increasing the resilience of atc systems against false ... · fdias example (2): vehicular ad-hoc...
TRANSCRIPT
28/06/18 – Universitat Politècnica de Catalunya
Increasing the Resilience of ATC Systems against False Data Injection Attacks using
DSL-based Testing
8th International Conference on Research in Air TransportationDoctoral Symposium
Aymeric Cretin, Bruno LegeardFabien Peureux, Alexandre Vernotte
1
28/06/18 – Universitat Politècnica de Catalunya
Summary
2
• Context: ADS-B Protocol and FDIAs
• Objectives of research
• Proposed approach: T-FDIA Framework
• Conclusion and Future Work
28/06/18 – Universitat Politècnica de Catalunya
Automatic Dependent Surveillance-Broadcast (ADS-B)
3
ADS-B characteristics:
ADS-B goal:- Reduce the surveillance cost- Improve the aircraft position accuracy
- Deployed in most aircraft- 1090 MHz frequency- Periodically broadcast positioning- Unencrypted and unauthenticated
28/06/18 – Universitat Politècnica de Catalunya
ADS-B: How it works ?
4
GPS Satellite
Air Controller
Ground Station
ATC Network
ATC Software
What is an FDIA?
- Not secure by design - Vulnerable to cyber attacks- Especially False Data
Injection Attacks
28/06/18 – Universitat Politècnica de Catalunya 5
FDIAs Example (1): Smart GridSmart Grids characteristics
FDIAs comes from Smart Grids
Possible impacts of FDIAs
[1] Liang, Gaoqi, et al. "The 2015 ukraine blackout: Implications for false data injection attacks."IEEE Transactions on Power Systems 32.4 (2017): 3317-3318.
- A power grid- Promotes the use of digital information and
controls technology- Adjusts the production and distribution of
electricity - Works in real time
« a cyber-attack in which power system stateestimation outputs are corrupted by injectingfalse data into meter measurements in a carefullycoordinated fashion » [1]
- Implications in 2015 Ukraine Blackout
28/06/18 – Universitat Politècnica de Catalunya 6
[1] M. Amoozadeh et al., "Security vulnerabilities of connected vehicle streams and their impact on cooperative driving“ IEEE Commun. Mag., vol. 53, no. 6, pp. 126-132, Jun. 2015.
FDIAs Example (2): Vehicular Ad-hoc Networks (VANETs)
VANETs definition« A network through which vehicles participate ininformation sharing and cooperative driving toimprove the safety and performance of autonomousdriving. » [1]
Possible impacts of FDIAsFor impacted vehicles the consensus of the traffic
state is altered.
28/06/18 – Universitat Politècnica de Catalunya 7
« A combination of basic, illegal operations (listening,blocking, modifying and creating messages) to alterthe consensus reached by the nodes of a network,while preserving the logic of the communication flow »
False Data Injection Attacks (FDIAs) definition
Analogy between those domains permits to consider a general definition of FDIAs:
Smart Grid VANETs ADS-B
Nodes Sensors Vehicles/Road Infrastructures
Transponders/Ground Stations
Consensus Power system state estimation Traffic state Recognized
Air Picture
28/06/18 – Universitat Politècnica de Catalunya
False Data Injection Attacks on ADS-B
Different scenarios of FDIA:- Ghost Aircraft Injection- Ghost Aircraft Flooding- Virtual Trajectory Modification- False Alarm Attack- Aircraft Disappearance- Aircraft Spoofing- Potentially any combination of
basic operations(modification, creation, deletion)
8
Examples of possible impacts:- Controller distraction with false events- Loss of an aircraft position- Crash of the ATC system
28/06/18 – Universitat Politècnica de Catalunya
Summary
9
• Context: ADS-B Protocol and FDIAs
• Objectives of research
• Proposed approach: T-FDIA Framework
• Conclusion and Future Work
28/06/18 – Universitat Politècnica de Catalunya
Main Objectives of Research (RO)
How to automate resilience testing of ADS-B based ATC systems against False Data Injection Attacks?
Definition and development of a testing framework (T-FDIA):
10
Able to formalize the design of FDIA for automation (RQ1)
Able to assess the resilience of ATC Systems against FDIAs (RQ3)
Able to generate accurate FDIA on ADS-B protocol (RQ2)
28/06/18 – Universitat Politècnica de Catalunya
Research question (RQ1)
To what extent can test design be efficiently supported for FDIA?In real situation, an FDIAs are complex to design and achieve:
11
Complex attacks based on simple operations
Requires a deep understanding of the system protocols and logic
The communication flow must be preserved
28/06/18 – Universitat Politècnica de Catalunya
Research question (RQ2)
To what extent can an FDIA be accurately generated on ADS-B?
