Applying NIST Cybersecurity Framework to positioning, navigation and timing systems
In recognition of how much of the United States economy, public health, military and infrastructure relies on reliable and secure positioning, navigation and timing (PNT) systems, the National Institute of Science and Technology (NIST) created a detailed mapping of their Cybersecurity Framework (CSF) for organizations to use to secure these vital technologies.
NIST’s work, which is guided by the U.S. Department of Commerce, was driven by executive order 13905, “Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing (PNT) Services,” [EO 13905] which was issued on Feb. 12, 2020. That executive order (EO) sought to drive the U.S. government to develop standards and guidelines to:
“protect the national and economic security of the United States from the disruption or manipulation of systems that form or use PNT data and information vital to the functioning of U.S. critical infrastructure and technology-based industries.”
So just how does the NIST CSF map to securing PNT services and how can organizations leverage it?.
Overview of positioning, navigation and timing systems
According to EO 13905, a PNT service is defined as “any system, network or capability that provides a reference to calculate or augment the calculation of longitude, latitude, altitude or transmission of time or frequency data, or any combination thereof.”
More specifically, a PNT is a system that can provide the following services:
- Positioning: the ability to accurately and precisely determine one’s location and orientation.
- Navigation: the ability to determine current and desired position (relative or absolute) and apply corrections to course, orientation and speed to attain a desired position.
- Timing: the ability to acquire and maintain accurate and precise time from a standard (Coordinated Universal Time, or UTC), anywhere in the world.
The resulting service, when combined with map data or mapping tools, such as traffic, weather or flight data, results in what is better known as the Global Positioning System (GPS).
Overview of the NIST CSF PNT Profile
To help organizations understand and apply the NIST CSF to their own GPS tools or their use of them, NIST developed what is called a PNT Profile.
The PNT Profile is “designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks and assets that use PNT services.” When applied to a PNT system, the development of a PNT Profile can help an organization understand the risks to their PNT-related data and related systems, such as if it was modified or made unavailable on purpose or because of unintentional reasons, and then prioritize necessary mitigating controls based on their business objectives.
However, NIST emphasizes that the PNT Profile is “not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services.”
Using the NIST Cybersecurity Framework PNT Profile
Any organization that uses PNT services, even if they do not already have a cybersecurity component or use the NIST CSF, can leverage the PNT Profile.
At a high level, this will help an organization to:
- Identify systems that use or form PNT data
- Identify PNT data sources
- Detect disruption and manipulation of the systems that form or use PNT services and data
- Manage risk regarding responsible use of these systems
These functions are then aligned against the NIST CSF, which is comprised of five high-level functions:
The result is a set of guidance that organizations can apply, at a minimum, to their PNT services.
The identify function provides key elements which should be given strong consideration in this analysis. Consideration of the threat environment and the organization’s purpose, assets and vulnerabilities will have a significant influence on the overall risk.
- Identify the business/operational environment and organization’s purpose
- Identify all assets, including applications dependent on PNT data
- Identify sources and infrastructure that provide PNT information
- Identify the vulnerabilities, threats, and impact should the threat be realized to assess the risk
The protect function includes the development, implementation and verification measures to prevent loss of functionality in the case of PNT disruption or manipulation.
- Protect the systems forming, transmitting and using PNT data to support the needed level of integrity, availability and confidentiality based on application needs
- Protect the deployment and use of PNT services through adherence to cybersecurity principles, including understanding the baseline characteristics and application tolerances of the PNT sources, data and any contextual information, providing sufficient resources, managing the systems development life cycle, as well as deploying needed training, authorizations and access control
- Protect users and applications dependent on PNT data, should a threat be realized, by enabling users and applications to maintain a sufficient level of operations through verified response and recovery plans
- Protect organizations relying on PNT services and data with respect to business and operational needs
The detect function addresses the development and deployment of the appropriate activities to monitor for anomalous events and notify downstream users and applications.
- Enabling detection through monitoring and consistency checking
- Establishing a process for deploying and handling detected anomalies and events
The respond function addresses the development and implementation of the appropriate activities to respond to a detected cybersecurity (and/or anomalous) event. The activities in the respond function support the ability to contain the impacts of a potential cybersecurity or anomalous event.
- Contain PNT events using a verified response procedure
- Communicate to PNT data users, applications and stakeholders the occurrence and impact of the event on PNT data
- Develop processes to respond to and mitigate new known or anticipated threats and/or vulnerabilities
- Evolve response strategies and plans based on lessons learned
The recover function develops and implements the appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity event. The activities in the recover function support timely recovery to normal operations and return the organization to its proper working state after a disruption or manipulation to PNT services has occurred.
- Restore systems dependent upon PNT services to proper working state using a verified recovery procedure
- Communicate to PNT data users, applications and stakeholders the recovery activities and status of the PNT services
- Evolve recovery strategies and plans based on lessons learned
The result of the mapping of the NIST CSF to the objectives of the executive order, using the objectives and guidance above, is a comprehensive table of tools or steps (listed in the second column) that an organization can use to mitigate or understand their PNT risk.
Take the next step in NIST cybersecurity
While not designed to be an end-to-end tool or methodology that an organization can use to fully capture all of their PNT-related risks and develop comprehensive mitigations, the NIST PNT Profile goes a long way toward helping an organization begin to categorize and understand their PNT footprint.
Once they have a better idea of how PNT-related systems and data are used and stored for their business objectives, they can make more informed decisions about how to protect them and how their business can adapt if these are disruptions to them, malicious or not.
Positioning, Navigation and Timing (PNT) & Spectrum Management, U.S. Department of Transportation