Spot The Hack: Intrusion detection systems for avionics networks and bus technologies

 
Image stock

1. Challenge Statement

The Department of National Defence and the Canadian Armed Forces (DND/CAF) are seeking innovative solutions for an effective Intrusion Detection Systems (IDS) for avionics network and bus technologies used within the aerospace and space industry.

2. Background and Context

Operational Technologies (OT) and Platform Technologies (PT) are used to control operations in manufacturing, transportation, utilities, defence networks, etc. Historically, these systems relied on closed proprietary protocols and software, and were managed and monitored by humans, thereby presenting a minimal attack surface from the outside. System/protocol developers were not concerned about security due to the rudimentary cyber security field and supposed air gap, but nowadays, legacy OT/PT systems are increasingly integrated with newer Information Technology (IT) systems. This connectivity improves efficiency in processes, transmission, and data storage allowing for remote monitoring and control of physical devices, but it also exposes these legacy systems to a wider range of threat scenarios which were never taken into account by their developers.

Military Standard (MIL-STD) 1553 bus is used in the majority of Royal Canadian Air Force (RCAF) aircraft to share avionics information, such as altitude, position and speed, throughout a network of remote terminals. Recent research has identified possible attack vectors for corrupting/modifying data on the MIL-STD-1553 bus as well as their likely consequences 1.

A sound “defense-in-depth” strategy for air platforms includes avionics bus monitoring as a way of detecting malicious cyber events. Platform technologies such as MIL-STD-1553 lack the richness and maturity of the IDS solutions available for traditional IT infrastructures. One of the main challenges with defending military platform technologies is that the cyber weapons that must be defended against do not have their signatures in openly available databases, as is usually the case for traditional IDS used within IT. The ability to detect zero-days via bus monitoring tips the scale towards a noisier anomaly-based IDS solution.

Avionics systems are real-time systems that operate in very predictable ways. Although there may be a variety of modes of operation, the number of modes is finite and well-defined. MIL-STD-1553 is a protocol designed to support real-time communications through the implementation of a schedule where every communication is initiated by a bus controller, orchestrating all communications designed to meet all the time constraints of the data exchange for the systems it supports. This predictability greatly increases the potential precision of an anomaly-based IDS in that a system could build a very precise model of normal operation in order to recognize abnormal activities.

3. Desired Outcomes

Innovative research, tools, technologies and/or processes are sought that address, but are not limited to the following:

  • Anomaly-based IDS tailored to the MIL-STD-1553 protocol;
  • The ability to monitor and analyze bus traffic while it is in operation and process the information faster than it is produced by the bus recorders;
  • Solutions that can be customized to suit other similar aerospace systems or protocols;
  • Ability to minimize the false positive rates or provide a means to reliably prioritize the detected anomalies;

Information that can help guide analysts when responding to anomalous activity.

1 O. Stan, Y. Elovici, A. Shabtai, G. Shugol, R. Tikochinski, and S. Kur. “Protecting Military Avionics Platforms from Attacks on MIL-STD-1553 Communication Bus.” arXiv:1707.05032v1 [cs.CR]. 17 Jul, 2017

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: