The National Institute of Standards and Technology (NIST) is pleased to announce the release of Draft NISTIR 8323, Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services.
Taking another step toward strengthening the nation’s critical infrastructure, NIST drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. These cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.
The PNT profile will join the growing list of profiles created to help apply the NIST Cybersecurity Framework to particular economic sectors, such as manufacturing, the power grid and maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.
The PNT cybersecurity profile is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. The order notes that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.”
NIST has developed this PNT cybersecurity profile to help organizations identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services. This profile will help organizations make deliberate, risk-informed decisions on their use of PNT services.
NIST is seeking comments on the draft PNT cybersecurity profile. Comments must be received no later than November 23, 2020. All relevant comments will be posted publicly.
We encourage you to organize and submit your comments using our comment template. Email comments to: firstname.lastname@example.org.
This request for review presents several topics for which NIST is requesting federal agency and industry review and comment for potential changes or additions to the current text. Reviewers may respond to any of these topic areas as they choose. There is no requirement to include any of the topic areas in submitted comments.
NIST is particularly interested in comments and recommendations on the following topics:
- Gaps in existing standards, guidelines and practices associated with the responsible use of PNT services.
- Additional guidance on the application of the Cybersecurity Framework that can be provided as examples in the Appendix.
- The degree to which the Cybersecurity Framework functions, categories, and subcategories adequately address the broad scope of cybersecurity concerns regarding the responsible use of PNT services.
- Additional informative references such as standards and guidance documents that can be implemented into the core.
- Whether the controls and informative references are adequate and appropriate.
The Executive Order also delegates to the Department of Commerce the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable. The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services.
The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data.
OPNT has extended the initial fiber link to Atlanta, Georgia, about 800 kilometers from McLean. Preliminary data suggest that this link will be able to support the requirements of the Executive Order. NIST and OPNT have also begun a study of a West Coast link that will provide similar fiber-based time service to San Jose, California, and other locations in Silicon Valley from the NIST time scale in Boulder, Colorado.
Any extensive disruption to GPS signals would be highly disruptive to critical infrastructure in the United States, as would the sort of spoofing and manipulation of timing data that the PNT profile is designed to mitigate. As technologies that depend on trustworthy location and timing data grow more commonplace — such as interconnected Internet of Things devices and automated transportation — identifying and protecting these systems and data from cyber threats will only grow in importance.
“The ultimate goals are to identify systems that use PNT data and to detect disturbances to it,” said NIST official Jim McCarthy. “Doing so can help mitigate the risk of misuse of PNT data affecting our critical infrastructure, public health and national security.”