Space - Use of GNSS-based positioning for road Intelligent Transport System (ITS) - Specification of the test facilities, definition of test scenarios, description and validation of the procedures for field tests related to security performance of GNSS-based positioning terminals

This document covers the test procedures for assessing robustness to security attacks.
Starting from the definition of the security attack taxonomy and security metrics, this TR aims to:
1. Specify the test facilities to be used in the tests of GBPT. This comprises both hardware and software equipment.
2. Define relevant test scenarios applicable to security performance. The field tests needed for validation of the scenarios will also be described.
3. Define end-to-end test procedures comprising experimental validation of the whole test chain.
The results will contribute to the operational basis of EN16803-3 "Assessment of security performances of GNSS based positioning terminals".

Spezifikation der Testeinrichtungen, Definition von Testszenarien, Beschreibung und Validierung der Verfahren für Feldtests in Bezug auf die Sicherheitsleistung von GNSS-basierten Ortungsterminals

Espace - Utilisation de la localisation basée sur les GNSS pour les systèmes de transports routiers intelligents (ITS) - Spécification des installations d’essais, définition des scénarios d’essais, description et validation des procédures d'essais sur le terrain en matière de performances de sécurité des terminaux de positionnement basés sur les GNSS

Vesolje - Ugotavljanje položaja z uporabo sistema globalne satelitske navigacije (GNSS) pri inteligentnih transportnih sistemih (ITS) v cestnem prometu - Specifikacija preskusnih naprav, definicija preskusnih scenarijev, opis in ovrednotenje postopkov za terensko preskušanje varnosti terminalov GNSS za ugotavljanje položaja

General Information

Status: Published
Publication Date: 28-Apr-2020
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 29-Apr-2020
Due Date: 16-Jan-2021
Completion Date: 29-Apr-2020
Technical report
TP CEN/TR 17475:2020 - BARVE
English language
135 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-July-2020
This Slovenian standard is identical to: CEN/TR 17475:2020
ICS:
35.240.60 IT applications in transport
49.140 Space systems and operations
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

TECHNICAL REPORT
CEN/TR 17475
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
April 2020
ICS 33.060.30; 03.220.20; 35.240.60

English version
Space - Use of GNSS-based positioning for road Intelligent
Transport System (ITS) - Specification of the test facilities,
definition of test scenarios, description and validation of
the procedures for field tests related to security
performance of GNSS-based positioning terminals

This Technical Report was approved by CEN on 7 March 2020. It has been drawn up by the Technical Committee CEN/CLC/JTC 5.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/TR 17475:2020 E
Contents
European foreword
1 Scope
1.1 Purpose of the document
1.2 Overview of the document
2 Normative references
3 Terms and definitions
4 List of acronyms
5 GNSS Threats overview
5.1 General
5.2 Denial of service: jamming
5.3 Deception of service: spoofing and meaconing
6 Security metrics
6.1 General approach
6.1.1 Introduction
6.1.2 Notes on empirical CDF
6.1.3 ECDF with loss of samples
6.2 Considered metrics
6.2.1 General
6.2.2 Accuracy
6.2.3 Integrity
6.2.4 Availability and continuity
6.3 Other metrics
6.3.1 Time To First Fix (TTFF)
6.3.2 Excluded metrics
6.4 Robustness concept: a summary metric
7 Test approach
7.1 SDR concept
7.2 Interference hardware impact
7.2.1 General
7.2.2 Antenna-LNA
7.2.3 AGC
7.2.4 ADC
7.2.5 Digital post-correlation processing
7.3 Record and replay choice
7.4 Jamming testing architecture
7.5 Spoofing testing architecture
7.6 File size and scenario length
7.7 Hybridization issue
8 Test scenarios
8.1 Relevant realistic scenarios
8.1.1 Nominal scenarios
8.1.2 Clear sky scenario as a special case
8.1.3 Scenario VS Data set VS Datafile
8.1.4 Scenario-management authority
8.2 Interference scenarios selection
8.2.1 Jamming proposed scenarios
8.2.2 Spoofing proposed scenarios
8.2.3 Meaconing assessment
8.2.4 Meaconing proposed scenarios
9 Test facilities specification
9.1 Data set record testbed
9.1.1 General
9.1.2 Jamming data generation
9.1.3 Spoofing data recording
9.2 Replay testbed
9.2.1 RF transmitters calibration
9.2.2 Replay testbed schemes
10 End-to-end validation
10.1 Devices under test
10.2 Nominal scenario recording and validation
10.2.1 Nominal scenario recording
10.2.2 Analytical tools
10.2.3 Nominal scenario validation
10.3 Jamming test results
10.3.1 General
10.3.2 Jamming scenarios generation
10.3.3 Interferences on AsteRx3 HDC
10.3.4 Interferences on Ublox 8
10.4 Spoofing test results
10.4.1 Spoofing scenario recording
10.4.2 Spoofing on AsteRx-3 HDC
10.4.3 Spoofing on Ublox 8
Annex A (informative) AGC principles and impact
Annex B (informative) GNSS SDR Format standardization
Annex C (informative) Spoofing insights
C.1 General
C.2 Range error impact
C.3 Oscillator error impact
C.4 Propagation channel impact
Annex D (informative) Noise amplification
D.1 Theory of noise amplification
D.2 Experimental validation
Annex E (informative) Accuracy and continuity simulations
Bibliography

European foreword
This document (CEN/TR 17475:2020) has been prepared by Technical Committee CEN-CENELEC/TC 5
“Space”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
1 Scope
1.1 Purpose of the document
This document is the CEN Technical Report WP2-D2 of the GP-START project, regarding the test
procedures for assessment of robustness to security attacks.
Starting from the definition of security attacks taxonomy and security metrics highlighted in CEN/TR
17464, this task aims to:
1. Specify test facilities to be used in the field tests. This comprises both hardware and software
equipment.
2. Define relevant test scenarios applicable to security performances. Also, the field test needed for
validation of scenarios will be properly described.
3. Define end-to-end test procedures comprising experimental validation of the whole test chain.
The results will serve as the operational basis for field testing of robustness against security attacks.
1.2 Overview of the document
The outline of the document is as follows:
• Clause 5 provides a review of security metrics, in line with the other deliverables of the project and
in particular with CEN/TR 17465 and CEN/TR 17464.
• Clause 6 consolidates the test approach with respect to jamming and spoofing oriented scenarios.
• Clause 7 provides a definition of relevant test scenarios, applicable to security testing, starting from
outcomes of CEN/TR 17464.
• Clause 8 provides an in-depth discussion regarding test facilities, focusing on both data recording
and replay.
• Clause 9 concludes with a set of real-life tests, for a preliminary end-to-end validation of the
procedures.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 16803-1:2016, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) —
Part 1: Definitions and system engineering procedures for the establishment and assessment of
performances
ETSI TS 103 246-3, Satellite Earth stations and systems (SES) —GNSS-based location systems — Part 3:
Performance requirements
CEN/TR 17447, Space — Use of GNSS-based positioning for road Intelligent Transport System (ITS) —
Mathematical PVT error model
CEN/TR 17448, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) —
Metrics and Performance levels detailed definition
CEN/TR 17464, Space — Use of GNSS-based positioning for road Intelligent Transport System (ITS) —
Security attacks modelling and definition of performance features and metrics related to security
CEN/TR 17465, Space — Use of GNSS-based positioning for road Intelligent Transport Systems (ITS) —
Field tests definition for basic performances
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 16803-1:2016,
ETSI TS 103 246-3 and ISO/IEC 27001:2013 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• ISO Online browsing platform: available at http://www.iso.org/obp
• IEC Electropedia: available at http://www.electropedia.org/
3.1
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use
of an asset
3.2
authentification
provision of assurance that the location-related data associated with a location target has been derived
from real signals associated with the location target
3.3
availability
property of being accessible and usable upon demand by an authorized entity
3.4
continuity
likelihood that the navigation signal-in-space supports accuracy and integrity requirements for duration
of intended operation
Note 1 to entry: Continuity aids a user to start an operation during a given exposure period without an
interruption of this operation and assuming that the service was available at beginning of the operation. Related to
the Continuity concept, a Loss of Continuity occurs when the user is forced to abort an operation during a specified
time interval after it has begun (the system predicts service was available at start of operation).
3.5
continuity risk
probability of detected but unscheduled navigation interruption after initiation of an operation
3.6
data
collection of values assigned to base measures, derived measures and/or indicators
3.7
electromagnetic interference
any source of RF transmission that is within the frequency band used by a communication link, and that
degrades the performance of this link
Note 1 to entry: Jamming is a particular case of electromagnetic interference.
3.8
integrity
general performance feature referring to the trust a user can have in the delivered value of a given
Position or Velocity component
Note 1 to entry: In this document, this feature is expressed by 2 (two) quantities: the Protection level and the
associated Integrity risk.
3.9
integrity risk
for Positioning terminals providing a Protection level as integrity indicator, refers to the probability that
the actual error on a given Position or Velocity component exceeds the associated Protection level
provided with this quantity
3.10
jamming
deliberate transmission of interference to disrupt processing of wanted signals (which in this case are
GNSS or telecommunications signals)
3.11
level of risk
magnitude of a risk expressed in terms of the combination of consequences and their likelihood
3.12
likelihood
chance of something happening
3.13
localisation
process of determining the position or location of a location target
3.14
performance
measurable result, performance can relate either to quantitative or qualitative findings
3.15
performance class
for a given performance metric, designates a domain delimited by 2 (two) boundaries
3.16
performance feature
a given characteristic used to qualify and quantify the service provided by a system, for example
horizontal accuracy for a Positioning system
3.17
performance metric
precise definition of the means of measuring a given performance feature of a given output of a system
Note 1 to entry: An example of accuracy metric can be the median value of an error sample acquired during a
given test following a given protocol.
3.18
protection level
estimation of an upper bound for the error made on a Position or Velocity component (e.g. the plane
position) associated with a given probability called Integrity risk
Note 1 to entry: Like the actual error, this feature can be characterized by its distribution function. The protection level PL is an upper bound to the position error such that $P(\varepsilon > PL) < I_{risk}$, where $I_{risk}$ is the integrity risk and $\varepsilon$ is the actual position error.
3.19
Pseudo-Random Noise Code (PRN)
unique binary code (or sequence) transmitted by a GNSS satellite to allow a receiver to determine the
travel time of the radio signal from satellite to receiver
3.20
reference GNSS receiver
in this document, refers to a widely used and off-the-shelf high sensitivity GNSS receiver (offering a good
availability and a high sensitivity to the multipath and NLOS phenomena) whose production can be
guaranteed for a long period
3.21
reference trajectory
series of time-stamped positions (and possibly speeds) of a reference point on a mobile object
(test vehicle), produced by a Reference trajectory measurement system
3.22
Reference Trajectory Measurement System (RTMeS)
term used in this document for a measurement means capable of accuracy performances better than at
least one order of magnitude than those of the Positioning terminal being tested
3.23
requirement
need or expectation that is stated, generally implied or obligatory
3.24
robustness
the degree to which a system or component can function correctly in the presence of invalid inputs or
stressful environmental conditions
3.25
security
function of a location system that aims at ensuring that the location-related data is safeguarded against
unapproved disclosure or usage inside or outside the location system, and that it is also provided in a
secure and reliable manner that ensures it is neither lost nor corrupted
3.26
spoof/spoofing
transmission of signals intended to deceive location processing into reporting false location target data
3.27
threat
potential cause of an unwanted incident, which may result in harm to a system or organisation
3.28
time-to-alert
time from when an unsafe integrity condition occurs to when an alerting message reaches the user
3.29
trajectory
series of time-stamped positions (and possibly speeds) of a mobile object
3.30
vulnerability
weakness of an asset or control that can be exploited by one or more threats
4 List of acronyms
ADAS Advanced Driver Assistance Systems
ADC Analog to Digital Converter
AGC Automatic Gain Control
CDF Cumulative Distribution Function
CEN Comité Européen de Normalisation (European Committee for Standardization)
CENELEC Comité Européen de Normalisation Électrotechnique (European Committee for Electrotechnical Standardization)
COTS Commercial On The Shelves
DOS Denial Of Service
DUT Device Under Test
ECEF Earth Centred Earth Fixed
ETSI European Telecommunications Standards Institute
GBPT GNSS-Based Positioning Terminal
GDOP Geometrical Dilution Of Precision
GNSS Global Navigation Satellite Systems
HPL Horizontal Protection Level
IID Independent identically distributed
IMU Inertial Measurement Unit
ITS Intelligent Transport Systems
KOM Kick-Off Meeting
OCXO Oven-controlled crystal oscillator
PPK Post Processed Kinematic
PPS Pulse Per Second
PVT Position Velocity and Time
RAIM Receiver Autonomous Integrity Monitoring
RFCS Radio Frequency Constellation Simulator
RMS Root Mean Square
RTK Real Time Kinematic
SBAS Satellite Based Augmentation System
SDR Software Defined Radio
SIS Signal In Space
TCXO Temperature-controlled crystal oscillator
TTFF Time To First Fix
VPL Vertical Protection Level
VST Vector Signal Transceiver
5 GNSS Threats overview
5.1 General
In this clause, a description of the most relevant security scenarios is provided, based on what is described in CEN/TR 17464. The analysis focuses on intentional RF threat scenarios, since they represent a worst case with respect to unintentional interference. Furthermore, intentional attacks encompass a wide variety of cases that allow a more flexible, representative and controllable analysis.
The possible attacks on GNSS can be divided into 2 (two) macro areas:
• Denial of service (DoS):
  • jamming;
• Deception of Service:
  • spoofing;
  • meaconing.
Jamming threats are in general based on the transmission of an interfering signal on the GNSS bands. The disturbance impairs the receiver performance, preventing it from performing PVT operation. Jamming is not only intentional; it can also be generated by RF equipment employed in other applications. Such equipment may emit signals that interfere with the GNSS band, causing unintentional jamming. DVB harmonics (CEN/TR 17464) are examples of this kind of interference.
Deception of service attacks instead focus on making a receiver compute a false PVT solution (position, velocity and time). This effect is achieved through the transmission of false signals generated from a fake GNSS constellation or through the re-transmission of the received Signal in Space (SIS).
5.2 Denial of service: jamming
Jamming signals are disturbing signals purposely developed to prevent the correct operation of a receiver. In this context a number of different jammers exist. The current subclause provides a brief overview of the jamming taxonomy.
Different kinds of jammers are designed to attack and disrupt different stages of a GNSS receiver. In particular, jamming impacts the receiver front-end, that is the interface between the physical RF signal and the digital baseband domain.
In the literature, many works have analysed and compared commercially available jammers. Even if these jammers are low-cost jammers, it can be assumed that the basic principles also apply in the design of more complex and expensive ones. Recalling the results reported in Software-defined radio based roadside jammer detector: Architecture and results, Position, Location and Navigation Symposium (ref. Bibliography [1]), commercial jammers can be categorized as:
1. Continuous wave (CW) signal (Class I).
2. Chirp signal with 1 (one) saw-tooth function (Class II).
3. Chirp signal with multi saw-tooth functions (Class III).
4. Chirp jammer with frequency bursts (Class IV).
The chirp signal is essentially a pure tone whose carrier frequency follows a saw-tooth like behaviour,
sweeping from a minimum frequency to a maximum frequency in a linear fashion in a well-defined
period.
The bandwidth of chirp jammer signals varies in a range from 10 MHz to 30 MHz. If the chirp bandwidth exceeds the bandwidth of the front-end it appears within the receiver as a pulsed chirp signal with a duty cycle of $DT = \frac{B_{\text{front end}}}{B_{\text{chirp}}}$.
Chirp jammers, with pulsed capability, could represent all the major categories. Frequency Burst
(wideband component) can be modelled as wideband noise.
Chirp signals can be modelled (as normalized complex baseband equivalent) as:
$$y_i(t) = e^{\,j 2\pi \int_{-\infty}^{t} f(\tau)\, d\tau} \qquad (1)$$
Where $f(t)$ accounts for frequency modulation. The equation for the modulating signal is (basics of analog FM):
$$f(t) = f_c + \Delta_f \cdot K(t, f_m) \qquad (2)$$
The main parameters are hereinafter described:
• Central carrier $f_c$ sets the central operating frequency of the jammer [Hz];
• Sweep Band, i.e. span of the carrier during time, is set to $\Delta_f$ [Hz];
• Sweep Rate $f_m$, i.e. the frequency of repetition of the basic waveform (in frequency) [Hz/s];
• shape of the modulating signal can be ($K(\cdot)$):
  • SAWTOOTH (LINEAR CHIRP),
  • SQUARE (DUAL HOP),
  • SIN (CLASSICAL ANALOG FM).
Figure 1 reports a pictorial representation of a linear chirp, highlighting both time and frequency
features. The picture reports a time plot, where the change in frequency is clearly visible, the spectrum
plot, where the spectrum occupation is visible, and the spectrogram view, where time-frequency
dynamics are reported.
Figure 1 — Chirp signal (not to scale)
Several types of jamming signals that can be generated following an SDR approach are described in 9.1.2.
5.3 Deception of service: spoofing and meaconing
For deception of service, a further subdivision on top of spoofing and meaconing can be
applied. Figure 2 shows the taxonomy of deception of service attacks.

Figure 2 — Deception of Service taxonomy
Several types of attacks on GNSS can be grouped under the spoofing label, aimed at impacting different aspects of the GNSS system such as data or signals:
• Channel spoofing: this type of attack changes the dynamics of a GNSS channel, introducing a Doppler or pseudo-range offset with respect to the authentic signal; this type of attack hardly impairs the PVT computation because the use of RAIM (Receiver Autonomous Integrity Monitoring) can easily exclude the channel under attack. However, a continuous sweeping of the relative spoofing code phase could be introduced, leading to a denial of service on a specific channel while limiting the probability of detection compared to a standard jamming attack. Additionally, a channel spoofing attack on many GNSS channels can force the receiver to bad PVT solutions, since it cannot distinguish authentic from non-authentic signals.
• Trajectory spoofing: this type of attack is a generalization of channel spoofing, but aimed at the falsification of the whole constellation. Specifically, the attacker generates the overall constellation corresponding to the fake position and transmits the spoofing signal to the receiver. In summary, this attack coherently coordinates several channels, so that they lead to the computation of a false PVT solution.
• Data level spoofing: the attacker does not modify the authentic signal dynamics, but changes the navigation data transmitted, in order to impair the PVT solution. This kind of attack can be very effective with SBAS signals.
Spoofing attacks are not straightforward to carry out, because the attacker shall be able to estimate the user receiver position to compensate for the attacker-attacked dynamics. Consequently, the attacker shall generate the signals with the correct dynamics. Moreover, the attacks, depending on the capability of the attacker to align with the signal phase and delay at the receiver, can be synchronous or asynchronous. Synchronous attacks are very difficult to perform in a realistic scenario, because the attacker shall be able to estimate the correct carrier phase and delay for each GNSS channel at the receiver side and generate the signal accordingly. Figure 3 shows an example of a spoofing ACF getting the lock from the authentic signal, in both the synchronous and the asynchronous case. Specifically, the spoofer ACF shall slowly transit over the authentic one and get the receiver lock, transmitting with slightly higher power.

Figure 3 — Synchronous (top) and asynchronous (bottom) spoofing attacks
In the described scenario a good alignment between the authentic signal and spoofing is essential for the
success of the attack. Mainly three phases can be identified during a spoofing attack:
• Trusted Phase: no spoofing signal is transmitted over the authentic one; this phase is purely theoretical, because it is not verifiable in a real environment, only in controlled scenarios such as constellation simulators;
• Attack phase: the spoofing ACF overlaps the reference one; its amplitude should be comparable with the authentic one in order to avoid unexpected power changes;
• Spoofed phase: the last phase of the attack, which can be considered as starting from the moment when the spoofing ACF is outside the correlation window of the authentic one, with a delay higher than one chip. The receiver can then assume three states:
  • Spoofed: the attack is successful and the receiver is tracking the spoofing signal;
  • Normal operation: the attack was not effective and the receiver keeps tracking the authentic signal;
  • Loss of Lock: the attack was not effective, but it disturbed the tracking operation, therefore the receiver loses the lock on the authentic signal; the spoofer acts as a jammer.
Figure 4 shows a general scheme of the three phases of the spoofing attack.

Figure 4 — Phase of spoofing attack
A much more straightforward approach is combining jamming and spoofing. Specifically, the attacker transmits a jamming signal with significant power to force the receiver to a loss of lock. Afterwards, it generates the false signal with slightly higher power with respect to the authentic GNSS signal.
This attacking approach is very straightforward and works well for basic receivers. However, it is really easy to detect, because the spoofing procedure starts right after a receiver loss of lock. Typically, the focus of an attacker is spoofing the GPS system, because it usually has the highest priority in the GNSS receiving system. The complexity of acting also on the Galileo system lies within the spoofer implementation, specifically more lines of code that simulate the Galileo system as well. Concerning GLONASS instead, many commercial simulators that generate the Russian system are available, therefore it could be spoofed as well, even though it requires additional bandwidth, and so higher quality radio peripherals. However, since it is transmitted over a different centre frequency, the attacker's approach could be jamming it and spoofing the GPS and Galileo systems, in order not to raise inconsistencies within the spoofed receiver.
Meaconing (Masking Beacon) identifies the repetition of a received GNSS signal in real-time or in post-processing. The attacker receives the GNSS signal and retransmits the whole batch to the receiver. If the receiver locks on the delayed signal, it experiences degradation of the time solution, because all the GNSS signals arrive with a delay with respect to the reference. Moreover, since the attacker's position is different from that of the receiver, the position procedure is also impaired. 2 (two) types of meaconing attacks can be identified:
• Real-time Meaconing: it foresees the retransmission of the received GNSS signal in real-time, with a slight delay with respect to the real signal. The delay can be roughly estimated in a range below 1 ms;
• Record and Replay Meaconing: it foresees the recording of a GNSS batch and its retransmission after some time: in this case the delay is in principle arbitrary (from seconds to days).
This type of attack, especially real-time meaconing, is potentially able to overcome the Spreading Code Encryption (SCE) protection, because the attacker repeats all the SIS, including the encrypted signals. The attacker could start to replay the signal with low delay, in order to make the receiver lock on the fake signal, and afterwards try to delay it more and more, in order to have a considerable impact on the clock bias and therefore on the time estimation.
6 Security metrics
6.1 General approach
6.1.1 Introduction
Security metrics are necessary to assess the robustness of the receiver against jamming and spoofing
threats. The behaviour of the DUT under intentional and non-intentional interference shall be evaluated
in a quantitative manner, to state whether the receiver fulfils the standards for jamming/spoofing
resilience. The general approach is to analyse the degradation of the metrics taken into account in the
basic performance case, well described in CEN/TR 17448 and CEN/TR 17465.
Jamming attacks are brute force attacks intended for Denial of Service (DoS), be it a loss of accuracy below a certain threshold or a complete loss of lock and, consequently, loss of PVT estimation. This kind of attack can therefore impair accuracy and, if strong enough, disrupt availability and continuity. A typical jammer applies little or no concealment countermeasure to avoid detection by the receiver. The transmission of high power signals is likely to cause disruption of service, and it is necessary to assess how the receiver reacts to these threats.
Instead, spoofing attacks target mainly the accuracy and integrity of the service. In fact, the deception of
service threat pursues the non-detection objective, therefore the continuity and availability of the
GNSS service is in principle not impaired if the attack is carried out properly.
In summary, jamming and spoofing attacks impact the accuracy, availability, integrity and continuity of
the GNSS service. These attacks can also impact Time to First Fix.
The degradation analysis is based on comparison of statistical estimates under attack with respect to the
ones estimated in basic scenarios.
The most meaningful information required for the degradation analysis is:
• reference trajectory for the whole recording time;
• reference velocity for the whole recording time;
• performance assessment in the basic case.
As introduced above, the mathematical assessment for comparison of different statistical estimates is reported in CEN/TR 17447. One of the most used statistical estimators is the Empirical Cumulative Density Function (ECDF). 6.1.2 and 6.1.3 provide some insights on the correct calculation of the ECDF, especially when considerable losses of data are experienced, as during jamming/spoofing attacks.
6.1.2 Notes on empirical CDF
One of the most widely used statistical estimators for assessing performance, as per EN 16803-1:2016, is the empirical Cumulative Density Function (ECDF).
In this paragraph, some important theoretical derivations are reported, together with an assessment of the minimum number of samples needed to estimate the CDF with a given error bound. This assessment could help in choosing the minimum number of samples to be collected in a given scenario, and hence provide guidelines on the minimum length of each test scenario.
Suppose we have $X_1, \ldots, X_N \sim F$ independent identically distributed (IID) samples, where $F(x) = P[X_i \le x]$ is the distribution function. The Empirical Cumulative Density Function (ECDF) is calculated as follows:
$$\hat{F}(x) = \frac{1}{N} \cdot \sum_{i=1}^{N} I(X_i \le x) \qquad (3)$$
Where $I(\cdot)$ is the indicator function, i.e. $I(X_i \le x) = 1$ with probability $P(X_i \le x) = F(x)$ and $I(X_i \le x) = 0$ with probability $P(X_i > x) = 1 - F(x)$. This implies that $I(X_i \le x)$ is a Bernoulli random variable with "success" probability $F(x)$. Provided that the $X_i$ are independent, $Y_N = \sum_{i=1}^{N} I(X_i \le x) \sim \mathrm{Bin}(N, F(x))$ and hence the ECDF is distributed as:
$$\hat{F}(x) \sim \frac{1}{N}\,\mathrm{Bin}(N, F(x)) \qquad (4)$$
$$E\left[\hat{F}(x)\right] = F(x), \qquad \mathrm{Var}\left[\hat{F}(x)\right] = \frac{1}{N}\,F(x) \cdot (1 - F(x)) \qquad (5)$$
Using the normal approximation of the Binomial, i.e. $\mathrm{Bin}(N, p) \to \mathcal{N}(Np, Np(1 - p))$, that is valid in case N is large (with CDF estimation, N > 100 typically):
$$\hat{F}(x) \sim \mathcal{N}\left(F(x), \frac{1}{N}\,F(x) \cdot (1 - F(x))\right) \qquad (6)$$
The plot of Figure 5 reports a simulation, with empirical percentiles and approximated bounds (cyan and green) calculated using the normal approximation. The normal approximation could fail near 0 and 1, hence a saturation should be considered, since the following limits and bounds shall always hold:
$$0 \le \hat{F}(x) \le 1, \qquad \lim_{x \to +\infty} \hat{F}(x) = 1, \qquad \lim_{x \to -\infty} \hat{F}(x) = 0 \qquad (7)$$
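The ECDF estimator and the saturated normal-approximation bounds described above, worked through as an added example that is not part of the technical report. The Rayleigh-distributed horizontal error samples, the function names and the 95 % confidence level are assumptions chosen for illustration, and the variance F(x)(1 − F(x))/N follows from the ECDF being a Binomial count divided by N.

```python
import math
import random
from statistics import NormalDist


def ecdf(samples, x):
    """ECDF at x: the fraction of samples that do not exceed x."""
    if not samples:
        raise ValueError("ECDF needs at least one sample")
    return sum(1 for s in samples if s <= x) / len(samples)


def normal_bounds(f_hat, n, confidence=0.95):
    """Two-sided bounds on F(x) from the normal approximation.

    The standard deviation sqrt(F(1-F)/N) is evaluated at the estimate f_hat
    (plug-in), and the result is saturated to [0, 1] because the
    approximation can overshoot near the tails.
    """
    z = NormalDist().inv_cdf(0.5 + confidence / 2.0)
    half = z * math.sqrt(f_hat * (1.0 - f_hat) / n)
    return max(0.0, f_hat - half), min(1.0, f_hat + half)


def min_samples(half_width, confidence=0.95, f=0.5):
    """Smallest N for which the bound half-width at CDF level f is at most
    half_width. f = 0.5 maximises F(1-F), so the default is the worst case."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2.0)
    return math.ceil(z * z * f * (1.0 - f) / half_width ** 2)


def rayleigh_errors(n, sigma, rng):
    """Constructed sample data: n IID Rayleigh(sigma) horizontal errors [m]."""
    return [sigma * math.sqrt(-2.0 * math.log(1.0 - rng.random()))
            for _ in range(n)]


def rayleigh_cdf(x, sigma):
    """True CDF of the constructed error model, used only as ground truth."""
    return 1.0 - math.exp(-x * x / (2.0 * sigma * sigma))


def coverage(x, n, sigma=2.0, trials=500, confidence=0.95, seed=1):
    """Fraction of simulated test runs whose bounds contain the true F(x)."""
    rng = random.Random(seed)
    truth = rayleigh_cdf(x, sigma)
    hits = 0
    for _ in range(trials):
        f_hat = ecdf(rayleigh_errors(n, sigma, rng), x)
        lo, hi = normal_bounds(f_hat, n, confidence)
        hits += lo <= truth <= hi
    return hits / trials


if __name__ == "__main__":
    sigma = 2.0
    median = sigma * math.sqrt(2.0 * math.log(2.0))   # F(median) = 0.5
    run = rayleigh_errors(200, sigma, random.Random(7))
    for x in (0.5, median, 6.0):
        f_hat = ecdf(run, x)
        lo, hi = normal_bounds(f_hat, len(run))
        print(f"x={x:5.2f} m  ECDF={f_hat:.3f}  bounds=[{lo:.3f}, {hi:.3f}]"
              f"  true F={rayleigh_cdf(x, sigma):.3f}")
    print("coverage at the median, N=200:", coverage(median, 200))
    print("N for +/-0.05 at 95 %:", min_samples(0.05))
    print("N for +/-0.01 at 95 %:", min_samples(0.01))
```

With a fixed PVT output rate, the sample count returned by `min_samples` translates directly into a minimum scenario duration.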
Another important theorem is the Dvoretzky-Kiefer-Wolfowitz inequality, that states, for any > 0 :
 −2N
ˆ
P sup
...
