1、Commercial Aviation Cyber Security Current State and Essential ReadingOther SAE Books of Interest: Commercial Aviation and Cyber Security: A Critical Intersection By Kirsten M. Koepsel (Product Code: T-132) Counterfeit Electronic Parts: Supply Chains at Risk Spotlight on Design Series (DVD and strea
2、ming video) (Product Code: SOD-001) Counterfeit Electronic Parts and Their Impact on the Supply Chain By Kirsten M. Koepsel (Product Code: T-130) For more information or to order a book, contact: SAE INTERNATIONAL 400 Commonwealth Drive Warrendale, PA 15096 Phone: +1.877.606.7323 (U.S. and Canada on
3、ly) or +1.724.776.4970 (outside U.S. and Canada) Fax: +1.724.776.0790 Email: CustomerServicesae.org Website: books.sae.orgCommercial Aviation Cyber Security Current State and Essential Reading Edited by Terry L. Davis Warrendale, Pennsylvania, USACopyright 2017 SAE International. All rights reserved
4、. No part of this publication may be reproduced, stored in a retrieval system, distributed, or transmitted, in any form or by any means without the prior written permission of SAE International. For permission and licensing requests, contact SAE Permissions, 400 Commonwealth Drive, Warrendale, PA 15
5、096-0001 USA; e-mail: copyrightsae.org; phone: +1-724-772-4095. Library of Congress Catalog Number 2016939326 SAE Order Number PT-179 http:/dx.doi.org/10.4271/pt-179 Information contained in this work has been obtained by SAE International from sources believed to be reliable. However, neither SAE I
6、nternational nor its authors guarantee the accuracy or completeness of any information published herein and neither SAE International nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that
7、SAE International and its authors are supplying information, but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought. ISBN-Print 978-0-7680-8355-2 ISBN-PDF 978-0-7680-8356-9 ISBN-epub 9
8、78-0-7680-8358-3 ISBN-prc 978-0-7680-8357-6 To purchase bulk quantities, please contact SAE Customer Service e-mail: CustomerServicesae.org phone: +1.877.606.7323 (inside USA and Canada) +1.724.776.4970 (outside USA) fax: +1.724.776.0790 Visit the SAE Bookstore at books.sae.org 400 Commonwealth Driv
9、e Warrendale, PA 15096 E-mail: CustomerServicesae.org Phone: +1.877.606.7323 (inside USA and Canada) +1.724.776.4970 (outside USA) Fax: +1.724.776.0790v Table of Contents Introduction . vii Bridging the Commercial Aircraft Connectivity Gap (2006-21-0037) . 1 Brian J. Kirby, Panasonic Avionics Corpor
10、ation Securing Wireless eEnabled Airplane Applications at Airports: Challenges Tim Mitchell, Boeing Commercial Airplanes Counterfeiting, Supply Chain Security, and the Cyber Threat; Why Defending Against Counterfeit Electronics is No Longer Enough (2014-01-2125) . 15 Janice Meraglia and Mitchell Mil
11、ler, Applied DNA Sciences Inc. Novel Approach for Securing Air-Ground Communication (2012-01-2103) . 19 Aniruddha Karmarkar, Lockheed Martin Corp. Vehicle Health Monitoring System Using Secure Wireless Sensor Network (2015-01-0204) 27 Biswajit Panja and Lars Wolleschensky, Escrypt Inc. Deterministic
12、 Ethernet VPX 3U/6U Switches for Open Integrated Architectures (2015-01-2522) . 33 Mirko Jakovljevic and Jan Radke, TTTech Computertechnik AG; Perry Rucker, TTTech North America Inc. Wireless and Flexible Ice Detection on Aircraft (2015-01-2112) 41 Thomas Schlegl and Michael Moser, Eologix Sensor Te
13、chnology GmbH; Hubert Zangl, Alpen-Adria-Universitt Klagenfurt Risk-Adaptive Engine for Secure ADS-B Broadcasts (2015-01-2520) 47 Thabet Kacem, Jeronymo Carvalho, Duminda Wijesekera, and Paulo Costa, George Mason University; Mrcio Monteiro and Alexandre Barreto, Instituto de Controle do Espao Areovi
14、 Automated ATM System Enabling 4DT-Based Operations (2015-01-2539) 55 Alessandro Gardi, Roberto Sabatini, Subramanian Ramasamy, and Matthew Marino, RMIT University; Trevor Kistan, Thales Australia A Lightweight Spatio-Temporally Partitioned Multicore Architecture for Concurrent Execution of Safety C
15、ritical Workloads (2016-01-2067) . 63 Qingchuan Shi and Kartik Lakshminarashimhan, University of Connecticut; Christopher Noll and Eelco Scholte, UTC Aerospace Systems; Omer Khan, University of Connecticut About the Editor 71vii Introduction Recently, the International Institute for Counter-Terroris
16、m released a report on “Trends in Aviation Terrorism” which included a section on the “Cyber Terrorism Threat.” Although covering cyber threats, it concluded with the statement: “Nevertheless, experts in the field estimate that, at this stage, terrorist organizations are not capable of executing cyb
17、er attacks at the magnitude of an attack on civilian aircraft” (1). Unfortunately, this has been widely quoted in the press, although most cyber-security professionals would not support this view. This is especially true in light of the technical capabilities terrorist organizations have demonstrate
18、d in physical attacks around the world, and their active recruitment of cyber talent. Every new commercial aircraft model entering service in the last 25 years has cyber-attack surfaces, or apertures, as the Federal Aviation Administration (FAA) refers to them, and each succeeding model has increase
19、d the number and complexity of these apertures. These include loadable software, airline modifiable interfaces (AMIs), legacy Air Traffic Management (ATM) and Air Traffic Network (ATN) communications, and onboard wireless systems for both passengers and crew, to mention just some of the major ones.
