JOINT AUTHORITIES FOR RULEMAKING OF UNMANNED SYSTEMS
Putting Cyber in SORA

On behalf of JARUS WG-6 by


Andy Thurling,
Chief Technology Officer
NUAIR Alliance
Motivation
• Purpose of SORA is to inform a National authority's approval of a
specific UAS use case concept of operations
• FAA is looking toward SORA as a way to streamline approvals in the
future; and EASA has fully adopted it for their “Specific” category.
• The SORA as written currently "punts" on Security:
– "(c) Security aspects are excluded from the applicability of this
methodology (when not limited to those confined by the airworthiness
of the systems, e.g. aspects relevant to the protection from unlawful
electromagnetic interference)."
• EASA Technical Opinion, page 23, requires the operational risk
assessment (i.e. SORA) to include Cyber:
– “The requirements on the operational risk assessment have been
amended to also include an evaluation of privacy and security risks.”
(emphasis added)
Motivation
• Cyber had an entire track at SANIS last year
• We can do the best job with SORA and then still have people
turned down by their Regulator because they haven’t thought
about the security aspects sufficiently, specifically cyber
• Once we get past airworthiness, have airspace access, and
spectrum is available, cyber security (or lack thereof) will
become the "next" show stopper to widespread use of UAS
Work in Progress
• WG-72 is working on security of ATM systems (ED-205 group)
– Section on the relationship between security and safety
– Updated draft of ED-205 should be available soon
• RTCA published DOs 326, 355, 356
• U.S. Commerce Department's NIST has released version 1.1 of
Framework for Improving Critical Infrastructure Cybersecurity
• WG-73 C2 group (now WG-105 C3)
– WG-73 draft RPS C2 Link Security Requirements
– Standalone system-neutral document
– Only about 20% of the complete picture
– System design, operational scenarios, hazard analysis, risk assessment,
objectives and measures were closely linked to a proprietary RPAS and
can't be made public
Work in Progress

• So, lots of standards, but are they appropriate for small UAS?
WG-105 C3
• “One topic that came up often in ED-205 discussions so
far is the tolerance level for risk and the need to keep
mitigations provided by established measures
implemented by IT and communications systems
providers that have been proved satisfactory over
many millions of operating hours.”
• It could be an issue … especially towards the higher
complexity end, and for UTM (U-Space) as well
• The argument is … that the cost of proving security
using ED-202A/ED-203A as well as ED-79A/ED-12C is so
high that operators will tolerate too high a level of
security risk.
Proposal
• Use a SORA-like process for Cyber
– Different “threats”, different “barriers” – but the same
philosophy
– Different “harms”, different barriers – same
philosophy
• Safety and Cyber security can work at cross
purposes
– More redundancy opens additional attack surfaces
• Examples – two ends of the spectrum:
– Stand alone hand controller in rural environment
– Fully connected to UTM
UAS Exposure to Cyber Threats
• Four key cyber threat areas that include:
– GPS spoofing
• Risk is loss of control by the pilot
• Automated geographical restrictions may be bypassed allowing the
drone to fly in restricted airspace or the drone may be forced to land
where it is not intended by using the automated flight restrictions
against the legitimate operator
– C2 Hijacking
• Via command injection, the UAS may lose connection to the
controller, and if it has no failover or automated exception handling,
safe flight of the vehicle can be compromised
– Remote Access
• With remote access to the CPU (through a secondary channel such as
the Video link, or through pre-loaded malware), both the normal
operation of the UAS and automated controls may be compromised
– Remote Access to sensors
• Operator observation of targets may be compromised
• Drone may be surreptitiously tracked
Cyber Vulnerabilities

Riham Altawy and Amr M. Youssef, “Security, privacy, and safety aspects of civilian drones: A survey.”
ACM Trans. Cyber-Phys. Syst. 1, 2, Article 7 (November 2016), 25 pages.
DOI: http://dx.doi.org/10.1145/3001836
Real-world Cyber-attacks on UAS and Safety Implications
Actual Cyber-Attack – General Safety Implication
• Iranian attack on US Sentinel via GPS spoofing (2012) (claimed) – UAS position could be fooled to cause flight outside approved volume
• Malware for AR Parrot (2015) provides attacker with access to on-board sensors – UAS could be fooled into flight path deviation which causes flight into obstacles
• Defcon 23 (2015) attacker connects to WiFi link on drone to then power-down drone mid-flight – UAS crashes to ground

Hazards to UAS Safety from Cyber Attack Have Already Been Observed
Adjustments to SORA process to include Cyber
• The SORA applies mitigations in three areas
– Adjustments to GRC or “harm barriers”
– Inclusion in ARC
– In Operational Safety Objectives
• Cyber requirements can be divided in a similar manner
• Cybersecurity considerations can be included in SORA
at three different points in the existing process
– Minimal change to the current process flow
– (a) In the transition to the final GRC
– (b) in the generation of the initial Air Risk Class
– (c) in the Operational Safety Objectives
Adjustment to GRC
• Included as part of the harm barriers and GRC adjustment performed as
part of arriving at the Final GRC (refer to Steps #2 and #3)
• The GRC is defined, essentially, by the UA size, and where it will be
operating
– An adjustment should be made if the assumption of operating location is not valid, i.e.
the UA is where it should not be
– The operator is encouraged to identify appropriate mitigations to avoid increasing
the final GRC
• Requires the identification of additional, cyber security focused, harm
barrier; “Cyber threats to proper containment addressed”.
• As part of the identification of this harm barrier, relative correction factors
and estimates of robustness will need to be generated by modifying the
current Annex B.

Cybersecurity Mitigation for GRC Adaptation (Robustness: Low / Med / High)
• CSM #1 – Cyber threats to proper containment addressed: +2 / +1 / 0
Inclusion in ARC
• Similar cybersecurity mitigations (harm barriers) are introduced corresponding to the Robustness
Level of the Air Risk Containment Measures (see Table)
• Robustness Level of Low may require operator to have in place a basic cybersecurity mitigation to
ensure that a cybersecurity attack on a UAS sub-system or component would not cause the UAS to
violate its containment airspace
• Increasing level of cybersecurity hardening would be expected to be in place by the operators for
Medium and High Levels of Robustness
• In considering the cybersecurity mitigations, the cardinal security properties of Confidentiality,
Integrity, and Availability will be used as the filter of preserving these properties
• Writing a new Annex to SORA would allow cyber security professionals the opportunity to help the
Aviation Safety community better define “Low, Medium, and High”
• This is parallel in thinking to enlisting the Industry Standards community (through EUROCAE WG-105) to define appropriate industry standards for Operational Safety Objectives (Annex E)

Robustness Level of the Air-Risk Containment Measures by Uncontained ARC
• Uncontained ARC 1: None (the operator may still need to show some form of containment as deemed necessary by the local authority / qualified entity)
• Uncontained ARC 2: Low
• Uncontained ARC 3: Medium
• Uncontained ARC 4: High
Mapping of Cybersecurity threats to potential mitigations
Confidentiality, Integrity, and Availability
Cybersecurity Can Be Included in SORA OSOs
JARUS Operational Safety Objectives (Hazard – # – Operational Safety Objective)
• Technical issue with the UAS
– OSO#01 Ensure the operator is competent and/or proven
– OSO#02 UAS manufactured by competent and/or proven entity
– OSO#03 UAS maintained by competent and/or proven entity
– OSO#04 UAS developed to authority recognized design standards
– OSO#05 UAS is designed considering system safety and reliability
– OSO#06 C3 Link performance is appropriate for the operation
– OSO#07 Inspection of the UAS (product inspection) to ensure consistency to the ConOps
– OSO#08 Operational procedures are defined, validated and adhered to
– OSO#09 Remote crew trained and current and able to control the abnormal situation
– OSO#10 Safe recovery from technical issue
• Human Error
– OSO#14 Operational procedures are defined, validated and adhered to
– OSO#15 Remote crew trained and current and able to control the abnormal situation
– OSO#16 Multi crew coordination
– OSO#17 Remote crew is fit to operate
– OSO#18 Automatic protection of the flight envelope from Human Error
– OSO#19 Safe recovery from Human Error
– OSO#20 A Human Factors evaluation has been performed and the HMI found appropriate for the mission
– CSO #1 Factory passwords reset and good password practices employed to authenticate data and control links
• Adverse Operating Conditions
– OSO#21 Operational procedures are defined, validated and adhered to
– OSO#22 The remote crew is trained to identify critical environmental conditions and to avoid them
– OSO#23 Environmental conditions for safe operations defined, measurable and adhered to
– OSO#24 UAS designed and qualified for adverse environmental conditions
• Deterioration of external systems supporting UAS operation beyond the control of the UAS
– OSO#11 Procedures are in-place to handle the deterioration of external systems supporting UAS operation
– OSO#12 The UAS is designed to manage the deterioration of external systems supporting UAS operation
– OSO#13 External services supporting UAS operations are adequate to the operation
– CSO #2 UAS designed with multiple sensors which are used for verification of data reported by a sensor
– CSO #3 UAS fitted with multiple GPS receivers to defend against GPS spoofing and denial attempts
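The two cyber-specific objectives CSO #2 (multiple sensors cross-verifying each other) and CSO #3 (multiple GPS receivers) both come down to a consistency check run on board before a fix is trusted. The Python below is an added illustration written for this page, not code from JARUS, the deck's author or any UAS product: the fixes from two receivers are compared with each other and with a position dead-reckoned from the inertial sensors, and a receiver whose fix diverges is set aside before its data reaches navigation or the geofence. The Fix type, the two tolerances and every coordinate are constructed assumptions.

```python
"""Cross-checking redundant position sources before a GPS fix is trusted.

Added example written for this page (not JARUS or vendor code): illustrates
CSO #2 / CSO #3, where a UAS carries two GNSS receivers and checks each fix
against the other receiver and against a dead-reckoned estimate from the
inertial sensors. Tolerances, the Fix type and all coordinates are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
RECEIVER_AGREEMENT_M = 20.0    # assumed: max allowed separation between the two receivers' fixes
PREDICTION_TOLERANCE_M = 50.0  # assumed: max allowed drift from the inertial dead-reckoned position


@dataclass(frozen=True)
class Fix:
    lat_deg: float
    lon_deg: float
    t_s: float  # seconds since the epoch of the last accepted fix


def distance_m(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance between two fixes, in metres."""
    phi1, phi2 = math.radians(a.lat_deg), math.radians(b.lat_deg)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon_deg - a.lon_deg)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def dead_reckon(last_good: Fix, ground_speed_mps: float, track_deg: float, t_s: float) -> Fix:
    """Project the last accepted fix forward along the inertial track.

    Flat-earth approximation: adequate over the few seconds between fixes.
    """
    d = ground_speed_mps * (t_s - last_good.t_s)
    north = d * math.cos(math.radians(track_deg))
    east = d * math.sin(math.radians(track_deg))
    dlat = math.degrees(north / EARTH_RADIUS_M)
    dlon = math.degrees(east / (EARTH_RADIUS_M * math.cos(math.radians(last_good.lat_deg))))
    return Fix(last_good.lat_deg + dlat, last_good.lon_deg + dlon, t_s)


def check_fix(primary: Fix, secondary: Fix, predicted: Fix) -> tuple[str, Fix]:
    """Decide which position the flight controller may use.

    Returns (status, fix_to_use). A receiver is 'suspect' when it disagrees with
    the inertial prediction while the other receiver agrees with it; if neither
    receiver can be reconciled, the controller falls back to the inertial estimate
    and reports 'degraded' so the contingency procedure (hold / land) can run.
    """
    primary_ok = distance_m(primary, predicted) <= PREDICTION_TOLERANCE_M
    secondary_ok = distance_m(secondary, predicted) <= PREDICTION_TOLERANCE_M
    receivers_agree = distance_m(primary, secondary) <= RECEIVER_AGREEMENT_M
    if receivers_agree and primary_ok and secondary_ok:
        return "ok", primary
    if secondary_ok and not primary_ok:
        return "primary_suspect", secondary
    if primary_ok and not secondary_ok:
        return "secondary_suspect", primary
    return "degraded", predicted


def demo() -> dict[str, str]:
    """Run three constructed scenarios and return the status each produced."""
    last_good = Fix(43.0, -76.0, 0.0)
    # 10 m/s due east for 5 s: the aircraft should now be ~50 m east of last_good
    predicted = dead_reckon(last_good, ground_speed_mps=10.0, track_deg=90.0, t_s=5.0)
    honest_a = Fix(43.00000, -75.99939, 5.0)   # within a metre of the prediction
    honest_b = Fix(43.00001, -75.99940, 5.0)   # within two metres of the prediction
    offset = Fix(43.00000, -75.99000, 5.0)     # ~760 m away from the prediction
    return {
        "both_consistent": check_fix(honest_a, honest_b, predicted)[0],
        "primary_offset": check_fix(offset, honest_b, predicted)[0],
        "both_offset": check_fix(offset, Fix(43.00001, -75.99001, 5.0), predicted)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The "degraded" outcome is the one that matters for containment: when both receivers agree with each other but not with the inertial estimate, the code deliberately refuses to pick a winner and hands control to the contingency procedure rather than letting an agreed-but-unverifiable position drive the geofence.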
Example 1: OSO #06 Integrity
OSO #06 – C3 link performance is appropriate for the operation (Technical issue with the UAS) – LEVEL of INTEGRITY
• Criteria #1
– Low: The applicant determines that performance, RF spectrum usage (1)(2) and environmental conditions for C3 links are adequate to conduct safely the intended operation. The UAS remote pilot has the means to continuously monitor the performance of C3 to ensure the adequacy of that performance to the operation requirements (3).
– Medium: Same as Low.
– High: Same as Low. In addition, the use of licensed (4) frequency bands for C2 Link is required.
• Comments on Criteria #1
– Low: (1) For a low level of integrity, unlicensed frequency bands might be accepted under certain conditions, e.g.: the applicant demonstrates compliance with other RF spectrum usage requirements (e.g. for EU: Directive 2014/53/EU, for US: CFR Title 47 Part 15 Federal Communication Commission (FCC) rules), for instance by showing that the UAS pieces of equipment are compliant with these requirements (e.g. FCC marking), and the use of protection mechanisms against interference (e.g. FHSS, frequency deconfliction by procedure). (3) The remote pilot has access at all times and in a timely manner to the relevant information on C3 affecting the safety of flight. For the operations requesting only a low level of integrity for this OSO, this could be limited to monitoring the C2 link signal strength and receiving an alert from the UAS HMI if the signal is becoming too low.
– Medium: (2) The use of licensed frequency bands might be necessary depending on the operation considered, although the use of non-aeronautical bands (e.g. licensed bands for cellular network) might be acceptable.
– High: (4) This is ensuring a minimum level of performance and is not limited to aeronautical licensed frequency bands (e.g. licensed bands for cellular network). It is nevertheless expected that some of the operations may require the use of bands allocated to the aeronautical mobile service for the use of C2 Link (e.g. 5030 – 5091 MHz). In any case, the use of licensed frequency bands needs to be authorized.
• Criteria #2
– Low: The C2 link is designed to have some basic form of authentication
– Medium: The C2 link is designed to have authentication and encryption
– High: The C2 link is designed to have authentication, encryption, and back-up links as well as the separation of data and control links to the UAS and link redundancy
• Comments on Criteria #2: Possible use of RTCA DO-362, IEC-62443, and NIST 800-122 Series to derive the details of the criteria to map to different levels of integrity
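Criteria #2 asks for "some basic form of authentication" on the C2 link at the Low level of integrity. As an added example (not from the deck, from JARUS, or from any vendor's protocol), the Python below shows one way to meet that: each command frame from the ground station carries a monotonic sequence number and an HMAC-SHA256 tag under a key established at pairing (so not a factory default, in the spirit of CSO #1), and the aircraft rejects a frame whose tag does not verify or whose sequence number is not newer than the last accepted one. The frame layout, command identifiers, tag length and pairing secret are assumptions made for the example.

```python
"""Authenticating C2 command frames with a shared key and a monotonic counter.

Added example written for this page (not JARUS or vendor code): one way to
satisfy the Low-integrity "basic form of authentication" of OSO #06 Criteria #2.
Frame layout, command ids, tag length and the pairing secret are assumptions.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16            # bytes of the HMAC-SHA256 tag carried on the wire (assumption)
HEADER = ">IB"          # 32-bit sequence number, 8-bit command id (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)

CMD_SET_WAYPOINT = 0x10  # constructed command ids for the example
CMD_RETURN_HOME = 0x20


def derive_link_key(pairing_secret: bytes) -> bytes:
    """Per-pairing link key from an operator-set secret, never a factory default (cf. CSO #1)."""
    return hashlib.sha256(b"c2-link-auth-v1" + pairing_secret).digest()


class GroundStation:
    """Sender side: numbers each frame and appends a keyed tag over header + payload."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def build(self, cmd_id: int, payload: bytes) -> bytes:
        self._seq += 1
        body = struct.pack(HEADER, self._seq, cmd_id) + payload
        tag = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Aircraft:
    """Receiver side: verifies the tag first, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0

    def accept(self, frame: bytes):
        """Return (status, cmd_id, payload); cmd_id and payload are None unless status is 'ok'."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "malformed", None, None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad_tag", None, None   # corrupted, altered, or produced without the link key
        seq, cmd_id = struct.unpack(HEADER, body[:HEADER_LEN])
        if seq <= self._last_seq:
            return "replay", None, None    # an already-seen frame delivered again
        self._last_seq = seq
        return "ok", cmd_id, body[HEADER_LEN:]


def demo() -> list:
    """Constructed exchange; returns the aircraft's verdict on each frame in order."""
    key = derive_link_key(b"constructed-pairing-secret")
    gcs, uav = GroundStation(key), Aircraft(key)
    verdicts = []
    frame1 = gcs.build(CMD_SET_WAYPOINT, struct.pack(">dd", 43.0, -76.0))
    verdicts.append(uav.accept(frame1)[0])             # genuine frame: ok
    verdicts.append(uav.accept(frame1)[0])             # same bytes again: replay
    altered = bytearray(frame1)
    altered[HEADER_LEN] ^= 0x01                        # one payload bit changed in transit
    verdicts.append(uav.accept(bytes(altered))[0])     # tag no longer matches: bad_tag
    unpaired = GroundStation(derive_link_key(b"some-other-secret"))
    verdicts.append(uav.accept(unpaired.build(CMD_RETURN_HOME, b""))[0])  # wrong key: bad_tag
    frame2 = gcs.build(CMD_RETURN_HOME, b"")
    verdicts.append(uav.accept(frame2)[0])             # next genuine frame: ok
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The tag is checked before the sequence number is read, so an unauthenticated frame can never advance the receiver's counter. Authentication alone covers only the Low row; the Medium and High rows add confidentiality and redundant links, which this example does not provide (an AEAD construction such as AES-GCM would give authentication and encryption in one pass, and a real link would also bound the sequence window and rotate the key).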
OSO #06 Assurance
OSO #06 – C3 link performance is appropriate for the operation (Technical issue with the UAS) – LEVEL of ASSURANCE
• Criteria #1
– Low: Refer to the criteria provided in section 9.
– Medium: Evidence for required C3 link performance is produced in accordance with recognized standards.
– High: Same as Medium. In addition, evidence is checked by a competent third party.
• Comments on Criteria #1
– Low: N/A
– Medium: A list of adequate industry standards (existing or to be established) will be identified by Eurocae WG105 by September 2018.
– High: N/A
• Criteria #2
– Low: User defines password for GCS to authenticate to the UAS via the C2 link as part of system set-up
– Medium: Independent 3rd-party testing to show system passes tests derived from established standards such as DO-362 and others for C2 link robustness
– High: Independent 3rd-party cybersecurity assessment carried out to show C2 link is hardened for encryption and authentication and against attacks to the C2 link
Example 2: OSO #13 Integrity
OSO #13 – External services supporting UAS operations are adequate to the operation (Deterioration of external systems supporting UAS operation beyond the control of the UAS) – LEVEL of INTEGRITY
• Criteria #1 (Low, Medium and High): The applicant ensures that the level of performance for any externally provided service necessary for the safety of the flight is adequate for the intended operation. Roles and responsibilities between the applicant and the external service provider are defined.
• Criteria #2 (Low, Medium and High): External interfaces and data feeds to the UAS operation are to meet information security requirements in preserving the security properties of Confidentiality, Integrity, and Availability as well as Access control.
• Comments on Criteria #1
– Low: N/A
– Medium: N/A
– High: Requirements for contracting services with Service Provider may be derived from ICAO SARPS (currently under development).
• Comments on Criteria #2: Requirements may be derived from the NIST 800-53 framework
OSO #13 Assurance
OSO #13 – External services supporting UAS operations are adequate to the operation (Deterioration of external systems supporting UAS operation beyond the control of the UAS) – LEVEL of ASSURANCE
• Criteria #1
– Low: The applicant declares that the requested level of performance for any externally provided service necessary for the safety of the flight is achieved (without evidence being necessarily available).
– Medium: The applicant has supporting evidence that the required level of performance can be achieved for the full duration of the mission. This may take the form of a service-level agreement (SLA) or any official commitment that prevails between a service provider and the applicant on relevant aspects of the service (including quality, availability, responsibilities). The applicant has a means to monitor externally provided services which affect flight critical systems and take appropriate actions if real-time performance could lead to the loss of control of the operation.
– High: Same as Medium. In addition: the evidence of the externally provided service performance is achieved through demonstrations; a competent third party validates the claimed level of integrity.
• Criteria #2
– Low: Self-declared compliance to the standard (qualitative assessment)
– Medium: In-house testing and test report provided
– High: System tested by an external independent testing entity and test report available
• Comments on Criteria #2
– Low: May point to Industry Best Practices and/or from other mature industries such as Automotive
– Medium: May borrow standards from other domains such as Industrial Controls, Automotive, Computer Networks etc.
– High: Expect testing to standards established by RTCA or other standards organization and specific to cybersecurity of UAS and cyber-physical systems
Conclusion
• Aviation Safety experts create framework with Cyber community involvement
– L/M/H determination for barriers
• Leader in Cyber Security put the “flesh on the bones”
– Annex “X”
[Figure: Level of Involvement]
Cybersecurity SMEs Working With UAS Operators to Balance the Introduction of Cybersecurity Harm and Threat Barriers
Conclusion
• We propose to include cybersecurity considerations
into SORA at three points in the existing process
– Minimal change to the current process flow
– (a) In the transition to the final GRC
– (b) in the generation of the initial Air Risk Class
– (c) in the Operational Safety Objectives
• We propose that a Cybersecurity Focus Group be
established to accomplish the work required to do the
three tasks identified above
• The Focus Group will be composed of respondents to a
call for participation from among the member
countries
Questions

AThurling@NUAIR.org +1 805 368 6351 https://nuairalliance.org/

Questions

contact@jarus-rpas.org +32 2 729 3629 / +32 2 801 3902 http://jarus-rpas.org/
