Embedded Office Blog

Embedded Market, Basics, Functional Safety, Embedded Security

Portfolio Projects

Safety and Security in Upcoming Flight Control Systems

by Embedded Office (comments: 0)

Safety in Practice - Avionics Systems

As engineering experts know, it takes highly developed technical skills and precise attention to detail to design intricate, complex and safety-critical systems such as those deployed in aircraft fly-by-wire controls. In this post, we review why security is vital when designing embedded systems for WAIC (Wireless Avionics Intra-Communications) systems, how to ensure the highest standards of safety and what the best approaches are to reduce risk.

Modern aircraft systems

Fly by wire has long been the norm in avionics. Gone are the days of the earliest commercial airliners when pilots’ feet exerted the necessary yaw control forces from rudder pedals that were directly linked to hydraulic actuators and ultimately to aircraft tail fins. Nowadays, precisely engineered transponders sense foot movements, simulate tactile feedback forces and then make the appropriate changes in the flight control actuators and external airframe surfaces — all on an indirect basis. Nonetheless, aircraft such as the A320 Airbus retain backup mechanisms.

In today’s new airliners, engineers aim to reduce the overall weight of systems and, therefore, to improve operational efficiency while also adding extra functionality – including the ability to obtain data from control surfaces and on-board systems. These enhancements come using WAIC.

Significant benefits

According to some startling statistics presented to an International Civil Aviation Organization (ICAO) conference, an Airbus A380-800 airframe contains more than 100,000 electrical wires. These weigh 5,700 kilogrammes and would stretch 470 kilometres if laid end-to-end; the substantial quantity of fixings required to mount these wiring harnesses to the aircraft structure adds even more weight.

In the above study, carried out in 2012, around 30 per cent of electrical cabling was a candidate for wireless substitution. The attraction is clear: reducing wiring looms to 70 percent of their previous bulk and weight delivers increased fuel economy and better aircraft performance.

Additionally, the new technology offers extra flexibility and reconfigurability. WAIC not only improves reliability and mitigates common mode failures through redundant radio links and route segregation, but also enables the reliable monitoring of moving and rotating parts such as landing gear position, tyre pressures and brake temperatures. Pilots can see all this data on flight deck instruments, in real time.

On a less positive note, however, security specialists have observed weaknesses and new challenges surrounding the introduction of these wireless avionics controls.

Threats, attacks and precautions

Various types of threat exist, including hacking or other interference as detailed below and which might:

  • reduce AWN (Aircraft Wireless Network) efficiency and transmission capability.
  • modify commands or instructions in a way that allows the adversary to achieve their objective(s).
  • compromise an existing network node (or nodes), so the intruder can read all unencrypted data.
  • introduce a new AWN node as a trusted node, then collect vital operational information.
  • attempt to take control of critical aircraft systems, if connected to the AWN.

One well-known attack method that may occur in AWN environments is ARP (Address Resolution Protocol) spoofing, whereby adversaries try to associate MAC (Media Access Control) addresses with the IP address of a valid node. Countermeasures focus on the predefined binding of MAC addresses to IP addresses and node authentication using asymmetric cryptography.

Another attack scenario, MAC spoofing, sees the adversary trying to change the MAC address of the intruding device to an address used by a genuine device. However, if the nodes and MAC addresses bond securely from the outset using encryption, the possibility of such an attack succeeding is minimal.

In replay attacks, a potential intruder captures a message or a communication session and then plays it back to one of the original participants. The idea is to trick one the original members of the exchange into accepting the adversary's device as the same genuine communication partner. Encrypted session keys generated at the start of the session can help to prevent this from succeeding, by detecting repeated message indicators, improper decryption or incorrect message sequence numbers.

These types of attack mean adversaries could become an active part of AWNs and cause severe risks to aircraft safety. Consequently, the wider introduction of WAIC in passenger and cargo aircraft requires increased security measures.

Other security measures

Firmware updates need to be as straightforward and uncomplicated as possible to avoid concealed code with ulterior malicious motives. They also require thorough documentation and proper authorisation.

