Professional Documents
Culture Documents
1
KRISHNA SAMPIGETHAYA*, ** , RADHA POOVENDRAN* , MINGYAN LI** , LINDA BUSHNELL* , RICHARD RO
on their use, e.g., "sensing" by RFID readers is unit, memory, and a wireless data communica-
done only when airplanes are on the ground [14]. tion unit, deployed over the airplane structure and
Security concerns, on the other hand, need a care- onboard systems for health monitoring. These
ful assessment of threats and their prevention or sensors can be heterogeneous in capabilities (e.g.
mitigation. Therefore, with the potential future node transmission range) and modalities (e.g. vi-
use of vulnerable wireless solutions for health bration, temperature, pressure etc). Due to their
data collection and distribution, the emerging se- limited battery-energy, multi-hop routes are em-
curity threats must be addressed. ployed in the WSN where each sensor node com-
WSN and active RFID system have vulnera- municates directly with one-hop neighbors, i.e.,
bilities that can be exploited to deteriorate the re- nodes in its radio range. Further to reduce the
liability, accuracy and availability of health diag- overwhelming volume of data in the AHMMS,
nostics and prognostics, impeding beneficial uses we assume in-network data aggregation or data
of the AHM (see Section 2.3). This paper ad- fusion in the WSN [18]. The aggregator nodes
dresses such threats to the business of the AHM. forward data to a local control unit which in turn
Additionally, the paper discusses threats that can provides this feedback to a central control unit.
arise if e-enabled health data is used in real-time The data collection in the WSN can be done pe-
flight-critical operation and control. riodically, or upon detection of an event by one
The remainder of this paper is organized as or more sensors (e.g., abnormal structural tem-
follows. Section 2 presents the system model and peratures) or on demand by an airplane subsys-
the types of adversarial attacks considered, fol- tem or the control units (e.g., fuel level queries).
lowed by the resulting security threats to wireless Further, the onboard RFID system consisting of
AHM. Section 3 proposes security requirements active tags and readers shown in Fig. 1, is used
for health data collection and Section 4 discusses to collect onboard part maintenance information
security of health data distribution. Section 5 dis- and forward to the central control unit.
cuss challenges that must be addressed for using Upon receiving feedback from the local con-
proposed security solutions as well as for future trol units, the central control unit forwards data to
WSN-enabled flight operation and control. Sec- the airplane subsystems owning the sensors. The
tion 6 presents our conclusions and future work. subsystems perform diagnosis, i.e., locating and
describing existing failures, and prognosis, i.e.,
2 AHMMS Model Considered locating and describing potential failures [9]. The
analysis can lead to execution of tasks at the sub-
Fig. 1 illustrates the generic model in this pa- systems, such as triggering onboard actuations
per referred as Airplane Health Management and via the central control unit or initiating a down-
Monitoring System (AHMMS), including on- link of detected airplane faulty part diagnostics
board health data collection by a central con- to the ground systems as shown. The authorized
trol unit and health data distribution to ground ground systems of airlines are also capable of ini-
systems of airlines. As shown, we consider the tiating a download of health data when their fleets
use of wireless sensors, wireless access points are on the ground and/or in flight.
and active RFID system for collecting business-
critical health data only, and assume that all 2.1 System and Trust Assumptions
safety-critical data collection is by protected
wired sensors. The AHMMS is assumed to be administered in
The WSN consists of smart sensors which are such a way that access privileges are assigned and
battery-powered 1, possessing a signal processing managed appropriately. Passwords and private
keys are kept secret, and digital certificates are
1 In
some cases, it maybe possible to scavenge power properly managed and protected. The networks
from the sensor-residing system instead of a battery. used for health data distribution to ground sys-
2
SECURITY OF WIRELESS SENSOR NETWORK ENABLED HEALTH MONITORING FOR FUTURE
AIRPLANES
Fig. 1 Airplane Health Management and Monitoring System (AHMMS) Model. Solid lines are wired links.
tems are assumed to be robust against well known RF communications. For example, the proposed
denial of service attacks. As a backup mecha- onboard use of transmitting personal electronic
nism for addressing network systems failure, data devices [25] which can include laptops, RFID
distribution via physical media is assumed and tags and cell phones, raises a potential vulner-
is considered adequate to meet requirements for ability for disruption or unauthorized access to
timely data delivery from an aircraft. Further, air- health data communications. Therefore, use of
lines are trusted to be capable of managing the wireless networks can allow an adversary to per-
AHMMS configuration reliably and correctly. form remote attacks, manipulating AHMMS op-
The sensors are assumed to be resilient to eration and availability in unexpected ways.
