AIRCRAFT
978-1-5090-5375-9/17/$31.00 2017 IEEE
3C3-1
The use of information available on a network relies on a secure network connection and timely flow of information. However, the influence of external elements may lead to tampered information that may cause incorrect information to reach the aircraft, leading to inefficient re-routing in case of extreme weather conditions or otherwise.

Prior work has investigated network security in future e-enabled aircraft [3-5] and cyber-physical security considerations due to the integration of aircraft systems with a network connection. The security considerations in aircraft data networks (ADNs) as well as challenges in digital content delivery have been outlined [4]. Security concerns that deal with future ad hoc networks related to aircraft were dealt with by identifying threats and vulnerabilities, specifying security requirements and mitigation solutions [5]. An adaptive security architecture for future aircraft communications involving networks [3], SecMan, has been developed; it uses an algorithm that helps segregate the data and checks for tampering. It also helps fix marginally tampered data.

Although prior work has addressed some of the issues under consideration here, it has not addressed networked cockpit cyber-security in a cohesive manner. The flow of information considered here is more than just data [4]. Future e-enabled aircraft will have firmware and software on the cloud. Safe accessibility of such firmware and software depends on the challenges faced by a security system on such a network. To understand the scope of these challenges, we need to characterize these threats and derive mitigation techniques for them.

This paper describes five major threats to an aircraft network, the implications of each threat, existing mitigation techniques for major security challenges and threats (Table 1) and modified mitigation techniques that can be used in a security system architecture for networked cockpits. We try to extend the mitigation techniques that have previously been outlined for each of the threats we describe to networked cockpits and the transfer of information between them. The final part of the paper discusses common challenges amongst the mitigation techniques and proposes possible solutions to combat them.
Main Implications

The reception of bad data by the aircraft can lead to various issues that can put the performance of the aircraft at risk and take time and/or financial support to resolve. Tampering modes can be split into five categories: spoofing, termination, sidetracking, alteration of internal data, and selective deception. Spoofing attacks transmit counterfeit data to mislead the recipient. Termination attacks are when the data flow is outright terminated; these are conspicuous and easier to detect. Sophisticated spoofing attacks attempt to sidetrack the receiver or the detection system. Selective deception refers to tampering nodes selectively to defraud the recipient. Insider tampering refers to a malicious action by a legitimate user, and it is also particularly challenging to deal with [6].

Existing Mitigation Tools

Error coding of data: [11] Error coding of data protects it from errors within limits specified by the code. Some random errors are introduced during transmission or due to the medium of transfer. A nested coding method can be used to help detect tampering of data in this case. The inner code helps in detecting errors, whereas the outer code corrects them. The outer code will correct errors up to a certain threshold (both an amplitude threshold and a frequency threshold), and if the intruder introduces errors that exceed said threshold, the inner code can easily detect them. Once detected, the data can be discarded/rejected, or can be run through a more rigorous algorithm to fix (if possible) the data entering the aircraft from the networked connection by comparing it with data from other sources. Nested coding can be used in more than two layers for greater reliability.

Distributed control scheme realized with mobile agents (such as those employed by CONFIDANT): These include encapsulation, validated transactions, interlocking, scrambling, redundancy, pulse-taking, distinct inception, and mandatory obsolescence [6].

The EVITA and INSIKA projects: The E-safety Vehicle Intrusion proTected Application project (EVITA) (http://www.evitaproject.org/): Car to car and car to infrastructure communication has potential to further decrease road fatalities, but this opens doors to vehicle intrusion threats which could threaten car safety functions. The objective of EVITA is to address such threats by preventing unauthorized manipulation of on-board systems. EVITA introduced three different security modules for protecting vehicles' on-board communications, giving the principle for the prevention of external car connection. INSIKA stands for Integrierte Sicherheitslösung für messwertverarbeitende Kassensysteme (Integrated Security Solution for reading processing POS systems). It is a system for protecting the digital records of cash transactions against manipulation by means of cryptography. It is an alternative to conventional fiscal memory systems.

Tamper resistant code encryption is something that is being explored to combat this problem. Different kinds of encryption can be used: bulk encryption, on-demand encryption and a combination of these techniques, and studies have been done to test their robustness. In 1996 Aucsmith [8] introduced a scheme to implement tamper resistant software. Through small, armored code segments, referred to as integrity verification kernels (IVKs), the integrity of the code is verified. These IVKs are protected through encryption and digital signatures such that it is hard to modify them. Furthermore, these IVKs can communicate with each other and across applications through an integrity verification protocol. Many papers in the field of tamper resistance base their techniques on one or more of Aucsmith's ideas.

Challenges for Existing Tools

Existing conventional tools to mitigate tampering risks do not take into consideration the unique challenges faced by aircraft data networks. The accuracy of data transmitted through these networks is a critical aspect as this data could affect major
decisions taken by the airplane. If data tampering is not detected, then the aircraft can make bad decisions based on incorrect data, which can put the performance of the aircraft at risk.

As mentioned in [9], security systems tend to affect the performance of the system by needing more bandwidth or increasing processing time/delay and reducing the throughput. In an ADN (Aircraft Data Network) a complex security mechanism may affect the performance of the aircraft, like its ability to make fast decisions. The quality of air traffic is affected by the satellite link and the security mechanism. Performance enhancement proxies (PEPs) improve TCP-based application performance, but do not work well in the presence of network layer encryption (which is one of the methods used to mitigate and prevent data tampering). This is because PEPs require transport layer information to work, and network layer encryption hides all the information from intermediate nodes.

Recommendations for Mitigation

Possible solutions could be that network encryption and IPsec based security can be used selectively, and whatever needs enhancement can skip encryption, establishing multiple IPsec associations. We could also use other encryption techniques like SSL/TLS [12].

Digital signatures: A digital signature accompanied with network layer encryption could also be a viable method of mitigation.

Data Delay

Security vulnerabilities of data links may lead to signal jamming and/or unavailability of the frequency necessary to communicate flight data. Data can be delayed due to other reasons like poor signal strength or connectivity issues, which slow down the number of packets sent per unit time. When data travels along unreliable communication channels in a large wireless network, communication delays and loss of information in the control loop can happen.

Main Implications

Missing data is easy to detect. If a system (ground or airborne) expects data at regular intervals, and does not receive data for a particular time step, it can be written down as data delay. This could lead to systems and protocols not working properly, leading to cancellations of flights and other issues. The transmission of data through the Internet follows a set of protocols and they do not function well when data is delayed. TCP delivers data in transmission order and any delay results in decreased throughput, reducing the transmission efficiency. If the latency exceeds the duration of communication, then no data will flow at all [10].

Existing Mitigation Tools

Delay tolerant networks: [10] DTNs enable communication where connectivity issues lead to delay of data. DTN research aims to provide a network architecture which can apply to cases with long delays and frequent network disruptions.

Kalman filtering: [11] Unscented Kalman filtering and the EKF can be tools to combat intermittent observations by estimating the missing values using the sensor data and the measurements given. Modeling the arrival of the observation as a random process, we can study the statistical convergence properties and show the existence of a critical value for the arrival rate of the observations.

Challenges for Existing Tools

Aircraft networks have special characteristics, and the primary objective of most delay tolerant networks is to keep a live connection between the two parties despite delay of data, and allocate the right data to the right time stamp. With an aircraft data network, apart from solving these two problems, there is also the challenge of proper functioning of aircraft systems despite data delay. Some aircraft systems may be dependent on data transmitted through the network for making important decisions like course direction and heading, and trajectory planning based on weather data or air traffic control maps they receive from the ground at regular intervals. A missing data set could lead to incorrect mapping or no mapping of an incremental element of a trajectory, which can put the performance of the aircraft at risk.

A Kalman filtering algorithm or anything similar can fix this problem temporarily by estimating the
position of the weather anomaly or the position of the other aircraft based on its previous heading and speed. A level of redundancy could also include another form of receiving data, through ground station communication (ATC) or pre-determined trajectories the flight has to follow irrespective of the change in data flow.

Telecommunications Network (ATN), will allow each civilian aircraft to engage in distributed air traffic control concepts/procedures and share data with ground systems as well as with each other. An adversary can also passively eavesdrop and/or record conversation and track the position of aircraft.
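The bridging just described for the Data Delay threat (estimate the other aircraft's position from its previous heading and speed while reports are delayed), written out as an added example in the spirit of the intermittent-observation Kalman filter of [11]; this is not code from the paper, and the 0.24 km/s track, the report noise values and the outage at t = 5..8 are constructed inputs.

```python
from typing import List, Optional, Tuple

# Constructed sample: along-track position (km) of another aircraft flying at a
# steady 0.24 km/s, reported once per second with small report noise; the reports
# at t = 5..8 never arrive (None) because of a link outage.
TRUE_SPEED = 0.24  # km/s, about 470 kt
_REPORT_NOISE = [0.02, -0.03, 0.01, 0.04, -0.02, 0.0, 0.0, 0.0, 0.0, 0.03, -0.01, 0.02]


def constructed_reports() -> List[Optional[float]]:
    reports = [t * TRUE_SPEED + _REPORT_NOISE[t] for t in range(12)]
    for t in (5, 6, 7, 8):
        reports[t] = None
    return reports


def kalman_track(reports: List[Optional[float]], dt: float = 1.0,
                 q: float = 1e-4, r: float = 0.05 ** 2) -> List[Tuple[float, float]]:
    """Constant-velocity Kalman filter; returns (position estimate, position variance) per step.

    State x = [position, velocity], F = [[1, dt], [0, 1]], H = [1, 0].
    q is the process-noise intensity (unmodelled acceleration), r the report variance.
    A missing report (None) is the "observation did not arrive" case: predict only, no update.
    """
    x = [0.0, 0.0]
    P = [[100.0, 0.0], [0.0, 100.0]]  # vague prior; the first reports pin it down
    track = []
    for z in reports:
        # Predict: x = F x, P = F P F^T + Q (always runs, report or not).
        x = [x[0] + dt * x[1], x[1]]
        p00 = P[0][0] + dt * (P[0][1] + P[1][0]) + dt * dt * P[1][1]
        p01 = P[0][1] + dt * P[1][1]
        p11 = P[1][1]
        P = [[p00 + q * dt ** 3 / 3, p01 + q * dt ** 2 / 2],
             [p01 + q * dt ** 2 / 2, p11 + q * dt]]
        # Update only when a report actually arrived.
        if z is not None:
            s = P[0][0] + r                 # innovation variance, H P H^T + R
            k = [P[0][0] / s, P[1][0] / s]  # Kalman gain K = P H^T / s
            innovation = z - x[0]
            x = [x[0] + k[0] * innovation, x[1] + k[1] * innovation]
            # P = (I - K H) P
            P = [[P[0][0] - k[0] * P[0][0], P[0][1] - k[0] * P[0][1]],
                 [P[1][0] - k[1] * P[0][0], P[1][1] - k[1] * P[0][1]]]
        # During an outage the estimate coasts on the last velocity and the
        # variance keeps growing, which is what bounds how long to trust it.
        track.append((x[0], P[0][0]))
    return track


def bridged_error(t: int) -> float:
    """Absolute error (km) of the coasted estimate at step t of the constructed outage."""
    return abs(kalman_track(constructed_reports())[t][0] - t * TRUE_SPEED)
```

The growing variance returned alongside each estimate is the quantity a checking module would compare against a threshold before letting a bridged value drive course or trajectory decisions.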
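The nested error-coding scheme listed under the data tampering mitigation tools above (an inner code that detects, an outer code that corrects up to a threshold, rejection when the threshold is exceeded), as an added example that is not code from the paper or from the cited work; it stands in a CRC-8 for the inner detecting code and Hamming(7,4) for the outer correcting code, so the threshold here is one flipped bit per 7-bit block rather than the amplitude and frequency thresholds the text mentions.

```python
from typing import List, Optional

CRC8_POLY = 0x07  # CRC-8 polynomial x^8 + x^2 + x + 1 (inner detection code)


def crc8(data: bytes) -> int:
    """Inner layer: an 8-bit CRC over the payload, used only to DETECT errors."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def _to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def hamming_encode(d: List[int]) -> List[int]:
    """Outer layer: Hamming(7,4); layout p1 p2 d1 p3 d2 d3 d4 (positions 1..7)."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming_decode(block: List[int]) -> List[int]:
    """Correct at most ONE flipped bit per block; two or more are silently mis-corrected."""
    b = list(block)
    s1 = b[0] ^ b[2] ^ b[4] ^ b[6]
    s2 = b[1] ^ b[2] ^ b[5] ^ b[6]
    s3 = b[3] ^ b[4] ^ b[5] ^ b[6]
    syndrome = s1 | (s2 << 1) | (s3 << 2)  # 1-based position of the bad bit, 0 if none
    if syndrome:
        b[syndrome - 1] ^= 1
    return [b[2], b[4], b[5], b[6]]


def encode_frame(payload: bytes) -> List[int]:
    """Inner code first (append the CRC), then the outer code over every 4-bit group."""
    bits = _to_bits(payload + bytes([crc8(payload)]))
    return [c for i in range(0, len(bits), 4) for c in hamming_encode(bits[i:i + 4])]


def decode_frame(coded: List[int]) -> Optional[bytes]:
    """Outer correction first, then the inner check; None means 'reject this frame'."""
    bits = [d for i in range(0, len(coded), 7) for d in hamming_decode(coded[i:i + 7])]
    inner = _to_bytes(bits)
    payload, tag = inner[:-1], inner[-1]
    return payload if crc8(payload) == tag else None


def flip_bits(coded: List[int], positions: List[int]) -> List[int]:
    """Model an intruder (or the channel) flipping the given bit positions on the link."""
    out = list(coded)
    for p in positions:
        out[p] ^= 1
    return out
```

A frame that comes back as None is the point at which the text would discard the data or fall back to comparing it with data from other sources.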
Existing Mitigation Tools

Cryptographic encryption can help mitigate privacy risks by controlling access to sensitive or private data in the ATN. Protect both address ways. Also the NBAA (National Business Aviation Association) came up with an algorithm called BARR (Block Aircraft Registration Request) which prevents the public from accessing a private aircraft's flight tracking data etc.

Challenges for Existing Tools

Working with cryptographic encryption is hard, because ADS-B traffic beacons and IP network physical layer transmissions must remain openly accessible. Cryptography and encryption are still widely used only by military aircraft operations. Encrypting civilian or non-military aviation is considered counter-productive, because ADS-B normally assumes open availability of information in the air traffic management system [14]. Also, complicated encryption may take some time to decrypt, which may cause delay of time sensitive data, which may lead to delayed decision making. Using pseudonyms might also prove counter-productive, as trusting an anonymous pseudonym with aircraft information is not ideal.

Recommendation for Mitigation

Encrypt messages and share an encryption key with the ATC and use this key to encrypt emitted ADS-B messages. Data privacy by using different encryption keys is outlined in [15].

utility of data should be mostly preserved through the transformation.

Network Attacks/Malware

If the intruder with access to the Aircraft Data Network succeeds in tampering the data and uploading undetected malicious software on to the network, a lot more undetectable damage can be done to the systems of the aircraft. Malware or malicious software is software created by an attacker/intruder to compromise the security of data in the network/system. Different types of malware (Figure 3) include:

Figure 3. Different Types of Malware [17]

Worms: Malware that propagates itself from one infected host to other hosts via exploits in the OS interfaces, typically the system-call interface.

Viruses: Malware that attaches itself to running programs and spreads itself through users' interactions with various systems.
used to mask the activity of other malicious software [18].

preventing any kind of new connections from being established.
Main Implications

Denial of service can create various other problems during data transfer. It can lead to data delay, or interruption of data. Sometimes, data waiting on an open gate can be overwritten, which can lead to deletion of data. This can be detrimental to an aircraft relying on ADNs and other such networks for time sensitive information.

Challenges for Existing Tools

It's hard to trace the attack back to the perpetrator. Also, the implementation of algorithms (used for normal internet connections and such) for ADNs can be hard and challenging. Taking into account the existing safety algorithms, building and implementing or nesting algorithms for a specific problem (like connection flooding) can be time consuming. This algorithm will also have to be updated constantly as attackers/adversaries constantly keep coming up with new code and new algorithms to block effective and timely transmission of correct data.

Recommendation for Mitigation

System configuration improvements could be easy to implement, without any special hardware requirements. Using built-in algorithms as well as encrypting messages with proper ICAO codes and requirements could be a basic fix to this problem. Configuring external and internal interfaces to block packets that have different source addresses so the host's resources aren't exhausted can be a solution. Improving memory and computation requirements to install firewalls and implement algorithms like SYNKILL [24] can also be a solution. [24] discusses the pros and cons of SYNKILL and it can be modified to fit our requirements.

Discussion

Based on the threat taxonomy described above, important characteristics of a security system architecture for such a network can be described. The security system can be designed in a loop with a checking module, followed by a mitigation module. The checking component runs through a series of encryption and firewall steps to check if the data has been tampered with. If the result comes back negative, the data is allowed to go through to the aircraft's control systems; otherwise it goes through the mitigation module, where it is segregated and the threat is identified. The mitigation module makes important decisions as to whether the data should be discarded or fixed and sent to the control systems (with the algorithms present in the module).

The mitigation module is designed with knowledge of previous solutions. The challenge lies in finding existing solutions that can be expanded to include the constraints that come with networked aircraft cockpits. With networked aircraft, we are not only interested in transmission of data, but in the future we hope to run entire programs on the network and derive outputs from the same. To design such a vast and digital-heavy security architecture, we build upon algorithms that have already been implemented, like error coding of data, cryptographic encryption, or SYNKILL. There have been networks implemented specifically to deal with particular aspects of security, like delay tolerant networks, and projects that work with land vehicles to mitigate data tampering (the EVITA and INSIKA projects). Our objective is to outline the major attacks that can happen on a network and form a consolidated solution to help mitigate and prevent these attacks.

One common problem that emerged was the optimization of digital space. Most of the digital space available was to be used for uploading systems and data, and adding a security system architecture would result in slower throughput of data as well as overloading frequencies that transmit said information. Another pressing issue is the update rate of the systems implemented to mitigate the threats outlined in this paper. Even after a security system architecture is designed and implemented, it needs to be maintained and updated constantly, as new strains of viruses and malware are constantly engineered. The design of the security system should be such that the update rate of the system is optimal. A solution to that could be simpler algorithms that can be preloaded into the aircraft's control system and updated regularly by people who monitor the network connection. Uploading the security software to the cloud can also help decrease the load on the aircraft, thus increasing computation efficiency.

Conclusion

This paper established a taxonomy of the threats that face a networked aircraft cockpit. The threats were segregated based on type and their implications, and methods to counter them were outlined. The
drawbacks and constraints of the mitigation methods were also outlined. On the basis of these constraints, possible solutions for each challenge were described. Finally, based on this taxonomy, important characteristics of a security system architecture for such a network were described.

Recommendations for further work include better understanding and the improvement of the aforementioned security algorithms. This progresses towards building the ordered system architecture, and establishing ideal update rates for such code to run for extended periods of time. Implementing and testing such a system for security breaches in real time could further help improve the system. An ultimate goal would be to implement this on a networked aircraft and attack the network to test the utility and efficiency of such a security system in real time.

References

[1] N. Alexandrov, B. J. Holmes, and A. S. Hahn, "A Benefit Analysis of Infusing Wireless into Aircraft and Fleet Operations," Tech. Rep. NASA/TM2016-219360, December 2016.

[2] "NASA, FAA Demonstrate Wireless Communication with Aircraft," https://www.nasa.gov/press-release/nasa-faa-demonstrate-wireless-communication-with-aircraft, accessed March 15, 2017.

[3] M. S. Ben Mahmoud, N. Larrieu, A. Pirovano, and A. Varet, "An Adaptive Security Architecture for Future Aircraft Communications," AIAA/IEEE Digital Avionics Systems Conference - Proceedings, pp. 1-16, 2010.

[4] K. Sampigethaya, R. Poovendran, S. Shetty, T. Davis, and C. Royalty, "Future E-Enabled Aircraft Communications and Security: the Next 20 Years and Beyond," Proceedings of the IEEE, vol. 99, no. 11, pp. 2040-2055, 2011.

[5] K. Sampigethaya, L. Bushnell, and R. Poovendran, "Security of Future eEnabled Aircraft Ad hoc Networks," Aviation Technology, Integration, and Operations Conferences, pp. 1-10, 2008. [Online]. Available: http://www2.ee.washington.edu/research/nsl/papers/atio-08.pdf

[6] R. F. DeMara and A. J. Rocke, "Mitigation of Network Tampering Using Dynamic Dispatch of Mobile Agents," Computers and Security, vol. 23, no. 1, pp. 31-42, 2004.

[7] S. C. Kak, "How to Detect Tampering of Data," vol. 20, pp. 109-110, February 1985.

[8] J. Cappaert, B. Preneel, B. Anckaert, M. Madou, and K. De Bosschere, "Towards Tamper Resistant Code Encryption: Practice and Experience," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4991 LNCS, pp. 86-100, 2008.

[9] R. Pendse, N. Thanthry, and M. S. Ali, "Security, Internet Connectivity and Aircraft Data Networks," Electrical Engineering and Computer Science, vol. 21, no. 5, pp. 12-16, 2006.

[10] P. R. Pereira, A. Casaca, J. J. P. C. Rodrigues, V. N. G. J. Soares, J. Triay, and C. Cervelló-Pastor, "From Delay-Tolerant Networks to Vehicular Delay-Tolerant Networks," IEEE Communications Surveys and Tutorials, vol. 14, no. 4, pp. 1166-1182, 2012.

[11] B. Sinopoli, L. Schenato, M. Franceschetti, K. Poolla, M. I. Jordan, and S. S. Sastry, "Kalman Filtering with Intermittent Observations," IEEE Transactions on Automatic Control, vol. 49, no. 9, pp. 1453-1464, 2004.

[12] H. Gao, A. Jasti, and R. Pendse, "An intelligent network monitoring and management tool for aircraft data networks," Digital Avionics Systems ..., pp. 1-7, 2005. [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1563409

[13] http://searchnetworking.techtarget.com/tip/80211-Security-Attacks-and-risks, accessed March 15, 2017.

[14] K. Sampigethaya, R. Poovendran, and C. S. Taylor, "Privacy of General Aviation Aircraft in the NextGen," AIAA/IEEE Digital Avionics Systems Conference Proceedings, 2012.

[15] M. Shao, S. Zhu, W. Zhang, G. Cao, and Y. Yang, "PDCS: Security and Privacy Support for Data-Centric Sensor Networks," IEEE Transactions on Mobile Computing, vol. 8, no. 8, pp. 1023-1038, 2009.
[16] M. Hay, K. Liu, G. Miklau, J. Pei, and E. Terzi, "Privacy-Aware Data Management in Information Networks," International Conference on Management of Data (SIGMOD), pp. 1201-1204, 2011. [Online]. Available: http://portal.acm.org/citation.cfm?doid=1989323.1989453

[17] http://www.thepcworks.com/wp-content/uploads/2016/02/Malware.jpg, accessed March 15, 2017.

[18] J. Demme, M. Maycock, J. Schmitz, A. Tang, A. Waksman, S. Sethumadhavan, and S. Stolfo, "On the Feasibility of Online Malware Detection with Performance Counters," SIGARCH Comput. Archit. News, vol. 41, no. 3, pp. 559-570, 2013. [Online]. Available: http://doi.acm.org/10.1145/2508148.2485970

[19] S. Jana and V. Shmatikov, "Abusing File Processing in Malware Detectors for Fun and Profit," Proceedings IEEE Symposium on Security and Privacy, pp. 80-94, 2012.

[20] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, "Semantics-Aware Malware Detection," 2005 IEEE Symposium on Security and Privacy, Proceedings, pp. 32-46, 2005.

[21] Y. E. Sagduyu and A. Ephremides, "A Game-Theoretic Analysis of Denial of Service Attacks in Wireless Random Access," Wireless Networks, vol. 15, no. 5, pp. 651-666, 2009.

[22] Dake, "Hazmat2 (talk)," https://commons.wikimedia.org/w/index.php?curid=18126366, accessed March 15, 2017.

[23] https://commons.wikimedia.org/w/index.php?curid=810830, accessed March 15, 2017.

[24] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a Denial of Service Attack on TCP," Proceedings, 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097), pp. 208-223, 1997.

2017 Integrated Communications Navigation and Surveillance (ICNS) Conference, April 18-20, 2017