protect your platformastronautics.co.il/sites/default/files/astronautics... · astronautics is...

PROTECT YOUR PLATFORM

PROPRIETARY NOTICE This material is the sole property of Astronautics C. A. Ltd. and embodies a proprietary design. You agree not to use, disclose, reproduce or transfer it in whole or part without the express written consent of said corporation and to immediately return same upon request.

Rev. 4.1

Astronautics' CyberSmart® White Paper

Rev 4.1

Astronautics C.A Ltd proprietary information

P a g e | 2

General

Astronautics is offering military and airborne systems and platforms cyber threats detection and

protection. We are focusing on protection embedded systems and platforms, and securing the

platforms (aircraft, naval vessels, military & Para-military land vehicles & systems) against cyber

threats and potential cyber attacks. Our cyber protection solutions may be embedded into the

system (hardware, software or combined), or as stand-alone monitoring & detection devices

connected to the internal buses of existing systems.

Astronautics C.A. Ltd. Israel, a wholly owned subsidiary of Astronautics Corporation of America, is

a supplier of airborne, naval, and land civil and defense systems and solutions. The Company has

built an impressive record of innovative, next generation, high-quality, battle-proven products.

Solutions include avionics with state-of-the-art displays, military grade computers for airborne

applications, glass-cockpit avionics and digital moving maps. The Company's software is

developed and verified in accordance with DO-178B (Level A), DO-254 hardware verification, and

DO-160E environmental and EMI qualification. The Company also owns TSO authorizations and

STCs for a number of its products and systems. Among its global customer base are some of the

world's leading defense contractors and agencies.

Astronautics is currently developing avionics embedded cyber solutions, addressing the various

vulnerability aspects of today's avionics systems.

Existing avionics are based on system architectures dated 10-25 year back, and lack the required

cyber protection of today's computing world. One may look at current avionics as "naive" systems,

mostly developed for a sterile and stand-alone environment, without taking into account malicious

code, cyber attacks and other hostile environments that most computers are exposed to

nowadays. For years the concept of the avionics system designer was that the avionics is not

connected to the IT world and networks; therefore, it does not require special protection against

threats from the outside world.

However, avionics systems have evolved and currently include Ethernet buses, connected to other

systems, either wired or wirelessly, including data-link and satellite communication data exchange,

modernized data and software loading via maintenance loaders and even modern wireless data

links to the ground. On top of this, Avionics LRUs that are removed for maintenance are connected

to lab testers for testing and software/data updates. The lab testers, once infected (using the same


Rev 4.1


P a g e | 3

methods one may infect your office PC or the IT network), may transfer malware code into the

embedded computer. This computer will then infect the entire network while airborne. Therefore,

cyber security measures are required throughout the entire chain – from the maintenance

laboratories and up to the aircraft, with means to detect and block any cyber threat while loading

data, but also onboard, detecting and protecting any cyber threat that is already resident within the

avionics and may damage the system or its' operational use.

A classic example for such a security threat is the famous Stuxnet malicious worm, which allegedly

resided inside one of Iran's nuclear plants and caused severe damage. An anomaly detection

solution, if installed in the system, could have detected the operation of the worm, and provided

early warning that could have prevented the destruction caused to the facility. It is a classic

example of a cyber weapon that could reach today avionic systems. Astronautics Cyber protection

solution (Called CyberSmart®) will detect such malicious code, without the requirement to

specifically identify and detect a specific signature of the malicious code. CyberSmart® is not rule-

based, and will be generic enough to detect the next malicious code that may operate in a different

manner in the system. CyberSmart® is a combined hardware & algorithms solution, providing

sampling & analysis of the electrical signals at the low-level, as well as avionics traffic over the

various avionic buses.

Astronautics has relevant experience in securing access to the avionics via secure onboard

maintenance servers, securing testers and loaders to protect airborne systems from loading

malicious code during maintenance. CyberSmart® further expands the cyber security scope to

monitor and detect anomalies in the operation of onboard avionics systems, as another required

cyber security layer for the avionics.

Astronautics cyber development is performed at our new cyber research laboratory that creates the

required working environment for cyber security measures development. The lab includes various

working environments, simulating different avionics buses and communications (MIL-STD 1553B,

ARINC-429, ADS-B etc.), based on existing systems and know-how of Astronautics in the

development of airborne avionics. The new cyber lab provides a lab-controlled implementation of a

typical avionics environment, which will support the team evaluating different attack modes and

their effectiveness in existing systems.