20、They are just the beginning of the transformation of commercial aircraft into full digital systems. In the next decade, commercial aviation will see Next Generation ATM (NextGEN), Single European Skies ATM Research (SESAR), and others utilizing Internet-based air-to-ground communication links for ad
21、vanced “air traffic control” (ATC) communications, which may include direct links into the aircraft flight-critical systems. It will also see remote electronic maintenance, virtual “line replaceable units” (LRUs) taking the spot of many traditional hardware units, and cloud technology for onboard co
22、mputing. These will include flight-critical functions, inflight diagnostic assistance, and (very possibly) some other advanced technologies like real-time voice translation for controller- pilot communications. This technical paper collection and introduction will touch on challenges to legacy ATM a
23、nd ATN communications, and to securing the new generation of advanced ATC communications over Internet-based air-to-ground links. 1. Existing or Legacy Commercial Aviation Communications The understanding of distinction between ATM and ATN for ATC communications is needed to grasp some of the root c
24、yber-security issues in both. ATM This is the definition of the ATM from Wikipedia: “Air traffic management is an aviation term encompassing all systems that assist aircraft to depart from an aerodrome, transit airspace, and land at a destination aerodrome, including air traffic control (ATC), air t
25、raffic safety electronics personnel (ATSEP), aeronautical meteorology, air navigation systems (aids to navigation), Air Space Management (ASM), Air Traffic Services (ATS), and Air Traffic Flow Management (ATFM), or Air Traffic Flow and Capacity Management (ATFCM). The increasing emphasis of modern A
26、TM is on interoperable and harmonized systems that allow an aircraft to operate with the minimum of performance change from one airspace to another. ATC systems have traditionally been developed by individual states that concentrated on their own requirements, creating different levels of service an
27、d capability around the world. Many Air Navigation Service Providers (ANSPs) do not provide an ATC service that matches the capabilities of modern aircraft, so ICAO has developed the Aviation System Block Upgrade (ASBU) initiative in order to harmonize global planning of technology upgrades” (2). Fo
28、r a full view of the document, please click on the link below: http:/www.icao.int/Meetings/acli/Documents/ Galotti_23October-am.pdf ATM services are carried by the Aircraft Communications and Reporting System (ACARS) communication systems globally. ATM ACARS communications are not considered “safety
29、 of flight services” by International Civil Aviation Organization (ICAO), the FAA, or other ANSPs. Thus, any failure, interference, or compromise of these links and services is, by definition, an issue affecting only pilot and controller workloads and not “safety of flight.” ATN ATN services are car
30、ried over VDL-2 and Satcom networks primarily, but include some VDL-4. This is not the same as ACARS. This is a link on the ATN from the FAA Tech Center: http:/www.tc.faa.gov/its/cmd/factsheets/data/ACT-300/atn. pdf ATN services include Future Air Navigation System (FANS) and Controller Pilot Data L
31、ink Communications (CPDLC) which are considered “safety of flight” services and thus, by definition, any failure, interference, or compromise in them can result in a “safety of flight” incident. Collision of Uses For various reasons, FANs and CPDLC communications are allowed to be transmitted over A
32、CARS. As a consequence, you have “safety of flight” communications carried on a communications network that is defined as insecure. This conflict goes back almost 20 years and has never been resolved.viii 1.1 Cyber Concerns For background, again because ACARS is not “safety of flight”-grade, impacts
33、 to receiving systems of bad, corrupt, or spoofed data are not an ACARS issue. But it does represent an issue of the specific receiving systems which need to detect and discard such erroneous messages. Since ACARS, FANs, CPDLC, ADS-B (Automatic Dependent Surveillance-Broadcast), Mode-S Transponder b
34、roadcast, and ADIS (Automated Data Interchange System) all utilize the same basic communications technology, they all have the same root vulnerabilities at a system level. Message Authenticity: Their communications are all unauthenticated and unsigned. Thus, messages can be subject to spoofing attac
