Interview: Ernest Wong, DHS S&T
An interview with Ernest Wong, the Position, Navigation, and Timing (PNT) Technical Lead at the Department of Homeland Security Science and Technology Directorate.
- Viewing PNT as a Cybersecurity Issue
- The PNT Conformance Framework
- How Zero Trust Architecture principles apply to PNT
The resources Ernest mentions on this episode are available at: https://www.dhs.gov/science-and-technology/pnt-program
You can start, if you can, by introducing yourself and how you describe what you do.
All right. So I’m Ernest Wong. I am the PNT technical lead at the Department of Homeland Security Science and Technology Directorate, otherwise known as DHS S&T. So in my role, I provide strategic direction for the PNT activities that we do at S&T and also provide technical policy advice to DHS leadership on issues relating to PNT cybersecurity, as well as good infrastructure resilience to PNT vulnerabilities.
All right. So the reason I wanted to have you on is the context of this episode is really around the public’s understanding of PNT. And when you zoom out a little bit beyond, frankly, just our customer base, I find there isn’t a ton of awareness that these technologies were grouped like this. And what I’ve loved about your approach is you use the familiar. So you made an analogy in a webinar last year on treating the GPS receiver as an open port. And that struck a chord with me because I think it’s helpful in guiding IT-minded individuals in navigating PNT as a cybersecurity problem. So I’d like to know your assessment on the state of awareness of PNT in the private sector and where do you think we need to improve.
Yeah, that’s a really good question. And, we don’t have perfect information here. But I think over the number of years, probably since we started this program at S&T and around 2015, we’ve made a pretty big effort to conduct public outreach to raise awareness of this issue. I’ve worked with industry vendors, owners and operators, where applicable. And I think certainly on the manufacturer’s side, the awareness is definitely… it’s way different than five years ago, say. And now we see various companies like Orolia and others in the field offering these resilient PNT systems. So on that end, when it comes to the solution providers, I think the awareness is really there.
I think where we probably still need more work is on the owner and operator end, in terms of the communication sector, the electric grid, those areas. I think the awareness of the problem is probably inconsistent. It depends on who you talk to, right? There are some people that are really plugged into this, and then there are others that are aware. Like, “Yeah, we use GPS, but it’s in the closet somewhere in our facility, don’t really look at it.” And that’s the extent of their awareness. So I think there’s definitely some work there to be done. But on the whole, it’s certainly very different from when we started this effort.
Yeah. And I think you’ve certainly done more than your part in DHS on disseminating things like the Conformance Framework. And I saw you’ve got some great resources in the PNT Integrity Library, the Epsilon Algorithm Suite. Do you have a sense of how industry has received those? What’s some of the feedback you’ve gotten?
Yeah. So when it comes to best practices, the PNT or the GPS best practices document, we do see, for instance, equipment developers actually looking at that guidance and trying to develop equipment with that, with those best practices in mind. So this was even before we had published a Conformance Framework. And then after the Conformance Framework was published, we did see various, again, solution providers touting that they met certain requirements in the Conformance Framework. So there’s uptake, I think, on the solution provider end. We also have these various open source algorithms. Those are hard to gauge in terms of who’s actually downloading them; we can’t really see. It’s a privacy issue, so we don’t really know who’s looking at those and forking them. But people are looking at them. Maybe some of these are academic endeavors, where they’re forking it to do their own development for research, not quite clear.
But again, I think the trend is on the technology provider side. There’s definitely uptake on the owner and operator side. I think it varies when… I’ve heard various stories in terms of when they face a problem, say in an urban area, urban canyon, where GPS is not really doing so well for wherever they have their application, they may be looking to improve that through various ways. So I think it’s more of a, if the owner operator is experiencing problem or has been made aware of the problem, then they go seek out potential solutions.
So it’s still, I think, something that we could as an industry we could probably still improve upon in terms of raising that awareness across the board.
Yeah. And I know I, personally, with our products, I feel a sense of urgency there to get that message out because it seems that the stakes are getting higher, the number of potential threats and potential vectors for attack get higher, the more open ports, I would say. And yet I don’t see a similar trend in taking best practices as seriously as some industry should. I know the Conformance Framework was developed as private-public partnership. You had a lot of good contributors in that mix. Can you speak to some of the challenges you had in developing that framework? I imagine it was a pretty unique experience professionally to develop something on that scale. What were some of the big decision points or big challenges that you had through the process?
Yeah. One of the big differences in this sort of effort where you’re working with industry and you’re trying to get industry buy-in is that you may have a plan at the beginning and through. We had changed some of our focus areas, for instance, as we’re going through this to include not just GPS, but also other PNT sources. So we had to make it source-agnostic. And it was a good change. So I think this is one of the benefits of having… just like with open source development, if we go back to cyber, for example, right? Open source development benefits from this larger community of ideas. So when we do this on the PNT side of things, the Conformance Framework, it’s a very similar thing where we have more people providing input. We get more good ideas. Of course the challenge is when you get more ideas, they don’t all work together. Right? Some of them clash, some things might be really good ideas but they just don’t fit within the scope of what we’re trying to do within a certain timeframe.