The Astronautics' cyber lab supports the activation of various attack vectors, evaluating their

impact on the avionic systems, before and after implementing various detection and protection

algorithms. The lab supports the development and implementation of cyber security solutions to

military and avionic embedded systems, and will allow testing of its' effectiveness in various

scenarios, prior to implementation and tests on actual aircraft avionics.


Rev 4.1


P a g e | 4

Astronautics' embedded cyber security Research & Development is based on our team of avionics

and cyber specialists, as well as a tight cooperation with leading Israeli cyber departments, such as

Ben-Gurion University Cyber Security Research Center and Tel Aviv University ICRC (Blavatnik

Interdisciplinary Research Center).

Astronautics' Existing Cyber protection related programs [Already Deployed & in Operational Use]

A-400 server system – Astronautics Corporation

has developed the Airbus A-400 maintenance

server, which securely controls personnel access,

data loading and maintenance activity. It all goes

through the server, with identification verification and

authentication, as well as other classified measures

(see system elements photo to the right).

Trainer Aircraft Secured I/O – Astronautics' supplies a secured interface to a data-link system

installed on a trainer aircraft, which meets the air-force security requirements, as part of avionics

tailored to the air-force needs.

Secured loaders – Astronautic developed and provided secured data loader to the IAF, built to

assure only authenticated and controlled data loading to an avionic system.


Rev 4.1


P a g e | 5

What is the problem we try to solve?

Most current cyber security implementations try to use standard & known protection measures –

encryption, authentication, verifying that data files loaded into the systems are known and therefore

secure and controlled. This level of security is required, but is not sufficient. Most of the cyber

attack techniques can easily overcome such protection methods. Some cyber attack techniques

even ride on top of such protection methods, which allow them to incorporate malicious code in the

"securely" loaded packages into the avionics. Therefore, a different approach is required.

Astronautics' approach specifically addresses a possible cyber attack campaign that has already

penetrated the system, despite perimeter protection methods and systems.

Looking into existing avionic & military systems architectures, all current architectures are a mix of

legacy buses (ARINC-429, MIL-STD-1553) combined with more modern buses such as MIL-1394

(Military FireWire), ARINC-664 (Avionic Full-Duplex Switched Ethernet), Ethernet and Can-Bus.

The use of commercial Ethernet & USB, together with increased connectivity creates a potential for

cyber security threats, since it opens new avenues for connection to the avionics & other military

platforms and create penetration opportunities into the system, either for loading malicious code for

future attacks, or altering platforms' buses data. This can cause immediate damage or system

malfunction during critical phases of the mission. Astronautics' embedded-cyber solutions activity

specifically addresses these problems.

As mentioned above, modern systems also incorporate data-loading provisions, allowing easy

update of operational software and/or data. Typical implementation is the loading of a digital flight-

plan in commercial aircraft, loading of mission data in military platforms, software updates, loading

of aeronautics & other charts and manuals and more. Modern, easy loadable software & data

opens the security threat of loading malicious code, along with the actual software/data loaded into

the system. Astronautics understands that while protecting the data loaders and ground test

equipment is necessary, it is not the only protection needed. Astronautics had already fielded

secure loading solutions. However, in view of current cyber threats we are confident that secured

loading does not provide a sufficient protection to the systems. Therefore, Astronautics is focusing

at this stage on the installed avionics in the aircraft, assuming that malicious code can be loaded

into the system, circumventing procedures and protections that may be implemented in the ground

support equipment. The current data loading packaging in accordance with the ARINC-665

standard or similar is essential, but trivial. A simple file transfer that does not follow the above-

mentioned standard may not be possible, but any smart attacker will surely package its malicious


Rev 4.1


P a g e | 6

code in standard packages, overcoming the package loading scheme. Such malicious code may

be inserted as part of a standard aeronautics charts package, a download that is routinely

performed for aviation platforms every 28 days, according to FAA/EASA regulations. Since such an

update could contain a large amount of files, altering such a package maliciously may be

transferred to the aircraft systems, without notice. The target computer in this case could be the

Electronic Flight Bag (EFB) or Flight Management System (FMS). The inserted file may then reside

in the computer mass-storage disk, starting malicious activities under certain pre-programmed

conditions. Therefore, such malicious code may be dormant in existing avionics computer, starting

its malicious activity at a certain date, certain altitude or even upon crossing specific coordinates. A

cyber security monitoring system, such as the one developed by Astronautics - will detect, alert

and even prevent the initiation of such code, preventing potential damage that may be caused by

such cyber threats.

