design of a cyber security framework for ads-b based surveillance systems

Design of A Cyber Security Framework for ADS-B Based Surveillance Systems

Sahar AminTyler Clark

Rennix OffuttKate Serenko

2

Agenda Context Analysis Stakeholder Analysis

Problem Statement & Needs Statement

Mission Requirements

Design Alternatives

Preliminary Simulation Design

Project ManagementDepartment of Systems Engineering and Operations Research


SYST 490 - 2013

3

Context Analysis

Increase in air transportation and

air traffic

Need for surveillance

systems to track and monitor flights

Implementation of NextGen by FAA

Department of Systems Engineering and Operations ResearchDesign of A Cyber Security Framework for ADS-B Based Surveillance

SystemsSYST 490 - 2013

4

Context Analysis


air traffic






5

Number of People Flying Each Year in US

1995 2000 2005 2010 2015 2020 2025 2030 20350

50

100

150

200

250

300

Number of Passengers (Millions)

Years

Num

ber o

f Pas

seng

ers (

Mill

ions

)

* Source: U.S. Department of Transportation. Form 41 and 298C



Forecast

6

20002002

20042006

20082010

20122014

20162018

20202022

20242026

20282030

20320

1,000

2,000

3,000

4,000

5,000

6,000

7,000

8,000

9,000

10,000

US Air Carriers Fleet

MainlineRegional

Year

Num

ber o

f Pla

nes

United States Air Carriers Fleet

*Source: FAA Aerospace Forecast: Fiscal Years 2012-2032



Forecast

7

US Airspace Congestion

Only ADS-B coverage



Radar and ADS-B coverage

8

Context Analysis


air traffic






9

SurveillanceWhat:

Surveillance is close observation and monitoring of changing information.

Why:

Surveillance in air transportation is needed to track and monitor flights to maximize efficiency and safety in

airspace.



10

Primary Surveillance Primary Surveillance Radar

Created to provide continuous surveillance of air traffic disposition

Uses a rotating antenna to transmit electromagnetic waves that reflect from aircraft surface up to 60 miles from radar

Problems: could only provide object’s location; does not identify object type; does not provide coverage over oceanic regions



11

Secondary Surveillance Radar Secondary Surveillance Radar

Initially developed as a wartime radar system, called Identification Friend or Foe (IFF)

Attached to primary radar; relies on aircraft transponders to transmit and receive aircraft data

Problems: expensive; does not provide surveillance coverage over oceanic regions



12

Context Analysis


air traffic






13

Next Generation (Next Gen) Next Generation (Next Gen)

New airspace for US to be implemented between 2012-2025 New framework for flight tracking and monitoring Ground/radar-based tracking system satellite-based tracking

system Major Component of NextGen: Automatic Dependent

Surveillance-Broadcast (ADS-B)



14

Automatic Dependent Surveillance-Broadcast (ADS-B)

Automatic – does not require interrogation

Dependent – depends on location information from GPS

Surveillance – provides situational awareness for ADS-B equipped aircraft and ARTCC

Broadcast – constant broadcasting of flight navigation information



15

How ADS-B Works



16

ADS-B Advantages Increased situational awareness for both pilots and ARTCC

Provides surveillance coverage in areas without radar coverage

Less expensive than traditional radar

Information is broadcasted in real time

Can decrease separation distance between aircraft



17

Decreased Separation DistanceWithout ADS-B Coverage

With ADS-B Coverage

20 NM

5 NM 5 NM 5 NM 5 NM



One In, One Out

Separation distance decreased to 5 NM

18

ADS-B Messages

DF: Downlink Format

CA: Capability

AA: Individual

Aircraft Address

ADS-B Data: Aircraft type, Altitude, Latitude,

Longitude, Airborne Velocity

PI: Parity Information (Error Detection Code)



19

Cyber Security in Aviation Aviation has gone Cyber

ADS-B transmits digital signals to ground servers and nearby aircraft

New threat vector in aviation

Signals are unencrypted signals can be spoofed or jammed by adversaries



20

Threats

1090MHz

1090MHz

1090MHz

Spoofing

False SourceFalse Content

Jamming

Ghost Plane Flooding

Ground Station Flooding



21

Scope Definition

Oceanic area between two land masses covered by ARTCC No radar coverage – Only ADS-B surveillance Commercial aviation – en route flights Spoofing attacks only - concentrating on prevention of attacks

