CORDIS - EU research results

First Operational, Secured and Trusted galilEo Receiver for ITS

Periodic Reporting for period 2 - FOSTER ITS (First Operational, Secured and Trusted galilEo Receiver for ITS)

Reporting period: 2016-07-01 to 2018-07-31

Increasing trust in positioning and timing (P&T) information is gaining importance, in particular with the advent of connected, self-driving vehicles as well as for applications that rely on GNSS to charge users. The recent evolution of Software Defined Radio (SDR) technologies and the availability of low-cost SDR boards provide easy and affordable ways to counterfeit GNSS signals in real time. Detecting and mitigating GNSS attacks is therefore required to limit and control the impact of forged GNSS information in many applications.

The FP7 TACOT project, supported by EC/GSA and coordinated by FDC, demonstrated in a proof of concept the capacity to use GNSS data as a secure and trustworthy source of Position, Velocity and Time (PVT) information for one of the most stringent ITS applications: a Digital Tachograph. Building on this momentum, FDC, STMicroelectronics, Novacom Services and Navcert started the H2020 FOSTER-ITS project in 2015 with the aim of developing the first secure GNSS module, resilient to jamming and spoofing attempts, with the clear intention to commercialise the solution after the end of the project.
The project activities gave birth to a fully integrated and secure Multi-GNSS module, able to detect GNSS signal spoofing, jamming attempts and interference, protected against cyber-attack and delivering authenticated information to the application. When an inconsistency or anomaly is detected, the application is warned and the module switches to dead reckoning navigation, providing an estimate of the true position. In addition, it provides ciphered or digitally signed output, ensuring the authenticity and integrity of the delivered information.

The module integrates in a single casing a multi-constellation GNSS chipset (TESEO III from STMicroelectronics), a secure MCU (ST33 from STMicroelectronics) and several motion sensors. It offers a set of interfaces, such as CAN bus, to take advantage of external information depending on the application context.

Module key features include:
- GNSS spoofing, jamming/interference detection,
- GNSS anti-replay protection,
- PVT Level of Confidence (LOC) indicator,
- Estimate of true position under attack (dead reckoning support),
- Firmware and hardware integrity control,
- Secure memory for sensitive data,
- Secure firmware upgrade and module configuration,
- Secure NMEA stream data (digitally signed),
- Fully compliant with Smart DT ISO7816-4 protocol.

The development started with the specification, design and development of a breadboard, representative of the final module but freed from the hardware integration constraints. The breadboard was used to test concurrent technologies, validate the module design and easily test and debug the hardware on a large board. It was also used to start firmware development early. 8 breadboards were manufactured in 3 batches, each implementing corrections and/or evolutions according to technology and architecture trade-offs and selection.

Based on the experience gained with the breadboard, the module was specified, designed and developed. 25 module samples were manufactured in 2 generations.

In parallel, a dedicated standalone evaluation board (EVB) was developed. It offers several serial communication interfaces and is designed to ease vehicle field tests. 7 EVBs were manufactured in 2 generations, supporting the first and second module generations respectively.

The specification, design and development of the firmware (FW) and software (SW) progressed in parallel with the hardware. The module FW includes the GNSS part and the Secure part. The GNSS part manages the detection and characterization of attack attempts, the computation of the PVT Level of Confidence (LOC) and the provision of an estimate of the true position under attack. The Secure part manages in particular the boot sequence, FW integrity protection, crypto operations and the interface with the application. In addition, several SW test tools were developed to test the module's performance, covering jamming and spoofing generation, record and replay of GNSS and CAN data, and display of specific module information.

The final development step consisted of merging the validated SW and FW on the module hardware and performing validation and qualification activities. In addition to laboratory tests, a car was equipped with a module and several thousand km of road field tests were performed in France and Italy. The test results were used to validate, calibrate and tune the FW algorithms. The module was also tested in collaboration with the EC JRC EMSL in Ispra in February 2017. All attacks launched on the module were detected, even high grade attacks. In addition, Navcert successfully performed Radio Equipment Directive and UNECE Advanced Emergency Call System Regulation type-approval pre-testing activities.

Last but not least, the module was integrated into a geo-location on-board unit (OBU) adapted to Novacom’s business solutions in order to be tested in the field for:
- transport of critical dangerous goods, a sector increasingly worried about potential threats (terrorism, theft) in which GNSS deception techniques (jamming, spoofing) can be used (French transporter),
- humanitarian missions, often impacted by GNSS jamming events in conflict zones (World Food Programme in Afghanistan).
The preparation of the pilots included user needs and requirements analysis, new system and service specification, solution design, development, test and validation. 4 units were sent for installation in trucks operating in France and Afghanistan. The 4-month pilot operation provided high quality results and confirmed that the tracking service built on the FOSTER module is a robust solution. GNSS attack detection and alerting worked well and positioning was stable even under attack.

Commercial exploitation of the module was carefully prepared: the market potential analysis was consolidated, a thorough industry and competitive analysis was carried out, and the product range and value proposition in the target markets were defined. Finally, the business and exploitation plan was matured and strategic partnerships were carefully defined.

Various activities were carried out to promote the project progress and key results, including the development of a project website, 2 scientific papers for the ITS WC 2005 and ION GNSS 2017 congresses, a flyer and a leaflet, at least 4 videos and the module promotion at the most relevant GNSS, ITS and electronic component trade fairs. Last but not least, a module showcase event was organised during the ITS World Congress 2018 in Copenhagen.

In conclusion, the FOSTER-ITS project gave birth to the first Secure GNSS prototype module, which is resilient to GNSS jamming and spoofing threats and responds to the increased demand for security in the ITS market and beyond. FOSTER module samples and an evaluation kit are available for testing. The module commercialisation is expected from 2019.
The FOSTER-ITS module integrates, for the first time in a single casing, advanced secure MCU technologies, a GNSS chipset and MEMS sensors. It follows state-of-the-art electronic implementation and provides innovative features such as LOC in the GNSS data, digital signature of the computed PVT and an advanced dead reckoning function. The module aims to become a design reference for secure GNSS Rx, able to respond to spoofing / jamming threats but also to secure the whole chain from the PVT computation to the operational usage.