SIST EN 16803-3:2020
Space - Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) - Part 3: Assessment of security performances of GNSS-based positioning terminals
This document shall be considered as a complementary standard to EN 16803-2, which is intended for the assessment of the performances of a GBPT placed in real-life or simulated road environments. This document instead specifically targets security attacks such as interference, jamming, meaconing or spoofing. It cannot be applied independently of EN 16803-2, which describes in detail the general methodology of the assessment procedure.
This document provides normative information necessary to replay in the lab standardized scenarios specifically dedicated to security tests applied to GNSS.
Depending on the case (jamming or spoofing), these scenarios are composed of data sets combining either real life recorded SIS and jamming signals or simulated SIS and spoofing signals. The reason for that will be explained in Clause 6.
Although a high-level categorization of GNSS attacks is given in Annex A, a comprehensive and detailed categorization of possible GNSS attacks is out of the scope of this document.
It is not the aim of this EN either to standardize the record procedure or to define the specific requirements for the generation of the attack scenarios. The record procedure itself and its quality framework for accredited GNSS-specialized laboratories (Lab-A), with the detailed definition of standardized attack scenarios, will be totally and precisely described in EN 16803-4 (under preparation). The list of attack scenarios will have to be regularly updated considering the evolution of GNSS technologies, emerging threats, and countermeasures.
German title: Raumfahrt - Anwendung von GNSS-basierter Ortung für Intelligente Transportsysteme (ITS) im Straßenverkehr - Teil 3: Überprüfung der sicheren Leistungen von GNSS-basierten Ortungsendgeräten
French title: Espace - Utilisation du positionnement GNSS pour les systèmes de transport routier intelligents (ITS) - Partie 3 : Evaluation des performances de sécurité des terminaux de positionnement GNSS
Slovenian title: Vesolje - Uporaba sistemov globalne satelitske navigacije (GNSS) za ugotavljanje položaja pri inteligentnih transportnih sistemih (ITS) v cestnem prometu - 3. del: Ocenjevanje varnostnih tehničnih lastnosti terminalske opreme za določanje položaja, ki uporablja GNSS
Standards Content (Sample)
SLOVENIAN STANDARD
SIST EN 16803-3:2020
01 December 2020
Space - Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) - Part 3: Assessment of security performances of GNSS-based positioning terminals
This Slovenian standard is identical to: EN 16803-3:2020
ICS:
03.220.20 Road transport
33.060.30 Radio relay and fixed satellite communications systems
35.240.60 IT applications in transport
SIST EN 16803-3:2020 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
EUROPEAN STANDARD
EN 16803-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
September 2020
ICS 03.220.20; 33.060.30; 35.240.60
English version
Space - Use of GNSS-based positioning for road Intelligent
Transport Systems (ITS) - Part 3: Assessment of security
performances of GNSS-based positioning terminals
Espace - Utilisation du positionnement GNSS pour les systèmes de transport routier intelligents (ITS) - Partie 3 : Évaluation des performances de sécurité des terminaux de positionnement GNSS
Raumfahrt - Anwendung von GNSS-basierter Ortung für Intelligente Transportsysteme (ITS) im Straßenverkehr - Teil 3: Überprüfung der sicheren Leistungen von GNSS-basierten Ortungsendgeräten
This European Standard was approved by CEN on 15 June 2020.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 16803-3:2020 E
EN 16803-3:2020 (E)
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and acronyms
3.1 Terms and definitions
3.2 Acronyms
4 Description of the general logic of security tests
4.1 Record and Replay principle
4.2 Specificity of security tests based upon the R & R approach
4.3 Jamming testing Architecture
4.4 Spoofing/meaconing testing architecture
5 Definition of the metrics with respect to security performances
5.1 General
5.2 Accuracy metrics
5.3 Availability and continuity metrics
5.4 Integrity metrics
5.4.1 Protection Level performance metrics
5.4.2 Misleading Information metrics
5.5 Timing metrics
5.5.1 Timestamp resolution
5.5.2 Nominal output latency
5.5.3 Nominal output rate
5.5.4 Output latency stability
5.5.5 Output rate stability
5.5.6 Time to first fix
6 Description of the test procedures and the test equipment
6.1 Scope
6.2 Setting-up of the replay test-bench
6.2.1 Replay device calibration
6.2.2 Replay testbed architecture
6.3 Validation of the data processing HW and SW by the RF test laboratory
6.4 Replaying of the data
6.4.1 General
6.4.2 Jamming scenarios
6.4.3 Spoofing and meaconing scenarios
6.5 Computation of metrics degradation
6.5.1 General
6.5.2 Jamming scenarios
6.5.3 Spoofing and meaconing scenarios
6.6 Establishment of the final test report
7 Validation procedure
8 Definition of the synthesis report: how to report the results of the tests
Annex A (informative) Analysis of the GNSS attacks taxonomy
A.1 General
A.2 Categorization of GNSS attacks
A.3 GNSS attack models
A.3.1 General
A.3.2 Interference and jamming attacks
A.3.3 Meaconing attacks
A.3.4 Spoofing attacks
Annex B (informative) Security-specific metrics (authentication capabilities, spoofing and jamming detection flags, etc.)
