Cyber Security and Cyber-Resilience for RPAS

Cyber Security and Cyber-Resilience for Remotely-Piloted Aircraft Systems – R.A.M.S Department
A brief overview on Cyber Security and
Cyber-Resilience for RPAS
Giovanni Panice
Trainee at Reliability, Safety and Security Department
g.panice@studenti.unina.it
g.panice@cira.it
Naples, October 1 2016
Italian Aerospace Research Center

Scope and
Challenge of
RPAS Cyber
Security
Threat and
Vulnerability
Identification
Past Incidents
Risk
Assessment
Scheme
Recent
Studies and
Works
Where
investigate
Contents

The RPAS integration in European Aviation System
• Unmanned aircraft systems (UAS) and
operations have significantly increased in
number, technical complexity, and
sophistication during recent years
without having the same history of
compliance and oversight as manned
aviation.
• Unlike the manned aircraft industry, the
UAS community does not have a set of
standardized design specifications for
basic
• UAS design that ensures safe and
reliable operation in typical civilian
service applications.
Scope: introduction

RPAS Classification
•EUROUVS introduced a
classification in 2006 dividing
UAVs in four main categories,
originally taken from UVS
International
Scope: RPAS Classification

RPAS Operational Classification
•For UAS operations, aircraft may
operate within radio frequency
line-of-sight, or beyond line-of-
sight
•Technologies and operating
procedures related to command,
control, and communication of
UAS are divided into one of these
two categories
Scope: Operational Classification

Scope and challenge of Cyber Security for
RPAS
•In recent years, Cyber Security has become a high ranking issue
threatening stability worldwide.
•In particular, aviation systems and Remotely Piloted Aircraft
Systems (RPAS) are of highest importance in terms of safety and
security
•the main goal being to eliminate potential vulnerabilities open to
attacks from hackers, cyber criminals and terrorist focusing on ‘the
theft of information and general disruption to potential loss of life’
Scope

Europe Strategy for R&D
•In order to accommodate RPAS integration into non-segregated
ATM environments on a European scale, the European RPAS
Steering Group (ESRG) defined the R&D Roadmap that identify
operational and technological system gaps of enablers required to
achive the integration
•Evaluated aspects in the Roadmap, are the cyber risks related to
potential intrusions into the RPAS or to threats which might
compromise safety of crew, of other airspace users, or of third
parties.
Scope

Security issues attached to the use of RPAS
•ENABLERS:
• Cyber protection techniques
• Satellite navigation anti-spoofing techniques
• Communication security techniques
• encryption methods
• crypto components
Scope: RPAS Roadmap

Identified Gaps
•The goal is to perform a system analysis of all threats on RPAS security
and integrity:
• Identification and description of all types of attacks
• Analysis of their functional consequences
• Assessment of their impact on flight safety
• Identification of protection techniques and operational procedures
• Definition of minimum design rules
•The analysis will be organized according to the following main categories
of threats:
• Cyber-attacks(internet, infrastructure network, SWIM, wireless means)
• Aggression on C2 data communication
• Satellite navigation spoofing or jamming
Scope: RPAS Roadmap

Activities and Deliverables
Activities
•Soft side of the RPAS and cyber
security:
• Cyber intrusion detection system
• Cyber intrusion prevention system
• Authentication and encryption of
communication
• Resistance to GNSS Jamming and
spoofing
• Resistance to C&C jamming
• Resistance to C&C spoofing
•RPAS Systems:
• Cyber hijacking
Scope: RPAS Roadmap
Deliverables
•Security advice for R&D activities
•Physical security requirements
•Cyber security requirements

Threat and Vulnerability
Identification

General Attack Possibilities
We have determined, through studying the data flow in
the RPAS, several general cyber attack feasibilities
• Hardware Attack: attacker has access to the
UAV components directly
• Wireless Attack: Attacker carries out the attacks
through one of the wireless communication
channels
• Sensor Spoofing: attacker passes false data
through the on-board sensors of the UAV
We have characterized the attacks within the CIA Triad:
• Confidentiality: data are not exposed to
unauthorized subjects
• Integrity: data must retain their veracity and be
intentionally modified by only authorized subjects
• Availability: authorized subjects are granted timely
and uninterrupted access to data
Threat and Vulnerability Identification: component model

