Unique requirements for safeguarding aircraft

Boeing rotorcraft test pilot Roger Hehr (left) reviews security features following a successful High-Assurance Cyber Military Systems flight test on the Unmanned Little Bird helicopter. Boeing photo

Cyber-physical systems integrate physical components with computation and networking, and they present unique challenges and opportunities for cyber defense.

Wherever there are computers, there is the potential for adversaries to attempt to subvert them for their own purposes.

First the challenge: cyber-physical systems like aircraft are typically more resource constrained, including in connectivity, than desktop and enterprise systems (and even mobile systems). This means that desktop and enterprise security solutions that rely on spare computing power, storage and always-on high-bandwidth networking generally cannot be used on cyber-physical systems. This complicates the problem for cyber defense.

But here’s the opportunity: cyber-physical systems are generally designed for a specific purpose and to interact with the physical world. In other words, their behaviors tend to be designed to achieve a physical result.

This simplifies the defender's problem: if we know what a system is supposed to be doing, deviations from that behavior are easier to recognize as attacks. Additionally, cyber-physical systems typically have significant safety requirements, and so benefit from more extensive verification and validation than desktop systems.

Cybersecurity research leverages these constraints to develop new approaches. One angle of recent research uses mathematical techniques to guarantee that the software in cyber-physical systems is free from the sort of implementation defects that attackers can use to subvert systems.

These techniques have been used in the past to ensure safety, and we are looking to extend these formal methods to enhance cybersecurity. If we can mathematically prove that the software in our cyber-physical systems is free of a particular kind of defect, then we have a complete defense against attacks that depend on that kind of defect, within the assumptions of the proof (the specification, and the model of the compiler and hardware the software runs on).

Another approach uses the designed regularity of our systems’ behavior to detect signs of attacks. Such anomaly detectors have a mixed track record in desktop and enterprise systems, in part because it is difficult to predict what the user of such a system might legitimately do. For example, is visiting a new website evidence of an attack, or did the user just need to research a new vendor? Exploiting the constrained behavior of our systems (e.g., the aileron actuator should not be talking to the cabin lighting) allows us to significantly reduce these kinds of false alarms.
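The following is an added illustration of the specification-based anomaly detection described in the two preceding passages (knowing what the system should be doing, and flagging traffic such as the aileron actuator talking to the cabin lighting). It is not code from the article or from Boeing: the subsystem names, message IDs, payload lengths and log lines are all constructed for the example, standing in for an interface control document that would define the permitted traffic on a real platform.

```python
"""Allowlist-based traffic anomaly detector for a cyber-physical bus.

Added example, not code from the article or from Boeing. The message
format (src dst id len), the subsystem names and the sample log are
constructed for illustration only.
"""
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Msg(NamedTuple):
    src: str
    dst: str
    msg_id: int
    length: int


# Design-time specification of permitted traffic: for each (source,
# destination) path, the message IDs allowed on it and their fixed payload
# length. Anything not listed here is, by construction, not legitimate.
# (Constructed; a real platform would derive this from its interface spec.)
ALLOWED = {
    ("fcc", "aileron_act"): {0x101: 8, 0x102: 8},   # flight control -> aileron actuator
    ("aileron_act", "fcc"): {0x181: 4},             # actuator position feedback
    ("cabin_ctl", "cabin_light"): {0x301: 2},       # cabin controller -> lighting
    ("fcc", "fdr"): {0x1F0: 8},                     # flight data recorder feed
}


def parse_log(lines: Iterable[str]) -> List[Msg]:
    """Parse 'src dst id len' records (id in hex); skip blanks and comments."""
    msgs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, mid, ln = line.split()
        msgs.append(Msg(src, dst, int(mid, 16), int(ln)))
    return msgs


def check(msg: Msg) -> Optional[str]:
    """Return a reason if msg violates the specification, else None.

    Three checks, from coarse to fine: is the path allowed at all, is the
    message ID allowed on that path, does the payload length match the spec.
    """
    allowed = ALLOWED.get((msg.src, msg.dst))
    if allowed is None:
        return f"unexpected path {msg.src}->{msg.dst}"
    if msg.msg_id not in allowed:
        return f"unexpected id 0x{msg.msg_id:X} on {msg.src}->{msg.dst}"
    if msg.length != allowed[msg.msg_id]:
        return (f"bad length {msg.length} for 0x{msg.msg_id:X} "
                f"(expected {allowed[msg.msg_id]})")
    return None


def detect(lines: Iterable[str]) -> List[Tuple[Msg, str]]:
    """Return (message, reason) for every record that violates the spec."""
    alerts = []
    for msg in parse_log(lines):
        reason = check(msg)
        if reason is not None:
            alerts.append((msg, reason))
    return alerts


# Constructed sample traffic: three legitimate records followed by three
# that a spec-based detector should flag (cross-domain path, oversized
# payload, and a source that has no business on the flight-control path).
SAMPLE_LOG = """\
# src dst id len
fcc aileron_act 101 8
aileron_act fcc 181 4
cabin_ctl cabin_light 301 2
aileron_act cabin_light 301 2
fcc aileron_act 101 16
ife fcc 101 8
"""

if __name__ == "__main__":
    for msg, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {msg.src}->{msg.dst} 0x{msg.msg_id:X} len={msg.length}: {reason}")
```

Because the allowlist is derived from the design rather than learned from observed traffic, every alert corresponds to something the system was never specified to do, which is what keeps the false-alarm rate low compared with user-driven desktop traffic. The flip side is that the specification must be complete: a legitimate message missing from it produces a false alarm, so the table has to be maintained alongside the interface definition.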

Cyber threats evolve rapidly, and defenses that work today can quickly become obsolete. So the defenses themselves need to be able to adapt to threats. We are adapting emerging paradigms, such as software-defined networking and software diversity, that give cyber-physical networks the ability to quickly adjust to changing environments and defeat emerging threats.

Finally, connectivity also affects cybersecurity: a system in the field cannot rely on being able to “phone home” to check that the signature on a message hasn’t been forged or that a credential hasn’t been reported stolen.

Emerging Delay/Disruption Tolerant Networking (DTN) protocols specialized for space and aircraft applications where network connectivity is intermittent could also be leveraged for security.

Boeing has also been involved in developing standards for Delay Tolerant Networking (DTN). Originally intended to enable space applications to compensate for the large transmission delays and intermittent connectivity of the interplanetary internet, DTN can help earth-bound platform systems deal with limited and slow connections to aircraft in flight or submarines under water.

These approaches and others help bridge the gap between the capabilities offered by the overall computer security industry and the unique requirements of cyber-physical systems.

By Douglas Stuart, cybersecurity network technology engineer, Boeing Research & Technology