Today’s critical infrastructure sectors (such as aerospace, finance, energy networks, precision agriculture) rely heavily on PNT (positioning, navigation and timing) systems. These systems can and need to be resilient to disturbances with varying strictness. For example, the flight guidance system of a plane requires extreme trustworthiness and resilience. The first step towards resilience is realizing the extent to which your organization relies on PNT information, and what the capabilities are of your current system. It is crucial to be aware of your organization’s current capabilities, and of the remaining areas of improvement, to ensure a sufficiently resilient infrastructure for your application.

This questionnaire is aimed at providing an estimation of the resilience level of your organization’s PNT system. It will take you through approximately 40 questions, and in the end will provide you with:

• An estimation of the overall resilience of your PNT system
• Indicative sub-scores in different key aspects of resilience

Because of the potentially sensitive nature of the information required to complete the questionnaire, your data is not collected or shared in any way. The answers are only temporarily stored in your browser to allow you to take breaks and come back directly to where you stopped. The questionnaire is expected to take between one and two hours to complete.

This questionnaire is intended for people familiar with basic concepts of GNSS and PNT systems, as well as with the PNT system of their organization.

The questions are not always easy to answer. To help you in the process, several resources and courses (including a GNSS masterclass) are available on this website if you need to refresh and complete your knowledge, starting from here. In addition, we advise that the questionnaire is completed with the input of the person(s) operating your organization’s PNT system.

In order to help you get started with the questionnaire, we provide two example systems representing two different resilience levels. Both describe a timing system based on a GNSS receiver. The purpose of these examples is to showcase what a PNT system may look like in real life, and to serve as an inspiration by showing how one might answer the questions for this specific case.

The example cases are not ideal systems, nor the most common setups; just examples of some of the functionalities one should search for in their own system to be able to fill in the questionnaire.

A simple and complex example can be viewed under their tabs below. The answers corresponding to each example can be accessed during the questionnaire by hovering your mouse cursor over this icon: ℹ️

Once you have completed the questionnaire, we invite you to further look into the areas of improvement that may have been highlighted. Information is available on this website to assist you here.

Please note that the questionnaire is only a tool intended to provide an estimation of the resilience of your organization’s PNT system and does not constitute a diagnostic or validation of its actual resilience. If you require further analysis of the outcome of the questionnaire or want to act upon it, please contact info@gnss-coe.eu

It can be helpful to save and print the results of the questionnaire for this purpose.

The following levels of resilience we set by US Resilient Positioning, Navigation, Timing Conformance Framework and they have a cumulative structure, meaning that each level requirements are incorporated to the next. The ascending order is aligned with the level of resilience but not all applications require the maximum level 4.

• Level 0: Does not meet the criteria of Level 1, and is thus considered a non-resilient system.

This level characterizes the system as non-resilient for possible acceptance and/or usage of unverified input (eg. Spoofing), and for requiring manual intervention for enabling the recovery process.

• Level 1: Ensures recoverability of solution after the removal of the threat

As a first level of resilience recovery to the nominal behaviour is the goal, after the failure or non-existence of previous lines of defence (prevention, response etc.).  This can lead to data system outage when recovering. The main level requirements are:

1. Verification of input data based on compliance with international standards.
2. Ability to apply full system recovery with memory reset, return to operational status with nominal performance.
3. Secure ability of firmware update.

• Level 2: Provides a solution (possibly with unbounded degradation) during threat

This level incorporates the requirements of level 1. The system should be able to provide even degraded PNT solutions under theat, which are not bounded by thresholds. Moreover it should fulfil the following requirements.

4. Identification of malware PNT sources (eg. Spoofers) and neglection of their contribution to false PNT solution.
5. Support of automatic system recovery.

• Level 3: Provides a solution (with bounded degradation) during threat

This level, adds for the first time in the ascending level chain, the system threat response option, resulting in a continuous PNT solution which can be degraded but bounded by certain performance thresholds. To build such a systems is a comple procedure which might lead to software and hardware development.  The following additional requirements are:

6. The system can isolate corrupted from not corrupted data coming from different sources.
7. The system can apply cross-verification techniques between multiple PNT sources.

• Level 4: Provides a solution without degradation during threat.

This is the highest level of GNSS resilience and it comes with “No degradation to Performance” criterion, which requires the following requirement with some important notes:

8. PNT source  diversification for threat mitigation.

Note: Increase of PNT sources does not ensure system resilience as new vulnerabilities can potentially be added. Therefore separate criteria testing for each new PNT source shall be met.