Annex C (informative) Scenarios proposition
C.1 General
C.2 Jamming/interference proposed scenarios
C.3 Spoofing proposed scenario
C.4 Meaconing proposed scenarios
Annex D (informative) Spoofing insights
D.1 General
D.2 Range error impact
D.3 Oscillator error impact
D.4 Propagation channel
Annex E (informative) Data set record testbed
E.1 General
E.2 Jamming data generation
E.3 Spoofing data recording
Bibliography
European foreword
This document (EN 16803-3:2020) has been prepared by Technical Committee CEN-CENELEC/TC 5
“Space”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by March 2021, and conflicting national standards shall be
withdrawn at the latest by March 2021.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CEN and CENELEC by the European
Commission and the European Free Trade Association.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
Introduction
The EN 16803 series of CEN-CENELEC standards deals with the use of GNSS technology in the intelligent
transport domain and addresses more particularly the issue of performance assessment.
As recalled in the generic functional architecture of a road ITS system based on GNSS, two main sub-
systems can be considered: the positioning system (GNSS-based positioning terminal (GBPT) + external
sources of data) and the road ITS application processing the position quantities output by the terminal to
deliver the final service to the user.
Figure 1 — Generic functional architecture of a Positioning-based road ITS system
This document is the third one of the EN 16803 series.
EN 16803-1 standard proposes a method called “Sensitivity analysis” to assess the adequacy of the
GBPT’s performances to the end-to-end performance of the road ITS system. In addition, this first EN
defines the generic architecture, the generic terms and the basic performance metrics for the Positioning
quantities.
EN 16803-2 proposes a test methodology based on the replay in the lab of real data sets recorded during
field tests, assuming no security attack during the test.
This document, EN 16803-3, proposes a complement to this Record & Replay (R&R) test methodology
to assess the performance degradation when the GNSS signal-in-space (SIS) is affected by intentional or
unintentional radio-frequency (RF) perturbations. The paragraphs below stress the importance of this
assessment in the context of the security threats.
The number of applications in road Intelligent Transport Systems (ITS) relying on Global Navigation
Satellite System (GNSS) technologies has shown an impressive growth in recent years. At the same time,
as many of those applications can be considered safety-critical or liability-critical, the need to increase
the robustness and the security of the GNSS-Based Positioning Terminal (GBPT) is becoming a critical
point. Civil GNSS signals and receivers are known to be vulnerable not only to natural impairments
(e.g. atmospheric effects, presence of multipath and obstacles) or unintentional interference, but also to
attacks of intentional nature. For instance, in the case of road ITS, it is widely discussed how users hoping
to perpetrate fraud on road tolling applications might attack an on-board GNSS receiver in order to elude
a payment. In this scenario, the malicious user can try to disrupt the receiver functionalities (typically
through jamming), making it either unable to compute a Position, Velocity, and Time (PVT) information,
or even forcing it to output counterfeit PVT data (e.g. through spoofing attacks). While in past years these
types of GNSS attacks were considered as feasible but requiring significant technical means, it is not the
case today considering that illegal jammers are available on the market for just a few euros and basic
spoofing attacks can be carried out at relatively low cost.
GNSS positioning threats have intensely interested the research community and the industry over the
last decade, motivating the increasing awareness on the GNSS vulnerabilities and the development of
suitable countermeasures. For instance, the reader can refer to the following recent publications, see
Bibliography [5] [6] [7] [8] [9] [10].