12
A simple FDIA only covers few test cases
FDIAs can be designed and injected in an ATC System. However, this process could be improved by smart generation strategies.
FDIA scenarios could improve the detection of vulnerabilities
28/06/18 – Universitat Politècnica de Catalunya
Research question (RQ3)
To what extent can the resilience of a system be evaluated?- Detection of attacks (security)
- Can the system differentiate legitimate data from illegitimate data?- Are controllers prepared to recognize an attack?
- Reaction of the system (security)- Does the system yield the expected response in case of an attack?
- Robustness of the system to uncommon data (safety)- Is the system still reliable while receiving corrupted data?
13
28/06/18 – Universitat Politècnica de Catalunya
T-FDIA: Positioning within resilience issues
14
Pre-incident Post-incident
Resilience Umbrella
Incident
Time
Prevention
Preparedness
Operational Continuity
RecoveryResponse
28/06/18 – Universitat Politècnica de Catalunya
Summary
15
• Context: ADS-B Protocol and FDIA
• Objective of research
• Proposed approach: T-FDIA Framework
• Conclusion and Future Work
28/06/18 – Universitat Politècnica de Catalunya
T-FDIA: Architecture proposal
16
1) Collecting of legitimate ADS-Brecordings from internet or usingan antenna.
2) Graphical or textual design of ascenario of FDIA.
3) Production of a set of alterationto perform on an ADS-B recordingaccording to the designed FDIA.
4-5) Generation of the alteredADS-B messages and injection inthe ATC System
6) Assessment of the resilience ofthe ATC System by analyzing theoutput.
28/06/18 – Universitat Politècnica de Catalunya
T-FDIA: Domain Specific Language (DSL)
• Using ATC specific terminology
• Defining scenario pattern:– A scenario is a combination of basic operations (modification, creation, deletion)
– A pattern is applicable on any recording
• Example of a ghost aircraft flooding pattern:
17
saturate plane with ICAO = “40688A"from 10 seconds until 30 secondswith_values ICAO = “RANDOM"and AIRCRAFT_NUMBER = 5global assert "Fake Aircraft detected"
28/06/18 – Universitat Politècnica de Catalunya
T-FDIA: basic principles
18
Concretize the scenario: create 5 fake aircrafts with random ICAO
Socket Data Format: http://woodair.net/sbs/Article/Barebones42_Socket_Data.htm
Record ADS-B messages in a file with an antenna
Import the ADS-B recording in the Testing Framework
Inject the altered ADS-Bin the targeted system
through Ethernet
Design False Data Injection Attack scenario to apply on the recording.saturate plane with ICAO = “40688A"from 10 seconds until 30 secondswith_values ICAO = “RANDOM"and AIRCRAF_NUMBER = 5global assert "Fake Aircraft detected"
28/06/18 – Universitat Politècnica de Catalunya 19
T-FDIA: Tool Support
28/06/18 – Universitat Politècnica de Catalunya
T-FDIA: Scenario Designer GUI
20
28/06/18 – Universitat Politècnica de Catalunya
Summary
21
• Context: ADS-B Protocol and FDIAs
• Objective of research
• Proposed approach: T-FDIA Framework
• Conclusion and Future Work
28/06/18 – Universitat Politècnica de Catalunya
Achievements of Research Objectives
How to automate resilience testing of ADS-B based ATC systems against False Data Injection Attacks?
22
Able to formalize the design of FDIA for automation (RQ1):- Definition and implementation of a DSL to design complex FDIA
Able to assess the resilience of ATC Systems (RQ3):- Definition of assertions, and basic report generation
Able to generate accurate FDIA on ADS-B protocol (RQ2):- Development of a first basic strategie based on FDIA parameters
combination (Cartesian Product)
28/06/18 – Universitat Politècnica de Catalunya
Future Work: Use the test results to train an AI
• Test design and generation assisted by Artificial Intelligence
23
AI Module to guide the test dependingon the verdict of previous executions
28/06/18 – Universitat Politècnica de Catalunya
Future Work: Toward post-incident resilience
24
Pre-incident Post-incident
Resilience Umbrella
Incident
Time
Prevention
Preparedness
Operational Continuity
RecoveryResponse
28/06/18 – Universitat Politècnica de Catalunya
Thanks for your attentionAny questions?
Contact: [email protected]