TL;DR
- ▸Every OTA ships with a u-blox LEA-F9T multi-band, multi-constellation GNSS receiver — L1/L2/L5 configurable, GPS+Galileo+GLONASS+BeiDou simultaneously. Incumbent single-band units have no coherent spoof-detection model.
- ▸Galileo OSNMA is implemented at two layers: the receiver firmware validates the Galileo signal chain, and TimeBeat's Trust Bridge validates the receiver's own authentication chain from outside the receiver via an independent NTRIP feed. An attacker would need to compromise both simultaneously.
- ▸For a three-unit Shelf, that means three independent multi-band receivers, three independent antennas, three independent OSNMA validation chains — plus the Trust Bridge cross-check running on every unit. The jamming or spoofing event that takes this topology out simultaneously is not a thing that exists in the field today.
Why single-band L1 is obsolete
Most incumbent timing hardware installed before 2020 uses single-band L1 GPS-only receivers. This was defensible when L1 was the only civilian signal at scale, when jamming hardware was exotic and expensive, and when spoofing was a theoretical attack requiring nation-state resources. None of those conditions hold any longer.
Drone-mounted GPS jammers cost less than a mid-range graphics card. Field-deployable spoofers have been demonstrated by multiple academic teams and are documented in commercial incident reports — most notably in maritime and aviation contexts, but increasingly in fixed-site financial and critical infrastructure environments. Ionospheric activity is increasing as the solar cycle peaks, producing scintillation events that degrade single-frequency receivers disproportionately. The combined effect is that a single-band L1-only receiver in 2026 is a load-bearing failure mode on a timing platform that should have been replaced years ago.
Multi-band, multi-constellation is the new floor for any grandmaster intended for critical timing. Multi-band gives the receiver an independent measurement of ionospheric delay, eliminating a major source of systematic error that single-frequency receivers can only approximate. Multi-constellation makes coherent spoofing exponentially harder — an attacker transmitting plausible GPS signals is not simultaneously transmitting plausible Galileo, GLONASS and BeiDou signals, so a receiver tracking all four can detect the inconsistency.
The practical floor
A modern timing-grade GNSS receiver should support, at minimum: L1 plus L2 (or L5) frequency bands; at least three of GPS, Galileo, GLONASS, BeiDou; continuous multi-constellation integrity monitoring; and signal authentication where available. Single-band L1-only is not the floor — it is the ceiling of 2010s-era hardware.
What the u-blox LEA-F9T gets you
Every Open Time Appliance ships with a u-blox LEA-F9T receiver — which means every unit on a three-unit Shelf has its own independent LEA-F9T, its own independent antenna cable, and its own independent signal chain. The LEA-F9T is a multi-band, multi-constellation timing receiver with 2.5 nanosecond differential and 5 nanosecond absolute accuracy to UTC, tracking sensitivity of −167 dBm, and a 24-second cold start across all constellations.
Frequency bands are configurable — L1 + L2 or L1 + L5 — so the receiver can compute dual-frequency ionospheric corrections rather than relying on a Klobuchar model. All four major constellations can be tracked simultaneously: GPS (L1CA, L2C, L5), Galileo (E1, E5a, E5b), GLONASS (L1, L2), BeiDou (B1, B1C, B2, B2a). Secondary constellations QZSS and NavIC are supported where the deployment site has geometry to see them, and SBAS correction channels are processed continuously.
Continuous multi-constellation integrity monitoring runs in the receiver firmware. Per-satellite signal flags — pseudorange used, carrier range used, Doppler used, health, authenticated — are computed per observation and streamed out alongside the fix. Cross-constellation cross-checks identify signals that are individually plausible but collectively inconsistent, which is the signature of a coherent spoof attempt against a single constellation.
OSNMA — layer one at the receiver
Galileo Open Service Navigation Message Authentication became operational in July 2023 and is the first and currently only operational GNSS authentication service at civilian scale. OSNMA authenticates the Galileo navigation messages cryptographically using the TESLA (Timed Efficient Stream Loss-tolerant Authentication) protocol, with keys published in the navigation message itself on a delayed schedule — so any receiver can verify that the signals it received in the last authentication window were genuinely transmitted by Galileo satellites.
The LEA-F9T implements OSNMA in receiver firmware. Status fields exposed to Sync Insight include NMA status, CPKS (Current Public Key Status), DSM (Data Sequence Message) authentication state, TESLA key authentication state, per-SV authentication results (including auth_status, IODE and sequence number), SV auth success and failure counts, and TIM (Time Interval Message) sync status. Every satellite signal the receiver is tracking produces an authenticated/unauthenticated flag on a per-observation basis, streamed to the observability layer as the GNSS telemetry for that unit.
In a jamming or spoofing event, OSNMA's contribution is the definitive answer to 'is this signal what it claims to be?'. A spoofer that can generate plausible-looking raw signals cannot reproduce the OSNMA authentication chain because it does not hold the signing keys. The receiver firmware will flag the signals as unauthenticated, Sync Insight will raise the alert, and the unit will de-weight the spoofed constellation from its timing solution automatically.
OSNMA — layer two at the platform (Trust Bridge)
Receiver-level OSNMA is strong but not unbreakable. A sufficiently capable adversary who has compromised the receiver firmware — either through a supply chain attack or through exploitation of a receiver vulnerability — can cause the receiver to report that signals are authenticated when they are not. The receiver's own attestation is, in security terms, self-signed from the perspective of the platform.