Attack modeling and categorization
Elements and connections along the dataflow are susceptible to attacks. In
order to effectively characterize know and future attacks on the UAV, we
have categorized the type of attacks and their propagation mechanisms
Threat and Vulnerability Identification: Categories of Attacks

Threat and Vulnerability Identification: Wireless Attacks
Command and Control link vulnerabilities
•C2 Link plays a major role in maintaining
the safety and efficiency of RPA flight
•International Telecommunications Union
allocates spectrum to a variety of services
• Protection from harmful interference is a key
ITU-R consideration
• Aeronautical Mobile Route Service spectrum is
reserved for communications relating to safety
and regularity of flight
•In 2012 ITU-R identified a number of
bands as suitable for RPA C2 Links, the
following are receiving the most interest
• Terrestrial: 960-1164MHz, 5030-
5091MHz
• Satellite: 1545-1555/1645.5-1656.5MHz
and 1610-1626.5MHz as well as 5030-
5091MHz

Command and Control link vulnerabilities
•Security is a multi-level consideration
• C2 Link message security
• C2 Link RF Signal security
•C2 Link message security
• Authentication, Integrity, Confidentiality
• End to End Encryption can provide adequate protection
(standard iso/iec 27033-2:2012 Network Security
Architecture)
•C2 Link RF Signal security
• frequency-hopping spread spectrum
Threat and Vulnerability Identification: Wireless Attacks
•Threats and Vulnerabilities
•Jamming
•Denial-of-service
•Eavesdropping
•Spoofing

GPS Vulnerabilities
• Radio frequencies used by the GPS
lie within the L Band, from about 1.1
Ghz to about 1.6 Ghz
• GPS is available as two services
• SPS (Standard Positioning System) for
civilian users
• PPS (Precise Positioning Service) for military
users
• The SPS uses signals at GPS L1
frequency with an unencrypted coarse
acquistion (C/A) code. SPS gives a
horiziontal position accurancy in the
order of 10 m
• Data spec NMEA 0183
Threat and Vulnerability Identification: Sensor Attacks

GPS Vulnerabilities
Today, most UAV systems rely heavily on GPS data to locate themselves, the ground
station, and their targets. The data received through the GPS sensors can be spoofed,
which results in a false estimate of the UAV position in the on-board navigation system.
This type of attack will result in failed missions and possible loss of assets
Threat and Vulnerability Identification: Sensor Attack

Automatic Dependent Surveillance – Broadcast
Vulnerabilities
ADS-B is an on-board component part of the
next generation air traffic control system,
which broadcasts information about an
aircraft, such as position, heading, speed
and intent. For a UAV this system will mainly
be used for environmental awareness and
collision avoidance, which is part of the
navigation component.
Since ADS-B is a broadcast system intended
for all nearby aircraft, the data transmitted is
not encrypted.

Automatic Dependent Surveillance – Broadcast
Vulnerabilities
The unencrypted data transmitted creates an easy attack point for false data injection. The
ADS-B data is used for navigation by the UAV autopilot, and false ADS-B data can
accordingly throw the UAV off track during a mission. Also, if the ADS-B data is
unavailable while another aircraft is en route for collision, the survivability of the UAV is
affected greatly. Some of the possible attack methods are spoofing ADS-B data and
jamming.

Gain Scheduling Attack
• Gain scheduling is often used to control non-
linear systems. For a example, a UAV will need
different gains for control depending on the state
of the UAV (mass, altitude, speed, flaps down,
etc). A UAV will have different dynamical
properties depending on its state and will require
gains matched to each state in order to control
the vehicle properly. Gain scheduling is also
used in hybrid systems. In hybrid systems, a
system is assumed to have multiple modes of
operation, and the modes can change at any
given time following some rules. In the case of a
UAV, for example, there might be different
modes corresponding to take off, landing, and
cruising. Each of these modes will have different
gains for controlling the vehicle.
Threat and Vulnerability Identification