Source: U.S. Department of Homeland Security. (2022, May 31). ST resilient PNT conformance framework. https://www.dhs.gov/publication/st-resilient-pnt-conformance-framework

If you have any questions about resilience, please contact us via: info@gnss-coe.eu

The example below describes a very simple timing system (based on the Resiliency Level 1 example of the US-framework). The purpose of this architecture is to showcase what a PNT system may look like in real life, and to serve as an inspiration by showing how one might answer the questions for this specific case.

This is not an ideal system, nor the most common setup; just an example of some of the functionalities one should search for in their own system to be able to fill in the questionnaire.

This example is available for all questions and can be accessed by pressing the “show example” button.

The simple timing PNT system in this example is used by a company for time synchronisation of transactions. The primary output of the system is time information, provided to the company network.

The system has a small GNSS antenna located on a tall rooftop, rising high above nearby buildings. This roughly hand sized device is not visible from below, and the rooftop is only accessible to authorized personnel. The antenna is capable of receiving signals from multiple frequencies, and constellations (Galileo, GPS, GLONASS, BeiDou).

Connected to the antenna is a GNSS receiver inside the building in a secure location, connected to the antenna by a long wire. It is only accessible to authorized personnel, and authorized devices on the local network. The receiver’s output is securely stored and transferred, and not accessible through the internet or other open channels. The receiver is configured to receive only simple unencrypted GPS signals for which it verifies that the message conforms to the standard format. The system is configured to only listen to GPS L1 band signals, despite having the hardware and software capabilities to handle multiple constellations and frequency bands. There are advanced options (integrity monitoring and interference detection) implemented in the receiver, but these are not enabled. Although the advanced settings are not enabled, the receiver checks if the received signal’s strength is in the nominal range (not too high or low) which can be considered a very simple jamming detection method. There is a 10 degrees elevation mask configured in the receiver, meaning that the receiver only considers satellites that are at minimum 10 degrees elevation above the horizon.

The specifics of the hardware (antenna, GNSS receiver) or the processing software are neither public, nor general knowledge in the organization. The location of the PNT system’s components is monitored by security cameras. There is a UPS system providing power in case of an outage. Authorized personnel may restart the system (for instance reboot the GNSS receiver) in case it is needed.

There is a small group of engineers (not necessarily with deep GNSS background) responsible for maintenance, and they regularly check for software/firmware updates on the GNSS receiver’s manufacturer’s website (who continues to provide support for the device). If they have no deep GNSS knowledge, these engineers may not be aware of the advanced settings of the receiver, only the maintenance of the already functioning system.

The system outputs timing information based primarily on GPS signals, which is not cross-checked with timing servers on the internet or other local redundant timing sources.

The example below describes a more complex and resilient timing system. The purpose of this architecture is to showcase what a PNT system may look like in real life, and to serve as an inspiration by showing how one might answer the questions for this specific case.

This is not an ideal system, nor the most common setup; just an example of some of the functionalities one should search for in their own system to be able to fill in the questionnaire. It does contain significant improvements compared to the simple example given previously.

This example is available for all questions and can be accessed by pressing the “show example” button.

The timing PNT system has two small anti-jamming antennas located on a tall rooftop, rising high above nearby buildings. These devices are not visible from below, and the rooftop is only accessible to authorized personnel. The antennas are capable of receiving signals from multiple frequencies, and constellations (Galileo, GPS, GLONASS, BeiDou).

The GNSS receiver is inside the building in a secure location, connected to the antennas by long wires. It is only accessible to authorized personnel, and authorized devices on the local network. The receiver’s output is securely stored and transferred, and not accessible through the internet or other open channels. The receiver is configured to receive both simple unencrypted GPS signals and OSNMA authenticated Galileo E1 signals for which it verifies that the messages conform to the standard format. The system is configured to listen to multiple frequency bands (Galileo E1 and E5, GPS L1 and L5 signals) which allows for advanced corrections and provides extra redundancy. There are advanced options (integrity monitoring and interference detection) implemented in the receiver, which are enabled. The receiver also checks if the received signal’s strength is in the nominal range (not too high or low) which can be considered a very simple jamming detection method. There is a 10 degrees elevation mask configured in the receiver, meaning that the receiver only considers satellites that are at minimum 10 degrees elevation above the horizon.

The specifics of the hardware (antennas, GNSS receiver) or the processing software are neither public, nor general knowledge in the organization. The location of the PNT system’s components is monitored by security cameras. There is a UPS providing backup power in case of an outage. Authorized personnel may restart the system (for instance reboot the GNSS receiver) in case it is needed.

There is a small group of engineers (with GNSS background) responsible for maintenance, and they regularly check for software/firmware updates on the GNSS receiver’s manufacturer’s website (who continues to provide support for the device).

The system outputs timing information based primarily on GNSS signals, which is cross-checked with a timing-server through the internet, and a local redundant timing source (clock).