Trust Bridge adds an independent second layer. A separate OSNMA data feed is delivered to the TimeBeat Agent via an NTRIP proxy, independent of the receiver firmware. The agent cross-validates the receiver's own authentication chain against the independently-sourced OSNMA data. If the receiver claims a set of signals are authenticated but the independent feed disagrees, the agent raises the alert and de-weights the receiver's contribution to the fused clock — regardless of what the receiver reports locally.
The practical result is that an attacker would need to simultaneously compromise the local GNSS receiver firmware (to forge the local OSNMA chain) and the independent NTRIP feed (to forge the cross-check). The two systems are operated by different organisations, run different software stacks, and receive their OSNMA data over different physical paths. The compromise of both at the same time is not in the capability envelope of the kinds of adversary TimeBeat has deployed against in the field.
Why two layers matter
A single-layer OSNMA implementation protects the Galileo signal chain. A two-layer implementation — receiver plus Trust Bridge — protects against compromise of the receiver itself. The difference is the difference between 'we trust Galileo' and 'we trust Galileo, and we can verify our own receiver is also reporting the truth about what it received'.
Trusted time cross-validation — catching silent drift
OSNMA catches signal authentication failures. It does not catch GNSS degradation where the signals are genuine but the solution is silently wrong — a receiver that is experiencing ionospheric-induced measurement errors, a site with severe multipath that is producing a biased fix, or a pointing error on the antenna mount. For those scenarios, Sync Insight's Trusted Time cross-validation provides a third independent check.
The Timebeat Agent measures the delta between its actively-synchronised clock and a trusted external reference — typically a fibre-distributed White Rabbit feed, an independent PTP reference from a different upstream, or a separate node's Clock Ensemble output. The delta is measured in milliseconds or sub-second precision depending on reference quality, and the agent emits flags (delta_time_valid, trusted_time_valid) plus an identifier of the reference system being used.
The purpose is to catch drift that passes jamming and spoofing checks but still deviates from an independent reference. A GNSS receiver that is experiencing a slow bias buildup — temperature-driven oscillator aging, antenna cable degradation producing a consistent range offset — produces no OSNMA failures and no jamming alerts; it is reporting authenticated signals, and those signals are genuine. Trusted Time validation catches this by comparing the agent's clock against an independent reference, surfacing the discrepancy as observability telemetry before it becomes a compliance or operational issue.
GNSS position integrity — a different kind of cross-check
For fixed-site grandmaster deployments, position is a relevant cross-check. An OTA that has been commissioned and surveyed into a specific ECEF XYZ position should continue to report that position. A spoof attempt that is geometrically inconsistent with the commissioned survey will produce a NAV2 position report that drifts from the surveyed fix — and Sync Insight raises a drift alert the moment the configurable threshold is exceeded.
The drift alert threshold is configurable per deployment. For a fixed rooftop grandmaster, a threshold in the low metres surfaces any spoof attempt that significantly misrepresents the receiver's location. For a mobile or temporarily-deployed unit, the threshold is typically higher or disabled. The telemetry field (distance from surveyed position) streams continuously regardless, so a subsequent investigation can scroll back to the second the drift began.
This is not a primary defence — OSNMA and Trust Bridge are the primary defences against spoofing — but it is a no-cost cross-check that catches classes of attack where the spoofer is not geometrically plausible for the target site. It is also a useful operational diagnostic: a drifting position on an otherwise healthy receiver often indicates antenna cable corrosion, mount movement, or other physical issues on the site that would not surface in any other telemetry channel.
Three layers × three units = the Shelf's real anti-spoof claim
For a single-unit deployment, the three layers — OSNMA at the receiver, Trust Bridge independent OSNMA cross-check, Trusted Time cross-validation — are each a meaningful contribution. For a three-unit Shelf deployment, the same three layers run on each of the three units independently. That means three independent LEA-F9T receivers, each running their own OSNMA authentication; three independent Trust Bridge NTRIP feeds validating each receiver's chain; and three independent Clock Ensemble outputs that Trusted Time cross-validates against.
An adversary who wanted to silently spoof a Shelf deployment would need to simultaneously spoof three geometrically-separate antennas, compromise three independent receiver firmwares, forge three independent Trust Bridge NTRIP feeds, and produce a consistent spoof that the three independent Clock Ensemble fusions would not discriminate against. At each layer the compromise is independent — failing to compromise any one of the three units at any one layer means that unit's Sync Insight telemetry will flag the anomaly, PTP² Mesh will de-weight that unit's contribution, and downstream clients will be unaffected.
This is not a theoretical attack resistance argument. It is the topology that DORA Article 11's 'documented business continuity' standard maps to in practice: not single-layer defence against sophisticated attacks, but multiple independent layers across multiple independent units, each layer testable and each unit continuously monitored. The Shelf is a documented, testable, evidenced anti-spoof posture at the hardware layer — not a compliance story retrofitted onto a single-band single-antenna incumbent.
The bottom line for procurement
An incumbent single-band single-antenna single-receiver topology has no structural defence against GNSS spoofing and very little against coherent multi-constellation jamming. A three-unit Shelf with independent receivers, independent antennas, independent OSNMA chains and independent Trust Bridge cross-checks is a different category of defence — structural, documented, testable, and monitored.

