Enhancing the security of aircraft surveillance in the next generation air traffic control system

doi:10.1016/j.ijcip.2013.02.001

International Journal of Critical Infrastructure Protection

Volume 6, Issue 1, March 2013, Pages 3-11

https://doi.org/10.1016/j.ijcip.2013.02.001 Get rights and content

Abstract

The U.S. air traffic control system is reliant on legacy systems that artificially limit air traffic capacity. With the demand for air transportation increasing each year, the U.S. Federal Aviation Administration has introduced the Next Generation (NextGen) upgrade to modernize the air traffic control system. Automatic Dependent Surveillance-Broadcast (ADS-B), a key component of the NextGen upgrade, enables an aircraft to generate and broadcast digital messages that contain the GPS coordinates of aircraft. The incorporation of ADS-B is intended to provide enhanced accuracy and efficiency of surveillance as well as aircraft safety. The open design of the system, however, introduces some security concerns. This paper evaluates the limitations of the legacy systems currently used in air traffic control and explores the feasibility of employing format-preserving encryption, specifically the FFX algorithm, in the ADS-B environment. The ability of the algorithm to confuse and diffuse predictable message input is examined using message entropy as a metric. Based on the analysis, recommendations are provided that highlight areas which should be examined for inclusion in the ADS-B upgrade plan.

Introduction

Despite the economic turmoil in the United States and abroad, air travel and transportation have only seen modest drops in activity. The most recent U.S. Federal Aviation Administration (FAA) report [1] notes that civil aviation contributes $1.3 trillion annually to the national economy, earning upward of $397 billion or about 5.2% of the gross domestic product. The aviation industry generated more than 10 million jobs in 2009 alone and in excess of 730 million passengers utilized air travel in 2011. Additionally, 26 cargo-only carriers operate within the nation's airspace to transport freight and mail; UPS announced that its aircraft hauled an average of 2.2 million packages in 2012 [20]. The United States is so heavily reliant on the air transport industry that the Department of Homeland Security has identified aviation as a key component of the transportation critical infrastructure sector.

With the constant demand for faster travel and package delivery, the volume of air traffic is expected to increase considerably. In 2011, air traffic control centers handled 41.2 million aircraft, and this number is expected to increase by 50% over the next 20 years, significantly stressing the air traffic control system [7]. For reasons of efficiency and cost savings, flights are expected to bypass the established airline hubs around which the air traffic network is currently structured. The resulting concerns about air traffic safety have provided the impetus to adapt the air traffic network and upgrade legacy air traffic control systems under the Next Generation (NextGen) plan.

The proposed changes include the upgrade to the Automatic Dependent Surveillance-Broadcast (ADS-B) system. The upgrade, however, introduces potential network-wide vulnerabilities. This paper assesses the current state of the air traffic control system, identifies the security risks inherent in the ADS-B upgrade and evaluates a security solution designed to provide confidentiality for aircraft surveillance activities.

Section snippets

Background

The current air traffic control system is antiquated and is in need of an upgrade to meet the expected growth and safety considerations. This section evaluates the current state of the air traffic control system and discusses the FAA's NextGen plan and the associated vulnerabilities.

FFX algorithm

At this time, the National Institute of Standards and Technology (NIST) does not support any format-preserving encryption algorithms. However, the FFX algorithm was proposed to NIST in 2010, and is expected to be ratified although no published use cases currently exist. FFX stands for format-preserving (F), Feistel-based encryption (F) with multiple implementation variances (X) [1].

The FFX-A2 instantiation of FFX is specifically designed for binary strings of 8 to 128 bits. The parameters for

ADS-B application

The format of the airborne position message is shown in Fig. 3. The 112 bits (14 bytes) are divided into five fields: (i) downlink format (DF); (ii) capability (CA); (iii) address announced (AA); (iv) message extended squitter (ME); and (v) parity/identity (PI) [15]. The DF field describes the message format and, as the name implies, is coded as decimal 17 (10001 in binary). These bits must remain unencrypted so that each message may be identified as a position report. The other fields may be

Algorithm evaluation

The goal of encryption is to alter the plain text message in a predetermined manner, obfuscating the content by reducing the recognizable structure of the original message. This is accomplished by implementing confusion (i.e., altering the plain text in a complicated, seemingly unpredictable, manner) and diffusion (i.e., dissipating redundancies and distributing localized changes) [17], [18].

Entropy is often used in cryptography to quantify the uncertainty of a bit string. It indicates the

Conclusions

The experimental results presented in this paper suggest that a subset of the FFX-A2 algorithm is suitable for encrypting ADS-B messages, and provides sufficient diffusion and confusion to obfuscate inherently redundant message fields. Even with 12 of the 13 message bytes fixed, the entropy of the encrypted output indicates that the algorithm effectively obfuscates message content.