In this context, device manufacturers have started to implement new technologies to make their
positioning modules robust against GNSS attacks. In addition, major advances have been made in the GNSS
security aspects in Europe, especially those related to the development of new GNSS capabilities for the
Galileo system (i.e. civil authentication services provided by means of cryptographically protected
signals, see Bibliography [12] [13] [14] [15]).
These trends motivate a standardization effort in order to identify, harmonize, and properly define GNSS
attack scenarios and test procedures. In this sense, a first important step is to define a common
categorization of relevant GNSS attacks.
For this reason, Annex A of this standard aims to provide a high-level categorization of GNSS attacks (A.1)
and a brief description of possible attack models in each category (A.2). It is important to read carefully
Annex A to understand correctly the meaning of this document. It is informative in the sense that it
provides informative material related to the attack scenarios that shall be used in a R & R process for
security tests, compatible with the quality required for high-level standards. In fact, a wide number of
possible attacks have been proposed in past years and new threats continue to emerge, not just based on
controlled simulations done by GNSS security experts and researchers in their laboratories, but also with
an impressive number of reported real world accidents (e.g. see Bibliography [16] and [17]).
1 Scope
This document is a complementary standard to EN 16803-2, which is intended for the assessment of the
performances of a GBPT placed in real-life or simulated road environments. This document instead
specifically targets security attacks such as interference, jamming, meaconing or spoofing. This
document cannot be applied independently of EN 16803-2, which describes in detail the general
methodology of the assessment procedure.
This document provides normative information necessary to replay in the lab standardized scenarios
specifically dedicated to security tests applied to GNSS.
Depending on the case (jamming or spoofing), these scenarios are composed of data sets combining
either real life recorded SIS and jamming signals or simulated SIS and spoofing signals. The reason for
that will be explained in Clause 6.
Although a high-level categorization of GNSS attacks is given in Annex A, a comprehensive and detailed
categorization of possible GNSS attacks is out of the scope of this document.
It is not the aim of this document either to standardize the record procedure or to define the specific
requirements for the generation of the attack scenarios. The record procedure itself and its quality
framework for accredited GNSS-specialized laboratories (Lab-A), with the detailed definition of
standardized attack scenarios, will be totally and precisely described in EN 16803-4 (under preparation).
The list of attack scenarios will have to be regularly updated considering the evolution of GNSS
technologies, emerging threats, and countermeasures.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 16803-1, Space - Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) - Part 1:
Definitions and system engineering procedures for the establishment and assessment of performances
EN 16803-2:2020, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) —
Part 2: Assessment of basic performances of GNSS-based positioning terminals
3 Terms, definitions and acronyms
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• ISO Online browsing platform: available at http://www.iso.org/obp
• IEC Electropedia: available at http://www.electropedia.org/
3.1.1
electromagnetic interference
source of RF transmission that is within the frequency band used by a communication link, and that
degrades the performance of this link
[SOURCE: ETSI TS 103 246-3]
3.1.2
jamming
deliberate transmission of interference to disrupt processing of wanted signals (which in this case are
GNSS or telecommunications signals)
Note 1 to entry: Jamming is a particular case of electromagnetic interference.
[SOURCE: ETSI TS 103 246-3]
3.1.3
spoof/spoofing
transmission of signals intended to deceive location processing into reporting false location target data
[SOURCE: ETSI TS 103 246-3]
3.1.4
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
[SOURCE: ISO/IEC 27001]
3.1.5
vulnerability
weakness of an asset or control that can be exploited by one or more threats
[SOURCE: ISO/IEC 27001]
3.1.6
GBPT
GNSS Based Positioning Terminal
Term used to define the component that basically outputs PVT
3.1.7
DUT
Device Under Test
term used to define a device that is assessed
Note 1 to entry: In the context of EN 16803-2, DUT refers to GBPT.
3.1.8
test scenario
composed of GNSS SIS data and potential sensor data resulting from field tests, complemented by a
metadata description file; a test scenario is a non-empty combination of UTS that allows to assess a GBPT
in the desired environments
Note 1 to entry: Data inside a Test Scenario are raw data, either RF signals from GNSS satellites, or raw data from
other embedded sensors.
Note 2 to entry: A Test Scenario is the whole package that a GNSS-specialized test laboratory delivers to a
Generalist RF test laboratory in charge of performance assessment tests according to the EN 16803 series.
