Blog Editor’s Note: A fairly comprehensive article focusing on commercial users. One item we had not seen before – a mention that some companies may look to business-interruption insurance to cover their losses from GPS disruptions, but generally it is not covered.
CISOs take notice as GPS vulnerabilities raise alarms
GPS has been extraordinarily reliable, but there’s a growing chorus of experts who say it’s time to assess GPS security and consider protective strategies.
A collection of orbiting satellites used to triangulate location, the U.S. global positioning system is best known for its ability to locate things on or above the Earth’s surface. Whether it’s a mapping application, a truck fleet monitoring system or a family car, use of GPS services has become ubiquitous and indispensable.
GPS also serves as the de facto world clock, transmitting accurate time everywhere. The precision timing powers and coordinates communication networks and electrical grids; GPS timestamps drive financial transactions determining, for example, which “buy” order was first.
But GPS vulnerabilities and the growing reliance on this technology have raised security concerns. U.S. prosecutors charged three Chinese nationals in November with hacking and attempted theft of trade secrets from Moody’s Analytics, Siemens AG and Trimble, which is developing a new global navigation satellite system.
Mother Nature (solar flares) or bad actors with free online tools or inexpensive equipment can jam or alter local GPS reception. Hostile states could potentially shutdown all or part of the GPS system. And where backups once existed — atomic clocks for timing and long range navigation (Loran) — secondary systems are becoming rare, a victim of cost cutting.
“GPS is increasingly a core service for all of our networked systems, some would argue for our entire society, and it is still far too exposed,” said Nathaniel Gleicher, head of cybersecurity strategy at Illumio, a cloud security company in Sunnyvale, Calif., and the former director of cybersecurity policy for the National Security Council.
For security decision-makers, GPS vulnerabilities present a dangerous problem. Time signal interruption could cause business systems to fail or become unmanageable. Financial transactions could snarl or simply not occur. Not to mention the possibility that electrical grids and communications systems could shut down.
CenturyLink, based in Monroe, La., is a critical infrastructure provider with more than 40,000 employees and 600,000 miles of internet backbone. The global communications and IT services provider is not focused on GPS security “though we are broadly aware of the issues,” CSO David Mahon said. Like many security decision-makers, Mahon is more concerned about common problems like denial of service and ransomware issues.