Towards Cyber-Secure GBAS: Initial Experimental System Validation

Kurzfassung

The Ground Based Augmentation System (GBAS) provides differential corrections and ensures the integrity of the navigation solution for aircraft flying precision approaches based on the use of Global Navigation Satellite Systems (GNSS). Operational GBAS ground stations today only provide corrections for the L1 signals of GPS, but development towards the use of a second frequency (L5/E5a) and at least two core constellations is actively underway. While these developments are helping to improve the global availability of GBAS and thus increase its market share, recent years have shown that there is a growing need to address the issue of cybersecurity in GNSS-based systems. Particularly in the last year, an increasing number of incidents have been reported, not only but especially around crisis areas, with a new quality of successful spoofing attacks on aircraft in contrast to the previously often encountered GNSS outages due to jamming in certain areas for example in the Eastern Mediterranean region. As a GNSS based system, GBAS relies entirely on the availability (degraded by interference/jamming) and trustworthiness (compromised by spoofing) of the underlying GNSS signals to enable its safe and reliable precision approach guidance. If the underlying GNSS signals themselves are compromised or disturbed, the system becomes unusable. Several solutions are currently being investigated to improve the cyber security of GNSS, e.g. signal authentication on the system side, such as the recently launched OSNMA (Open Service Navigation Message Authentication) for the European Galileo system. On the user side, for example, various types of array processing with corresponding multi-element antennas have been proposed and studied over the years. Such solutions can enable GNSS reception even under jamming and spoofing conditions, as has been shown in the past. This work is based on the combination of DLR developed prototypes of the aforementioned array antennas and receivers on both the airborne and ground side of an experimental GBAS prototype. Based on an extensive data collection campaign, including multi-day flight trials, we present initial results to validate the feasibility of a fully cyber-secure GBAS. The test hardware on the ground consisted of three identical installations equipped with multi-frequency (L1/L5) array antennas and receivers capable of tracking GPS and Galileo. On board the aircraft, a DLR-developed array antenna with a typical aeronautical footprint was connected to an array receiver similar to that used on the ground. The airborne system also had the capability to record raw IF (intermediate frequency) samples for detailed post-processing analysis as well as the generation of interference signals during the flights to assess the system resilience. The studied test cases included both nominal conditions on the ground as well as in the air, but also different kinds on intentional interference to both the GBAS ground station but also the aircraft. In parallel to the resilient hardware, conventional commercial GNSS hardware was operated both on the ground and in the air for comparison during all tests. Figure 1 depicts the used ground hardware as well as the installation for the flight tests at the DLR research airport (Cochstedt, EDBC) in central Germany. Based on the data collected, initial models were derived to assess the nominal performance of the resilient prototype hardware with respect to GBAS, including preliminary models for both ground and airborne noise and multipath. Initial analysis was also carried out to assess the behaviour of various GBAS integrity monitors for the tested hardware, both under nominal conditions and in the presence of interference. As the current interference scenarios focus on the L1 band (among other reasons to preserve the L5 signals for reference measurements), the current studies focus on classical single-frequency L1 processing modes (30s/100s carrier smoothing) for positioning, while the L5 band is only used for dual-frequency ionospheric monitoring. As an exemplary result, Figure 2 shows the achieved single frequency, multi-constellation protection level (H0) during repeated approaches in nominal conditions. In these initial analyses and GBAS post-mission assessments, the new system demonstrated the expected level of resilience to various types of intentional interferences, while conventional reference receivers lost most satellites during the jamming attacks and became unavailable or were misled by the spoofed signals. While the limitations of the current prototypes in terms of the number of tracked channels do not allow a definitive assessment of quantitative performance, the characteristics in terms of tracking stability and other satellite-based metrics achieved in the tests suggest that a future system could be sufficiently accurate to meet the requirements of automated landing systems. Based on the results achieved so far, the demonstrator's hardware and software will continue to be improved for further testing and validation campaigns planned in 2024 and 2025, with the ultimate goal of conducting a full real-time demonstration.