Note 3 to entry: Considering the 6 (six) different environments as defined in EN 16803-1, there’s a combination
of 2^6–1 = 63 possible test scenarios; from let’s say “Rural only” test scenario up to “All environment” test scenario
that covers the 6 (six) different environments.
3.1.9
Unitary Test Scenario (UTS)
elementary brick of a Test Scenario, resulting from a specific field test; in other words, a Test Scenario is
composed of a concatenation of several Unitary Test Scenarios
3.1.10
Uniform Environment Data Set (UEDS)
output of the DUT collected after a replay in laboratory sorted by environment; it is a concatenation of
the output of the DUT for all UTS restricted to a unique environment
Note 1 to entry: Considering the 6 different environments as defined in EN 16803-1, there is the same number of
UEDS ; i.e. 6 (six).
Note 2 to entry: Data composing a Uniform Environment Data Set are PVT data, as they are output by a GBPT.
Note 3 to entry: Uniform Environment Data Sets are the data sets to which the metrics shall be applied to assess
the performances of the device under test.
3.1.11
GNSS-specialized test laboratory
laboratory in charge of producing test scenarios for generalist RF test laboratories
3.1.12
Generalist RF test laboratory
laboratory in charge of assessing the performances of GBPTs thanks to Test Scenario
3.1.13
Benchmark Unitary Test Scenario (B-UTS)
dedicated UTS used specifically for the validation procedure as defined in Clause 7
3.1.14
Benchmark Uniform Environment Data Set (B-UEDS)
each of the UEDS obtained with the benchmark receiver at the GNSS specialised lab (used by the
generalist lab to validate their test platform and procedures)
3.2 Acronyms
For the purposes of this document, the following acronyms apply.
Acronym Description
ACAI Availability, Continuity, Accuracy, Integrity
ADC Analog to Digital Converter
ADS Attacked Data Set
AGC Automatic Gain Control
CEN European Committee for Standardization
CENELEC European Committee for Electrotechnical Standardization
CSAC Chip Scale Atomic clock
CW Continuous Waves
DAC Digital to Analog Converter
DUT Device Under Test
ETSI European Telecommunications Standards Institute
GBPT GNSS-Based Positioning Terminal
GNSS Global Navigation Satellite Systems
I/Q In-phase and Quadrature – I/Q format is an efficient way to store RF signals so that it is possible to reproduce RF signals in laboratory after modulation. I/Q format is the format used to store GNSS UTS.
IMU Inertial Measurement Unit
ITS Intelligent Transport Systems
J/S Jamming to Signal ratio
LNA Low Noise Amplifier
Lab-A GNSS-specialized test laboratory
Lab-B Generalist RF test laboratory
MIR Misleading Information Rate
NDS Nominal Data Set
OCXO Oven-controlled crystal oscillator
PA Power Amplifier
PPS Pulse Per Second
PVT Position Velocity and Time
RAIM Receiver Autonomous Integrity Monitoring
RF Radio Frequency
RFCS Radio Frequency Constellation Simulator
RMS Root Mean Square
R&R Record and Replay
SBAS Satellite Based Augmentation System
SDR Software Defined Radio
SIS Signal In Space
SNR Signal to Noise Ratio
TCXO Temperature-controlled crystal oscillator
TIR Target Integrity Risk
TTFF Time To First Fix
UTS Unitary Test Scenario
UEDS Uniform Environment Data Set
4 Description of the general logic of security tests
4.1 Record and Replay principle
Security tests in EN 16803-3 are based on the same methodology as the tests described in EN 16803-2,
designed for assessing the basic performance features Availability, Continuity, Accuracy, Integrity (ACAI)
and Time-To-First-Fix (TTFF) of the PVT information.
This methodology is called Record & Replay (R & R). The rationale for this choice and the advantages of
this methodology are explained in detail in EN 16803-2:2020, 4.1.1 and 4.1.2.
Different test approaches exist. To be effective and widely accepted, test procedures shall be:
— representative;
— repeatable;
— rapid;
— affordable.
The R & R approach consists of replaying in a laboratory GNSS Signal-In-Space (SIS) data, and potentially
additional sensor data or assistance/correction data, recorded in specific operational conditions thanks
to a specific test vehicle. The dataset comprising GNSS SIS data and potential sensor or
assistance/correction data resulting from these field tests, together with the corresponding metadata
description file, is called a “test scenario”.
