kinetic and non-kinetic, malicious and non-intentional, natural and physical threats, and so our dependence on GPS makes our systems and operations extremely vulnerable.
Is the threat real?
The threat is real. Let us examine a few case studies.
Drivers using GPS jammers to avoid vehicle tracking by their employers have caused signal disruptions to aircraft landing systems at airports. Two such cases, at Newark Airport (USA) in 2014[1] and Lyon Airport (France) in 2023[2], have received widespread coverage. The disruptions posed a significant risk of aviation accidents.
In 2022, unintentional radio frequency (RF) interference led to two significant GPS disruption events in Denver and Dallas. The Denver incident occurred on January 21st due to an accidental RF transmission from a government facility. The transmission affected aircraft within a 50-nautical-mile radius of the Denver airport and lasted for 33 hours before the source was located and deactivated. The Dallas incident started on October 17th and impacted aircraft within a 110-nautical-mile range. Interference lasted for 24 hours before it ceased on its own, with the source remaining unidentified[3].
Space weather events, such as solar storms, can cause major disruptions to Global Navigation Satellite System (GNSS) signals. A solar storm in May 2024 affected GNSS, degrading GPS signals worldwide, impacting agriculture and construction equipment[4] and aerial drones, and leading to the declaration of a ‘grid emergency’ in New Zealand[5].
GPS jamming in conflict areas has impacted commercial flights in East Europe, though such instances have also happened closer to home. In 2023, Qantas aircraft experienced radio interference and GPS jamming in the Asia-Pacific region, including when flying over the South China Sea, Philippine Sea, and even the north-west shelf of Australia[6]. Many of these disruptions have been attributed to Chinese military activities, compromising aircraft navigation systems and reducing in-air situational awareness.
What does this mean?
In November 2024, the Cyber and Infrastructure Security Centre (CISC) in the Department of Home Affairs (DHA) released a Factsheet for Critical Infrastructure: Positioning, Navigation and Timing that provides high level information on PNT risks and guidance for mitigation. Implicit in the factsheet is a call to critical infrastructure owners and operators to make PNT security part of their CIRMP.
Some organisations may already be taking action to mitigate PNT vulnerabilities. These actions could include expanding from sole reliance on GPS to other GNSS, acquiring more robust GNSS devices, or accessing new civil GNSS frequencies that are less susceptible to jamming and unintentional RF interference. The key question is the extent to which these activities are conducted solely at the system level – that is, treating PNT in isolation from broader risk management.
You may still be harbouring a key vulnerability if your enterprise lacks a comprehensive assessment of how the latest off-the-shelf device integrates with other PNT systems, what will fail when GPS signals are lost for an extended period, and the cascading effects on key assets and operations, along with the consequences that could stem from them.
Challenges
Threats to safety-of-life in GNSS-denied environments can be high profile, and many of the better known examples featured above are related to aviation. However, risks to PNT, which underpins essential operations across sectors, present vulnerabilities for critical infrastructure operators as well. Many organisations lack awareness of their reliance on PNT systems, leaving them vulnerable to disruptions caused by jamming, spoofing, or system failures.
Over-reliance on single sources like GPS further exacerbates this risk. PNT failures can have cascading impacts across interdependent sectors, such as financial services relying on precise timing or grid synchronisation in energy networks. Additionally, the integration of PNT systems with broader operational technology (OT) and information technology (IT) networks exposes them to cybersecurity threats. Addressing these challenges requires a proactive and comprehensive approach within the framework of a CIRMP.
A cyber security approach to PNT security risk management
A cyber security approach is recommended for robust, systematic and comprehensive PNT security risk management. The US National Institute of Standards and Technology’s (NIST) PNT Profile provides critical infrastructure sectors with general guidance to voluntarily Identify, Protect, Detect, Respond, and Recover.
Other sectors with unique needs could borrow from this guidance. Cyber risk management in the energy sector is governed by the Australian Energy Sector Cyber Security Framework (AESCSF). A tailored PNT Profile could be developed through the AESCSF domains, including Risk Management; Asset, Change, and Configuration Management; Identity and Access Management; Threat and Vulnerability Management; and Supply Chain and External Dependencies Management.
Applying a cyber security lens to PNT allows its security to be integrated into enterprise risk management and, for SOCI entities, the CIRMP. This approach not only facilitates effective audits to identify natural, physical, governance, asset, and supply chain threats and vulnerabilities to PNT, it also enables organisations to introduce appropriate resilience measures to Protect, Toughen, and Augment their critical infrastructure.
Collaborating for Resilience
FrontierSI is developing a PNT Security Risk Assessment service to tackle the real risk of disruptions to PNT services and technologies relevant to critical infrastructure.
As part of this initiative, FrontierSI will be running a pilot program in collaboration with Pentagram Advisory to trial the PNT Security Risk Assessment. This pilot aims to provide tailored guidance to critical infrastructure owners and operators, equipping them with tools and strategies to mitigate PNT vulnerabilities effectively.
Interested in learning more or taking part in the pilot program? Join us for a free online workshop, ‘SOCI Workshop: Positioning, Navigation, and Timing (PNT) Systems – Security Risk to Critical Infrastructure Sectors,’ on 11 February 2025 from 2:30 to 3:30 (AEDT).
By addressing PNT vulnerabilities through a structured, integrated, and proactive approach, organisations can safeguard critical infrastructure, maintain compliance, and ensure long-term resilience in an evolving threat landscape.
[1] https://www.cnet.com/culture/truck-driver-has-gps-jammer-accidentally-jams-newark-airport/
[2] https://trans.info/en/gps-jammer-that-brought-disruption-to-lyon-airport-353510
[3] https://rntfnd.org/2024/06/04/study-gps-disruptions-in-aviation-show-importance-of-backups-u-s-and-europe-may-be-headed-in-the-wrong-direction/
[4] https://www.cbc.ca/radio/asithappens/solar-storm-farm-gps-1.7207999
[5] https://static.transpower.co.nz/public/bulk-upload/documents/Event%204457%20-%20Gannon%20geomagnetic%20storm%20response%20summary%20and%20lessons%20learnt.pdf?VersionId=me4cehwLgGVV3f7V2ha0JafZhmikj1om
[6] https://www.gpsworld.com/australian-aircrafts-gps-receiver-jammed-by-alleged-chinese-warships/