Safety and Security in Upcoming Flight Control Systems
Safety in Practice - Avionics Systems
As engineering experts know, it takes highly developed technical skills and precise attention to detail to design intricate, complex, and safety-critical systems such as those deployed in aircraft fly-by-wire controls. In this post, we review why security is vital when designing embedded systems for WAIC (Wireless Avionics Intra-Communications) systems, how to ensure the highest standards of safety and what the best approaches are to reduce risk.
Modern aircraft systems
Fly-by-wire has long been the norm in avionics. Gone are the days of the earliest commercial airliners when pilots' feet exerted the necessary yaw control forces through rudder pedals that were directly linked to hydraulic actuators and ultimately to the aircraft tail fin. Nowadays, precisely engineered transponders sense foot movements, simulate tactile feedback forces, and then make the appropriate changes to the flight control actuators and external airframe surfaces, all on an indirect basis. Nonetheless, aircraft such as the Airbus A320 retain backup mechanisms.
In today's new airliners, engineers aim to reduce the overall weight of systems and, therefore, to improve operational efficiency, while also adding extra functionality, including the ability to obtain data from control surfaces and onboard systems. WAIC makes these enhancements possible.
According to some startling statistics presented to an International Civil Aviation Organization (ICAO) conference, an Airbus A380-800 airframe contains more than 100,000 electrical wires. These weigh 5,700 kilograms and would stretch 470 kilometers if laid end-to-end; the substantial quantity of fixings required to mount these wiring harnesses to the aircraft structure adds even more weight.
In the above study, carried out in 2012, around 30 percent of electrical cabling was a candidate for wireless substitution. The attraction is clear: reducing wiring looms to 70 percent of their previous bulk and weight delivers increased fuel economy and better aircraft performance.
Additionally, the new technology offers extra flexibility and reconfigurability. WAIC not only improves reliability and mitigates common mode failures through redundant radio links and route segregation, but also enables the reliable monitoring of moving and rotating parts such as landing gear position, tire pressures, and brake temperatures. Pilots can see all this data on the flight deck instruments, in real time.
On a less positive note, however, security specialists have observed weaknesses and new challenges surrounding the introduction of these wireless avionics controls.
Threats, attacks and precautions
Various types of threat exist, including hacking or other interference, which might:
- reduce AWN (Aircraft Wireless Network) efficiency and transmission capability.
- modify commands or instructions in a way that allows the adversary to achieve their objective(s).
- compromise an existing network node (or nodes), so the intruder can read all unencrypted data.
- introduce a new AWN node as a trusted node, then collect vital operational information.
- attempt to take control of critical aircraft systems, if connected to the AWN.
One popular attack method that may occur in AWN environments is ARP (Address Resolution Protocol) spoofing, whereby an adversary tries to associate its own MAC (Media Access Control) address with the IP address of a valid node. Countermeasures focus on predefined binding of MAC addresses to IP addresses and on node authentication using asymmetric cryptography.
Another attack scenario, MAC spoofing, sees the adversary change the MAC address of the intruding device to one used by a legitimate device. However, if node identities are cryptographically bound to MAC addresses from the outset, the chance of such an attack succeeding is minimal.
In replay attacks, a potential intruder captures a message or a communication session and then plays it back to one of the original participants. The idea is to trick one of the original members of the exchange into accepting the adversary's device as the same genuine communication partner. Encrypted session keys generated at the start of the session can help to prevent this from succeeding, by detecting repeated message indicators, improper decryption or incorrect message sequence numbers.
These types of attack mean adversaries could become an active part of AWNs and cause severe risks to aircraft safety. Consequently, the broader introduction of WAIC in passenger and cargo aircraft requires increased security measures.
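The replay defences described above, shown as an added example that is not part of the original post: each frame on an AWN link carries a strictly increasing sequence number and an HMAC-SHA256 tag under a per-link, per-session key, so the receiver rejects repeated or stale sequence numbers and frames whose tag fails to verify (including frames sent under another link's key). The node names, the master secret, the key-derivation construction and the sensor readings are all constructed for illustration; payloads are authenticated but not encrypted, so the example needs only the Python standard library.

```python
import hashlib
import hmac
import secrets
import struct

SEQ_LEN, TAG_LEN = 8, 32  # 64-bit sequence number prefix, HMAC-SHA256 tag suffix

def derive_link_key(master_secret: bytes, node_a: str, node_b: str, session_nonce: bytes) -> bytes:
    """Constructed KDF: one master secret yields a distinct key per link and per session."""
    info = b"AWN-link|" + node_a.encode() + b"|" + node_b.encode() + b"|" + session_nonce
    return hmac.new(master_secret, info, hashlib.sha256).digest()

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0
    def send(self, payload: bytes) -> bytes:
        self.seq += 1  # strictly increasing; never reused within a session
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0
    def receive(self, frame: bytes):
        """Return (status, payload); payload is None unless the frame is accepted."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "malformed", None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_tag", None  # forged, corrupted, or sent under another link's key
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return "replayed", None  # repeated or stale sequence number
        self.last_seq = seq  # gaps (lost frames) are tolerated; going backwards is not
        return "accepted", payload

def demo():
    master, nonce = secrets.token_bytes(32), secrets.token_bytes(16)  # constructed: provisioned secret, per-session nonce
    key = derive_link_key(master, "gear-sensor", "flight-deck", nonce)  # constructed node names
    tx, rx = Sender(key), Receiver(key)
    f1, f2 = tx.send(b"gear=DOWN_LOCKED"), tx.send(b"brake_temp_C=210")
    verdicts = [rx.receive(f1)[0], rx.receive(f2)[0], rx.receive(f1)[0]]  # third is a replay of f1
    tampered = f2[:SEQ_LEN] + b"brake_temp_C=999" + f2[-TAG_LEN:]  # payload altered, tag kept
    verdicts.append(rx.receive(tampered)[0])
    other = Sender(derive_link_key(master, "tyre-sensor", "flight-deck", nonce))
    verdicts.append(rx.receive(other.send(b"psi=180"))[0])  # well-formed frame from a different link
    return verdicts  # ['accepted', 'accepted', 'replayed', 'bad_tag', 'bad_tag']
```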
Other security measures
Firmware updates need to be as straightforward and uncomplicated as possible to avoid concealed code with ulterior malicious motives. They also require thorough documentation and proper authorization.
It is necessary to restrict unauthorized physical access to aircraft wireless devices and transponders, to help prevent their possible compromise. Notably, node devices should be tamper-resistant by design.
The AWN should reject unauthorized connection requests or unauthenticated communication packets, to ward off remote attacks. Cryptographic keys should be unique to each node and network link, whether logical or physical.
DDoS (Distributed Denial of Service) attacks are notoriously difficult to prevent. Characterized by attempts to stress communication channels and the computational capabilities of the target node(s), these incursions aim to downgrade or remove system security, reduce QoS (Quality of Service) or even force a shutdown. Nonetheless, the extra capacity offered by dissimilar redundancy under WAIC systems provides the potential to change wireless channels and thereby mitigate the impact of DDoS attacks.
To avoid any data loss or acquisition by unauthorized parties during the decommissioning of AWN nodes, any hardware or firmware security credentials should be blacklisted.
An integrated approach
The most secure approach is to embed security into aircraft systems from the outset. Therefore, security-related measures have to be incorporated, managed, and followed during every stage of the AWN system lifecycle.
At the design stage, memory protection and on-chip MMUs (memory management units) protect against corruption of programming threads and processes. Additionally, real-time operating systems (RTOS) mean that threads do not share the same memory space, preventing the intentional or unintentional loss of data due to stack errors or errant pointers. Although memory look-up tables constitute an overhead, the benefits are considerable: no inadvertent or malicious corruption across process boundaries. Furthermore, the fail-safe system states should be simplified to limit the likelihood of unforeseen conditions.
Security measures during the manufacture and deployment of aircraft nodes include tightly controlled delivery, secure operating system installation, and strong safeguards to prevent disclosure of information and operating parameters.
During flight operation, AWNs should be in lock-down mode, with changes to security settings not permitted.
Finally, after firmware updates, the software and hardware require testing and sign-off.
New WAIC technology presents extra security challenges. In order to maintain functional safety and the correct performance and integrity of avionics systems, it is essential to detect potentially dangerous security breaches, prevent hazardous events, and mitigate their effect(s) whenever necessary. From initial design through to deployment and post-installation updates, safe aviation systems require high memory availability and built-in fault tolerance. Additionally, adequately secured embedded aircraft systems require the authentication of endpoints, human operators, and data.