Jamming is out of our scope because it cannot be prevented



22

Agenda Context Analysis

Stakeholder Analysis Problem Statement & Needs Statement


Design Alternatives




SYST 490 - 2013

23

Stakeholder Analysis

FAA

ARTCC

Airline Companies

Crew/Pilots ADS-B Manufacturers

Congress

Passengers

Labor Unions



24

Primary StakeholdersFAA (Federal Aviation Administration)• Objective: provide the safest, most efficient aerospace system in the world

ARTCC (Air Route Traffic Control Center) • Objective: maintain safety and efficiency of flights in specified volume of

airspace at high altitudes

Airline Companies• Objective: provide a safe and up-to-date aircraft; maximize profits

Crew/Pilots• Objective: Provide safe and enjoyable flying experience for their customers



25

Secondary StakeholdersADS-B Manufacturers• Objective: Provide aircraft with satellite-based surveillance system that allows for

more accurate and real-time transfer of flight data

Congress• Objective: Control spending across government and government agencies

Passengers• Objective: Arrive at destination safely and on time

Labor Unions• Objective: Protects rights of workers, strive to secure better working conditions for

members, increase workers’ income



26

Stakeholder TensionsFAA vs. Congress

• Budget for proposal has to be approved by Congress

• Tension if Congress disagrees with proposed FAA budget

FAA vs. Airline Companies

• Airline companies must follow and meet requirements set by FAA

• Tension if FAA wants airplane companies to pay for installation of ADS-B systems in aircraft

FAA vs. ARTCC

• ARTCC employees must follow all rules and regulations set by FAA

• Tension if proposed rules increase workload and employees are required to learn how to use new equipment



27



Problem Statement & Needs Statement Mission Requirements

Design Alternatives




SYST 490 - 2013

28

Gap Analysis

1995 2000 2005 2010 2015 2020 2025 2030 20350

10000000

20000000

30000000

40000000

50000000

60000000

70000000

Gap Analysis

Year

Num

ber o

f Airc

raft

Hand

led

by E

n Ro

ute

Traffi

c Co

ntro

l Cen

ters

(In

Mil-

lions

)

* Source: FAA Aerospace Forecast

Gap



29

Problem StatementUnencrypted communication between aircraft and ARTCC

ADS-B signals can be spoofed

Unreliable/untrustworthy signals

Location of aircraft cannot be determined with 100% certainty

Reduced situational awareness, threatened flight safety, reduced airspace capacity

Decreased airspace efficiency Department of Systems Engineering and Operations Research


SYST 490 - 2013

30

Win-Win Analysis

Solution is cost effective

Implementation occurs by 2020

ADS-B signals are secure and reliable

Separation distance between aircraft is

decreased

Win-Win Analysis



31

Needs Statement

There is a need for a system that prevents spoofing attacks on ADS-B signals sent from aircraft to ARTCC and between aircrafts.



32




Mission Requirements Design Alternatives




SYST 490 - 2013

Mission Requirements 1.0 The system shall increase the capacity of airspace by 32% in the areas without radar coverage.

1.1 The system shall decrease the separation distance between aircraft to 3 nautical miles.

1.1.1 ADS-B messages shall be resistant to spoofing attacks Y% of times.

1.1.2 A spoofing attack shall not overload the capacity of the airspace.

2.0 The system shall maintain or decrease accident rate of 0.291* accidents per 100,000 departures.

3.0 The system shall be ready to be implemented by 2020.*Source: Bureau of Transportation StatisticsDepartment of Systems Engineering and Operations Research


SYST 490 - 2013

34





Design Alternatives Preliminary Simulation Design



SYST 490 - 2013

35

Design Alternatives

1. Hashing

2. Symmetric Encryption

3. Asymmetric Encryption

4. Maintain Status QuoDepartment of Systems Engineering and Operations Research


SYST 490 - 2013

36

1. Hashing

What Is It? Goal – Confirming the source of a message Digital Signature/Hash created by sender – aircraft Attached at the end of the message Verified by receiver - ARTCC Fusion System



