Optimizing cyber security and trusted computing on today’s connected military and commercial aircraft
BOURNEMOUTH, England – The number of data communication links and interactions between an aircraft and the ground systems supporting it is ever increasing. If not properly protected by trusted computing measures, every system, sensor, and module on the aircraft is a potential vulnerability that unauthorized users can exploit to obtain confidential or sensitive data or, worse, disrupt the safe operation of the aircraft.
Such threats are of paramount concern for all areas of aviation, including military aircraft and the increasingly top-of-mind unmanned aerial vehicle (UAV) market. Systems developers must safeguard the exchange of tactical information and the integrity of command and control links between ground stations and airborne platforms.
Designers also must incorporate additional cyber security features into avionics systems to minimize the number of different points at which an unauthorized user can input or extract data -- also known as the “attack surface.”
The electronic connectivity onboard commercial or military aircraft includes wireless data links for downloading flight recorders or uploading terrain databases and navigation databases. On commercial aircraft, it also includes the networks within the aircraft that support passenger in-flight entertainment and passenger satellite communications (SATCOM) connectivity that enables passengers to surf the Internet while in-flight.
Today, it’s not uncommon for aircraft pilots to use tablet computers in the cockpit. These tablets, known as electronic flight bags, connect through a Wi-Fi receiver integrated into an avionics interface device in the cockpit. This connects to various avionics databuses to transfer data from the avionics systems to the tablet, which the pilot then uses to run applications like calculating takeoff V-speeds and load sheets.
Connectivity means potential targets of opportunity for malicious actors. There may be a computer hacker flying as a passenger, who has the duration of the flight in which to attempt access to the in-flight entertainment system or, more seriously, to the avionics interface device. There also may be a disgruntled airline employee with a valid pass and access to the aircraft and its equipment, who can operate inside the wire with no questions asked. The challenge is how to protect avionics against these sorts of threats.
Protecting data-at-rest
Nearly every aircraft operating in controlled airspace today is equipped with a flight management system (FMS). This enables flight crews to fly pre-programmed routes from an onboard database containing important information such as airspace structures, ground-based navigational beacons, and airport information like runways and taxiways. The database also contains the flight trajectories for standard instrument departures (SIDs) and standard arrival routings (STARs), which the FMS can fly automatically after takeoff and during approach.
The FMS database typically updates every 28 days under the aeronautical information regulation and control (AIRAC) cycle. The database content is compiled from official state sources by service providers, but the ultimate responsibility for data integrity rests with the end user.
FMS database updates typically are uploaded by USB memory stick as a line-maintenance function, the USB content having been downloaded from a secure website or FTP server. This crucial FMS data is stored in non-volatile memory and, if compromised, could prevent an aircraft from operating or landing safely. However, using authentication and encryption techniques, it is possible to assure the end user that the data flow from the FMS service provider to the on-board aeronautical database has not been violated.
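As an added illustration (not code from the article or from any FMS vendor), the following Python sketches how a line-maintenance loader could authenticate a database package before committing it to non-volatile memory: the provider binds the database hash to its AIRAC cycle in a manifest and authenticates the manifest, and the loader checks authenticity, content integrity, and that the cycle is newer than the one installed (so a stale but validly signed package cannot be replayed). The pre-shared key, the manifest layout, and the four-digit cycle identifier are all assumptions made for this example; a real deployment would use a provider signing key pair rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed placeholder key shared by provider and operator (assumption for
# this example only; in practice keep it in an HSM or use a signing key pair).
OPERATOR_KEY = bytes.fromhex("11" * 32)


def _canonical(body: dict) -> bytes:
    """Serialize the manifest deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_package(db_bytes: bytes, airac_cycle: str, key: bytes = OPERATOR_KEY) -> dict:
    """Provider side: build a manifest that binds the database hash to its cycle."""
    body = {"cycle": airac_cycle, "sha256": hashlib.sha256(db_bytes).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_package(db_bytes: bytes, manifest: dict, installed_cycle: str,
                   key: bytes = OPERATOR_KEY) -> tuple:
    """Loader side: returns (accepted, reason). Only load when accepted is True."""
    tag = manifest.get("tag")
    if not isinstance(tag, str):
        return False, "manifest missing tag"
    body = {k: v for k, v in manifest.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if hashlib.sha256(db_bytes).hexdigest() != body.get("sha256"):
        return False, "database content does not match manifest"
    # Cycle identifiers are assumed to be zero-padded "YYNN" strings, so string
    # comparison orders them chronologically; reject replay of an older cycle.
    if str(body.get("cycle", "")) <= installed_cycle:
        return False, "cycle is not newer than installed cycle"
    return True, "ok"


if __name__ == "__main__":
    nav_db = b"NAVDB: EGHH RWY 08/26; VOR BIA 113.75; SID/STAR records..."  # constructed
    package = sign_package(nav_db, "2001")
    print(verify_package(nav_db, package, installed_cycle="1913"))
```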
Protecting data-in-motion
Protecting data in motion on the aircraft is equally important. For the networks, there are security layers that provide authentication. Two key examples of these security layers are the security protocol suites Internet Protocol Security (IPsec) and MAC Security standard (MACsec: IEEE 802.1AE). They can be built into the network layers to ensure that end-to-end communication cannot be disrupted or hacked or tapped into.
The MACsec standard strengthens network security by identifying unauthorized local area network (LAN) connections and excluding them from communication within the network. The protocol authenticates nodes through a secure exchange of randomly generated keys, ensuring data can be transmitted and received only by MACsec-configured nodes, and provides optional point-to-point, Layer 2 encryption between devices on a virtual or physical LAN.
IPsec provides similar protection for a wide area network (WAN). It works on IP packets at Layer 3 (as opposed to Ethernet frames at Layer 2, like MACsec). For an FMS, which traditionally requires data to be uploaded manually yet can now receive such uploads via wireless technology, such protocols are important for protecting the integrity of the data during transfer.
In addition to the connected aircraft itself, with the Next-Generation Air Transportation System (NextGen) in the US and Single European Sky ATM Research (SESAR) in Europe, advanced air traffic control systems are coming online quickly to enable denser air traffic with reduced tolerance for error.
Security and next-generation air traffic control
A surveillance technology that uses GPS satellite navigation data to determine an aircraft’s position, called Automatic Dependent Surveillance-Broadcast (ADS-B), will be mandated in many controlled airspace regions from 2020. ADS-B will send out automatic position report pulses, called extended squitters, to broadcast the aircraft’s position. This information can be received by air traffic control as a replacement for secondary surveillance radar, since no interrogation signal is needed from the ground.
ADS-B also can be received by other aircraft to provide situational awareness and allow self-separation. On more advanced aircraft, it will be used to report not just the aircraft’s current position but also its flight path to destination so that the ATC system and other aircraft also can predict where the aircraft will be in the future.
This predictive data enables other aircraft in the same area to compute their own route to ensure that they don’t converge with the first aircraft’s flight path. The search acquisition radars used at airports for years are rapidly going away because they are only good for providing line-of-sight data. With today’s sophisticated onboard navigation systems, it’s now better to let separate aircraft work out amongst themselves how closely they can approach each other safely in the sky.
To provide guidance for handling the threat of malicious interference with aircraft systems, the Radio Technical Commission for Aeronautics (RTCA) released DO-326A, titled “Airworthiness Security Process Specification.” This document complements other advisory material, such as the hardware and software safety certification guidance documents DO-254 and DO-178C. DO-326A outlines compliance objectives and data requirements for aircraft and airborne equipment manufacturers.
The DO-326A Airworthiness Security Process Specification
DO-326A provides guidance on the interactions between security and safety. As the DO-254 safety certifiability standard for hardware requires a plan for hardware aspects of certification (PHAC), and DO-178C requires a plan for software aspects of certification (PSAC), the DO-326A standard calls for a plan for security aspects of certification (PSecAC). Today, any new aircraft system that is connected to the outside world must address the DO-326A requirements that are flowing down from the regulators.
DO-326A covers such things as navigation databases and terrain awareness warning databases, though it doesn’t provide specific direction on how to implement required safeguards. Instead, it mandates a process under which all threat scenarios and use cases are identified and adequate measures are put in place to mitigate them.
Under DO-326A, a systems integrator deploying any new avionics, such as a navigation system, onto an aircraft must demonstrate that they have protection measures in place and that they’ve identified the necessary aircraft and security perimeters to mitigate against a malicious actor.
In recent years, as FAA and EASA regulators are being asked more about cyber security, there has been a growing emphasis and insistence that DO-326A processes are put into action. That makes it incumbent on avionics systems integrators to educate themselves so that they are aware of this standard, as it will only become more important in coming years.
Paul Hart is chief technology officer at Curtiss-Wright Controls Avionics and Electronics in Bournemouth, England. Contact him by email at [email protected].