Airspace Q1 2018: Securing the systems of the future

22 February 2018

Cybersecurity must have due prominence in future ATM technology.

Satellite SVN 23 has a lot to answer for. When it was decommissioned it caused a 13 microsecond discrepancy that affected global positioning system (GPS) satellites and set off alarms across the world for the best part of 12 hours.

While this was not a cyberattack, it highlights the vulnerabilities of GPS, a technology that underpins many ATM advances, such as performance-based navigation (PBN).

A new report by the Atlantic Council, Finding Lift, Minimizing Drag, notes that GPS is subject to natural interference and degradation as well as these occasional blips. In addition, GPS signals can be easily jammed; it happened to New York's Newark Liberty International Airport in 2013. Again, it was not deliberate. A passing truck driver was trying to hide his whereabouts from his company.

Nevertheless, sophisticated attacks have happened. On one occasion, more than twenty vessels reported GPS location errors in the Black Sea. One ship, with a GPS accuracy of less than 100 metres, showed its location as twenty-five miles inland. Additionally, the automatic identification system, which vessels use to transmit their location to each other, was showing a number of ghost ships.

It is not difficult to imagine the consequences for the industry should this happen to aviation. The report argues that "wide-area augmentation systems and ground-based augmentation systems, which transmit either space- or ground-based signals to correct GPS signal errors, may make it more difficult to spoof aviation systems", but notes that this is "yet to be assessed".

Encrypted signals
Automatic dependent surveillance – broadcast (ADS-B) is also discussed in depth. The advantages of the technology are well documented and potential security flaws – caused by many ADS-B units using Wi-Fi and Bluetooth connectivity – are being handled proactively and effectively.

"There has been considerable alarmist publicity regarding ADS-B security," noted ICAO, "but careful assessment of security policies in use today for ADS-B and other technologies provide a more balanced view".

In theory, ADS-B signals could be blocked or replicated for malicious intent. Finding Lift, Minimizing Drag even suggests this capability can be had "for a few hundred dollars with cheap software-defined radio and easily accessible open source software".

Research has, however, already been carried out into the two main defence options: securing the link and validating the location. Securing the link between ADS-B units requires encryption or some form of validation. To validate the location of an ADS-B transmission, multilateration (MLAT) can be used, but only for ground-based units. MLAT can correlate the signal arrival at different receiving stations to calculate a location for the transmitting station, which is difficult to fake.
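The location check described above can be sketched in code. This is an added example, not taken from the article or the Atlantic Council report: it fits a transmitter position from arrival-time differences at ground stations and compares it with the position claimed in an ADS-B report. The flat 2D coordinates in metres, perfectly synchronised receiver clocks, station layout and 500 m tolerance are all assumptions made for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def mlat_solve(receivers, arrival_times, iterations=20):
    """Gauss-Newton fit of a 2D transmitter position from arrival-time differences."""
    r0, t0 = receivers[0], arrival_times[0]
    # Range differences relative to receiver 0; the unknown emission time cancels.
    measured = [C * (t - t0) for t in arrival_times[1:]]
    # Start from the centroid of the receiver network.
    x = sum(r[0] for r in receivers) / len(receivers)
    y = sum(r[1] for r in receivers) / len(receivers)
    for _ in range(iterations):
        d0 = math.hypot(x - r0[0], y - r0[1])
        a = b = d = g0 = g1 = 0.0
        for (rx, ry), m in zip(receivers[1:], measured):
            di = math.hypot(x - rx, y - ry)
            jx = (x - rx) / di - (x - r0[0]) / d0  # d(model)/dx
            jy = (y - ry) / di - (y - r0[1]) / d0  # d(model)/dy
            e = m - (di - d0)                      # residual in metres
            a += jx * jx
            b += jx * jy
            d += jy * jy
            g0 += jx * e
            g1 += jy * e
        det = a * d - b * b
        if abs(det) < 1e-12:
            raise ValueError("receiver geometry cannot resolve a position")
        # Solve the 2x2 normal equations and step towards the best fit.
        x += (d * g0 - b * g1) / det
        y += (a * g1 - b * g0) / det
    return x, y

def check_claim(claimed, receivers, arrival_times, tolerance_m=500.0):
    """Return (plausible, offset_m) for a position claimed in an ADS-B report."""
    ex, ey = mlat_solve(receivers, arrival_times)
    offset = math.hypot(claimed[0] - ex, claimed[1] - ey)
    return offset <= tolerance_m, offset

# Constructed sample: four ground stations on a 100 km square, local metres.
RECEIVERS = [(0.0, 0.0), (100e3, 0.0), (100e3, 100e3), (0.0, 100e3)]
TRUE_TX = (30e3, 70e3)  # where the signal was actually emitted
ARRIVALS = [1.0 + math.hypot(TRUE_TX[0] - rx, TRUE_TX[1] - ry) / C for rx, ry in RECEIVERS]

if __name__ == "__main__":
    print(check_claim((30_050.0, 69_980.0), RECEIVERS, ARRIVALS))  # claim matches timing
    print(check_claim((80e3, 20e3), RECEIVERS, ARRIVALS))          # claim contradicts timing
```

An operational system would also have to handle altitude, receiver clock error and measurement noise, which widen the tolerance that can be applied.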

Keeping radar capabilities intact will also help. The FAA is no longer scaling back radars as part of its NextGen programme so it has this fall-back position. Of course, this would create capacity challenges due to the greater separation distances required, but at least it would ensure business continuity.

Making the case for ADS-B
Aireon, which is launching space-based ADS-B services, has gone to great lengths to ensure its systems are secure. "Aireon is committed to reducing vulnerabilities to security related incidents, GPS jamming and spoofing and cybersecurity management techniques throughout the system and service offering," says Vinny Capezzuto, Aireon's Chief Technology Officer and Vice President of Engineering.

Aireon addresses cybersecurity over the life cycle of a system or service through governance, design assurance, standards and regulations. It is also seeking safety certification from the European Aviation Safety Agency (EASA). Aireon is undergoing a series of audits that address software assurance, integrity of management processes (safety, security, configuration management, quality assurance, test) and validation of operational continuity of services (data, technical support and billing).

According to Capezzuto, the EASA organisational air traffic management / air navigation service (ATM / ANS) certification represents a commitment by Aireon to provide a level of service commensurate with the critical needs of an ANSP providing air traffic separation services.

ADS-B will also form part of the future Airborne Collision Avoidance System X (ACAS-X) alongside other data sources. ACAS-X utilises probabilistic modelling and dynamic programming to determine the best course of action. The report says that "any increased integration with aircraft collision avoidance systems and ADS-B must be very carefully considered. Adversaries attempting to cause ACAS-X to take avoiding action on false ADS-B signals is a potential threat that researchers have already highlighted."

Like ADS-B, controller-pilot data link communications (CPDLC) are potentially vulnerable due to a lack of encryption. An attack could allow false instructions to be given to either ATC or aircraft. Though voice communications act as a back-up, CPDLC is essentially a digital version of voice, meaning both systems could suffer the same effect.

Aviation intranet
Finding Lift, Minimizing Drag also explores one of the mainstays of ATM's future – system-wide information management (SWIM), which will be the digital backbone for moving ATM data. The report describes SWIM as "an aviation intranet with numerous touchpoints". Details of how aircraft – external users – will be securely connected to that intranet still need to be defined.

SWIM will increase its network connectivity as it develops in the years ahead. Around 2023, it is expected that aircraft will be fully connected to SWIM, enabling "full participation in collaborative ATM processes with access to voluminous dynamic data".

Protecting such a system is necessarily complex and requires detailed discussions with multiple stakeholders to ensure the different perspectives are taken into account. This may be easier said than done given that the International Coordinating Council of Aerospace Industries Associations (ICCAIA) has pointed out that SWIM itself is not yet clearly defined.

The FAA may help with the way forward. Its work on cybersecurity includes an 'air gap' that physically separates the FAA operational network and external users while providing accessibility. Additionally, the FAA has been working with EUROCONTROL on identity access management.

ICAO is supporting these efforts through the INNOVA Task Force, which is exploring governance and cybersecurity in a global SWIM architecture. Topics under consideration include global standards, Internet protocols and public key infrastructure.

The report acknowledges the tremendous advantages of SWIM but notes that several contributors expressed "unease about SWIM as a system with global access points, bringing acute concern of threat propagation (worm attacks) or adversaries pivoting across systems".

Realising the benefits of SWIM and ADS-B
ATM is investing in its future. The systems coming online, such as ADS-B and SWIM, will bring a host of benefits for ANSPs and airspace users alike.

But for these benefits to be realised, the systems must be secure. Finding Lift, Minimizing Drag highlights the vulnerabilities that remain to be addressed. These are the same challenges facing any other large, complex network attempting to secure its information architecture.

Clearly, there is work to be done on cybersecurity, but ANSPs, through CANSO, are taking huge strides forward.

"As the aviation industry makes the leap to the latest generation of new technology, it also needs to be aware of the growing cyber threats to its systems, which have the potential to compromise safety if robust mechanisms are not put in place," says Jeff Poole, CANSO's Director General.

"To help tackle this cyber problem in air traffic management, CANSO has not only produced some excellent guidance material but is also working closely with ICAO and industry partners on a closed network, inaccessible to the public, for aviation data and SWIM."

The CANSO ATM Security Workgroup (ASWG) submitted a paper on cybersecurity to the ICAO Aviation Security Conference in 2017. It highlighted the human factor in cyber strategies, notably around awareness, resilience and contingency planning. It called for increased training of all personnel on these items.

"CANSO is also a member of the ICAO Secretarial Study Group on Cybersecurity (SSGC)," informs Nico Voorbach, CANSO's Director, ICAO Affairs. "This is a multi-disciplinary group composed of safety and security experts from ICAO together with industry stakeholders. It will produce guidance material for States and the industry on how to deal with cyber threats and contingency planning."

Additionally, CANSO will produce a working paper for the 13th ICAO Air Navigation Conference in October based on the work previously sent to ICAO in 2017.