Gain Scheduling Attack
• The control gains are often pre-computed and trusted, and they are coded into the on-
board autopilots. Without strict monitoring of the software, an override of the these
gains could very well go undetected.
• Some of the possible attack methods are overriding gains through hacking or causing
denial of service between the controller gain block and the UAV controller block by
overloading the on-board processor

Fuzzing attack
• Fuzz testing or Fuzzing is a Black Box
software testing technique, which basically
consists in finding implementation bugs
using malformed/semi-malformed data
injection in an automated fashion.
• The concept if software fuzzing can be
applied to Guidance, Navigation and
Control algorithms
• In the UAV system, random inputs with
expected distribution are not uncommon,
and Gaussian noise inputs are routinely
accounted for

Fuzzing attack
Some of the possible attack methods are buffer overflow attacks, sending malicious
packets with invalid payload data to the UAV, and adding malicious hardware between
components

Other Vulnerabilities
• In a scenario where the opponent can
access the UAV:
• Side-channel attacks: This kind of
blackbox attacks consists in
observing some information
leakage from algorithms running
on the target. From these
leakages, different kinds of
information can be retrieved:
• Cryptographic keys
• Opcodes executed

Other Vulnerabilities
• Threats to the Ground Control Station
directly connected to IT world:
• Viruses
• Malwares
• Trojans
• Key-loggers

System Security Threat Model

Past incidents

The military experience in Cyber warfare
•There are some well-know cyber attacks to RPA and RPS in
military mission:
• The theft of an RQ-170 Sentinel by Iranian forces
• A keylogging-virus found in a GCS for Predator and Reaper
• The capture of Predator video stream by Iraq forces
Past Incidents

The theft of RQ-170 Sentinel
•The most recent and interesting
incidents was the claimed theft an
RQ-170 Sentinel by Iranian forces.
•The circumstances under which the
UAV came into the possession of the
Iranian forces are controversial.
•The main theory supposes that a
vulnerability of the UAV sensor
system with effects on the navigation
system was used to attack the GPS
system
Past Incidents: RQ-170 case

The scenario
• Iran forces addressed an attack toward the C2 link (Jamming)
• Consequently, the UAV started his Link-Loss procedure (we assume
that the UAV turned to the last know location of the GCS)
• In addiction, the Iran Forces were able to land the UAV in hostile
territory with a GPS spoofing attack.
Past Incidents: RQ-170 case

Risk Assessment Scheme

Proactive Risk Assessment Scheme
• In the 2013(5th International Conference on
Cyber Conflict), researchers showed a
scheme for the risk assessment of UAVs
• The risk assessment result of the provided
scheme is multi-dimensional. It provides
the risk assessment according to the type
and intensity of security needed. It is a
component-wise, probability-based
evaluation of integrity, confidentiality and
availability of the UAV
• The scheme provides information on the
susceptibility of components to attacks on
the integrity, confidentiality or availability
• A high score in the risk assessment
scheme corresponds to a high risk
Risk Assessment Scheme

Mq-9-Reaper assessment
• The GA MQ-9 Reaper is a remotely controlled
UAV. It is the successor of the MQ-1 Predator. It
uses the TCDL satellite communication system
(SATCOM) as well as direct LOS C-band
communication
• The control of the uav is done by a GCS. The
default equipment of the UAV consists of several
cameras bundled in a multi-spectral targeting
system (MTS-B). These cameras detect infrared,
daylight and intensive light. The data is
automatically pre-processed and fused by the
MTS-B.
• The navigational sensors are INS and GPS
• The MQ9-Reaper contains digital storage for
video data. The encryption and signature
mechanism are unknown
Risk Assessment Scheme: MQ-9-REAPER example

Recent Studies and Works

The near side of the Moon
• The American institute of Aeronautics and
astronautics is developing an autopilot robust
to Cyber Attack
• DARPA with the HACMS program is creating
technology for the construction of high-
assurance cyber-physical systems, ranging
from unmanned vehicles to weapons
systems, satellites, and command and
control devices
• A theoretical supervisory controller was
showed at ICUAS 2016 in June. The goal of
this work is to detect faults and Cyber-
physical attacks on UAVs using dynamic
state estimation to determinate the nature of
such vulnerabilities