harsh flight conditions such as high temperatures
and acceleration vibrations. Additionally, it is as- 2.2 Adversary Model
sumed that sufficient physical security checks are
in place to prevent unauthorized cabin access to The overall objective of the adversarial attacks
onboard systems and sensors. considered is to induce unwarranted delays and
While the onboard wired network is trusted expenses for owners of the e-enabled airplane.
and protected from any unauthorized access, the The adversary can be external to the AHMMS
onboard WSN, RFID system and wireless inter- and/or an insider. We assume the adversary to be
faces cannot be trusted due to the easy access to capable of passive attacks (network traffic anal-
3
KRISHNA SAMPIGETHAYA*, ** , RADHA POOVENDRAN* , MINGYAN LI** , LINDA BUSHNELL* , RICHARD RO
ysis) as well as active attacks such as node im- aggregate of) data sent by the originating sensor
personation attack, compromise of sensors (node or tag. Further, injection of any misleading data
capture [22]), tags and readers. It is also assumed into the WSN or the tags by unauthorized and au-
that the adversary is capable of performing denial thorized nodes must be prevented.
of service attacks on data collection by jamming To prevent attacks by an external adversary,
the wireless channels [19]. upon receiving data, all sensor nodes must be
We note that insider attacks based on compro- able to verify the validity of both the source and
mised sensors, tags or readers can be deterred by the message. For the RFID system, it has to
enforcing legal regulations and sufficiently safe- be guaranteed that only the authorized readers
guarded against with specific physical, logical can write to the tags. Additionally, the readers
and organizational inhibitors, checks and con- must be able to authenticate the tags to prevent
trol. However, in this paper, we consider insider any corrupted data being scanned from compro-
threats for rigor and completeness of our security mised tags, e.g., fake or cloned tags hidden on-
analysis. We present potential solutions which board. Hence, mutual authentication is needed
can enhance the level of protection to airplane between tags and readers. Further, for defending
systems. against insider attacks by compromised nodes,
potential distributed solution approaches for the
2.3 Security Threats WSN and RFID system include majority voting
or reputation-based schemes, where local nodes
The adversary may attempt to manipulate health can jointly determine the validity of an alarm
data with the intention of hiding or delaying fault raised by a neighbor based on their direct and in-
detection in the airplane to potentially induce de- direct observations [21].
lays and costs that significantly impede airline
business. The manipulation may be done by cor- 3.2 Confidentiality
rupting, replaying, or blocking the data during
its collection and/or distribution in the AHMMS. Communications in the WSN that contain propri-
For instance, the adversary may engineer suffi- etary data and/or sensitive data capable of aiding
cient false alarms during onboard or off-board di- future attacks (e.g. engine fuel level) must be
agnosis of the health data feedback, to reduce the protected against passive eavesdropping on the
reliability and level of confidence in the AHMMS wireless channels. Similarly, part maintenance
health assessments. Further, any late detection history and other data stored in tags must be pro-
of onboard faults can induce unwarranted flight tected if they have business value or contain pro-
safety concerns. prietary information of the system owner. Al-
though physical security control ensures the first
3 Securing Wireless Health Data Collection line of defense, encryption is preferred as the
wireless links can be intercepted by an adversary
In order to mitigate the above threats to the health without physical access if the transmission power
data collection, we propose the following secu- is sufficiently high.
rity primitives for WSN and RFID systems.
3.3 Efficient Cryptography Schemes
3.1 Integrity and Authenticity
For providing integrity, authenticity and confi-
Sensor data, e.g., an abnormal decrease in tire dentiality of WSN and RFID communications,
pressure, and tag data, e.g., part maintenance cryptography solutions can be used. However,
information, must be protected from any unau- since sensors can be limited in terms of battery
thorized modification by an adversary. Hence, power, symmetric cryptography is preferred in
data received by a sensor or aggregating node or WSNs as opposed to asymmetric cryptography
reader or control unit must be identical to (or an which is relatively computation and communica-
4
SECURITY OF WIRELESS SENSOR NETWORK ENABLED HEALTH MONITORING FOR FUTURE
AIRPLANES
tion intensive. At the same time, for protecting of keying material in the AHMMS is challenging
communications between onboard systems and as will be discussed later.
higher capable nodes in the WSN, i.e., local con- Another major threat to both WSN and RFID
trol units and aggregators, asymmetric cryptogra- systems is from wireless jamming attacks [19,
phy based solutions such as digital signatures can 20]. Therefore, we propose the following primi-
be used. tive.