While the findings indicate that the FFX algorithm may be used to provide ADS-B message security, key management is

Acknowledgments

Note that the views expressed in this paper are those of the authors and do not reflect the official policy or position of the U.S. Air Force, U.S. Department of Defense or the U.S. Government.

References (22)

M. Bellare, P. Rogaway, T. Spies, The FFX Mode of Operation for Format-Preserving Encryption, Draft 1.1...
J. Black, P. Rogaway, Ciphers with arbitrary finite domains, in: Proceedings of the RSA Conference on Topics in...
A. Costin, Ghost in the air(traffic): On insecurity of the ADS-B protocol and practical attacks on ADS-B devices,...
P. Drouilhet, G. Knittel, V. Orlando, Automatic Dependent Surveillance Air Navigation System, U.S. Patent 5570095,...
Federal Aviation Administration, Automatic Dependent Surveillance-Broadcast (ADS-B) Out Performance Requirements to...
Federal Aviation Administration, FAA's NextGen Implementation Plan, Washington, DC,...
Federal Aviation Administration, FAA Aerospace Forecast Fiscal Years 2012–2032, Washington, DC,...
S. Henn, Could the new air traffic control system be hacked? National Public Radio, August 14,...
J. Jochum, Encrypted Mode Select ADS-B for Tactical Military Situational Awareness, Master's Thesis, Department of...
T. Judd, Automatic dependent surveillance data transfer, in: Proceedings of the AIAA/IEEE Eighth Digital Avionics...

D. Magazu, Exploiting the Automatic Dependent Surveillance-Broadcast System via False Target Injection, Master's...

Cited by (42)

