NIST releases voluntary PNT Profile to mitigate potential impacts of disruption or manipulation


The U.S. National Institute of Standards and Technology (NIST) released on Tuesday a voluntary PNT Profile created by using the NIST Cybersecurity Framework, which can be used as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT (Positioning, Navigation, and Timing) services. The PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, or unintentional.

NIST, part of the U.S. Department of Commerce, produced this voluntary PNT Profile in response to Section 4(a), Implementation, of Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing (PNT) Services, which was issued on Feb. 12, 2020.

The executive action directed the Department of Commerce to develop a PNT Profile that will address the four components of responsible use of PNT, including identifying systems that use or form PNT data, recognizing PNT data sources, detecting disruption and manipulation of the systems that form or use PNT services and data, and managing risk regarding the responsible use of these systems. The order also calls for updates to the profile every two years or on an as-needed basis.

PNT services have been defined as ‘any system, network, or capability that provides a reference to calculate or augment the calculation of longitude, latitude, altitude, or transmission of time or frequency data, or any combination thereof.’ PNT service providers include government systems, such as the Global Positioning System (GPS) and public NIST Network Time Protocol (NTP) servers, commercial services, and internal systems. The PNT Profile’s scope does not include source PNT signal generators and providers, such as a global navigation satellite system (GNSS) control segment or space segment.

Based on NIST’s interaction with public and private sector stakeholders and their efforts to create ‘sector-specific’ profiles, NIST decided to create Revision 1. “No substantive changes were made to the original Foundational PNT Profile; NIST only sought comments on the changes made in this revision. Among the most noteworthy is the addition of five new Cybersecurity Framework (CSF) subcategories and the addition of two appendices: Appendix D, Applying the PNT Profile to Cybersecurity Risk Management, and Appendix E, Organization Specific PNT Profiles.”

PNT services interface with PNT systems and components operated by an organization to produce PNT data, which can take the form of position, navigation, or timing information. Responsible use of PNT services requires the stakeholder to identify the dependencies of PNT data (within their components, sub-systems, and systems), evaluate the impact should the disruption or manipulation of PNT data be realized, and manage the residual risk. 

The PNT Profile defines the responsible use of PNT services as it relates to critical infrastructure and national and economic security. In this case, responsible use by organizations includes the incorporation of risk-informed management of PNT services, risk-based approaches that minimize the potential effects of the disruption or manipulation of PNT services and data, and deliberate planning and action regarding the secure management of PNT services.

The PNT Profile supports and is informed by cybersecurity risk management processes. Using the PNT Profile, organizations can make more informed decisions, based on business needs and risk assessments, to select and prioritize cybersecurity activities and expenditures that help identify systems dependent on PNT, identify appropriate PNT sources, detect disturbances and manipulation of PNT services, manage the risk to these systems, and promote resiliency.

The PNT Profile provides a flexible approach for users of PNT to manage risks when forming and using PNT signals and data regardless of the source of the risk, including natural events, malicious actions, and human activities that have unintended consequences. It also provides a starting point from which organizations can customize their approach to managing risk to their PNT services and data. A customized approach provides the most appropriate measures, processes, and prioritization of resources for the reliable and efficient functioning of critical infrastructure applications. 

In the context of the PNT Profile, a ‘cybersecurity event’ refers to a potential for the disruption or manipulation of PNT services. Mapped to the NIST Cybersecurity Framework Core, the ‘Identify’ function calls for developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify function are foundational to the effective use of the NIST CSF, enabling an organization to focus and prioritize its efforts in a manner consistent with its risk management strategy and business needs.

On the ‘Protect’ axis, the profile calls for developing and implementing the appropriate safeguards to ensure the delivery of critical infrastructure services. The activities in the Protect function support the ability to limit or contain the impact of a potential PNT cybersecurity event. For the ‘Detect’ function, the PNT Profile calls for developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event. The activities in the Detect function enable the timely discovery of PNT cybersecurity events.

For the ‘Respond’ function, the PNT Profile calls for developing and implementing the appropriate activities to take action regarding a detected cybersecurity event. The activities in the Respond function support the ability to contain the impact of a potential PNT cybersecurity event. On the ‘Recover’ component, the profile calls for developing and implementing appropriate activities to maintain resiliency and restore any capabilities or services that were impaired due to a cybersecurity event. The activities in the Recover function support timely recovery to normal operations to reduce the impact of a PNT cybersecurity event. When considered together, these functions provide a high-level, strategic view of the life cycle of an organization’s management of PNT cybersecurity risk.

The PNT Profile can be used to augment an organization’s pre-existing risk management program. The Profile further tailors its guidance in the context of a few notional fault scenarios to illustrate how it can be applied to assess and manage PNT-related risks when PNT data or services are lost or degraded. Organizations using PNT data have the responsibility for mitigating temporary PNT disruptions. An effective PNT risk management strategy provides a dynamic and flexible approach to control risks in evolving environments.
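The Detect and Respond functions described above, and the notional loss-or-degradation scenarios the Profile uses, can be made concrete with a small cross-check between PNT sources. The following Python is an added example written for this article, not code from NIST or the PNT Profile. It assumes a system that reads UTC time from a GNSS receiver, has an independent NTP reference, and keeps a local oscillator as a holdover clock; the thresholds, the three anomaly classes, and the sample readings are all constructed for illustration. It distinguishes a disruption (the GNSS source simply goes away) from suspected manipulation (GNSS time is present but disagrees with the independent reference, jumps relative to the holdover clock, or drifts faster than the oscillator plausibly could), and for each reading names the source the system should trust, which is the Respond step.

```python
"""Cross-source plausibility check for PNT timing data (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds are assumptions chosen for illustration, not values from the PNT Profile.
MAX_SOURCE_DISAGREEMENT_S = 0.5   # GNSS vs NTP disagreement considered suspicious
MAX_STEP_S = 1.0                  # sudden jump of GNSS time against the holdover clock
MAX_DRIFT_PPM = 50.0              # rate of change against the holdover clock


@dataclass
class Sample:
    t_local: float            # seconds from the local oscillator (holdover reference)
    t_gnss: Optional[float]   # UTC seconds from the GNSS receiver; None when there is no fix
    t_ntp: Optional[float]    # UTC seconds from an independent NTP server; None if unreachable


@dataclass
class Verdict:
    index: int
    status: str               # "OK", "DISRUPTION" or "MANIPULATION_SUSPECTED"
    reasons: List[str] = field(default_factory=list)
    selected: str = "gnss"    # which time source the system should use right now


def _fallback(s: Sample) -> str:
    """Respond step: prefer the independent reference, else ride on the holdover clock."""
    return "ntp" if s.t_ntp is not None else "holdover"


def evaluate(samples: List[Sample]) -> List[Verdict]:
    verdicts: List[Verdict] = []
    last_trusted: Optional[Sample] = None   # last sample whose GNSS time was judged OK
    latched = False                          # GNSS stays untrusted until NTP re-confirms it
    for i, s in enumerate(samples):
        if s.t_gnss is None:
            # Loss of signal is a disruption, not evidence of manipulation.
            verdicts.append(Verdict(i, "DISRUPTION", ["gnss: no fix"], _fallback(s)))
            continue
        reasons: List[str] = []
        agrees_with_ntp = (s.t_ntp is not None
                           and abs(s.t_gnss - s.t_ntp) <= MAX_SOURCE_DISAGREEMENT_S)
        if latched and agrees_with_ntp:
            latched = False   # independent source confirms GNSS again
        if latched:
            reasons.append("gnss: untrusted since last anomaly, awaiting independent confirmation")
        else:
            if s.t_ntp is not None and not agrees_with_ntp:
                reasons.append(f"gnss/ntp disagree by {s.t_gnss - s.t_ntp:+.3f} s")
            if last_trusted is not None:
                # Compare against the holdover clock advanced from the last trusted reading.
                elapsed = s.t_local - last_trusted.t_local
                step = s.t_gnss - (last_trusted.t_gnss + elapsed)
                if abs(step) > MAX_STEP_S:
                    reasons.append(f"gnss: step of {step:+.3f} s against holdover clock")
                elif elapsed > 0 and abs(step / elapsed) * 1e6 > MAX_DRIFT_PPM:
                    reasons.append(f"gnss: drift of {step / elapsed * 1e6:.0f} ppm "
                                   "against holdover clock")
        if reasons:
            latched = True
            verdicts.append(Verdict(i, "MANIPULATION_SUSPECTED", reasons, _fallback(s)))
        else:
            last_trusted = s
            verdicts.append(Verdict(i, "OK", [], "gnss"))
    return verdicts


# Constructed readings, one per second of local time. NTP is deliberately ~10 ms off GNSS,
# which is a normal network offset and must not trip the check.
_BASE = 1_700_000_000.0
SAMPLES = [
    Sample(0.0, _BASE + 0.0, _BASE + 0.01),      # nominal
    Sample(1.0, _BASE + 1.0, _BASE + 1.01),      # nominal
    Sample(2.0, None, _BASE + 2.01),             # GNSS fix lost: disruption, use NTP
    Sample(3.0, _BASE + 3.0, _BASE + 3.01),      # fix returns and matches holdover: OK
    Sample(4.0, _BASE + 6.0, _BASE + 4.01),      # GNSS jumps +2 s: step and NTP disagreement
    Sample(5.0, _BASE + 7.0, None),              # still wrong, NTP unreachable: holdover only
    Sample(6.0, _BASE + 6.0, _BASE + 6.01),      # GNSS agrees with NTP again: OK
    Sample(7.0, _BASE + 7.0003, _BASE + 7.01),   # slow pull-off of 300 ppm: only drift sees it
]


def status_sequence(samples: List[Sample] = SAMPLES) -> List[str]:
    return [v.status for v in evaluate(samples)]


def selected_sequence(samples: List[Sample] = SAMPLES) -> List[str]:
    return [v.selected for v in evaluate(samples)]


if __name__ == "__main__":
    for v in evaluate(SAMPLES):
        print(f"#{v.index} {v.status:<23} use={v.selected:<8} {'; '.join(v.reasons)}")
```

The last reading shows why the drift check exists alongside the step and disagreement checks: a 0.3 ms error is far inside the NTP tolerance and is no step at all, and only its rate against the holdover oscillator makes it visible. The latch matters for the same reason; once GNSS has been judged wrong, a later reading that is merely self-consistent with the previous wrong one should not earn back trust until an independent source agrees with it.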

Organizations are encouraged to apply the PNT Profile with their risk management approach from concept to acquisitions to acceptance, integration, and deployment to operations and maintenance. Leveraging the organization’s existing risk management program enables a system-level shared context. Furthermore, setting priorities for privacy and security risk management affords additional assurance from component to system implementation.

Additionally, organizations improve operational reliability and effectiveness throughout a PNT system’s lifecycle by continuously monitoring risks and assessing risk mitigation strategies. That includes tracking new techniques and technologies that improve the ability to identify, protect against, detect, respond to, and recover from PNT system attacks; the emergence of exploitable PNT vulnerabilities; methods to mitigate vulnerabilities and their operational impacts; and changes in the operational environment in which the PNT-dependent system is deployed, in order to determine whether the system’s cybersecurity controls need updating.

Creating a custom PNT profile based on the foundational profile is beneficial to an organization, especially if it is part of a critical infrastructure sector. Each custom PNT profile is intended to capture the requirements of an organization’s PNT sources and data and a prioritized set of PNT data security outcomes. The custom PNT profile can also be used to inform the acquisition process for new PNT sources and services when researching and evaluating them.

NIST released a cybersecurity guidance framework for PNT services two years ago. Organizations can increase their resilience through responsible use of PNT services, as the national and economic security of the U.S. depends on the reliable functioning of critical infrastructure. NIST uses the CSF to develop and issue a foundational PNT profile that helps organizations identify systems dependent on PNT along with appropriate PNT sources, detect disturbances and manipulation of PNT services, and manage the risk to these systems.