So those are definitely some of the challenges and trade-offs in this sort of effort. And I think that’s certainly going to continue as this effort continues on IEEE under P1952. You’re going to see more of that, I believe, just because now the group is even bigger, right. I don’t mean this in a disparaging way, but there’s a lot of cooks in the kitchen. Right. You have a lot of opinions and stakeholders and interested parties. And that’s all great, right, because it’s good to see so many people interested in this. But it does make it challenging to come to a consensus. And that’s, I think, the biggest challenge in these sorts of group activities where you have a lot of players involved, with stakeholders involved.
I imagine a lot of the ideas that get pitched, you have to run through the lens of, like you said, is this solution agnostic? I think one of the other principles there in the Conformance Framework was outcome-based. It’s got to be a tough vetting process to stick to those principles throughout.
Yeah. And this is actually one of the biggest, I think, limitations of the Conformance Framework is the fact that it’s very much an outcome-based, non-prescriptive framework. So when people think about, oftentimes… it’s not just PNT, but oftentimes across the board, when people are thinking of how to solve a problem, they’re starting from what they already know in terms of, I know how to build this. Right. And that’s the mentality that we would have, and I’d be the same way in terms of how do I build a resilient PNT receiver? Well, I have some ideas about that and that’s what the reference architecture is for. But when we’re talking about the Conformance Framework where we’re trying to provide language and definitions that are not going to constrain any innovative ideas that no one’s actually thought of yet, that is a real challenge.
And I think that’s also part of the struggle in terms of when you look at the Conformance Framework and the language, it’s broad intentionally because we’re trying to make sure that there’s room for innovation. But then there’s the challenge of, okay, how do we tie this expected behavior into what we know right now, like the existing product lines, of how people typically build resilient receivers. And that’s why we have this follow-on product called the Resilient PNT Reference Architecture that gets at that because the Conformance Framework, it’s a little more broad, perhaps you could say abstract, that the reference architecture provides some more concrete implementation examples. So that it can get more clearly at the intent behind some of the definitions and the Conformance Framework and clarify things like detection capabilities. Yes. That’s something we’d probably expect in most resilient receivers.
We just don’t explicitly call it out in the Conformance Framework because who knows, maybe there’s some innovative way to be resilient and mitigate these threats without needing to actually determine that there’s something there. I think there probably is. Right. But that’s also not really the way that we would expect to build a device right now. So that’s what the reference architecture tries to address. But then the second part of the reference architecture is introducing these broader cybersecurity concepts and looking at how do we actually incorporate these into PNT resilience, things like zero trust architectures, defense in depth, attack surfaces, all these good things that come from a very mature body of security work and looking at how they can apply to PNT.
Coming back to it, I think that’s a very helpful lens to frame it in because I don’t think, as you mentioned earlier, a lot of IT professionals, if they’ve served their whole life there, they may know that they have a timing server, but they’ve never taken care to harden it or anything. Do you find it a challenge? Because PNT still sort of sits separately from cybersecurity everywhere I see, even in industry publications. Your TechCrunches, anybody covering the cybersecurity industry is almost never talking about PNT. So there is still an awareness that I know we’re trying to do internally to hitch PNT to that conversation because the people who have to implement it are usually in IT working in data centers. I don’t know if we have a question here. But how do we do better there? How do we broaden the awareness of it as a cybersecurity problem and frame it that way? Some of your analogies are helpful, but what’s the next level to this? And maybe it’s the reference architecture. Maybe you answered it.
So I think the reference architecture can certainly help with making those connections to cybersecurity, but as far as getting PNT added to cybersecurity checklists, for example, the feasibility of that, the effectiveness of that, I think that, at least to me, is a bit unclear. Because there is already a lot on those checklists already, so whether we think that will help get PNT the attention we think it would need, I don’t know. But there is certainly value in helping to translate these PNT threats into language that cybersecurity professionals can understand.
So, for example, you can look at the MITRE ATT&CK framework, and this is a framework that contains a set of tactics and techniques for how cybersecurity attacks are conducted, consistent with an exploit chain. But we can look at the traditional PNT threats through this lens. For example, jamming, measurement spoofing, and data spoofing. They would fall under some of these tactics and techniques under the impact category on the ATT&CK framework.
So jamming would be a denial of service technique. Measurement spoofing would be a manipulation technique. And data spoofing could be multiple, depending on how it’s done, because it’s data.
So helping to translate these PNT issues into cybersecurity technology that cybersecurity professionals would understand, I think that would help with at least getting these issues on their radar.
I’ll go on to a concept you mentioned earlier, zero trust architecture, and I know you’re expanding on that idea recently. Can you say a little bit more about how the ZTA principles map to PNT?
Yeah. This is my favorite topic when it comes to the reference architecture. So the Resilient PNT Reference Architecture, there’s a lot of things in there. There are various resilient concepts that are defined, and then there are also different categories of resilience, resilient techniques. And not going to go through all of them, because it takes a long time. But the zero trust architecture portion of it underlines a lot of it because it has to do with how we look at trust in designing our systems.