Hashing DemoHash – attaching at the end of the message

Design of Cyber-Security Prevention System for

ADS-B Based Surveillance System

Design of Cyber-Security Prevention System for

ADS-B Based Surveillance SystemBc89236dec6d39f8

SHA-2 Algorithm

Original Text Text with Hash



2. Symmetric Encryption

What Is It? Encryption – converting data into code Symmetric – each entity has one private key Message encrypted with key has to be decrypted with the same

key



39

3. Asymmetric Encryption

What Is It? Two keys – Public and Private Longer keys – stronger security

Message from A Encrypt

Private AEncrypt Public B

Message in Public Airspace

Decrypt Private B

Decrypt Public A

Message received at

B



40

Encryption Demo

Design of Cyber-Security Prevention

System for ADS-B Based Surveillance

System

fJ9zVVvyyPFFyzhdyaeuV68Ayz+gBHlVoFgzojMbIdZ8c2pOLtndL1wzL0BjONpNP0tZasspRPo

a NPdcNDT9fpQNDbvQSWOUR

CfWQJWFKQI=

Key: CyberSecurity



Original Text Encrypted Text

Encrypt

Decrypt

41

Design Alternatives Evaluation



Design Alternative

AttackPrevention

Ease of Implementation

Security Strength

Technology Cost/Airplane

Additional Requirements

1. HashingSpoofing Easy TBD Available Low More bits

2. Symmetric Encryption Spoofing Moderate TBD Available Low Key

Exchange

3. Asymmetric Encryption Spoofing Moderate TBD Available Low Access to

public keys

4. Maintain Status Quo Nothing Easy Not

secure None None None

42

Value Hierarchy

Value Hierarchy

SecurityWS

Execution TimeWE

Minimum Separation Distance Achieved

WD

Ease of Implementation

WI



43





Design Alternatives

Preliminary Simulation Design Project Management



Design of Experiment Goal – show how securing ADS-B signals can increase airspace

capacity Verify the ability of the system to prevent cyber attacks and

maintain current safety level under diverse/dangerous conditions. Simulation Design:

1. Signal Simulation 2. Airspace Capacity Simulation



45

Simulation Design

ADS-B Messages

Design Alternatives

Spoofed Messages

Signal Simulation

Separation Distance

Departure StreamsArrival Capacities Speed of Aircraft

Airspace capacity

Collision Rate

Airspace Capacity

Simulation

Reliability of Design

Alternatives



1 2

46

1. Signal Simulation Purpose of simulation: evaluate reliability of design alternatives

Simulating signals with and without signal security design alternatives

Output (reliability of signal security methods) of signal simulation will be used as input to airspace capacity simulation

Signal simulation will be programed in Matlab



47

2. Airspace Capacity Simulation Purpose of simulation: verify ability of system to maximize airspace

capacity and maintain safety levels

Find the optimal separation distance for flights to operate in the airspace allows for increase in airspace capacity

Simulation will abide by FAA regulations

En route flights over oceanic area relying solely on ADS-B data

Flight paths modeled after popular Gulf of Mexico flights

Airspace capacity will be modeled in Arena Department of Systems Engineering and Operations Research


SYST 490 - 2013

48

Airspace Simulation (Continued)



49

Arena Simulation Model



50

Single Cell Decision Planned/preferred path is in red

If capacity of cell 1 (Level 0 Preference) is full: Level 1 Preference: Cells 2 or 4 (blue)

Shortest path to 1 (2 iterations) Level 2 Preference: Cells 3,6 or 7 (green)

3 iterations Level 3 Preference: Cell 9 (orange)

4 iterations

Will choose the highest ranked level with free capacity Department of Systems Engineering and Operations Research


SYST 490 - 2013

51

Control Scenario



52

Attack Scenario



53

Attack Scenario (Continued)