It is necessary to restrict unauthorised physical access to aircraft wireless devices and transponders, to help prevent their possible compromise. Notably, node devices should be tamper-resistant by design.

The AWN should reject unauthorised connection requests or unauthenticated communication packets, to ward off remote attacks. Cryptographic keys should be unique to each node and network link, whether logical or physical.

DDoS (Distributed Denial of Service) attacks are notoriously difficult to prevent. Characterised by attempts to stress communication channels and the computational capabilities of the target node(s), these incursions aim to downgrade or remove system security, reduce QoS (Quality of Service) or even force a shutdown. Nonetheless, the extra capacity offered by dissimilar redundancy under WAIC systems offers the potential to change wireless channels and thereby mitigate the impact of DDoS attacks.

To avoid any data loss or acquisition by unauthorised parties during the decommissioning of AWN nodes, any hardware or firmware security credentials should be blacklisted.

An integrated approach

The most secure approach is to embed security into aircraft systems from the outset. Therefore, security-related measures have to be incorporated, managed and followed during every stage of the AWN system lifecycle.

At the design stage, memory protection and on-chip MMUs (memory management units) protect against corruption of programming threads and processes. Additionally, real-time operating systems (RTOS) mean that threads do not share the same memory space, obviating the intentional or unintentional loss of data due to stack errors or errant pointers. Although memory look-up tables constitute an overhead, the benefits are considerable: no inadvertent or malicious corruption across process boundaries. Furthermore, fail-safe system states should be simplified to limit the likelihood of unforeseen conditions.

Security measures during the manufacture and deployment of aircraft nodes include tightly controlled delivery, secure operating system installation and strong safeguards to prevent disclosure of information and operating parameters.

During flight operation, AWNs should be in lock-down mode and changes to security settings not permitted.

Finally, after firmware updates, the software and hardware require testing and sign-off.


New WAIC technology presents extra security challenges. In order to maintain functional safety and the correct performance and integrity of avionics systems, it is essential to detect potentially dangerous security breaches, prevent hazardous events and mitigate their effect(s) whenever necessary. From initial design through to deployment and post-installation updates, safe aviation systems require high memory availability and built-in fault tolerance. Additionally, properly secured embedded aircraft systems require the authentication of endpoints, human operators and data.

Go back

Update Notification

For an automatic notification on new blog articles, just register your EMail address.

We are the Blogger:

Andrea Dorn

After my study of industrial engineering I worked at an engineering service provider. As team leader and sales representative, I was responsible for customers from aviation and mechanical engineering. I am part of the Embedded Office team since 2010. Here I am responsible for the Sales and Marketing activities. I love being outside for hiking, riding or walking no matter the weather.

Fridolin Kolb

I have more than 20 years experience in developing safety critical software as developer and project manager in medical, aerospace and automotive industries. I am always keen on finding a solution for any problem. The statement “This won’t never work”, will never work for me. In my spare time You can find me playing the traverse flute in our local music association, spending time with my family, or in a session as member of our local council and member of the local church council. So obviously I am lacking the ability to say “No” to any challenge ;-).

Michael Hillmann

I have been working for 20 years in safety critical software development. Discussing and solving challenges with customers and colleagues excites me again and again. In my spare time I can be found while hiking, spending time with my family, having a sauna with friends - or simply reading a good book.

Wolfgang Engelhard

I’m a functional safety engineer with over 10 years of experience in software development. I’m most concerned with creating accurate documentation for safety critical software, but lately found joy in destruction of software (meaning I’m testing). Spare time activities range from biking to mentoring a local robotics group of young kids.

Matthias Riegel

Since finishing my master in computer science (focus on Embedded Systems and IT-Security), I’ve been working at Embedded Office. Before that, I worked with databases, and learned many unusual languages (like lisp, clojure, smalltalk, io, prolog, …). In my spare time I’m often on my bike, at the lathe or watching my bees.