As noted above, legacy avionics which was

designed and built years back, combined with

modern connectivity and data loading devices

creates a system-wide vulnerability that requires

immediate attention and solutions.

Since the complexity of military platforms is

constantly increasing, with a significant increase

in the amount of onboard computers and

significantly increases in the amount of software

line of codes, the vulnerability potential is

increasing accordingly, and the attention of the designers and the operators to embedded cyber

security is a must. In the figure to the right we see that the famous platform of the Wright brothers

has, of course no computers and no cyber threats. However, throughout the years the number of

lines of code in the avionic computers increased, up to over 15 Million line of code in the latest JSF

(Joint Strike Fighter). With this increase in the software complexity, the attack surfaces significantly

increased, creating an increasing scope of operational risk due to potential cyber attacks, which

must be handled to reduce platform risk and increase readiness and mission accomplishing

probabilities.

According to foreign sources, embedded military and avionics cyber threats are already here. As

you may read in a sample of news articles presented in the following page, cyber threats &

Lines of Code


Rev 4.1


P a g e | 7

malware is already identified onboard various platforms (such as the Boeing 787 Dreamliner), and

already caused damages on several famous occasions as depicted below.


Rev 4.1


P a g e | 8

How can an attacker damage a military platform?

The previous paragraphs describe in general the possibility to cyber attack a military or airborne

platform. The following will move one step further presenting several practical alternatives that an

attacker may use to penetrate a system, infect it with malicious code and cause a damage, only

using software and methods that are possible and available today for immediate use of any hacker

or attacker.

For the sake of the explanation, we may address four examples of possible attacks that we may

consider as an immediate threat:

✓ Compromised (Infected) Software Update – Loading malware as part of standard

software or data update to any of the onboard computers during maintenance (Load of

compromised software). As depicted below, the software or data loaded could be infected

at the loading file level, causing the infected code or data to be loaded via the standard

flight-line loader, or via infected data cartridge. In several modern systems, loading may

also be WiFi loading, or connecting a tablet with supporting data (manual, charts) wirelessly

to the aircraft avionics. This creates another route to infect the data or software prior to

loading into the aircraft or military system computers.

✓ Loading Compromised (Infected) software or data via Data-Link – Loading malicious

code with software or data via data-link or satcom communication. The data-link provides

modern connectivity between the military and airborne platforms and the ground, providing

another possible cyber attack vector and a possible path for loading malware into the

system.


Rev 4.1


P a g e | 9

✓ Infected equipment during Maintenance/Repair –

As the equipment is removed from the platform and

sent to a maintenance lab, it is exposed during

maintenance (in the military lab or at an external

maintenance shop) for altering the hardware and

software, which may cause the system to be cyber

infected. This can be done by altering the system code to incorporate added malicious code

(it is easier to perform while in a maintenance lab, far from the platform). Another cyber

threat during maintenance is adding fake components, which already incorporate "back

doors" for cyber penetration. Such fake or altered components may be the infrastructure for

any future attack, which will exploit the new vulnerability created in the system due to such

component alteration.

✓ Installing a "Cyber-Bomb" – Installing (physically) a device inside the

platform, for immediate activation or as a dormant device that will

come into action till remotely initiated or until pre-defined conditions

occur (reaching a specific altitude, coordinates or any other pre-

defined condition). Such cyber attack trigger condition may be

launching a missile (with the malicious preventing the missile from

launch, aborting the whole mission) or any other condition that will

jeopardize accomplishing the mission, or causing a significant deviation, and/or chaos. The

end result shall al be similar – The platform shall not perform a critical mission due to


Rev 4.1


P a g e | 10

interference, and even cause the operator to enter into a misleading action that may cause

up to a total loss of the platform.