On the other hand, for the RFID system, only
the tags have limited memory, constrained com- 3.5 Mitigation of Jamming
munication range and scarce energy. Therefore,
efficient asymmetric key cryptography schemes, Leveraging the broadcast medium of wireless
such as elliptic curve cryptography, have been channels, the adversary can employ jamming at-
shown to be feasible for RFID authentication tacks to block or delay fault detections from
[20]. Comparatively, symmetric key based au- propagating towards the control units. Similarly,
thentication with a shared key between a tag and the wireless communications between RFID tags
a reader is vulnerable to the compromise of either and readers are inherently subject to jamming at-
authenticating entity, and can incur prohibitive tacks. Therefore, channel jamming attacks must
overhead from compromise of a reader since all be detected as soon as possible and mitigated in
tags that share a pair-wise key with the compro- the WSN and RFID system.
mised reader must be securely updated with the The conventional defense strategy against
new keys. jamming, i.e., spread spectrum, is resource con-
Further, in the WSN, solutions based on link suming to be deployed in tags and sensors.
layer cryptography, i.e., using a cryptographic The detection and defense of jamming attacks
key shared by two neighbors, are more suited, launched in different layers of network have been
when compared to solutions based on end-to-end an active research area, and interested readers are
cryptography, i.e., using a key shared by each referred to [19] for more recent research advance.
originating sensor and the end destination which A potential solution is also in [19], where a net-
can be an aggregator, sensor, or control unit. work node adjusts its transmission rate in order
However, the link keys must be established by to contain jamming interference.
the WSN nodes upon deployment, warranting the
following primitive. 3.6 Mitigation of WSN Side Channel Attacks
5
KRISHNA SAMPIGETHAYA*, ** , RADHA POOVENDRAN* , MINGYAN LI** , LINDA BUSHNELL* , RICHARD RO
3.6.2 Secure Location Verification provided to protect health data distribution from
the adversary.
Sensor readings are only useful when associated
In [15, 16], we have proposed the use of digi-
with their physical locations. For example, sen-
tal signatures to provide end-to-end integrity and
sor data that represents a detected crack in the
authenticity and defend against external adver-
aircraft structure will be useless if it does not
sary attacks. Signatures can also support trace-
include a physical location for the crack. Fur-
ability and non-repudiation of actions taken on-
ther, network services, such as geographic rout-
board as well as on the ground, hence mitigat-
ing, depend on the node location information.
ing insider attacks. For confidentiality, asymmet-
Hence, nodes in the WSN must be capable of se-
ric or symmetric encryption can be additionally
curely verifying the location claims made by their
used. For more details, we refer the reader to
neighbors to address attacks based on misleading
[16] where we have employed the Common Cri-
location data, e.g. the wormhole attack on geo-
teria (CC) methodology for developing a com-
graphic routing [21]. Secure location verification
plete analysis of the security of data distribution
also provides another level of source authentica-
between airplane and ground systems.
tion using the position of a neighbor to verify va-
lidity of data received from it.
5 Challenges and Open Problems
At the same time, the location of some sen-
sors that are used for time-critical detections may 5.1 Wireless Sensor Capabilities
be of interest to the adversary for launching side
channel attacks. Consequently, the communica- Sensor communications incur overhead in terms
tions in the WSN must not reveal the location and of energy and bandwidth resources which maybe
type of such sensors to unauthorized entities. limited in the airplane environment. More pro-
cessing at smart sensors can reduce this overhead.
