A Risk-Oriented Systems Engineering Approach to address Cyber Security Issues of Aircraft, Air Traffic Management and Airports Systems

Lanka Bogoda CISSP

Ph.D. candidate : School of Engineering - Aerospace Engineering and Aviation - RMIT University
Senior Engineering Specialist : Information Management & Data Services – Airservices Australia
CISSP : Certified Information Systems Security Professional
Aircraft, Air Traffic and Airport operation network

• Common goal of IT, Automation and Network Connectivity:
– A greater accuracy of flight arrival & departure times
– Efficient management of airport operations and air traffic
– Reduced work load of flight crew
– Maximise the use of ground resources
– Sharing information locally and internationally among stakeholders
– Immense amount of data collected, processed and shared:
  – Flight data
  – Terminal & Aeronautical Information
  – Weather and passenger updates
  – Infrastructure availability and NOTAMs
  – Security surveillance, baggage and cargo information

2
Civil Aviation Cyber-physical Systems
1 Aircraft: Flight information systems, Avionics & Communication System
2 Air Traffic Management: Radar, ADS-B, Flight information systems, Avionics & Communication System
3 Airport and Airline Network
4 System Wide Information Management (SWIM)
5 Ground Navigational-Aid: Doppler VHF Omni Range, Instrument Landing System, Distance Measuring Equipment, Ground Based Augmentation System

3
Legacy aircraft systems and unsatisfactory information management

4

Exposed to Information Security Threats during Flight along flight routes

5

Flight Information Systems, Avionics & Communication Systems

6
Air Traffic Management (ATM) system
[Figure: ATM system sites at Colombo, Melbourne and Brisbane]

7
Air Traffic Management (ATM) system - Radar
[Figure: block diagrams of (a) Primary Radar, (b) Secondary Radar and (c) Surface Movement Radar (SMR). The secondary radar sends interrogations at 1030 MHz and receives replies at 1090 MHz; the site monitor, primary and secondary antennas feed LNA, receiver and transmitter chains, target and weather extractors and processors at the radar site; radar modems, protocol converters and routers carry the data to the ATC Centre, where multi-sensor tracking and sensor data fusion combine radar, ADS-B, multilateration and SMR data for ATC decision aids and the ASMGCS display.]
LNA : Low Noise Amplifier
GPS : Global Position System

8
Airport and Airline Network

9

System Wide Information Management (SWIM)

10

Ground Navigational and Landing-Aid : ILS, DVOR & DME

11

Ground Navigational and Landing-Aid : ILS, DVOR & DME
(a) DME (b) DVOR (c) ILS-Glidepath (d) ILS – Localiser system Antenna

12
Security Risks - Civil Aircraft Systems

Risk/Vulnerability: Inadequate network segregation among Flight Management System (FMS), In-Flight Entertainment (IFE) system and passenger wireless network
Comment: Hackers gain access to flight controls & parameters via IFE or passenger network (ARINC 629 buses are designed for two-way communication)

Risk/Vulnerability: Zero-day attack on FMS: attackers exploit a software vulnerability and alter flight plan data, trajectories, navigational aid and weather data
Comment: Aircraft deviates from its approved flight path into conflicting paths, violating separation minima. In extreme situations, controlled flight into terrain. Aircraft separation is reduced to a minimum, leaving no room for manoeuvre

Risk/Vulnerability: Malware, virus or worm attack on FMS
Comment: Aircraft shows abnormal behaviour. Modified flight parameter thresholds cause unexpected warnings and system alarms. Slow response time. Compromised system resource allocations

Risk/Vulnerability: ADS-B flight ID spoofing (altered Aircraft ID)
Comment: Aircraft is not visible to the ATM system (as the spoofed aircraft ID cannot be correlated to any of the flights in the ATM database)

Risk/Vulnerability: Malware attack on ACARS system (Controller–pilot data link communications [CPDLC] message deletion or alteration of route, terminal, aeronautical and weather information)
Comment: Vectoring aircraft to pre-planned map coordinates or redirecting to an unsafe (or already occupied) flight path via fabricated CPDLC messages. Flight separation is reduced to a minimum, leaving no room for manoeuvre

Risk/Vulnerability: Malware (or Stuxnet-style) attack on aircraft radar transponder (modified Aircraft ID and altitude)
Comment: Ghost (unidentified) aircraft cause ATCs to execute emergency procedures to avoid collisions. Uncertainty of flight level occupation. Loss of real aircraft position on ATM system

Risk/Vulnerability: GNSS jamming and spoofing (malware)
Comment: Incorrect aircraft position, velocity and time (PVT) reporting. Conflicting aircraft positions displayed on the ATM system make ATCs execute emergency separation procedures

Risk/Vulnerability: Unauthorized access to Electronic Flight Bag (EFB) and navigational aid databases
Comment: Controlled flight into terrain (the identified vulnerabilities are often plain design mistakes, which makes the cryptosystems exploitable)

Risk/Vulnerability: Use of proprietary encryption key algorithms between avionics and ground control systems for data communication
Comment: Prone to cryptanalytic attacks (proprietary cryptosystems can be exploited through plain design mistakes). Use of proprietary encryption is extremely risky in the aviation environment

Risk/Vulnerability: Compromised private keys being used between avionics and ground control systems when using Public Key Infrastructure (PKI) for data communication
Comment: Disclosure of command and control communication and possible injection of falsified data. This may lead to controlled flight into terrain, reduced separation minima and/or no room for manoeuvre

Risk/Vulnerability: Denial-of-Service (DoS) attack on aircraft datalink application
Comment: Flight operations, maintenance, crew management, station assistance, ground handling, passenger, fuel and anti-icing information will not be negotiated in a timely manner; extended period of ground/gate delay

Risk/Vulnerability: Privilege escalation of ADS-C and CPDLC logon credentials
Comment: Falsified clearance injection to FMS, which leads the flight onto a collision course with another flight, creating havoc in the airspace

Risk/Vulnerability: Country specific legislation requires disclosure of the avionic data link secret key and decryption algorithm to the country's authority (when cryptosystems are used in data communication)
Comment: Revelation of secret keys and decryption algorithms may lead to destruction, disclosure or alteration of safety critical data used for aircraft operation

Risk/Vulnerability: Use of the Industrial, scientific and medical (ISM) radio band (802.11 b/g) to update aircraft system components (AHM, LSAP, VDAR, EFB) using Boeing TCU
Comment: The wireless data can be sniffed and intercepted to execute an attack at the airport terminal gate

Risk/Vulnerability: Use of unsecure (or unencrypted) wireless dataloaders to update aircraft system configuration
Comment: The wireless data can be sniffed and intercepted to execute an attack. High risk of manipulating system configs through a MITM attack

Risk/Vulnerability: In-flight data update using the Internet via a satellite link with no SSL/TLS or VPN
Comment: Systems and data are vulnerable to all internet based cyber attacks

Risk/Vulnerability: Use of a common default engineering login for all applications in all aircraft
Comment: No accountability can be established in the event of a security breach unless adequate physical security is provided to the aircraft

Risk/Vulnerability: No active intrusion detection and/or active response mechanism (such as IPS & firewall) against cyberattack
Comment: Prone to network-based attacks and longer recovery time after an attack. Longer delays and higher recovery cost

Risk/Vulnerability: Regulation restrictions delay important security updates
Comment: Software security patch updates have to be passed from the manufacturer through to the operator, needing appropriate certifications for all relevant regions along the way

13
Security Risks - Air Traffic Management System

Risk/Vulnerability: Inadequate network segregation between ATM and corporate/public systems
Comment: Unauthorized access to ATM information. Destruction, disclosure and alteration of safety critical aircraft surveillance data

Risk/Vulnerability: Man in the middle (MITM) + replay (ADS-B) attack where altered ADS-B aircraft location data is fed to the ATM system
Comment: Erroneous display of aircraft position information on the ATM system if no redundant mechanism is available to verify the data

Risk/Vulnerability: Information leak through covert channel (storage or timing) attack
Comment: Safety critical information is passed in a secretive, unauthorized or illicit manner (attackers use covert channels to transmit sensitive documents unobserved)

Risk/Vulnerability: Unsecured (or unencrypted) data and voice (VoIP) communication over a public shared network between ATM centres
Comment: Exposed to network-based attacks (sniffing, MITM, session hijacking, phishing and backdoor)

Risk/Vulnerability: Secured data communication over a public shared network between ATM centres
Comment: Encrypted malware uses ATM data as payload to bypass security controls

Risk/Vulnerability: Inadequate network perimeter and endpoint security controls to inspect and prevent encrypted malware
Comment: ATM system information is exposed to malware attack

Risk/Vulnerability: SQL injection (flight plan, aircraft parameter, route, reporting point, weather and aeronautical information databases)
Comment: Alteration/deletion of safety critical data from various ATM databases, causing catastrophic air safety incidents and leading to excessive flight delays

Risk/Vulnerability: Privilege escalation attack on ATM system
Comment: System misconfiguration, disabled decision aids, increased warning or alert thresholds, alteration or deletion of safety critical data (flight, aeronautical, NOTAM and met info)

Risk/Vulnerability: Inadequate application and endpoint security protection (virus, worms, Trojan, rootkit, spyware, blended threat and adware)
Comment: Alteration or deletion of parameter thresholds causing system failure, service degradation, abnormal IT resource allocation, memory overflow and slow response

Risk/Vulnerability: Remote access session hijacking (admins use remote VPN to troubleshoot ATM systems and networks)
Comment: Unauthorised configuration of critical network parameters and systems using hijacked sessions

Risk/Vulnerability: Privilege escalation to ACARS system (ADS-C and CPDLC messages)
Comment: Unauthorised feeding of ATC clearance messages to the aircraft's navigation system, causing unsafe flight operation

Risk/Vulnerability: Privilege escalation to Notice to Airmen (NOTAM) system
Comment: Falsified ATM information is disseminated among ATM stakeholders, causing aircraft to fly longer routes

Risk/Vulnerability: No software patch management for ATM systems (leading to zero-day attack)
Comment: The vulnerability is leveraged in a live attack to gain access to systems, forcing aircraft to deviate onto conflicting routes violating ATC separation minima

Risk/Vulnerability: No Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) for ATM services
Comment: Extensive reduction of system availability in case of incidents, data breach or disaster. ATC services to aircraft in the affected FIRs incur extended periods of delay

Risk/Vulnerability: No Security Information and Event Management (SIEM) mechanism for ATM system and network admin operations
Comment: No assurance that all actions performed are logged, and for a time period that can satisfy both regulatory and consumer needs. Impossible to perform forensic investigations

Risk/Vulnerability: Unauthorized interception of wireless ATC data communication
Comment: Forcefully injected ATC clearance for landing or take off, causing runway intrusions

Risk/Vulnerability: DoS attack on core/distribution network connecting adjacent ATSP facilities
Comment: Extended service outages causing excessive delays due to communication and surveillance failures

Risk/Vulnerability: Attack on symmetric key (known plaintext, chosen plaintext or chosen ciphertext) between avionics and ATM system when using encrypted data communication
Comment: Command and control data communication revealed/altered, causing catastrophic air safety incidents and excessive flight delays

Risk/Vulnerability: Inadequate ATM system physical security and access controls
Comment: Unauthorized access to systems compromises availability, confidentiality and integrity

Risk/Vulnerability: No patching on GPS RAIM servers
Comment: Extended period of delays due to increased separation (GPS RAIM servers predict GPS outages for pilots during the pre-flight planning process and notify ATCs of these outages as well)

Risk/Vulnerability: No ATM incident response plan for possible cyber-attacks
Comment: Severe effects on ATM services and business operations

Risk/Vulnerability: Exploitation of vulnerabilities in an organisation's information systems
Comment: The threat exploits coding bugs or design flaws (e.g. buffer overflows, improper validation of input)

14
Major issues at hand
• Lack of information on aviation system vulnerabilities
• Available information is inconsistent and erroneous
• Inadequate aviation system knowledge of security risk assessors contributes to:
  • Inconsistencies in risk assessment
  • Weak controls in high valued assets
  • Substantial investment in lower valued assets
• Shortage of cyber security professionals – specialised in aviation systems

15
Security risk assessment process for - Civil Aviation Systems
[Figure: risk assessment process flow; the steps labelled "Research Area" are those addressed by this research]

16
Pairwise assessment of cyber security risk

Results of each comparison are presented in numerical form from 1 (equally preferred) to 9 (Extremely
preferred)

17
AHP : Analytic Hierarchy Process 17
Consistency Index (CI) and Consistency Ratio (CR)
For a pairwise comparison matrix A of order n, the maximum eigenvalue λ_max equals n only if the matrix is perfectly consistent.

$CI(A) = \frac{\lambda_{max} - n}{n - 1}$, where $n$ is the order of the matrix

$CR = \frac{CI}{RI}$, where $RI$ is Saaty's random index

Accordingly, CR < 0.1 implies consistency; if CR is not below 10%, the judgments need to be revised.

18
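The CI/CR check above, worked through as an added example in pure Python (not code from the presentation or its author): a reciprocal matrix is built from the 1 to 9 judgements, λ_max is obtained by power iteration, and CR is compared against the 0.1 threshold. The three assets and the judgements between them are constructed for illustration only.

```python
# Added example (not from the presentation): AHP consistency check in pure Python.
# Asset names and judgements below are constructed for illustration.

# Saaty's random index RI for matrix orders 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

def reciprocal_matrix(upper):
    """Build the full pairwise matrix from judgements a_ij (i < j) given as
    a dict {(i, j): value}; a_ji = 1/a_ij and a_ii = 1."""
    n = max(max(i, j) for i, j in upper) + 1
    A = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        A[i][j] = float(v)
        A[j][i] = 1.0 / v
    return A

def principal_eigen(A, iters=500):
    """Power iteration: returns (lambda_max, priority vector summing to 1).
    Valid for positive matrices such as AHP comparison matrices."""
    n = len(A)
    w = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        Aw = [sum(A[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(Aw)                 # equals lambda_max once w has converged
        w = [x / lam for x in Aw]     # renormalise so the weights sum to 1
    return lam, w

def consistency(A):
    """CI = (lambda_max - n)/(n - 1); CR = CI/RI. CR < 0.1 is acceptable."""
    n = len(A)
    lam, w = principal_eigen(A)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return lam, ci, cr, w

# Constructed judgements for three assets: 0=FMS, 1=ADS-B transponder, 2=EFB.
# FMS is "moderately" more critical than ADS-B (3) and "strongly" than EFB (5);
# ADS-B is "moderately" more critical than EFB (3).
ASSETS = ["FMS", "ADS-B transponder", "EFB"]
JUDGEMENTS = {(0, 1): 3, (0, 2): 5, (1, 2): 3}

if __name__ == "__main__":
    lam, ci, cr, w = consistency(reciprocal_matrix(JUDGEMENTS))
    for name, weight in zip(ASSETS, w):
        print(f"{name:18s} weight={weight:.3f}")
    print(f"lambda_max={lam:.4f} CI={ci:.4f} CR={cr:.4f} "
          f"-> {'consistent' if cr < 0.1 else 'revise judgements'}")
```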
Conventional vs Fuzzy Logic Method
[Figure: conventional method compared with the fuzzy logic method]

19
De-Fuzzification of risk attributes using fuzzy logic
The basic architecture of a fuzzy expert system
Membership function – representing imprecision in crisp value variations

20
The use of 'If then rules' by inference engine
ToF : Threat occurrence Factor

21

Risk matrix interpretation of fuzzy rule

22

De-Fuzzification of risk attributes using fuzzy logic
Fuzzy inference process (IF-THEN rule and aggregation)

23
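The fuzzy inference pipeline outlined on slides 20 to 23 (membership functions, IF-THEN rules laid out as a risk matrix, aggregation, de-fuzzification), shown end to end as an added Python example that is not code from the presentation or the Matlab model. The two inputs (likelihood, impact), the triangular linguistic terms and the rule table are assumptions for illustration.

```python
# Added example (not from the presentation): Mamdani-style fuzzy risk rating.
# Inputs, linguistic terms and the rule base are assumed for illustration.

def tri(x, a, b, c):
    """Triangular membership: 0 outside [a, c], rising to 1 at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Assumed terms on a 0..1 universe, shared by both inputs and the output.
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

# Assumed rule base written as a risk matrix: RULES[likelihood][impact] -> risk.
RULES = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

def fuzzify(x):
    """Crisp value -> membership degree in each linguistic term."""
    return {t: tri(x, *p) for t, p in TERMS.items()}

def infer_risk(likelihood, impact, steps=201):
    """IF-THEN evaluation (min for AND), clipping of consequents, max
    aggregation and centroid de-fuzzification back to a crisp risk in 0..1."""
    l_mu, i_mu = fuzzify(likelihood), fuzzify(impact)
    strength = {t: 0.0 for t in TERMS}           # firing strength per output term
    for lt, row in RULES.items():
        for it, out in row.items():
            strength[out] = max(strength[out], min(l_mu[lt], i_mu[it]))
    num = den = 0.0
    for k in range(steps):                        # discretised centroid
        x = k / (steps - 1)
        mu = max(min(strength[t], tri(x, *TERMS[t])) for t in TERMS)
        num += x * mu
        den += mu
    return num / den if den else 0.0

if __name__ == "__main__":
    for lik, imp in [(0.1, 0.2), (0.5, 0.5), (0.9, 0.8)]:
        print(f"likelihood={lik} impact={imp} -> risk={infer_risk(lik, imp):.3f}")
```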
Modelling and simulation
Test data input for the cyber-attack scenario
The risk assessment model developed in Matlab Fuzzy Logic Toolbox with Simulink

24
De-fuzzified Simulation Outputs for the Test Data
[Figure panels: (a) Threat Occurrence Factor (b) Threat Realisation Factor (c) Loss Expectancy (d) Annual Loss Expectancy]

25
Summary
Research objectives
• Study threats to aviation systems and their vulnerabilities
• Identify high risk assets and consequences
• How to enhance consistency and accuracy
• In security perspective:
  • Better controls for high valued assets
  • Greater RoI on enterprise security expenditure
  • Improved security means enhanced safety
RoI : Return on Investment

26
Aerospace and Aviation industry

Are we secure and safe?

Your thoughts and questions?

27