✓ Transmitting Fake Information– Cyber attack may also be in the form of generating and

transmitting fake information over valid data communication and/or broadcasting. For

example – ADS/B is a common surveillance channel, with information broadcasted from

aircraft that include calling ID, along with position, velocity and altitude information. A typical

attack over this channel may include the transmission of fake "ghost" aircraft, which does

not really exist, causing potential confusion and miss-interpretation or miss-trust in all

ADS/B data presented to the pilot. Such an attack is easily implemented as the ADS/B and

other data communication channels today (ACARS, TCAS etc.) are publically open with no

encryption or cyber protection.

Such attack may look as follows:

Photo A shows a sample of a cockpit display, with real aircraft presented, based on real

ADS-B data reception.

Photo B shown the same cockpit display after ADS-B attack, with an addition of many fake

aircraft presented, due to the malicious transmission of fake ADS-B data.

✓ And more…

B. Sample of a Real ADS/B display – Seven actual aircraft symbols shown, based on ADS/B reception from real aircraft

A. Cockpit ADS/B display – with added fake information due to a cyber attack


Rev 4.1


P a g e | 11

Astronautics' Embedded Cyber Solutions & Services

CyberSmart® Analytics is Astronautics' consulting service

that provides a comprehensive vulnerability and cyber

threat vectors to a specific platform or system. This

consulting service consists of the following:

✓ Analyzing the system to determine all potential

Threats Vectors

✓ Capturing the information in Attack Vector Matrix, for further analysis and to focus on

practical solutions:

✓ Identify threats that are most likely to happen

✓ Focus on the threats that may cause significant damages to the system

Schematically, the threats analysis will first map the main attack vectors to the analyzed platform,

as depicted in the example below:


Rev 4.1


P a g e | 12

The provided analysis shall be an interactive process with the customer, presenting possible

threats that are applicable to the defined platform, and fine-tuning it together with the customer.

The second phase is a drill down based on the above, in principle list of potential threats identified,

further analyzing each potential threats, creating attack vector matrix that is relevant to all threats

detected. The following is a sample attack matrix vector.

Once the attack matrix table is created, it is again presented to the customer for review. A joint

team of the customer and Astronautics specialists (Avionics & cyber specialists) further analyze the

table to identify the most dangerous threats, based on ease to implement and apply, as well as the

danger level to the vehicle, and/or to accomplishing the mission.

The end result is a vector of potential cyber threats, which are the most dangerous to the system

and should be handled. Typically the analysis scope ends with such a report. However,

Astronautics may further support the process, implementing cyber detection & protection solutions

– hardware and/or software, based on our existing products and algorithms, which may be tailored

to the specific requirements of the system/platform.


Rev 4.1


P a g e | 13

CyberSmart®-1000 is Astronautics' solution for embedded

avionics, monitoring cyber threats and anomalies over

MIL-STD-1553 buses, ARINC-429 channels and/or CanBus

(designed for car computer data exchange, but recently used in

avionics for various applications). CyberSmart®-1000 shall further

address, in a different implementation, other buses, such as

ARINC-664 (Avionics Full-Duplex Switched Ethernet) and MIL-1394

buses. The CyberSmart®-1000 will include interfaces to the above

buses, and real-time bus monitoring capabilities for each of the above-mentioned bus types. The

machine learning algorithm residing within the unit will learn normal operation behavior of the

relevant bus, and will detect any anomaly in the operation that may indicate a cyber attack or

malicious code operation from within the avionics computers connected to the monitored bus.

CyberSmart®-1000 shall replace existing bus-coupler (in

MIL-STD-1553 solution, for example), or shall be added as a

non-interfering add-on device for cyber monitoring and detection

over existing buses.

In addition to the above, the CyberSmart®-1000 shall also

monitor the raw electrical signals over the bus. Sampled bus

signals shall be further analyzed, detecting any abnormal

transmitting device over the monitored bus (signal amplitude,

timing and many other signal characteristics) shall be examine &

compared to known behavior of existing bus devices, detecting &

alerting for any unknown device transmitting over the bus. The

physical layer analysis, together with the protocol level anomalies

detection, provides a high-level of security to any bus monitored

by the CyberSmart®-1000 solution.