35、ks. This has three specific sub- categories which have different impacts and different degrees of difficulty: Replay Message spoofing Undetected message tampering Denial of Service: All these communications are carried on open, although allocated, spectra which are easily jammed. None utilizes techn
36、ologies like frequency hopping or spread spectrum to provide provable communications reliability. 1.2 ATC Message Authentication Vulnerability Evolution As initially developed in the 1970s, air traffic control network communication systems and protocols had inherent security due to the complexity of
37、 radio design and software, and the associated large computer labs required to support its development. Together, they represented a requirement for a large, highly technical staff. And they literally used millions of dollars of computers and radio hardware in order to build these aviation communica
38、tion units for ACARS, FANS, CPDLC, and ADS-B. As a consequence, only government and large industrial firms had the capability to develop them, limiting the threat actors while also increasing the likelihood of detection. For the following primary reasons, these original security components of air tr
39、affic control systems no longer exist: Moores law has overcome the requirement for large computer facilities. In fact, the required software today can be run on most laptops or tablet computers. The requirement for skilled computer programmers and protocol experts has been replaced by the Internet.
40、Every software component required to communicate with the existing air traffic control networks exists online, and is available to everyone. The radio capabilities and expertise needed has been overcome by Software Defined Radio (SDR). SDR requires almost no expertise in order to tap into existing r
41、adio communications. An SDR radio unit is the size of a USB stick, and uses a USB interface. The SDR units and associated signal amplifiers are available on the Internet for under US$100. Additional drivers, tuners, aircraft ID tables, and eavesdropping software are available on the web at several o
42、pen sources sites, which are free. So, assumptions about the security of current ATC protocols from cyber attacks are invalid. ACARS, ADS-B, FANS, and ADIS transmissions can all be spoofed with a tablet computer, an SDR radio, and a small antenna (3). The U.S. Air Force (USAF) has produced two offic
43、ial papers on these problems as have the Europeans. It also has implemented ARINC 823, “Protected ACARS,” on its command fleet. One further proof of the vulnerability is the issuance of these Notice to Airmen (NOTAM) on September 1, 2015 that state that, due to a Department of Defense (DoD) exercise
44、, Automatic Dependent Surveillance Broadcast (ADS-B) and Traffic Collision Avoidance System (TCAS) would be unreliable from 1 a.m. EDT (0500z) September 2 until midnight EDT (0459z) on October 1: 5/2817 New York Center (ZNY) 5/2818 Washington Center (ZDC) 5/2819 Jacksonville Center (ZJX) 5/2820 Miam
45、i Center (ZMA) 5/2834 NY Oceanic (ZWY) TCAS, ADS-B Unreliable in Southeast U.S. Beginning September 2 https:/www.nbaa.org/ops/airspace/regional/20150901- tcas-adsb-unreliable-in-southeast-united-states-beginning- september-2.php These NOTAMs were subsequently cancelled on September 9, 2015 after pro
46、tests from the Air Line Pilots Association (ALPA). Their cancellation, however, does not change the reality that the DoD fears that ADS-B and the ATC protocols could be spoofed. 1.3 Message Replay ATC and ATN message traffic can be readily replayed minutes, days, or weeks after it was recorded with
47、minimal technical difficulty. Most serious HAM radio operators have the capability to create this attack. This was documented in the year 2000 timeframe with ACARS online. It is readily detectable as the message numbers will not be correct on the acknowledgement. However, there do not appear to be s
48、ystems in place on the ground or in the aircraft to filter out replayed messages. This can create serious controller/ pilot workload issues, especially in the terminal control areas, and a general distrust of the system by both, which is the larger problem. Replaying them in other terminal control a
49、reas is potentially the most disruptive as aircraft transponder codes could be seen in multiple air spaces. It can affect systems like En Route Automation Modernization (ERAM). Replaying ATS airport operational status hours or days later when conditions are different is an equally disruptive situation, which adds to the distrust. Any HAM radio operator has the basic capability to record and playback messages. The source of prolonged or repeated attacks would be identified once technical resources were available to trace it. However, single or random attack