The far side of the Moon
• An indipendent security
researcher showed during
Black hat 2016, all the
vulnerabilities of an UAV
classified «mini»
• MAVLink protocol doesn’t
provide encyption and it’s
possible to hack an UAV with
a $100 radio and three lines
of code

Where Investigate

Activities
• Investigate an autopilot system
robust to gps spoofing
• Investigate a complete taxonomy
to better understand the
propagation mechanisms of
attacks and handle them in attack
models
• Evaluate the integration of a Cyber
risk assessment within
engineering lifecycle phases
• Redesign mavlink protocol with
secure communication
Where Investigate: Activities

Well-Know countermeasures
• Monitor the GPS signal strength
• Monitor the strength of each
received satellite signal
• Monitor Satellite identification
codes and the number of satellite
signals received
• Check the time Intervals
• Perform a sanity check
• New(2016): Check doppler shift
Where Investigate: GPS Spoofing Detection using RAIM with INS
Solution
Investigate a monitor to detect GPS spoofing
attacks using residual based Receiver
Autonomous Integrity Monitoring (RAIM) with
inertial navigation sensors

The lesson learned from IPsec, could be a way to redesign
mavlink to assure:
• Confidentiality
• data-origin authentication
• Integrity
• Anti-replay attack
• A Key Management Protocol
Where Investigate: MavlinkSEC

Questions?

References
• [1] Kim Hartmann, Christoph Steup ,‘The vulnerability of UAVs to Cyber Attacks – An approach to the
Risk Assessment’, 5°International Conference on Cyber Conflict, 2013
• [2] Kim Hartman, Keir Giles, ‘UAV Exploitation: A New Domain for Cyber Power’, 8° International
Conference on Cyber Conflict, 2016
• [3] Alan Kim, Brandon Wampler, James Goppert, Inseok Hwang, ‘Cyber Attack Vulnerabilities Analysis for
Unmanned Aerial Vehicles’, Purde University, 2012
• [4] Nils Rodday, Master Thesis: ‘Exploring security vulnerabilities of unmanned aerial vehicles’,
University of twente, 2015
• [5] Robert Klenke, ‘Developmente of a Novel, Two-Processor Architecture for a Small UAV Autopilot
System’, Virginia Commonwealth University
• [6] Daniel P. Shepard, Jahshan A. Bhatti, Todd E. Humphreys, ‘Unmanned Aircraft Capture and Control
via GPS Spoofing’, University of Texas at Austin
• [7] Ahmad Y. Javid, Weiqing Sun, Vijay K. Devabhaktuni, Mansoor Alam, ‘Cyber Security Threat Analysis
and Modeling of an Unmanned Aerial Vehicle System’, University of Toledo, Ohio
References

References
• [8] Richard s. Stansbury, Manan A. Vyas, Timothy A. Wilson, ‘A Survey of UAS Technologies for
Command, Control, and Communication (C3)’, Embry Riddle Aeronautical University, 2008
• [9] Reg Austin, ‘Unmanned Aircraft Systems – UAVS Design, Development and Deployment’, Wiley, 2010
• [10] Michael Neale, Dominique Colin ‘Technology Workshop ICAO RPAS Manual C2 Link and
Communications’, RPAS Symposium, 2015
• [11] Dewar Donnithorne, ‘RPAS Classification – Operational Approvals for Small RPAS Work’, Royal
Aeronautical Society, 2012
• [12] Roadmap for the integration of civil RPAS into the European Aviaton System, 2013
• [13] Strategic Research & Innovation Agenda
• [14] Advice of Information Risk Management for RPAS, Centre for the Protection of National
Infrastructure(UK), 2015
• [15] ‘Hijacking quadcopter with a Mavlink Exploit’ - http://hackaday.com/2015/10/15/hijacking-quadcopters-
with-a-mavlink-exploit/
References

Cyber Security and Cyber-Resilience for RPAS

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Cyber Security and Cyber-Resilience for RPAS

Similar a Cyber Security and Cyber-Resilience for RPAS (20)

Último

Último (20)

Cyber Security and Cyber-Resilience for RPAS