GNSS-Time-Denied Critical Infrastructure
by Nick Clark | Published April 25, 2026
The U.S. bulk power system, the wholesale financial settlement layer, and the synchronous mobile network all silently treat the Global Positioning System as a load-bearing time source. Executive Order 13905 named that dependency a national vulnerability in 2020; NIST IR 8323 codified the profile; FERC and NERC PRC-005 imposed maintenance obligations on the timing receivers themselves. None of those instruments removed the dependency. The mesh-time primitive does, by reframing time as a credentialed consensus over locally observed phenomena rather than a single broadcast that adversaries can jam, spoof, or simply outwait.
What This Application Specifies
A mesh-time deployment under this primitive treats every credentialed unit on the operating network as a contributor to a consensus clock. Phasor measurement units in a transmission substation, the OCXO-disciplined timing card in a colocation data center, the eNodeB or gNodeB at a cell site, the precision time protocol grandmaster in a control house: each of them already maintains an internal frequency reference and each of them already observes an external reference (GPS, eLORAN, a fiber-delivered PTP path, an upstream NTP stratum). Mesh-time treats those references as observations rather than authorities. Each observation is signed, scoped to the unit's role, and entered into a multi-attester consensus that produces an operating time independent of any one source surviving.
Per-agent learned drift models compose with the consensus. A timing card with three years of holdover history under known thermal cycles contributes a tighter posterior than a freshly provisioned unit; the consensus weighs each attester by demonstrated performance rather than by nominal stratum. When GNSS is present and unjammed it remains the dominant input. When GNSS is denied the consensus continues against the remaining observations, and the architecture surfaces the degraded-confidence interval to operators and to downstream systems that need to know whether the timestamp they just consumed is good to a microsecond, a millisecond, or only to a second.
Anti-spoofing also composes naturally with the credentialed observation model. A spoofed GNSS signal, whether produced by a meaconing rebroadcast, a generated pseudorange replay, or a coherent simulator, presents to the receiver as a valid signal that is inconsistent with the rest of the mesh. The consensus is not asked to authenticate the satellite signal; it is asked to weigh the receiver's reported time against the other attesters' reported times, and a spoofed receiver is detectable as a peer that has suddenly diverged from the credentialed ensemble. That treatment composes with whatever signal-level anti-spoofing the receiver itself implements (military-code GPS, Galileo OSNMA, the chip-scale atomic clock disciplining that some dual-mode receivers now ship with), so the architectural defense and the receiver-level defense reinforce each other rather than duplicating each other.
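One way the weighting and divergence check described above could work, as an added example that is not code from this article or from any mesh-time implementation. The page does not specify the estimator, so the median gate, the inverse-variance weights, the attester names and all sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Observation:
    attester: str     # credentialed unit id (constructed)
    offset_us: float  # reported time minus local reference, microseconds
    sigma_us: float   # 1-sigma from the unit's learned drift model (assumed given)

def naive_mean(obs):
    """Inverse-variance mean with no gating: what 'silently averaged in' looks like."""
    w = [1.0 / o.sigma_us ** 2 for o in obs]
    return sum(wi * o.offset_us for wi, o in zip(w, obs)) / sum(w)

def consensus(obs, gate=5.0):
    """Return (offset_us, half_width_us, rejected_ids) for one consensus round."""
    center = median(o.offset_us for o in obs)
    spread = median(o.sigma_us for o in obs)
    admitted, rejected = [], []
    for o in obs:
        # Tolerance combines the unit's own model with the ensemble's typical noise.
        limit = gate * math.hypot(o.sigma_us, spread)
        (admitted if abs(o.offset_us - center) <= limit else rejected).append(o)
    if len(admitted) < 2:
        raise ValueError("too few consistent attesters for a consensus")
    total = sum(1.0 / o.sigma_us ** 2 for o in admitted)
    half_width = 2.0 / math.sqrt(total)  # ~95% interval if errors are independent
    return naive_mean(admitted), half_width, [o.attester for o in rejected]

# Constructed sample rounds (not measurements from any real deployment).
HOLDOVER = [
    Observation("ocxo-card", 0.3, 0.4),
    Observation("ptp-boundary", -0.1, 0.2),
    Observation("cell-site", 0.9, 1.5),
]
NOMINAL = [Observation("pmu-gnss", 0.02, 0.05)] + HOLDOVER
SPOOFED = [Observation("pmu-gnss", 35.0, 0.05)] + HOLDOVER  # receiver dragged 35 us

if __name__ == "__main__":
    for name, rnd in (("nominal", NOMINAL), ("spoofed", SPOOFED)):
        est, hw, rejected = consensus(rnd)
        print(f"{name}: {est:+.3f} us +/- {hw:.3f} us, rejected={rejected}, "
              f"ungated mean={naive_mean(rnd):+.3f} us")
```

The median gate only holds while fewer than half of the attesters diverge together; the widened interval in the spoofed round is the degraded-confidence signal that downstream consumers would see.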
Cross-operator federation maps onto the realities of interconnected infrastructure. The Eastern Interconnection's grid time, the DTCC's settlement time, a tier-one carrier's network time, and the FirstNet emergency-services time do not need to collapse into a single broadcast to be coherent. They federate through declared cross-operator agreements that specify which attesters from which operator are admitted into which consensus, under which authority, and with what evidentiary weight. Cross-infrastructure events, the kind that PRC-002 and CIP-008 demand reconstructable evidence for, gain coherent timing without forcing any operator to surrender its authority over its own clock.
Why It Matters Operationally
The GPS-as-utility assumption is now an explicit risk in U.S. federal doctrine. EO 13905 (Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services) directed sector risk management agencies to treat PNT services as untrusted by default and to specify profiles for responsible use. NIST IR 8323 (Foundational PNT Profile) followed, organizing the response around the Cybersecurity Framework functions: identify the systems that depend on PNT, protect them from disruption, detect anomalies in the signal, respond when degradation occurs, and recover to a known-good time. The profile is explicit that detection and response require alternative observations, not faith in the receiver.
FERC-approved NERC standard PRC-005 (Protection System Maintenance) already requires registered entities to maintain the timing components of protective relays, including the GPS receivers that synchronize phasor measurements and sequence-of-events recorders. PRC-002 demands that disturbance monitoring data be timestamped to one millisecond at the bulk-electric-system level. Telecommunications carriers operate under FCC, 3GPP, and ITU-T G.8275 timing requirements that increasingly assume sub-microsecond accuracy at the radio access network. None of these regimes contemplates a graceful failure mode when the satellite signal is denied. They contemplate compliance with the receiver maintained.
The threat profile has moved past contemplation. Maritime spoofing incidents in the Black Sea and the Persian Gulf, the 2022 Newark Liberty terminal interference traced to a delivery vehicle, the documented Ukrainian electronic-warfare environment, and persistent regional jamming over the eastern Mediterranean make GNSS denial an operational reality rather than a wargame premise. A grid synchronization event, a settlement-window timestamp, or an LTE handover that depends on a denied signal does not gracefully degrade today; it cascades. Mesh-derived time turns that cascade into a degraded mode. Consensus continues against on-mesh observations, absolute-frame binding accumulates as alternative time observations become available (eLORAN, network-delivered PTP, atomic clock holdover, cross-operator federation), and the operator sees a confidence interval rather than a silent error.
How It Composes With the Domain
Each unit on a mesh-time deployment contributes credentialed time observations under the same identity primitives that govern the rest of the operating network. The credential binds the observation to the role of the issuing unit (a Class 1 PMU at a 500 kV bus contributes differently than a stratum-3 NTP server in a corporate building), to the authority of the operator that declared the unit's place in the topology, and to the evidentiary chain that supports later audit. Anti-spoofed observation rejection runs against the credentialed inputs: a unit that suddenly reports a time inconsistent with its declared drift model, with its peers, and with its prior history is structurally weighted out of the consensus rather than silently averaged in.
Multi-attester consensus timestamping produces evidentiary-grade timestamps that satisfy the reconstructability requirements of PRC-002, the audit obligations of CIP-008 and CIP-009, and the analogous obligations in financial settlement (CAT, MiFID II clock synchronization at sub-millisecond precision) and telecommunications (G.8273.2 boundary-clock performance). The timestamp is not a single value asserted by a single receiver; it is a value, an interval, an attester set, and a signed record of the inputs that produced it. Incident review, regulatory examination, and counterparty dispute all operate against the same record.
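A sketch of the four-part timestamp record described above and of the audit check run against it, added here as an example and not taken from this article or any mesh-time implementation. The field names, attester ids, roles and keys are constructed, and HMAC-SHA256 stands in for whatever credential signature a deployment would actually use.

```python
import hashlib
import hmac
import json

# Constructed credential store: attester id -> (declared role, key).
# HMAC-SHA256 stands in for the deployment's real credential signatures.
CREDENTIALS = {
    "pmu-bus500": ("class1-pmu", b"constructed-key-1"),
    "ptp-bc-07": ("boundary-clock", b"constructed-key-2"),
}

def canon(obj):
    """Canonical JSON bytes so signer and auditor hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_observation(attester, offset_us, sigma_us):
    role, key = CREDENTIALS[attester]
    body = {"attester": attester, "role": role,
            "offset_us": offset_us, "sigma_us": sigma_us}
    return {**body, "mac": hmac.new(key, canon(body), hashlib.sha256).hexdigest()}

def verify_observation(obs):
    cred = CREDENTIALS.get(obs.get("attester"))
    if cred is None or obs.get("role") != cred[0]:
        return False  # unknown unit, or role differs from the declared one
    body = {k: v for k, v in obs.items() if k != "mac"}
    expected = hmac.new(cred[1], canon(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(obs.get("mac", "")))

def build_record(value_us, half_width_us, inputs):
    """Value, interval, attester set and the signed inputs, bound by a digest."""
    record = {"value_us": value_us,
              "interval_us": [value_us - half_width_us, value_us + half_width_us],
              "attesters": sorted(o["attester"] for o in inputs),
              "inputs": inputs}
    return {**record, "digest": hashlib.sha256(canon(record)).hexdigest()}

def audit_record(record):
    """Re-check the digest, the attester set, and every input's signature."""
    body = {k: v for k, v in record.items() if k != "digest"}
    if hashlib.sha256(canon(body)).hexdigest() != record.get("digest"):
        return False
    if sorted(o["attester"] for o in body["inputs"]) != body["attesters"]:
        return False
    return all(verify_observation(o) for o in body["inputs"])

INPUTS = [sign_observation("pmu-bus500", 0.02, 0.05),
          sign_observation("ptp-bc-07", -0.1, 0.2)]
RECORD = build_record(0.013, 0.097, INPUTS)
```

The record digest is unkeyed, so anyone able to rewrite the record can recompute it; the audit still fails on altered inputs because each one carries its own credential-bound signature.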
Cross-infrastructure operations admit through declared federation. A wholesale settlement that depends on a confirmed grid event, a 911 dispatch correlated against a power excursion, a financial-network outage analyzed against an upstream timing failure: each of these events crosses authority boundaries that no single broadcast can serve. Federation declares which operator's attesters are admitted into which consensus, with what evidentiary weight, under what regulatory regime. The architecture supports the multi-authority reality without forcing any party to subordinate its clock.
The drift modeling that the consensus weights against is itself an artifact of the operating environment. A timing card in a temperature-controlled control house in a transmission substation behaves differently from one mounted at a roadside cell site that swings forty degrees Celsius between July and January, and the per-agent learned model captures the difference. When GNSS denial occurs, the consensus is not falling back to a nominal holdover specification from the receiver's data sheet; it is falling back to the empirical distribution of the unit's deviations under conditions that match the present environment. That is what makes the degraded mode useful rather than nominal: the confidence interval reflects the actual unit, not the catalog. NIST IR 8323's detect function is satisfied because anomalies are scored against learned baselines; its respond and recover functions are satisfied because the architecture defines what graceful degradation and re-binding look like at the level of the substrate rather than as bespoke procedures each operator has to invent.
What This Enables
Critical infrastructure gains structurally supported timing resilience that an operator can declare to a regulator, prove to an auditor, and rely on during a denial event. The NIST IR 8323 functions of detect, respond, and recover gain a substrate: detection runs against credentialed peer observations rather than against the same receiver that is being spoofed; response is a graceful degradation rather than a silent error; recovery is a documented re-binding to absolute frame as alternative inputs return. EO 13905's responsible-use posture becomes a property of the architecture rather than a directive an operator must continually reinterpret.
Cascade events gain structural protection. The 2003 Northeast blackout, the 2015 and 2016 Ukrainian grid attacks, the May 2021 Colonial Pipeline incident, and the August 2023 UK air traffic control flight-plan event all share a common forensic problem: time across operator boundaries was not coherent, so reconstruction was slow and contested. Mesh-time produces a record that is coherent across the participating operators by construction. PRC-002 evidence, FINRA CAT submissions, FCC outage reports, and CISA incident submissions all benefit from the same substrate.
The architecture also supports infrastructure evolution. Sub-microsecond grid synchronization for inverter-dominated systems, real-time gross settlement at sub-millisecond precision, 5G ultra-reliable low-latency timing, and the emerging 6G synchronization requirements all admit through declared specification rather than through a forklift upgrade of the timing layer. eLORAN's return as a complementary PNT source, the deployment of optical clocks in regional reference networks, and the integration of network-delivered time over fiber all compose with the consensus rather than competing with it. The receiver stops being a single point of failure; it becomes one credentialed contributor among many.
Operationally, the path to deployment does not require a fleet replacement. A bulk power operator can begin by enrolling the timing receivers it already maintains under PRC-005 as credentialed attesters, layering the consensus over the existing C37.118 phasor data flow without disrupting the protective relays that depend on it. A telecommunications carrier can begin by enrolling its G.8275.1 boundary clocks alongside its GNSS-disciplined grandmasters and treating the network-delivered PTP path as a peer observation rather than as a fallback. A financial-settlement operator can begin by enrolling the stratum-1 NTP servers it operates for MiFID II and Consolidated Audit Trail compliance and treating the multi-attester record as the authoritative timestamp for the regulatory submission. In each case the migration is incremental and the GNSS receiver continues to do useful work; the architectural change is that the receiver's output is no longer treated as an oracle. That single change removes the structural vulnerability that EO 13905 named without removing any of the operational value the receiver provides when it is working.