3.6.3 Robustness to Node Capture However, at the same time it can introduce vul-
For addressing insider attacks based on compro- nerabilities due to the level of criticality placed
mised sensors, tamper-proof sensor hardware of- on the wireless communication. For example, in-
fers one potential solution. However, since this stead of communicating the redundant raw data a
solution is expensive and adds to avionics over- wireless sensor processes the raw data and self-
head, the design of WSN algorithms for all the predicts a time-critical fault, the wireless sen-
above primitives must be capable of tolerating sor(s) must now communicate this self-prognosis
compromise of a fraction of network nodes [22]. to the central control unit reliable, accurately and
timely.
3.7 Early & Correct Detection of Corruption
5.2 Power Efficiency of WSN and RFID
Any manipulation of the health data during col-
lection in the WSN and RFID systems must be Similar to avionics, it is reasonable to assume that
detected as soon as possible, while false alarm the onboard sensors and active tags of the AH-
detections must be avoided. MMS will be periodically maintained. The sen-
sors and tags must be able to operate reliably on
4 Securing Wireless Health Data Distribu- their battery power within this period which can
tion vary in range of several days to weeks. Hence to
conserve the battery power of the sensor nodes,
For health data distribution from airplane to a combination of sensor processing and energy-
ground, asymmetric cryptography based end-to- efficient data aggregation algorithm is needed.
end solutions are more secure and practical [24]. Further, the WSN medium access algorithm em-
Similar to WSN and RFID communications, in- ployed must also be energy-efficient, such as by
tegrity, authenticity and confidentiality must be making nodes to be in sleep mode when not ac-
6
SECURITY OF WIRELESS SENSOR NETWORK ENABLED HEALTH MONITORING FOR FUTURE
AIRPLANES
tive [2]. Additionally, the solution design for the 5.6 Wireless Flight Operation & Control
above primitives for WSN and RFID system must
incorporate this energy constraint. For example, With their unprecedented features, WSNs have
given that communication costs more power than the potential for providing additional and timely
a computation, energy-efficient secure broadcast information to support increased automation as
routing algorithms for WSN [23] and energy- well as real-time decision making in future air
efficient authentication protocols for RFID [20] transportation systems. However, in such a future
are desirable. application, WSN vulnerabilities can threaten to
reduce aircraft safety margins, resulting in possi-
ble degradation of airworthiness and operational
5.3 Low End-to-End Latency in WSN efficiency of the aircraft. In addition to the se-
curity threats in Section 2.3, the manipulation
It is pivotal that all detected critical faults must
of health data can potentially induce flight haz-
be timely delivered by the WSN to the central
ards. For instance, the adversary may corrupt
control unit for real-time diagnosis [26], and if
health data during its collection to hide detec-
needed to the ground systems for further analy-
tion of safety-critical faults. However, since we
sis. Consequently, the WSN routing algorithms
assume that onboard safety-critical sensing and
must be designed to be energy-efficient under a
actuation in the AHMMS are hard-wired to the
given delay constraint.
central control unit, most of the attacks that gen-
erate such alerts during real-time airplane oper-
5.4 Traceability in WSN ation can be successfully thwarted by additional
consistency checks at the control units.
Traceability of authorized actions taken in the However, it is possible that the adversary may
avionics systems is inherently important. How- attempt to hide onboard safety-critical detections
ever, use of data aggregation obscures traceabil- during their distribution to ground systems. Fur-
ity of data in the WSN, reducing, in most cases, ther, the adversary may passively eavesdrop on
the ability to identify the source of the false or safety-critical health data to derive information
malicious fault detection data. The data aggre- that may be leveraged for other attacks. Although
gation algorithm employed in the WSN must ad- these two threats do not induce immediate haz-
dress this tradeoff. ards for flights, they may be exploited for fu-
ture attacks. Therefore, a major challenge in
5.5 WSN and RFID Membership Dynamics extending the use of wireless technologies from
business-critical to safety-critical functions is in
As other avionics, sensors and tags can be ex- identifying and mitigating/preventing threats to
pected to be removed or replaced over time. Con- flight airworthiness.
sequently, the key management scheme and pol-
icy must allow additions and deletions of nodes 5.6.1 Security Specification for Airworthiness
from the resource-constrained WSN and RFID
In [16] we define security requirements for air-
systems, while also ensuring secure periodic key
worthiness in a systematic manner. Specifically,
updates in the network. For the RFID system,
we contribute a standardized framework based on
the use of asymmetric key cryptography based
the CC methodology to identify requirements for
schemes for mutual authentication will mandate
securing the distribution of loadable software and
the management of digital certificates. In [20],
health data between airplane and ground systems
various approaches with related overhead and
[16]. The standardized approach is taken to en-
scalability are considered, including a certificate
able the extension of our framework into the ex-
whitelist and a hash-chain based approach [20].