This approach is:
— representative of the reality, when the proper set of scenarios is identified. The representativeness
is certainly much higher than that of a fully simulated environment;
— repeatabl
...
SLOVENIAN STANDARD
oSIST prEN 16803-3:2019
01 April 2019
Space - Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) - Part 3: Assessment of security performances of GNSS-based positioning terminals
This Slovenian standard is identical to: prEN 16803-3
ICS:
03.220.20 Road transport
33.060.30 Radio relay and fixed satellite communications systems
35.240.60 IT applications in transport
oSIST prEN 16803-3:2019 en,fr,de
EUROPEAN STANDARD
DRAFT
prEN 16803-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2019
ICS 03.220.20; 33.060.30; 35.240.60
English version
Space - Use of GNSS-based positioning for road Intelligent
Transport Systems (ITS) - Part 3: Assessment of security
performances of GNSS-based positioning terminals
Espace - Utilisation du positionnement GNSS pour les systèmes de transport routier intelligents (ITS) - Partie 3 : Evaluation des performances de sécurité des terminaux de positionnement GNSS
Raumfahrt - Anwendung von GNSS-basierter Ortung für Intelligente Transportsysteme (ITS) im Straßenverkehr - Teil 3: Überprüfung der sicheren Leistungen von GNSS-basierten Ortungsendgeräten
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 5.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania,
Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
prEN 16803-3:2019 (E)
Contents Page
European foreword . 5
Introduction . 6
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 8
3.1 Definitions . 8
3.2 Acronyms . 10
4 Description of the general logic of the security tests . 12
4.1 Record and Replay principle . 12
4.2 Specificity of security tests based upon the R&R approach . 12
4.3 Jamming testing Architecture . 13
4.4 Spoofing/meaconing testing architecture . 14
5 Definition of the metrics with respect to security performances . 16
5.1 General . 16
5.2 Accuracy metrics . 16
5.3 Availability and continuity metrics . 18
5.4 Integrity metrics . 18
5.4.1 Protection Level performance metrics . 18
5.4.2 Misleading Information metrics . 19
5.5 Timing metrics . 19
5.5.1 Timestamp resolution . 19
5.5.2 Nominal output latency . 19
5.5.3 Nominal output rate . 19
5.5.4 Output latency stability. 20
5.5.5 Output rate stability . 20
5.5.6 Time to first fix . 20
6 Description of the test procedures and the test equipment . 21
6.1 Scope . 21
6.2 Setting-up of the replay test-bench . 22
6.2.1 Replay device calibration . 22
6.2.2 Replay testbed architecture . 24
6.3 Validation of the data processing HW and SW by the RF test laboratory . 25
6.4 Replaying of the data . 26
6.4.1 General . 26
6.4.2 Jamming scenarios . 26
6.4.3 Spoofing & meaconing scenarios . 26
6.5 Computation of metrics degradation . 27
6.5.1 General . 27
6.5.2 Jamming scenarios . 27
6.5.3 Spoofing & meaconing scenarios . 28
6.6 Establishment of the final test report . 28
7 Validation procedure . 28
8 Definition of the synthesis report: how to report the results of the tests . 28
Annex A (informative) Analysis of the GNSS attacks taxonomy
A.1 General
A.2 Categorisation of GNSS attacks
A.3 GNSS attack models
A.3.1 General
A.3.2 Interference and jamming attacks
A.3.3 Meaconing attacks
A.3.4 Spoofing attacks
Annex B (informative) Security-specific metrics (authentication capabilities, spoofing and jamming detection flags, etc.)