So the first question is what is zero trust architectures? Right. That’s probably the most important question. And at least in the past, I think it meant different things to different people. And more recently it’s become a pretty big buzzword because of the executive order that was issued last year. And if you were to say Google zero trust architectures, what you’ll probably see very frequently is mention of access controls. And some people may think, “Oh, so zero trust architectures is all about implementing access controls.” Right? And that’s one way to implement it. It’s not the only way. And even if you implement access controls, that’s not sufficient.
So I think it gets back to the real question of what are we trying to achieve with zero trust architectures. And I think the heart of zero trust architectures is really based on two things. The first is that you’re making the assumption that not only will your systems be attacked, but that those attacks aren’t going to penetrate your defenses and compromise components of your network, let’s say, for cyber, or of your system, a PNT system. So that’s the first part. The attacks won’t make it through.
And the second portion of it is looking at, okay, now that we are basing this on the assumption that attacks are going to actually enter our system, we have to make sure that we can contain the impacts of those attacks, so that we can continue to function normally. And when we look at how does this apply to PNT, it really goes around two things. One is heavy emphasis on verification, and the second is component isolation. And I think above both of these concepts, there’s a big concept of trust, right? So I think we spoke about open ports earlier in the attack surfaces.
So there’s a really good diagram in the Reference Architecture document that people can look at when it’s published that has a diagram showing the core of your system, that’s your trusted core. And then you also have your untrusted edge. And you want to think of where your components lie in that trust diagram, if you will. Because the PNT sources, whether it’s GPS, Galileo, GLONASS, PTP, whichever, those are all things that rely on input from the external world in order to produce a PNT solution. And those inputs from the external world are also how attacks get into your system. So that’s what defines them as attack surfaces, so they are your untrusted edge. They belong at the edge of your device, where you do not trust and that’s where they need to stay.
And then you have other components like your holdover clock and the timing system, for example, that should be in your trusted core, that you have to protect very carefully and you want to really control what sort of inputs affect your, say, holdover clock. And as you go through this process, when information goes in from the untrusted edge and deeper into your system, you’re going through the process of verification to make sure you can assess the trustworthiness of that data. And then you also want to employ, you want to build boundaries, you want to build isolation between your components. So that if something is compromised, you can contain the spread so that it cannot travel either laterally, so say from one PNT source to another, or vertically in terms of getting deeper into your system. That’s how I think we can apply that concept to PNT systems as we look at developing and designing next gen resilient PNT equipment.
That’s great. And I would love to see a world where more companies run the hypothetical of we are going to be penetrated because we don’t really do PNT pen testing anywhere. We do GNSS simulation as far as the receiver’s impact. But like you said, those edge devices are never considered.
Yeah. And you got me thinking about a really good point, which is there’s no such thing as perfect security. So we really shouldn’t try to operate under those constraints, where we try and put up all these different defenses. I mean, it’s good to build them up, but we have to operate under the assumption, like Murphy’s law, that our defenses are going to be defeated. At some point, they’re going to penetrate a certain degree into our system. And we have to learn how to live with that. So that’s what the reference architecture tries to do. And that’s also what zero trust architectures are trying to get at.
I’ll close with just a couple more questions here. Are there any resources from DHS or NIST that you would like the public to use more? Or you wish you had more awareness? And then is there anything we can do as an industry solution partner to help advance the message more than we’re doing?
So we spoke about… the thing is that I think people know in this industry anyway, pretty well are the best practices document and the Conformance Framework. Perhaps what’s less known is something that we had released last year, there were two sets of anti-spoof detection, algorithms or suites. One is called the PNT Integrity Library. And the other one is called the Epsilon Algorithms. They both have a particular use case in terms of the PNT Integrity Library is for more of an integrated end-to-end detection suite. So it’s a little more involved to integrate. Whereas the Epsilon algorithms are a little more straightforward, they just take the PNT outputs and it’s just easier to add on.
So the reason I bring that up is that there are various companies that are definitely out on the edge in terms of looking at resilient PNT systems, but we also want to lift the whole entire playing field up a level in terms of resilience, right? So that’s the role of these open source algorithms that we’ve released, so that maybe there are companies out there that are really building some sort of middleware type device and they’re not these experts in PNT and PNT resilience and don’t have the resources to dedicate to build that in. Well, here’s an easy resource, where you can look at these open source repositories and use the code and institute some basic verification algorithms for your product. Then that’ll be something that can add a bit more security and overall help make the whole entire playing field more resilient. And that can be found on gps.gov in the lower right hand corner where there’s a Responsible Use of PNT page. So that’s our resilience repository, and there you’ll find links to all the different resources, including these algorithms.
We will also be looking to publish the Reference Architecture document by the end of May, early June. It’s going through our public release process right now. So people can expect that pretty soon. And then I guess the last thing also, based on the Infrastructure Bill, we do have some additional activities going on for PNT coming up. And we are also looking for additional staff, so we’ve put out some advertisements for IPA positions. And I believe those will also be mentioned at tomorrow’s PNT advisory board meeting. So if people are interested, I would suggest that they take a look at that and encourage them to apply.
Thank you, Ernest. I really appreciate the time.
Thanks, Erik. It’s been a pleasure.