GNSS/GPS Spoofing and Timing Disruption
PNT Resilience · Electronic Warfare · Critical Infrastructure
Executive Summary
Over the past decade, the reliance of critical infrastructure — particularly power grids, hydroelectric dams, telecommunications, aviation, and maritime systems — on Global Navigation Satellite Systems (GNSS), primarily GPS, has evolved from an operational convenience into a severe and exploitable vulnerability. Facilities require microsecond-accurate time and meter-accurate position data to synchronize power generation, route aircraft and vessels, and timestamp transactions. Threat actors have increasingly used Electronic Warfare (EW) — jamming and spoofing — to manipulate these unencrypted space-to-ground signals.
Unlike the other entries in this archive section, GNSS/GPS spoofing is a living threat class rather than a single disclosed event. The category covers a spectrum of activity: deliberate state-sponsored EW deployments around conflict zones, collateral disruption affecting civilian infrastructure adjacent to military operations, and small-scale spoofing experiments by hobbyists with off-the-shelf Software Defined Radios (SDRs). What unites these is the structural weakness that made them possible: civilian GNSS signals are unencrypted, weak (-130 dBm at the surface), and trusted by an enormous installed base of receivers that have no built-in mechanism to authenticate them.
Operationally, this threat class is significant because it represents a paradigm shift in infrastructure defense. Attackers can achieve physical disruption of Operational Technology (OT) — tripped breakers, lost telemetry, mis-routed aircraft, corrupted timestamps — without executing malware, breaching a firewall, or moving laterally through any network. By altering the physical RF environment around a target's antennas, adversaries reach inside the operational envelope of systems that may be entirely air-gapped from the internet. The 2020 US Executive Order 13905 codified what the technical community had already begun to accept: PNT (Positioning, Navigation, and Timing) is critical infrastructure in its own right.
Why This Belongs in the Archive
This threat profile belongs in the Deretti Cyber Labs archive because it fundamentally redefined the concept of an "air gap" and forced a rethinking of what constitutes a network perimeter.
It exposed systemic infrastructure dependency on a fragile, external variable — space-based PNT — that most operators had treated as an immutable utility rather than a managed dependency.
It demonstrated a vector that completely bypasses traditional IT/OT cybersecurity controls. Firewalls, EDR, network segmentation, and intrusion detection provide essentially zero protection against an attacker manipulating the RF environment around a receiver's antenna.
It required large-scale architectural remediation, forcing the power, telecom, aviation, and maritime sectors to rethink how they ingest and trust physical sensor data. The remediation is hardware-rooted: antennas, oscillators, terrestrial fallbacks. It is not patchable in software.
It highlighted the convergence of military electronic warfare and civilian critical infrastructure vulnerability. Capabilities that were once the exclusive domain of state-level actors became accessible to anyone with a few-hundred-dollar SDR.
It produced a continuing threat trajectory rather than a closed event. Spoofing activity in 2024–2026 has been an order of magnitude higher than in 2018, particularly around active conflict zones, with measurable secondary effects on commercial aviation, maritime navigation, and grid stability.
Key Facts
| Item | Detail |
|---|---|
| Name | GNSS/GPS Spoofing and Timing Disruption |
| Aliases | GNSS spoofing, timing interference, satellite navigation disruption, PNT (Positioning, Navigation, and Timing) interference, OT timing subversion, space-to-ground EW |
| Date First Observed | Significant escalation noted ~2018; ongoing |
| Public Disclosure | Gradual industry recognition; codified in US Executive Order 13905 (2020); CISA/DHS PNT Conformance Framework (2021) |
| Type | RF spoofing / Electronic Warfare / signal-integrity attack / protocol abuse at the physical layer |
| Affected Systems | GNSS receivers, PMUs, protective relays, SCADA timing servers, PTP grandmaster clocks, NTP servers, aviation receivers, maritime AIS, telecom synchronization |
| Primary Impact | Loss of synchronization, protective relay tripping, navigation errors, AIS/ADS-B confusion, telemetry corruption, financial timestamp drift |
| Exploitation Method | RF broadcast of falsified GNSS signals overpowering legitimate satellite signals; or jamming via broadband RF noise |
| Patch / Fix | No software patch possible; requires hardware-level architectural changes (anti-spoofing antennas, local atomic clocks, terrestrial timing fallbacks) |
| Recovery Method | Fallback to internal holdover oscillators, terrestrial timing sources, or alternate constellations until RF environment clears |
| Attribution | Various state and non-state actors globally; specific outage attribution is usually circumstantial because EW affects geographic areas indiscriminately |
| Confidence | High (methodology and feasibility) / Medium (attribution of specific incidents to specific actors) |
Background
Hydroelectric dams and substations generate and distribute Alternating Current (AC) power. To inject power into a regional grid smoothly, the sine waves of the generated power must perfectly match the grid's existing sine waves. If they are out of phase, the result is catastrophic physical damage to transformers and spinning turbines. To measure and align this phase angle, utilities use Phasor Measurement Units (PMUs), which take dozens of measurements per second, each timestamped with microsecond-level accuracy.
For decades, the cheapest and most reliable way to obtain that timestamp was to place a GPS antenna on the roof of the facility and let it derive time from the satellite constellation. The same approach was adopted across telecommunications (5G base stations require sub-microsecond synchronization), financial trading (regulatory timestamping requirements after MiFID II), broadcast networks, aviation (ADS-B position reporting), and maritime systems (AIS vessel tracking). Across all of these sectors, the implicit trust assumption was the same: the GPS antenna on the roof is providing real, unmanipulated time.
Civilian GNSS signals are unencrypted. They were designed in an era where the threat model was natural interference, multipath, and atmospheric distortion — not adversarial manipulation. The signals arrive at the surface at approximately -130 dBm, equivalent to viewing a 25-watt lightbulb from 10,000 miles away. A terrestrial transmitter operating at a few watts can easily overpower them.
Through the early 2010s, GPS spoofing was largely an academic curiosity. The 2013 University of Texas demonstration of spoofing a yacht's navigation system, and isolated reports from conflict zones, were noted but not widely treated as a critical infrastructure concern. As Software Defined Radios (SDRs) became cheap and ubiquitous in the late 2010s, and as open-source GNSS signal generators like GPS-SDR-SIM made it possible to broadcast a convincing fake signal with a few hundred dollars of equipment, the threat model changed.
By 2018, researchers and OT defenders began noting a sharp increase in timing anomalies across critical infrastructure, particularly in regions adjacent to conflict zones. Eastern Europe, the Middle East, the Black Sea region, and the borders of Scandinavia became hotspots. By the mid-2020s, GPS interference reports from commercial aviation had risen by orders of magnitude in some regional flight information regions, and grid operators in conflict-adjacent areas had begun aggressively deploying atomic clock holdover infrastructure.
What Happened
This section describes the failure mode and the operational shape of the threat, since there is no single triggering incident.
Beginning around 2018, defenders observed cascade alarm patterns across OT networks that had previously been stable. PTP (Precision Time Protocol) grandmaster clocks reported sudden time jumps — sometimes microseconds, occasionally hundreds of milliseconds. Downstream PMUs, ingesting this false time, reported massive, artificial phase angle shifts. Automated protective relays — hardware fail-safes designed to protect the grid from out-of-phase power surges — saw the fake data, assumed a physical grid failure was occurring, and triggered. This mechanically opened breakers, instantly dropping dams and substations off the grid.
The disruption was rapid, invisible to traditional SIEMs, and required physical intervention to safely re-synchronize and bring the generation assets back online. From an operator's chair, the SCADA dashboard showed values that looked like a major grid incident in progress, while the actual physical grid was fine — the only thing that had changed was the time being reported by the GPS receiver upstream.
Parallel observations came from other sectors. Commercial aviation experienced a sustained rise in GPS interference reports, particularly over the eastern Mediterranean, Black Sea, and Baltic regions. Pilots reported ADS-B position drift, autopilot disengagement, and in some cases received "spoofed" position data placing the aircraft hundreds of miles from its actual location. Maritime AIS reports from vessels in the Black Sea, eastern Mediterranean, and Persian Gulf showed clusters of vessels appearing in physically impossible locations (the so-called "circle spoofing" pattern, where multiple ships appeared to be sailing in tight circles around airports — a signature of crude spoofing implementations).
What made response difficult, across all these sectors, was the structural problem that the symptom appears far from the source. Operators first see time drift, failed synchronization, navigation anomalies, or weird location data. The actual issue is in the radio-frequency layer, several abstraction levels below where defenders normally operate. By the time the RF cause is identified, the damage — tripped relays, diverted aircraft, corrupted logs — is already done.
The immediate workaround in most cases has been forcing receivers into "holdover" mode, where the device relies on its internal lower-quality clock and ignores the manipulated GPS signal until the RF environment clears. Holdover is a stopgap; the longer it lasts, the more drift accumulates.
Technical Overview
A civilian GPS receiver works by listening to signals from the GPS satellite constellation, computing the time-of-flight from each satellite using the timestamp embedded in its signal, and solving for both position and time (trilateration, not triangulation) from at least four satellites: three unknowns of position plus the receiver's own clock offset. The L1 C/A signal — the standard civilian channel — is broadcast in the clear, with a publicly documented format, no authentication, and no encryption.
Two attack modes dominate.
Jamming broadcasts broadband RF noise on the GNSS frequency bands (1.575 GHz for GPS L1, plus the bands used by GLONASS, Galileo, and BeiDou). The receiver loses lock entirely and falls back to its internal clock or rejects the signal as unusable. Jamming is detectable — the receiver knows it has lost the signal — but it still removes the timing source, forcing the receiver into holdover.
Spoofing is more sophisticated and more dangerous. The attacker positions an SDR and an amplifier within RF range of the target's antenna. Distances vary; effective spoofing has been demonstrated from a few hundred meters to several kilometers depending on power and target receiver sensitivity. The attacker transmits a perfectly formatted GPS L1 signal, initially synchronized with the real time. The target receiver, seeing two signals on the same frequency, locks onto the stronger one — which is the attacker's, because terrestrial transmitters have an enormous advantage over orbital ones. Once locked, the attacker slowly introduces a drift, pulling the time forward or backward by microseconds, or pulling the apparent position away from the receiver's actual location. Because the drift is gradual, the receiver's internal sanity-check logic does not reject it.
The corrupted time then cascades from the GPS receiver to the network time servers (NTP, PTP grandmaster), down to the PMUs, protective relays, telecom synchronization equipment, or whatever systems consume the time. The SCADA, telecom, or aviation systems that consume this time are blind to the RF layer; they process the malicious timing data as valid telemetry.
Detection at the receiver level is possible with anti-spoofing-aware receivers, but most fielded equipment predates the threat. Detection at the network level requires comparing GNSS-derived time against independent references — local atomic clocks, alternate timing networks, neighbor-facility cross-checks. Most environments do not have these independent references in place.
Constellation context matters: civilian GPS is unencrypted, and the encrypted military M-code signal is not available to civilian receivers. The European Galileo constellation includes the Open Service Navigation Message Authentication (OSNMA) feature, providing cryptographic authentication of Galileo navigation data, but most fielded civilian equipment does not use it. China's BeiDou and Russia's GLONASS provide alternate constellations but face the same fundamental signal-integrity issue. Multi-constellation receivers (GPS + Galileo + BeiDou + GLONASS) are harder to spoof than GPS-only receivers because the attacker must simulate all relevant constellations consistently.
Affected Systems, Sectors, and Equipment
Unlike a typical malware or vulnerability disclosure, the affected list for GNSS spoofing is best framed by sector and equipment class rather than vendor. Any GNSS-dependent system is, in principle, exposed; the practical exposure depends on the receiver's sophistication, the operational consequences of corrupted PNT, and the local RF environment.
Power Sector
The most consequential affected category is grid synchronization equipment.
- Phasor Measurement Units (PMUs): SEL (Schweitzer Engineering Laboratories) PMU and protective relay product lines, ABB / Hitachi Energy PMU equipment, GE Multilin family, Siemens SIPROTEC family, Arbiter Systems, and others. Most PMUs ingest time from a GPS receiver and produce C37.118 phasor data that is consumed by Wide-Area Monitoring Systems (WAMS).
- Protective relays: SEL relays (the dominant North American family), ABB REL/REC series, Siemens 7SA/7SD/7SS series, GE family, Toshiba, and others. Protective relays typically receive time from the same GPS source as PMUs.
- PTP grandmaster clocks for substation timing: Microchip / Microsemi (formerly Symmetricom) SyncServer family, Meinberg LANTIME family, Oscilloquartz, Hirschmann, Arbiter Systems. These are the upstream timing source for substation networks.
- Hydroelectric generation control systems: Turbine governor controls, automatic generation control (AGC) systems, automatic voltage regulators (AVRs) — all of which can rely on GNSS-derived time.
Telecommunications
- 5G base stations: Sub-microsecond synchronization is required for 5G timing-mode operation, particularly for time-division duplex (TDD) and coordinated multi-point (CoMP) transmission. Major 5G equipment vendors — Ericsson, Nokia, Huawei, Samsung, Mavenir, ZTE — all support GNSS-based synchronization paths.
- Telecom backhaul timing infrastructure: PTP/SyncE deployments using GNSS as the primary master.
- Cell-site routers and small cells with embedded GNSS receivers.
Aviation
- GPS receivers in commercial and general aviation aircraft: Honeywell, Garmin, Collins Aerospace (formerly Rockwell Collins), Universal Avionics, and others. Modern aircraft increasingly rely on GPS-derived position for ADS-B Out reporting, RNP (Required Navigation Performance) approaches, and other safety-relevant operations.
- Ground-based augmentation systems (GBAS) and Wide Area Augmentation Systems (WAAS) receivers.
Maritime
- Bridge GPS receivers and integrated bridge systems: Furuno, JRC, Raymarine, Garmin marine, Simrad, and others.
- AIS (Automatic Identification System) transponders that derive vessel position from GPS.
Financial Services
- Regulatory timestamping infrastructure: MiFID II in Europe and similar regimes elsewhere require microsecond-accurate timestamping of trades. GPS-disciplined oscillators are the dominant primary source.
- High-frequency trading colocation timing.
Broadcast and Media
- DVB and ATSC broadcast network timing.
- Production and distribution timecode infrastructure in studio environments.
General Patterns
The pattern across all these sectors is the same: a GNSS antenna feeding a receiver, feeding a timing distribution layer (NTP, PTP, IRIG-B), feeding a population of consuming systems that trust the time without further verification. Replacement of any single layer is possible but expensive; replacement of the whole stack requires sustained capital investment.
Vendors that have responded most aggressively with anti-spoofing-aware products include Microchip / Microsemi (SyncServer series with multi-constellation and anti-jamming options), Meinberg, Spectracom / Orolia (now Safran), Trimble (resilient timing receivers), and Septentrio (advanced multi-frequency receivers with spoofing detection). However, the installed base of older, single-constellation, no-anti-spoofing receivers vastly outnumbers the modern equipment in most sectors.
Impact
Operational Impact
Service Disruption: Automated tripping of generator breakers causing localized power generation loss; aviation route deviations and ATC workload increases; AIS-driven maritime confusion; cellular and 5G synchronization degradation.
Telemetry Corruption: SCADA screens display false grid-state data to operators, making incident response confusing and dangerous. Operators may take actions based on false information.
Forensic Degradation: Log files across the OT and IT network receive corrupted timestamps. Timeline reconstruction of any concurrent or subsequent event becomes nearly impossible. Cross-system correlation breaks down because different systems may have drifted by different amounts.
Manual Recovery Burden: Restoring service often requires physical site visits to validate equipment, reset breakers, and confirm that the timing environment is safe before re-synchronizing.
Security Impact
Air-Gap Bypass: This is the defining property of the threat. Systems that are entirely disconnected from the internet, with no remote management interface and no network path from the outside, are still vulnerable through the antennas on their roofs.
Plausible Deniability: RF signals leave no malware artifacts on disk. There is nothing for forensics to reverse-engineer. Attribution depends on RF-direction-finding evidence collected during the event itself, which most defenders do not have.
Trust-in-Sensor Compromise: When the time source is corrupted, the integrity of all downstream sensor data is in question. This includes data feeding security controls — log timestamping, replay-protection windows, certificate validity checks, MFA tokens.
Weakening of Time-Dependent Security Controls: Kerberos has clock-skew tolerance limits. TLS certificate validation depends on the client's clock. TOTP-based MFA depends on time agreement. Disrupted time can break security controls in ways that look like benign operational issues.
Business / Continuity Impact
Downtime: Substantial time is required to manually verify grid stability and physically reset breakers; comparable validation requirements exist in aviation and maritime contexts.
Hardware Wear: Emergency load-shedding and sudden turbine disconnections place immense mechanical stress on hydroelectric infrastructure. Repeated incidents accelerate equipment degradation.
Insurance and Regulatory Exposure: Sectors with timing requirements (financial services, aviation, telecom) face regulatory scrutiny when timing infrastructure fails, regardless of whether the cause was malicious or natural.
Capital Expenditure: Architectural remediation — atomic clocks, CRPA antennas, terrestrial timing fallbacks — represents significant unplanned capital cost.
What This Was Not
Not a network breach: Attackers did not penetrate firewalls, exploit IT vulnerabilities, or move laterally through any network.
Not ransomware: No data was encrypted, no ransom was demanded, no extortion mechanism was involved.
Not malware: No malicious code executed on PLCs, servers, or any other endpoint. The attack operates entirely in the RF environment.
Not easily preventable by IT controls: Antivirus, EDR, network segmentation, IDS/IPS, firewalls, and zero-trust network architecture provide essentially zero protection against this attack vector.
Not always deliberately targeted: Much of the observed civilian-infrastructure impact is collateral damage from military EW operations conducted without civilian targets in mind. The vector's viability for targeted sabotage is fully proven, but most documented impact has been incidental.
Not a single incident or campaign: Unlike Ripple20, Spectre/Meltdown, or VPNFilter, GNSS spoofing has no single disclosure date, no single CVE, no single threat actor. It is a structural condition of the civilian PNT ecosystem.
Evidence and Source Notes
| Evidence Type | Source | Date | Relevance | Confidence |
|---|---|---|---|---|
| Government Order | US Executive Order 13905 — "Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services" | 2020-02-12 | Formal recognition of PNT vulnerability as a critical infrastructure issue | High |
| Government Guidance | CISA / DHS Resilient PNT Conformance Framework | 2021 | Established baseline resilience frameworks for PNT-dependent systems | High |
| Public reporting | RNT Foundation threat assessments | 2018 onward | Outlines systemic grid fragility and surveys observed spoofing activity | High |
| Industry analysis | EPRI (Electric Power Research Institute) reports on timing alternatives | 2024 | Sector-specific guidance on timing resilience | Medium/High |
| Internal notes | Deretti Lab Field Notes | 2023–2024 | Observed PMU drift during RF interference exercises and live events | Medium/High |
| Aviation reporting | EASA, FAA, IATA bulletins on GNSS interference in commercial aviation | 2022 onward | Documents rise in spoofing reports across multiple flight information regions | High |
| Maritime reporting | MARAD advisories, US Coast Guard NAVCEN, regional maritime authorities | 2018 onward | Documents AIS and GPS anomalies in conflict-adjacent waters | High |
| Vendor advisory | SEL, Microchip, Meinberg, Spectracom/Safran, Septentrio | Various | Confirms anti-spoofing equipment availability and recommended architectures | High |
Evidence is organized by proximity to the event. Government orders and frameworks formally recognize the severity of the threat. Internal response notes preserve operational context regarding how these events manifest on SCADA screens and OT networks. Sector advisories from aviation and maritime authorities support cross-sector framing. Specific incident attribution is treated as Medium confidence; the methodology and feasibility of the attack class are treated as High confidence.
Remediation
Immediate Actions: 0–24 Hours
- Validate timing alarms. Do not blindly trust SCADA dashboards if phase angle anomalies correlate with GPS signal loss, signal-strength changes, or constellation-geometry warnings.
- Physically switch critical timing infrastructure to "holdover" mode, relying on the hardware's internal crystal or atomic oscillators until the RF environment clears.
- For aviation operators, consult relevant NOTAMs and operational bulletins for known interference areas before flight planning.
- For maritime operators, treat AIS and GPS data as advisory rather than authoritative in known interference zones; rely on radar and visual cross-checks.
- Document anomalies thoroughly while they are happening — RF events leave no on-disk artifacts and must be captured in real time.
Short-Term Actions: 1–7 Days
- Audit all critical OT, IT, and operational networks to identify every device that relies directly on external GPS/GNSS for timing or position.
- Configure alerting for time-drift deviations between internal reference clocks and external satellite feeds.
- Implement basic cross-checks: compare GPS-derived time against NTP from peer facilities, against local atomic or quartz oscillators, and against expected satellite constellation geometry.
- Inventory antenna installations: location, type, exposure, line-of-sight to potential ground-based interference sources.
Medium-Term Actions: 1–4 Weeks
- Replace standard, omnidirectional GPS antennas at critical sites with Controlled Reception Pattern Antennas (CRPAs) or choke-ring antennas. These physically filter signals arriving from low elevation angles (where ground-based spoofers operate) and accept signals only from directly overhead.
- Deploy multi-constellation receivers (GPS + Galileo + BeiDou + GLONASS) where supported. Spoofing all four constellations consistently is significantly more difficult than spoofing GPS alone.
- Update relay and PMU firmware to support graceful degradation rather than immediate tripping upon loss of precise time. SEL, ABB, Siemens, GE, and other major vendors have published firmware updates with improved holdover behavior.
- Where the receiver supports it, enable Galileo OSNMA (Open Service Navigation Message Authentication) for cryptographic verification of navigation data.
Long-Term Actions: 1–6 Months
- Architectural shift: Deploy high-quality atomic oscillators (Rubidium or Cesium) at critical sites. Rubidium clocks can maintain microsecond accuracy for hours to days without a satellite signal; Cesium clocks extend that to weeks or longer. This is the single most effective long-term mitigation for fixed sites.
- Terrestrial fallbacks: Implement Precision Time Protocol (PTP — IEEE 1588) over dedicated, terrestrial dark fiber networks to distribute time independently of space systems. Sites linked by fiber can share an atomic clock's signal without depending on individual GNSS receivers.
- Backup national systems: Where available, integrate eLORAN or equivalent terrestrial radio-navigation systems as a secondary timing source independent of GNSS.
- Diversification: Adopt the principle that resilient PNT requires three independent sources: space-based (GNSS), terrestrial (eLORAN, fiber-distributed PTP), and local (atomic oscillator). No single layer can be trusted alone.
- Sector-specific resilience exercises: Include GNSS denial scenarios in tabletop exercises and operational drills. Most existing OT incident-response plans do not contemplate this scenario.
- Procurement updates: New receiver and synchronization equipment purchases should require multi-constellation support, anti-spoofing detection capability, and integration with local holdover oscillators.
Timeline
| Date / Time | Event | Source / Evidence |
|---|---|---|
| 2013 | University of Texas demonstration of GPS spoofing against a yacht; academic-community awareness of the threat | UT Austin research |
| 2017 | Black Sea AIS / GPS spoofing incident: dozens of vessels report positions clustered at unusual coastal locations; widely cited as the first large-scale civilian GPS spoofing observation | Maritime advisories, security research |
| 2018 | Reports of wide-area GPS spoofing in Eastern Europe affecting non-military civilian systems; OT defenders begin tracking timing anomalies | Security research, industry observation |
| 2019 | Pattern recognized as a critical-infrastructure threat class by US/EU defender communities | Industry observation |
| 2020-02-12 | US Executive Order 13905: Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services | Whitehouse.gov |
| 2021 | CISA releases foundational PNT Conformance Framework for infrastructure | CISA |
| 2021–2022 | Surge in collateral GPS spoofing observed affecting infrastructure in Eastern Europe; significant overlap with active conflict zones | CISA / industry reports |
| 2022–2024 | Elevated spoofing activity globally; aviation interference reports rise sharply; utility sectors aggressively adopt atomic holdover architectures | Industry observation, aviation authority bulletins |
| 2024–2025 | Accelerated adoption of atomic holdover clocks in US hydroelectric and bulk-electric sectors; commercial aviation incident reports continue to climb | ICS vendor sales/updates, aviation reporting |
| 2026 | Threat class continues; no consolidated international response to civilian-infrastructure GNSS resilience yet established | Ongoing |
Indicators, Artifacts, or Detection Notes
Indicators
Traditional IT indicators (IPs, hashes, file artifacts) do not apply to RF-layer attacks. Detection requires telemetry from the RF and timing layers themselves.
| Type | Value | Notes |
|---|---|---|
| Telemetry | C37.118 phasor data | Look for sudden, synchronized phase angle shifts across multiple PMUs that share a GPS source |
| Hardware Log | Receiver Signal-to-Noise Ratio (SNR) | Sudden, unexplained increases in SNR on GPS receivers — spoofed signals are often substantially louder than authentic ones |
| Hardware Log | Satellite ID / constellation geometry | Receiver locking onto an impossible satellite constellation, or onto satellites that should not be visible from the receiver's location |
| Hardware Log | Time jumps | Sudden microsecond or millisecond-scale time corrections that exceed normal disciplined-oscillator behavior |
| Hardware Log | Position jumps | For mobile receivers, sudden position changes that are physically impossible |
| Network | NTP/PTP drift | Cross-comparison between GNSS-derived time and other timing sources showing unexpected divergence |
| AIS/ADS-B | Cluster patterns | Multiple vessels or aircraft reporting positions at the same impossible location, or in tight circular patterns around airports |
Detection Logic
Detection requires monitoring the delta between multiple time sources. If GPS-derived time suddenly diverges from a local network NTP server, an adjacent facility's PTP time, or a local atomic oscillator by more than a few microseconds, spoofing or jamming is likely occurring. Single-source monitoring cannot detect this class of attack — by definition, the manipulated source is the one being trusted.
For sites with anti-spoofing-capable receivers, the receiver itself reports spoofing detection events. These should be aggregated and alerted on with the same priority as any other security event.
For sites without dedicated anti-spoofing equipment, the practical detection layer is:
- Multi-source comparison (GPS time vs. local oscillator vs. peer facility time)
- Receiver-quality monitoring (SNR, satellite count, constellation geometry)
- Downstream effect monitoring (PMU phase angles, SCADA timestamps, application time-drift errors)
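As an added example (not part of this profile and not the Deretti Lab field-note scripts), the multi-source cross-check described above, run over constructed telemetry lines: it flags the abrupt time jumps and C/N0 rises from the indicators table, and catches the gradual pull described in the Technical Overview by comparing GNSS time against two independent references so that the odd source out can be named. The line format, the thresholds, and the rubidium and peer-PTP references are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Detection thresholds. These are assumptions for the example; a real site tunes
# them to its oscillator class, link budget and the C37.118 class of its PMUs.
STEP_US = 5.0       # one-second jump a disciplined oscillator would not produce on its own
DRIFT_US = 3.0      # sustained divergence that should trigger a holdover decision
CN0_JUMP_DB = 6.0   # one-second rise in carrier-to-noise density with no explanation
GRID_HZ = 60.0
# Timing error at which a PMU reaches the 1% total vector error limit of
# IEEE C37.118 (about 0.573 degrees of phase): roughly 26.5 us at 60 Hz.
TVE_LIMIT_US = 26.5

# Constructed telemetry: one line per second from a substation timing chain.
# gnss_minus_atomic_us: GNSS-disciplined time minus the local rubidium clock.
# gnss_minus_peer_us:   GNSS-disciplined time minus a peer facility's PTP time.
# cn0_dbhz:             receiver carrier-to-noise density for the tracked signal.
SPOOF_LOG = """\
t=1000 gnss_minus_atomic_us=0.1 gnss_minus_peer_us=0.3 cn0_dbhz=44
t=1001 gnss_minus_atomic_us=0.2 gnss_minus_peer_us=0.2 cn0_dbhz=45
t=1002 gnss_minus_atomic_us=0.1 gnss_minus_peer_us=0.4 cn0_dbhz=44
t=1003 gnss_minus_atomic_us=0.3 gnss_minus_peer_us=0.2 cn0_dbhz=55
t=1004 gnss_minus_atomic_us=1.0 gnss_minus_peer_us=0.9 cn0_dbhz=55
t=1005 gnss_minus_atomic_us=1.7 gnss_minus_peer_us=1.6 cn0_dbhz=56
t=1006 gnss_minus_atomic_us=2.4 gnss_minus_peer_us=2.3 cn0_dbhz=55
t=1007 gnss_minus_atomic_us=3.3 gnss_minus_peer_us=3.2 cn0_dbhz=55
t=1008 gnss_minus_atomic_us=4.0 gnss_minus_peer_us=3.9 cn0_dbhz=55
t=1009 gnss_minus_atomic_us=4.7 gnss_minus_peer_us=4.6 cn0_dbhz=56
"""
# Constructed: the local clock wanders while GNSS and the peer still agree.
LOCAL_CLOCK_LOG = """\
t=2000 gnss_minus_atomic_us=0.2 gnss_minus_peer_us=0.1 cn0_dbhz=44
t=2001 gnss_minus_atomic_us=3.6 gnss_minus_peer_us=0.2 cn0_dbhz=44
"""
# Constructed: an abrupt 250 us correction reported by the receiver.
JUMP_LOG = """\
t=3000 gnss_minus_atomic_us=0.1 gnss_minus_peer_us=0.2 cn0_dbhz=44
t=3001 gnss_minus_atomic_us=250.0 gnss_minus_peer_us=249.8 cn0_dbhz=44
"""

LINE_RE = re.compile(
    r"t=(?P<t>\d+) gnss_minus_atomic_us=(?P<atomic>-?[\d.]+) "
    r"gnss_minus_peer_us=(?P<peer>-?[\d.]+) cn0_dbhz=(?P<cn0>[\d.]+)$"
)


@dataclass
class Sample:
    t: int
    gnss_minus_atomic_us: float
    gnss_minus_peer_us: float
    cn0_dbhz: float


def parse_log(text: str) -> List[Sample]:
    """Parse the constructed line format; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Sample(int(m["t"]), float(m["atomic"]),
                              float(m["peer"]), float(m["cn0"])))
    return out


def phase_error_deg(offset_us: float, f_hz: float = GRID_HZ) -> float:
    """Phase angle error a PMU reports when its timestamp is off by offset_us."""
    return 360.0 * f_hz * offset_us * 1e-6


def analyze(samples: List[Sample]) -> List[Dict]:
    """Cross-check GNSS time against two independent references, sample by sample."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        # 1. Abrupt correction: a jump the receiver's own oscillator cannot explain.
        step = cur.gnss_minus_atomic_us - prev.gnss_minus_atomic_us
        if abs(step) > STEP_US:
            alerts.append({"t": cur.t, "kind": "time_jump", "step_us": round(step, 3)})
        # 2. Signal-quality change: a spoofed signal is usually much louder.
        if cur.cn0_dbhz - prev.cn0_dbhz > CN0_JUMP_DB:
            alerts.append({"t": cur.t, "kind": "cn0_jump",
                           "delta_db": round(cur.cn0_dbhz - prev.cn0_dbhz, 1)})
        # 3. Majority vote across three sources. A gradual pull never trips the step
        #    check, but the accumulated offset against BOTH references identifies
        #    GNSS as the outlier; if only the atomic reference disagrees, suspect it.
        gnss_vs_atomic = abs(cur.gnss_minus_atomic_us) > DRIFT_US
        gnss_vs_peer = abs(cur.gnss_minus_peer_us) > DRIFT_US
        if gnss_vs_atomic and gnss_vs_peer:
            alerts.append({"t": cur.t, "kind": "gnss_divergence",
                           "offset_us": cur.gnss_minus_atomic_us,
                           "phase_deg": round(phase_error_deg(cur.gnss_minus_atomic_us), 3),
                           "exceeds_tve": abs(cur.gnss_minus_atomic_us) > TVE_LIMIT_US})
        elif gnss_vs_atomic:
            alerts.append({"t": cur.t, "kind": "local_reference_suspect",
                           "offset_us": cur.gnss_minus_atomic_us})
    return alerts


def first_alert(alerts: List[Dict], kind: str):
    """Return the earliest alert of the given kind, or None."""
    return next((a for a in alerts if a["kind"] == kind), None)


if __name__ == "__main__":
    for name, log in (("spoof", SPOOF_LOG), ("local clock", LOCAL_CLOCK_LOG), ("jump", JUMP_LOG)):
        print(name)
        for alert in analyze(parse_log(log)):
            print("  ", alert)
```

In the spoof scenario the step check never fires, which is the point of the gradual pull; only the C/N0 rise and the three-way comparison expose it.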
Tooling
- Vendor receiver telemetry (SEL, Microchip, Meinberg, Spectracom/Safran, Septentrio, Trimble — all expose detailed receiver health data)
- Open-source NTP/PTP monitoring tools for cross-source drift detection
- C37.118 PMU stream analyzers
- Custom Python scripts for SNTP/PTP drift detection (referenced in Deretti Lab field notes 2024)
- ADS-B Exchange and similar flight-tracking data for aviation-side anomaly observation
Any scripts or tools referenced here are preserved for historical context unless explicitly marked as current.
Infrastructure Defense Lessons
1. What defenders should remember
Space is part of the Operational Technology environment. If a physical process relies on invisible telemetry from a satellite, the attack surface extends to orbit. Time itself is a security dependency, not an engineering convenience — every authentication check, replay-protection window, forensic log timeline, and synchronized control system trusts that the clock is honest.
2. What organizations underestimated
The blast radius of Electronic Warfare. Many infrastructure operators assumed that because they were not military targets, no one would expend million-dollar EW capabilities on them. They underestimated how cheap SDRs made this attack accessible (under $1000 of equipment for a viable spoofer), and how wide a geographic area a single high-power spoofer can affect collaterally — often hundreds of square kilometers.
The other consistently underestimated factor was single-source dependence. Most affected sites had a single GPS antenna feeding a single timing chain, with no architectural redundancy. The assumption was that GPS was a free utility that always worked. The threat model that justified this assumption — natural interference, atmospheric effects, equipment failure — did not include adversarial manipulation, and the architecture had been built accordingly.
3. What held up well
High-end legacy analog systems that did not rely on microsecond synchronization continued to operate through GNSS denial events. Facilities that had already invested in high-end Rubidium or Cesium atomic clocks for local holdover absorbed disruption with minimal operational impact. Multi-constellation receivers performed substantially better than GPS-only receivers, particularly when the spoofer simulated only the GPS signal.
Sites with disciplined RF inventory — knowing where every antenna was, what it fed, and what alarms were available on it — recovered faster than sites without that inventory.
4. What failed or became fragile
"Smart grid" integrations. The more automated and tightly coupled the grid became to increase efficiency, the more fragile it became to minor timing perturbations. Wide-area monitoring systems (WAMS) that aggregated data from dozens of substations could be confused by spoofing at any single one of them.
Single-source GPS architectures, ubiquitous in the 2010s, became fragile in operational environments where they had previously been reliable.
Detection capabilities at most sites were inadequate. Receivers had limited or no anti-spoofing telemetry; SCADA systems trusted timestamps without cross-checking; SIEMs had no concept of RF-layer events. The first alert in a typical incident was usually a downstream consequence (a tripped breaker, a confused operator) rather than the underlying cause.
5. What this changed in practice
It forced a total architectural redesign of OT timing across the power, telecom, and aviation sectors. Modern critical infrastructure design no longer trusts a single GPS antenna. It mandates a "Zero Trust" approach to physical signals, requiring multiple, verifiable, and diverse sources of time: space + fiber + local atomic.
Procurement language for new substation, telecom, and timing equipment now routinely specifies multi-constellation support, anti-spoofing detection, and integration with local holdover oscillators. Vendor product lines have shifted to support this — the resilient-PNT product category, which barely existed in 2018, is now a recognized market segment.
The broader strategic shift is that PNT is now treated as critical infrastructure in its own right, not as a passive utility. EO 13905, CISA's PNT framework, and parallel European and Asian initiatives reflect this. The operational-resilience framing — that defenders must plan for sustained GNSS denial, not just brief outages — is now the baseline.
Key Takeaways
- Physical Bypass: RF spoofing achieves physical disruption of infrastructure without requiring IT network penetration or any malware execution.
- Inherent Fragility: Civilian GNSS is unencrypted and weak. A few-watt terrestrial transmitter trivially overpowers signals that have traveled 20,000 km from orbit.
- Silent Failure: Corrupted time can poison telemetry and logs before operators realize anything is wrong; the symptom appears far from the cause.
- Hardware Remediation: Software patches cannot fix this. Mitigation requires physical antenna upgrades, local atomic oscillators, and terrestrial timing fallbacks.
- Diverse Dependencies: Resilience demands moving away from single-point dependence and using diverse terrestrial and space-based timing sources — space + fiber + local atomic.
- Air-Gap Reframing: Being air-gapped from the internet does not make a system safe from external manipulation. The physical sensors are part of the attack surface.
- Active and Ongoing: This is not a closed historical event. Spoofing activity has grown substantially since 2018 and is likely to continue.
References
- US Executive Order 13905 — "Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services" (2020-02-12).
- CISA / DHS — Resilient PNT Conformance Framework (2021).
- Resilient Navigation and Timing (RNT) Foundation — Threat assessments on GPS vulnerabilities (ongoing).
- IEEE Power and Energy Society — Reports on PMU synchronization and grid timing resilience.
- EPRI (Electric Power Research Institute) — Timing alternatives studies (2024).
- EASA, FAA, IATA — GNSS interference bulletins (2022 onward).
- US Coast Guard Navigation Center (NAVCEN) and MARAD — Maritime GPS and AIS interference advisories.
- Vendor documentation: SEL, Microchip / Microsemi, Meinberg, Spectracom / Safran, Septentrio, Trimble — anti-spoofing receiver and timing product lines.
- IEEE 1588 PTP standard documentation.
- European Galileo OSNMA documentation.