Annex C (informative) Scenarios proposition
C.1 General
C.2 Jamming/interference proposed scenarios
C.3 Spoofing proposed scenarios
C.4 Meaconing proposed scenarios
Annex D (informative) Spoofing insights
D.1 General
D.2 Range error impact
D.3 Oscillator error impact
D.4 Propagation channel impact
Annex E (informative) Dataset record testbed
E.1 General
E.2 Jamming data generation
E.3 Spoofing data recording
Bibliography
List of Figures
Figure 1 — Generic functional architecture of a Positioning-based road ITS system
Figure 2 — Jamming recording architecture including SDR jamming generator
Figure 3 — Jamming testing high-level architecture
Figure 4 — Spoofing recording architecture performing live spoofing
Figure 5 — Spoofing recording architecture including RFCS
Figure 6 — Spoofing testing high-level architecture
Figure 7 — Accuracy degradation metrics
Figure 8 — Scheme of gain contribution for calibration
Figure 9 — Calibration table construction high-level architecture, to estimate the DEVICE GAIN
Figure 10 — Spoofing/Nominal replay testbed architecture
Figure 11 — Jamming replay testbed architecture
Figure 12 — NDS and ADS position in the jamming testing architecture
Figure 13 — NDS position in the spoofing testing architecture
Figure 14 — ADS position in the spoofing testing architecture
Figure A.1 — GNSS attacks taxonomy
Figure C.1 — CW typical jamming scenario
Figure C.2 — Chirp typical jamming scenario
Figure C.3 — Spoofing relative position/velocity dynamics
Figure C.4 — Spoofing relative power profile
Figure D.1 — Propagation in Free Space and Hata Channel models
Figure E.1 — CW jammer
Figure E.2 — LFM chirp jammer
Figure E.3 — NLFM chirp jammer
Figure E.4 — Radar jammer
Figure E.5 — Frequency hopping fast jammer
Figure E.6 — Frequency hopping slow jammer
Figure E.7 — Noise Narrowband jammer
Figure E.8 — Noise broadband jammer
Figure E.9 — Jamming recording architecture
Figure E.10 — Spoofing recording architecture
List of Tables
Table C.1 — Four types of jamming scenarios
Table C.2 — Spoofing scenarios
Table C.3 — Meaconing scenarios
Table D.1 — Attacker Technology to estimate User Distance
Table D.2 — Range Estimation Error
Table D.3 — Oscillator summary
Table D.4 — Power Estimation Error due to the environment
European foreword
This document (prEN 16803-3:2019) has been prepared by Technical Committee CEN-CENELEC/TC 5
“SPACE”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN and CENELEC by the European
Commission and the European Free Trade Association.
Introduction
The EN 16803 series of CEN-CENELEC standards deals with the use of GNSS technology in the intelligent
transport domain and addresses more particularly the issue of performance assessment.
As recalled in the generic functional architecture of a road ITS system based on GNSS, two main sub-
systems can be considered: the positioning system (GNSS-based positioning terminal (GBPT) + external
sources of data) and the road ITS application processing the position quantities output by the terminal to
deliver the final service to the user.
Figure 1 — Generic functional architecture of a Positioning-based road ITS system
This EN is the third one of the EN 16803 series.
EN 16803-1 standard proposes a method called “Sensitivity analysis” to assess the adequacy of the
GBPT’s performances to the end-to-end performance of the road ITS system. In addition, this first EN
defines the generic architecture, the generic terms and the basic performance metrics for the Positioning
quantities.
EN 16803-2 proposes a test methodology based on the replay in the lab of real data sets recorded during
field tests, assuming no security attack during the test.
This standard, EN 16803-3, proposes a complement to this Record & Replay (R&R) test methodology to
assess the performance degradation when the GNSS signal-in-space (SIS) is affected by intentional or
unintentional radio-frequency (RF) perturbations. The sections below stress the importance of this
assessment in the context of the security threats.
The number of applications in road Intelligent Transport Systems (ITS) relying on Global Navigation
Satellite System (GNSS) technologies has shown an impressive growth in recent years. At the same time,
as many of those applications can be considered safety-critical or liability-critical, the need to increase
the robustness and the security of the GNSS-Based Positioning Terminal (GBPT) is becoming a critical
point. Civil GNSS signals and receivers are known to be vulnerable not only to natural impairments (e.g.
atmospheric effects, presence of multipath and obstacles) or unintentional interference, but also to
attacks of intentional nature. For instance, in the case of road ITS, it is widely discussed how users hoping
to perpetrate fraud on road tolling applications might attack an on-board GNSS receiver in order to elude
a payment. In this scenario, the malicious user can try to disrupt the receiver functionalities (typically
through jamming), making it either unable to compute a Position, Velocity, and Time (PVT) information,
or even forcing it to output counterfeit PVT data (e.g. through spoofing attacks). While in past years these
types of GNSS attacks were considered as feasible but requiring significant technical means, it is not the
case today considering that illegal jammers are available on the market for just a few euros and basic
spoofing attacks can be carried out at relatively low cost.