54

𝑇𝐼𝐹𝐴𝑣𝑔 = σ(𝑇𝑖𝑚𝑒𝐶𝑒𝑙𝑙 + 𝑇𝑖𝑚𝑒𝑊𝑎𝑖𝑡)𝑁𝑆𝑢𝑐𝑐𝑒𝑠𝑠

𝑇𝑖𝑚𝑒𝐶𝑒𝑙𝑙 = 𝐷𝑖𝑠𝑡𝑎𝑛𝑐𝑒𝑉𝑒𝑙𝑜𝑐𝑖𝑡𝑦

𝑁𝑢𝑚𝑏𝑒𝑟𝑉𝑖𝑜𝑙𝑎𝑡𝑖𝑜𝑛𝑠 = 𝐴𝑖𝑟𝑐𝑟𝑎𝑓𝑡𝑖𝑛𝐶𝑒𝑙𝑙 − 𝐶𝑎𝑝𝑎𝑐𝑖𝑡𝑦𝐴𝑡𝑡𝑎𝑐𝑘𝐶𝑒𝑙𝑙 − (𝐶𝑎𝑝𝑎𝑐𝑖𝑡𝑦𝐴𝑑𝑗𝑎𝑐𝑒𝑛𝑡𝐶𝑒𝑙𝑙 )

𝐶𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛 𝑅𝑖𝑠𝑘 = ሺ𝑃ሺ𝐶𝑟𝑎𝑠ℎሻ∗𝑁𝑉ሻ∗100%

Formulas for Simulation



55

Expected Results We expect that asymmetric encryption will be the best design

alternative Easy to implement Technology is already available Inexpensive to implement Most secure design alternative No security issues related to key exchange Quick processing time



56





Design Alternatives




SYST 490 - 2013

57



Work Breakdown Structure

58

Work Breakdown Structure (Continued) 1.0 Management – Assigning tasks and deadlines, contacting sponsors, organization, revision, etc

2.0 Research & Data – Primary and secondary radar, ADS-B, meetings with sponsors, data collection, etc

3.0 Conops & Requirements – Context analysis, stakeholder analysis, problem and needs statement, requirements

4.0 Simulation/Analysis – Simulation design, implementation of simulation, tradeoff analysis of alternatives, testing, results, conclusion

5.0 Documentation – Initial deliverables, conference papers, poster

6.0 Reports & Presentations – Prelim project plan and presentation, final project plan and presentation, final report, faculty presentations, etc



59

Project Plan



60

Budget

Individual hourly rate:

$45/hour

Overhead costs:

$54/hour

Total billing rate per person:

$99/hour

Estimated Time to Be Spent on Project: 1,350 Hours

Total Project Cost: $133,650



61

Earned Value, Actual Cost, Predicted Value



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 380

20000

40000

60000

80000

100000

120000

140000

160000

Budget

Cumulative PVCumulative ACEVBest CaseWorst Case

Weeks

Cost

($)

62

Earned Value, Actual Cost, Predicted Value



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 160

10000

20000

30000

40000

50000

60000

70000

80000

Budget

Cumulative PVCumulative ACEVBest CaseWorst Case

Weeks

Cost

($)

63

Cost Performance Index vs. Schedule Performance Index



1 2 3 4 5 6 7 8 9 10 110

0.2

0.4

0.6

0.8

1

1.2

CPI vs. SPI

CPISPI

Weeks

Ratio

64



Project RisksWBS Task Risks Mitigation

Techniques 1.0 Management Tasks not assigned with

correct deadlines Deliverables not completed by

internal team deadlines Sponsors do not reply after

being contacted

Assign internal team deadlines several days before official deadlines

Continue following up with sponsors

2.0 Research Majority of research is not completed by the middle of the Fall semester

Assign research tasks to each team member so that research findings can be combined

3.0 Conops & Requirements

Context Analysis, Stakeholder Analysis, Problem Statement, Needs Statement, and Requirements are not complete by Final Project Plan due date

Make sure that each of these components is about 60% complete by mid-October

65



Project Risks (Continued)WBS Task Risks Mitigation

Techniques 4.0 Simulation Not enough data for

simulation Data is not collected time for

simulation Simulation is too complex to

be modeled within time frame of this project

Begin data collection right after Prelim Project Plan due date

Resize scope early in semester; seek guidance from sponsors

5.0 Documentation Documentation deliverables are not completed by deadline

Set internal team deadlines for at least five days before official deadline

6.0 Reports & Presentations

Reports or presentations are not completed by deadline

Set internal team deadlines for at least five days before official deadline

66

Questions?



design of a cyber security framework for ads-b based surveillance systems

Documents

surveillance systemssyst

cyber security framework

operations researchdesign

surveillance coverage

adsb system design

department of transportation

primary radar

radar problems