Physical layer protection for ADS-B against spoofing and jamming
2022, International Journal of Critical Infrastructure Protection
Automatic Dependent Surveillance-Broadcast (ADS-B) is a widely used secondary surveillance radar standard for aviation and is a significant component in ensuring air traffic safety. Unfortunately, it has been demonstrated that ADS-B has security flaws. This paper addresses some of these issues by proposing a method and system architecture for verification of received signal authenticity on ADS-B In enabled aircraft. The method is based on physical layer signal analysis, i.e. estimation of signal source range and direction-of-arrival. Proposed system architecture includes a directional slotted antenna system and multi-channel receiver on ADS-B In side, but requires no change to existing ADS-B protocol. The proposed techniques provide security against message injection attacks, such as spoofing, and partial security against jamming. We assess estimation of error bounds and performance of the proposed techniques in simulated use-case scenarios.
Facing airborne attacks on ADS-B data with autoencoders
2021, Computers and Security
Citation Excerpt :
The secure broadcast authentication countermeasures aim to provide data authentication and integrity for the ADS-B protocol, meaning that the receiver of the ADS-B message will be able to confirm its origin and that it was not modified during transit. Such approaches include cryptography (Finke et al., 2013; Perrig et al., 2002), fingerprinting (Zeng et al., 2010) and spread spectrum techniques (Pöpper et al., 2009). However, the techniques in this group are considered to be the most difficult and costly to apply, since they require drastic modification of the current ADS-B system infrastructures (Manesh and Kaabouch, 2017).
The automatic dependent surveillance-broadcast (ADS-B) represents a major change in flight tracking and it is one of the key components in building the next generation of air transportation systems. However, several concerns have been raised regarding its vulnerabilities to cyber attacks. In recent years, a new and promising approach of utilizing large-scale and publicly available flight recordings for training machine learning models that can detect anomalous flight patterns has been demonstrated as a valid countermeasure for several ADS-B attacks. The new approach differs significantly from previously proposed methods in the simplicity of its integration with the current ADS-B system. It also provides a valid countermeasure against highly sophisticated airborne attackers. However, previously proposed machine learning methods require training a different model for each flight route or geographic location to give acceptable results. This requirement limits the current solution to flights with a sufficient amount of historical data, which is unavailable in many cases such as business aviation, instructional flying, aerial work, and more. In this research, we address this limitation of previous work, by applying a differencing time-series transformation on the ADS-B data and utilizing a non-recurrent autoencoder classifier. The effectiveness of our method is compared to existing methods on several simulated trajectory modification attacks. The results of our experiments show that the proposed method achieves a ROC AUC value of 0.935-0.951, in comparison to 0.627 from existing methods when evaluated on flights that are absent from training data.
Actual TDoA-based augmentation system for enhancing cybersecurity in ADS-B
2021, Chinese Journal of Aeronautics
Citation Excerpt :
Numerous studies have been proposed to address ADS-B security issues. Some techniques use authentication/encryption.16–20 Cryptographic techniques require changing the ADS-B protocol, which results in major changes to the related fleet.
Currently, cybersecurity and cyber resilience are emerging and urgent issues in next-generation air traffic surveillance systems, which depend primarily on Automatic Dependent Surveillance-Broadcast (ADS-B) owing to its low cost and high accuracy. Unfortunately, ADS-B is prone to cyber-attacks. To verify the ADS-B positioning data of aircraft, multilateration (MLAT) techniques that use Time Differences of Arrivals (TDoAs) have been proposed. MLAT exhibits low accuracy in determining aircraft positions. Recently, a novel technique using a theoretically calculated TDoA fingerprint map has been proposed. This technique is less dependent on the geometry of sensor deployment and achieves better accuracy than MLAT. However, the accuracy of the existing technique is not sufficiently precise for determining aircraft positions and requires a long computation time. In contrast, this paper presents a reliable surveillance framework using an Actual TDoA-Based Augmentation System (ATBAS). It uses historically recorded real-data from the OpenSky network to train our TDoA fingerprint grid network. Our results show that the accuracy of the proposed ATBAS framework in determining the aircraft positions is significantly better than those of the MLAT and expected TDoA techniques by 56.93% and 48.86%, respectively. Additionally, the proposed framework reduced the computation time by 77% compared with the expected TDoA technique.
Using LSTM encoder-decoder algorithm for detecting anomalous ADS-B messages
2018, Computers and Security
Citation Excerpt :
The ability to exploit the ADS-B system endangers billions of passengers every year, and therefore there have been attempts by academia and industry to develop solutions that address the lack of security. Past research suggested the use of encryption (Finke et al., 2013), aircraft authentication via challenge-response (Kacem et al., 2015), and message authentication (Costin and Francillon, 2012; Feng et al., 2010), in order to provide secured message broadcasting and prevent eavesdropping. Besides securing broadcast communication, additional approaches focused on verifying velocity and location reports via additional sensors or nodes.
Although the ADS-B system is expected to play a major role in the safe navigation of airplanes and air traffic control (ATC) management, it is also well known for its lack of security mechanisms. Previous research has proposed various methods for improving the security of the ADS-B system and mitigating associated risks. However, these solutions typically require the use of additional participating nodes or sensors (e.g., to verify the location of the airplane by analyzing the physical signal) or modification of the current protocol architecture (e.g., adding encryption or authentication mechanisms). Due to the regulation process regarding avionic systems and the fact that the ADS-B system is already deployed in most airplanes, applying such modifications to the current protocol at this stage is impractical. In this paper we propose an alternative security solution for detecting anomalous ADS-B messages, which is aimed at the detection of spoofed or manipulated ADS-B messages sent by an attacker or compromised airplane. The proposed approach utilizes an LSTM encoder-decoder algorithm for modeling flight routes by analyzing sequences of legitimate ADS-B messages. Using these models, aircraft can autonomously evaluate ADS-B messages received and identify deviations from the legitimate flight path (i.e., anomalies). We examined our approach on thirteen different flight route datasets into which we injected different types of anomalies. In addition, we compared our proposed method with five commonly used anomaly detection algorithms: GMM-HMM, DBSTREAM, one class SVM, LOF and Isolation Forest. Our experiments show that by using our approach, we were able to detect all of the injected attacks with an average false alarm rate of 4.5%. Moreover, in all cases, the performance of the LSTM encoder-decoder algorithm outperformed the other algorithms.
Analysis of vulnerabilities, attacks, countermeasures and overall risk of the Automatic Dependent Surveillance-Broadcast (ADS-B) system
2017, International Journal of Critical Infrastructure Protection
The U.S. Federal Aviation Administration has mandated the use of the Automatic Dependent Surveillance-Broadcast (ADS-B) system by January 2020 as a key component of the NextGen Project, which is intended to upgrade the air traffic control infrastructure and operations. The ADS-B system seeks to replace legacy approaches such as primary and secondary radars by employing global satellite navigation systems to generate precise air pictures for air traffic management. The security of ADS-B is a major concern because the system broadcasts detailed information about aircraft, their positions, velocities and other data over unencrypted data links, making it easy to launch eavesdropping, jamming and message modification attacks on aircraft in flight. This paper discusses ADS-B vulnerabilities and attacks that leverage the ADS-B protocol stack. The paper also presents the security requirements, state-of-the-art attack detection techniques and countermeasures, along with an overall risk analysis of the ADS-B system.
CABBA: Compatible Authenticated Bandwidth-efficient Broadcast protocol for ADS-B
2023, arXiv

View all citing articles on Scopus

View full text

Published by Elsevier B.V.