GNSS positioning threats have intensely interested the research community and the industry over the
last decade, motivating the increasing awareness on the GNSS vulnerabilities and the development of
suitable countermeasures. For instance, the reader can refer to the following recent publications, see
Bibliography [5] [6] [7] [8] [9] [10].
In this context, device manufacturers have started to implement new technologies to make their
positioning modules robust against GNSS attacks. In addition, major advances have been made in the GNSS
security aspects in Europe, especially those related to the development of new GNSS capabilities for the
Galileo system (i.e. civil authentication services provided by means of cryptographically protected
signals, see Bibliography [12] [13] [14] [15]).
These trends motivate a standardization effort in order to identify, harmonize, and properly define GNSS
attack scenarios and test procedures. In this sense, a first important step is to define a common
categorization of relevant GNSS attacks.
For this reason, Annex A of this standard aims to provide a high-level categorization of GNSS attacks (A.1)
and a brief description of possible attack models in each category (A.2). It is important to read carefully
Annex A to understand correctly the meaning of this document. It is informative in the sense that it
provides informative material related to the attack scenarios that shall be used in a R&R process for
security tests, compatible with the quality required for high-level standards. In fact, a wide number of
possible attacks have been proposed in past years and new threats continue to emerge, not just based on
controlled simulations done by GNSS security experts and researchers in their laboratories, but also with
an impressive number of reported real world accidents (e.g., see Bibliography [16] and [17]).
1 Scope
This document shall be considered as a complementary standard to EN 16803-2 that is intended for the
assessment of the performances of a GBPT placed in real-life or simulated road environments. This
document is instead specifically targeting security attacks such as interferences, jamming, meaconing or
spoofing. This document cannot be applied independently from EN 16803-2 that describes in detail the
general methodology of the assessment procedure.
This document provides normative information necessary to replay in the lab standardized scenarios
specifically dedicated to security tests applied to GNSS.
Depending on the case (jamming or spoofing), these scenarios are composed of data sets combining
either real life recorded SIS and jamming signals or simulated SIS and spoofing signals. The reason for
that will be explained in Clause 6.
Although a high-level categorization of GNSS attacks is given in Annex A, a comprehensive and detailed
categorization of possible GNSS attacks is out of the scope of this document.
It is not the aim of this EN to standardize the record procedure nor to define the specific requirements
for the generation of the attack scenarios. The record procedure itself and its quality framework for
accredited GNSS-specialized laboratories (Lab-A), with the detailed definition of standardized attack
scenarios, will be totally and precisely described in EN 16803-4 (under preparation). The list of attack
scenarios will have to be regularly updated considering the evolution of GNSS technologies, emerging
threats, and countermeasures.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 16803-1, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) — Part
1: Definitions and system engineering procedures for the establishment and assessment of performances
prEN 16803-2:2018, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS)
— Part 2: Assessment field tests for basic performances of GNSS-based positioning terminals
3 Terms and definitions
3.1 Definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
Relevant definitions are extracted from ETSI TS 103 246-3, ISO/IEC 27001 and the ISO Online browsing
platform (https://www.iso.org/obp/ui/#search).
3.1.1
electromagnetic interference
any source of RF transmission that is within the frequency band used by a communication link, and that
degrades the performance of this link
[SOURCE: ETSI TS 103 246-3]
3.1.2
jamming
deliberate transmission of interference to disrupt processing of wanted signals (which in this case are
GNSS or telecommunications signals)
Note 1 to entry: Jamming is a particular case of electromagnetic interference.
[SOURCE: ETSI TS 103 246-3]
3.1.3
spoof/spoofing
transmission of signals intended to deceive location processing into reporting false location target data
[SOURCE: ETSI TS 103 246-3]
3.1.4
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
[SOURCE: ISO/IEC 27001]
3.1.5
vulnerability
weakness of an asset or control that can be exploited by one or more threats
[SOURCE: ISO/IEC 27001]
3.1.6
GBPT
GNSS Based Positioning Terminal. Term used to define the component that basically outputs PVT
3.1.7
DUT
Device Under Test
term used to define a device that is assessed
Note 1 to entry: In the context of EN 16803-2, DUT refers
...