The National Institute of Standards and Technology (NIST) released a cybersecurity guidance framework for positioning, navigation and timing (PNT) services. Organizations can increase their resilience through responsible use of PNT services, as the national and economic security of the U.S. is dependent on the reliable functioning of critical infrastructure, NIST said.
The agency is a part of the U.S. Department of Commerce that advances measurement science, standards and technology. Covering critical infrastructure protection for various sectors, including utilities, transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, manufacturers, and emergency services, the NIST framework has been designed to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.
PNT is necessary for the functioning of the nation’s critical infrastructure. Whether for civil, commercial or military use, nearly all sectors rely on accurate PNT information to provide services, according to CISA. However, the ubiquitous use of the Global Positioning System (GPS) as the primary source of PNT information makes these sectors vulnerable to adversaries seeking to cause harm by disrupting or manipulating the GPS signal. When PNT is used in combination with map data and other information like weather or traffic data, the result is GPS, the modern navigation system.
PNT services have become an invisible, but essential, utility for many critical infrastructure operations. Disruption of, or interference with, these systems has adverse effects on individuals, businesses, and the nation’s economic and national security. The existence and nature of threats to PNT services are known, with governments and organizations recognizing the need for resilient PNT equipment, which is capable of withstanding and recovering from such threats.
Responsible use of PNT services includes the deliberate, risk-informed use of PNT services, including their acquisition, integration and deployment, such that disruption or manipulation of PNT services minimally affects national security, the economy, public health, and the critical functions of the federal government.
Public and private sector entities that rely on PNT services can include owners/operators of the electrical power grid and communication infrastructure, in addition to businesses in the transportation, agriculture, weather and emergency response sectors.
The Cybersecurity Framework (CSF) provides prioritized, flexible, risk-based, and voluntary guidance, based on existing standards, guidelines and practices, to help organizations better understand, manage and communicate cybersecurity risks. The CSF is organized by five high-level functions of Identify, Protect, Detect, Respond, and Recover. These functions provide the basis to develop guidance on cybersecurity risk management as applied to PNT services.
NIST uses the CSF to develop and issue a foundational PNT profile to help organizations identify systems dependent on PNT along with appropriate PNT sources, detect disturbances and manipulation of PNT services, and manage the risk to these systems.
NIST’s Jim McCarthy, one of the profile’s authors, said that although the profile was now finalized, NIST would continue to look for ways to keep it current. “In accordance with the Executive Order, we plan to revisit the profile every two years or as needed,” he said. “We intend to make sure it remains useful.” The framework complements federal activities required under Executive Order 13905, “Strengthening National Resilience through Responsible Use of PNT Services,” signed this month.
CISA, through the National Risk Management Center (NRMC), works with government and industry partners to strengthen the security and resiliency of the national PNT ecosystem from the risks of both intentional and unintentional threats.
The PNT profile describes the responsible uses of PNT, which have been selected for a particular system to address the potential disruption or manipulation of PNT services. It was created by using the NIST cybersecurity framework and can be used as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT services. It is also intended to be broadly applicable and can serve as a foundation for the development of sector-specific guidance.
The PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural or manufactured.