isting certification guidelines for commercial air-
planes. Additionally, in [24], we have investi-
7
KRISHNA SAMPIGETHAYA*, ** , RADHA POOVENDRAN* , MINGYAN LI** , LINDA BUSHNELL* , RICHARD RO
gated impact of the use of cryptography based 6 Conclusions and Future Work
solutions on the avionics and ground systems op-
erated by e-enabled airplane owners. In this paper, we provided an overview of our
proposed framework for the assured use of WSN
5.6.2 Networked Control of Airplanes and RFID for data collection and use of wireless
networks for data distribution in airplane health
Apart from real-time operation, WSN feedback
management. Compared to other applications
and wireless networks can also support real-time
with random sensor deployments, such as ani-
distributed control of aircraft by onboard as well
mal habitat monitoring, the pre-determined and
as ground controllers [7]. However, related chal-
fixed deployment of AHM WSN can allow use of
lenges must be fully addressed, including the in-
simplified solutions such as centralized approach
stability of network control systems [26] and the
to key establishment. However, other constraints
security of networked control. Some potential so-
such as low end-to-end delay and traceability im-
lutions may be found in the area of ground con-
pose major challenges to the design of secure and
trol of unmanned aerial vehicles in military ap-
energy-efficient solutions for addressing threats
plications.
due to side channel attacks on the WSN. The suc-
5.6.3 High Confidence WSN and RFID cessful integration of RFID for AHM depends on
the integrity and authenticity of environment and
The airplane is a cyber-physical system on which workflow information stored at the tags and the
human lives are dependent [27]. Therefore, high feasibility of efficient asymmetric key based mu-
confidence is needed in order to ensure that the tual authentication schemes. Further, based on
airplane can exhibit deterministic behavior. The our previous work, we proposed the use of digital
potential use of WSN and RFID warrants that signatures for the secure distribution of airplane
the onboard network and security protocols are health data to the ground systems.
verified and validated at an adequate level of as- While we have identified the main classes
surance. Further, due to the dynamic nature of of threats and potential defense mechanisms for
WSN, it would be desirable to have visualization wireless-enabled AHM, our future work will pro-
tools to assess vulnerabilities and trust in the net- vide an in-depth security assessment and perfor-
work. Such tools will allow the operator to assign mance analysis of the recommended solutions.
a level of trust to the data received from a specific
node or a group of nodes in the network. How- References
ever, a related challenge is in finding a balance
between flight-operator attention and timely de- [1] Domingo, R., Health management and monitor-
cision making, as described next. ing systems, Proceedings of the USA/Europe In-
ternational Aviation Safety Conference, 2006.
5.6.4 Information Visualization [2] Bai, H., M. Atiquzzaman, D. Lilja, Wireless
sensor network for aircraft health monitoring,
Visualizing information for an overloaded air- Proceedings of Broadband Networks (BROAD-
plane pilot in safety-related applications is an NETS), 2004.
emerging area of study, e.g., visualization of sen- [3] Harman, R. Wireless solutions for aircraft condi-
sor data for aiding pilots when encountering haz- tion based maintenance systems, Proceedings of
ardous airflow scenarios [28]. Hence the network IEEE Aerospace Conference, 2002, pp. 6-2877-
visualization tools for trust and vulnerability as- 6-2886.
sessment in critical decision making mentioned [4] Ramamurthy, H., B. Prabhu, R. Gadh, Recon-
above, must be designed carefully. These tools figurable wireless interface for networking sen-
must help in making real-time and reliable deci- sors (ReWINS), Proceedings of IFIP Interna-
sions, but only require minimal attention from the tional Conference on Personal Wireless Commu-
operator. nications (PWC), 2004, pp. 215-229.
8
SECURITY OF WIRELESS SENSOR NETWORK ENABLED HEALTH MONITORING FOR FUTURE
AIRPLANES
9
KRISHNA SAMPIGETHAYA*, ** , RADHA POOVENDRAN* , MINGYAN LI** , LINDA BUSHNELL* , RICHARD RO
Copyright Statement
10