Cybersecurity at 500 Miles Per Hour

The Internet of Things (IoT) is an exciting, fast-moving area with great opportunities for breakthrough applications. From smart agriculture to smart cities to connected cars, smart healthcare devices, and smart homes, the internet of things is measuring, connecting, and transforming many areas of our lives. However, to succeed in the IoT, engineers must carefully consider, design, and test for the 5 C's of IoT: compliance, cybersecurity, continuity, connectivity, and coexistence.

Cybersecurity of connected wireless devices is always important for IoT applications. But it is mission-critical for life safety when the "wireless device" has 15 to 20 radios, moves at 500 miles per hour, and carries 400 people and 150 tons of jet fuel. Aviation cybersecurity is a critical area of wireless cybersecurity, and it is especially challenging because aviation relies on two systems that have known security flaws.

Pranay Bhardwaj and Dr. Carla Purdy of the University of Cincinnati have published some of their research in a paper entitled System Design Methodologies for Safety and Security of Future Wireless Technologies in Aviation. The paper focuses on approaches to improving the security of automatic dependent surveillance–broadcast (ADS–B), which determines an airplane's position via the Global Navigation Satellite (GNS) and then broadcasts the airplane’s location. This allows the airplane to be tracked, which is important for scheduling, air traffic control, collision avoidance, and severe weather avoidance.

According to Pranay and Dr. Purdy, the essential problem is that ADS–B was designed to favor openness over security. Many people are working on ways to introduce security into ADS–B, but it is always difficult to add security to an architecture that did not emphasize it during the design phase. To address this problem, the University of Cincinnati team thought deeply about the nature of the problem and modeled security requirements using Universal Modeling Language (UML) use case diagrams. They leveraged previous research on the Controller Area Network (CAN) bus used in automobiles, because ADS–B and CAN bus are similar in many ways. They are both broadcast area network protocols, they have no central server, and their fundamental designs lack basic cybersecurity features, such as authentication and encryption.

Beyond the basic lack of encryption and authentication, the paper documents numerous additional challenges that ADS–B faces. The 1090-MHz RF channel that commercial aircraft use for ADS–B is so congested that 50% of messages are lost at 174 miles. It is subject to spoofing by “ghost” aircraft that do not actually exist but can overwhelm the system if significant numbers are injected. Hybrid attacks that delete some aircraft positions and injects others can occur. There are also various issues associated with Internet Protocol (IP), especially as it relates to updating older aircraft.

The UML use case diagrams that Pranay and Dr. Purdy developed are very simple in appearance, and their simplicity reveals the essential nature of various problems and how various solutions may address them. For example, the diagram below suggests how Kalman filtering, a statistical noise reduction algorithm, might be used to improve the early detection of suspicious messages.

Figure 1: UML use case diagram showing structure of data modification attack and use of Kalman filtering to address it. Diagram courtesy of Pranay and Dr. Purdy.

The published paper includes similar diagrams for several other use cases, and while it does not solve all of the security problems associated with ADS–B, it makes a useful contribution by clearly identifying the nature of the problem and serving as a template for future research. Pranay and Dr. Purdy have a long-term goal of creating a model of ADS–B in TLA+, which is a formal specification language for modeling and documenting computer software.