Rev 4.1


P a g e | 14

The CyberSmart®-1000 shall keep a log of the relevant data triggered by a cyber alert (one or

more), and will issue a "CYBER ALERT" – via an output discrete, as well as data transmitted to a

selected computer on the network (if applicable), or an

aural alert "Cyber Cyber" to the intercom system. Other

Man Machine Interface (MMI) options (an alert on a

PFL/MFL page, a flashing icon on the head-down display

or Head Up Display for example) can be alternately

implemented by the aircraft integrator, using data output of

the CyberSmart®-1000 device. The end result of this alert

detection shall be, as a minimum, "CYBER ALERT"

message on the MFCD (see example in the right MFCD

message window in the image to the right).

Alternatively, CyberSmart®-1000 could actively block the

detected cyber attack, preventing the false

targets/information display on the MFCDs. In this case – an

informative message such as "CYBER ATTACK

BLOCKED" could be presented to the pilot, informing him

that the system detected a cyber attack, but the false

information was detected and cleaned.

The above is an example of CyberSmart®-1000

implementation in a specific system, to further illustrate the

capabilities and usability in a system.

As discussed above, implementation may be passive or active:

a. Passive mode shall only issue an alert – logging threats internally, available for

download after the flight. Through a discrete alert (to be connected to the caution and

warning panel and/or the display processor, and/or the cockpit's smart displays), an aural

alert of a cyber attack data package may be sent to a computer that may translate the

message and display the alert to the pilot on one of the cockpit's displays or other MMI

options.

b. Active Mode - The active mode would block bus traffic, based on a set of rules, and/or

logic defined for such a situation. This option is still under investigation, as it may be critical

to the system operation, and a false alarm would neutralize the entire avionics creating a

potential new safety hazard to the system. On the other hand, blocking malicious bus traffic


Rev 4.1


P a g e | 15

messages could "clean" the avionic and allow the system to continue with normal

operation, once the source of the cyber attack is detected and isolated.

The CyberSmart®-1000 main feature will be the specific anomalies detection algorithms, which will

address the possible vulnerabilities of each of the monitored buses/channels, specifically tailored

to the possible attack modes of each specific bus, as analyzed by Astronautics' avionics

specialists. The anomalies detection engine is in fact an advanced cyber protection system that

detects specific bus protocol vulnerabilities, closing possible breeches in legacy buses and

systems against malicious penetration.

CyberSmart® MAGIC is Astronautics' airborne & military computer, with embedded cyber

protection. MAGIC (Military & Avionic Graphic enhanced Integrated Computer) is Astronautics'

leading product for embedded platforms, widely in operational use by various customers around

the world. The CyberSmart® MAGIC is Astronautics version of this computer, with a build in cyber

protection. The CyberSmart® add-on to the MAGIC computer shall continuously monitor interfaced

buses, utilizing Astronautics' machine learning algorithms. The embedded CyberSmart® shall

detect any bus anomaly (bus traffic, electrical parameters etc.) and shall provide threats indication

to the rest of the computer. The MAGIC computer application shall receive the indication via the

CyberSmart® software driver, along with relevant information that triggered the detected anomaly.

Then, the application may further decide how to treat the cyber alert – warning to the pilot, activate

specific action etc. The CyberSmart® driver shall also log all relevant information into an internal

log file, for further analysis at a later stage, if required. The system & software developers shall

have a full control over the log file, and may disable it if required.

CyberSmart®-2000 (Under Development) will provide a similar solution for a secure EFB

(Electronic Flight Bag) and its connectivity to the avionics via Ethernet and/or WiFi communication

– the two most commonly used interfaces of EFB data loading. The CyberSmart®-2000 will also

include multiple ARINC-429 interfaces, with the protection algorithms developed for the

CyberSmart®-1000, providing a holistic solution to civil aircraft with an EFB. The Ethernet

protection shall also address cyber concerns related to satellite communication connectivity and

other onboard data-link devices. CyberSmart®-2000 shall also be available as a cyber secured

WiFi hub for avionic system that does not have Electronic Flight Bag (EFB), but do intend to use

Aircraft Interface Device (AID) to allow iPAD and/or tablets receive aircraft data. The

CyberSmart®-2000 will also be provided as a cyber secured AID, allowing pilots to receive aircraft

data, or load WiFi received data in a cyber secured environment.


Rev 4.1


P a g e | 16

CyberSmart®-3000 (Under Development) will address ADS-B/TCAS/ACARS vulnerability.

CyberSmart®-3000 will specifically use anomaly detection algorithms that are focused on

ADS-B/TCAS/ACARS protocols, adding a monitoring and detection capability for ADS-B/ACARS

communications protocols. The CyberSmart®-3000 connection to the Astronautics' EFB is also

offered, allowing a cyber threat detection algorithm "grade" that receives ADS-B/TCAS/ACARS

signals and presents to the pilot an improved situational awareness display, or "cyber filtered"

ACARS messages. This system initially grades each aircraft on the ADS-B or TCAS situation

display as "suspicious", color-coding suspicious aircraft red. After "learning" the normal flight path

and altitude of each aircraft in the vicinity, the system turns suspicious "red" aircraft into "green"

(approved flight vector and altitude) aircraft, thus assisting the pilot in filtering possible spoofed

aircraft on the situational awareness display, reducing significantly the impact of spoofed ADS-B

received aircraft signals.

For ACARS signals, the CyberSmart®-3000 will examine the received signals and will clear the

incoming message as "Cyber secured" message, before it is displayed to the pilot. The most

sensitive ACARS messages are CPDLC (Controller-Pilot Data Link Communication) and flight-plan

changes that may cause the pilot to change its planned route. Therefore, the CyberSmart®-3000

shall grade the incoming messages, and will advise the pilot for the security grade of the incoming

message, allowing the pilot to decide how to treat the incoming messages, and be alerted for

suspicious received ACARS messages.

CyberSmart®-4000 (Under Development) A lab based LRU "cyber cleaning". The CyberSmart®-

4000 shall be a lab based workstation, which will have specific interface adaptor to each "cyber

tested" LRU. The system shall exercise the LRU and will check its cyber signature (electrical &

data protocol, indentifying any non-normal behavior. Any LRU that returned from maintenance at a

vendor around the world, or in internal maintenance laboratories shall be "cyber tested" before

returning to the aircraft. Successful test on the CyberSmart®-4000 shall assure that the LRU is

"cyber clean" for aircraft installation.

CyberSmart®-5000 (Under Development) will detect Weather Radar cyber attack. The

CyberSmart®-5000 will monitor radar received signals & data, and shall detect Weather Radar

and/or multi-mode radar cyber attack.


Rev 4.1


P a g e | 17

Summary

This white paper describes some of Astronautics innovative cyber protection solutions for both

commercial and military aircraft. The incentive is to provide cyber security solutions for aircraft

avionics. The vulnerability of today's avionics is clear. The combination of systems that were

designed years ago, together with the increasing modern means for digital data loading, the

extensive use of automated testers and air to ground connectivity introduce a clear and significant

cyber security threat to current avionic systems.

Astronautics is focused on embedded cyber security, addressing the vulnerability of existing

avionics, researching and developing innovative solutions to address the problem. We think our

approach is unique, and strongly based on the most advanced techniques of cyber research. Being

on the front edge of cyber security research, and the focus on embedded systems in general and

avionic systems in particular, allows Astronautics to provide proper and robust solutions of high-

quality in short implementation time. We are cooperating with the most advanced cyber research

centers in Israeli universities, as well as several leading cyber security companies in Israel, to bring

to the avionics domain the latest and greatest cyber-security techniques, tailoring it to the avionics

domain.

Astronautics is looking for investors and partners for the completion of the development of the

above products. We are deeply in the development stage, but wish to expedite our efforts and

reduce our time to market with the above products. Cooperation with Astronautics at this stage, will

provide a benefit to both parties, and will improve the products proposed to the aviation market.

We are specially looking for partners that will also be able to bring potential launch customers, or

will be a launch customer, allowing us to better direct our developed solution to a specific need of a

specific customer. This will assure focused solutions, which will best serve the potential customers

in the near future.

As our CyberSmart®-1000 product had completed development, and is now in evaluation &

tailoring to specific requirements, we are calling any potential customer to further inquire about

MIL-STD-1553 cyber protection, and allow Astronautics to demonstrate its' affectivity in the real

world on actual aircraft. Based on that, we will further tailor our solution to your specific platform,

providing avionics bus cyber protection in a fairly short lead time.

Please contact: Menahem Donner / Director, Marketing & Business Development

Phone: +972-3-925-1530; Mobile: +972-544-967-111; Email: [email protected]

protect your platformastronautics.co.il/sites/default/files/astronautics... · astronautics is...

Documents