UNMANNED SYSTEMS
Putting Cyber in SORA
• So, lots of standards, but are they appropriate for small UAS?
WG-105 C3
• “One topic that came up often in ED-205 discussions so far is the tolerance level for risk and the need to keep mitigations provided by established measures implemented by IT and communications systems providers that have been proved satisfactory over many millions of operating hours.”
• It could be an issue … especially towards the higher complexity end, and for UTM (U-Space) as well
• The argument is … that the cost of proving security using ED-202A/ED-203A as well as ED-79A/ED-12C is so high that operators will tolerate too high a level of security risk.
Proposal
• Use a SORA-like process for Cyber
– Different “threats”, different “barriers” – but the same philosophy
– Different “harms”, different barriers – same philosophy
• Safety and Cyber security can work at cross purposes
– More redundancy opens additional attack surfaces
• Examples – two ends of the spectrum:
– Stand alone hand controller in rural environment
– Fully connected to UTM
UAS Exposure to Cyber Threats
• Four key cyber threat areas that include:
– GPS spoofing
• Risk is loss of control by the pilot
• Automated geographical restrictions may be bypassed, allowing the drone to fly in restricted airspace, or the drone may be forced to land where it is not intended by using the automated flight restrictions against the legitimate operator
– C2 Hijacking
• Via command injection, the UAS may lose connection to the controller, and if it has no failover or automated exception handling, safe flight of the vehicle can be compromised
– Remote Access
• With remote access to the CPU (through a secondary channel such as the Video link, or through pre-loaded malware), both the normal operation of the UAS and automated controls may be compromised
– Remote Access to sensors
• Operator observation of targets may be compromised
• Drone may be surreptitiously tracked
Cyber Vulnerabilities
Riham Altawy and Amr M. Youssef, “Security, privacy, and safety aspects of civilian drones: A survey.” ACM Trans. Cyber-Phys. Syst. 1, 2, Article 7 (November 2016), 25 pages. DOI: http://dx.doi.org/10.1145/3001836
Real-world Cyber-attacks on UAS and Safety Implications
Actual Cyber-Attack → General Safety Implication
• Iranian attack on US Sentinel via GPS spoofing (2012) (claimed) → UAS position could be fooled to cause flight outside approved volume
• Malware for AR Parrot (2015) provides attacker with access to on-board sensors → UAS could be fooled into flight path deviation which causes flight into obstacles
• Defcon 23 (2015): attacker connects to WiFi link on drone to then power-down drone mid-flight → UAS crashes to ground
Cybersecurity Mitigation for GRC Adaptation
Cybersecurity Mitigation                                   Robustness: Low / Med / High
CSM #1  Cyber threats to proper containment addressed      +2 / +1 / 0
Inclusion in ARC
• Similar cybersecurity mitigations (harm barriers) are introduced corresponding to the Robustness Level of the Air Risk Containment Measures (see Table)
• Robustness Level of Low may require operator to have in place a basic cybersecurity mitigation to ensure that a cybersecurity attack on a UAS sub-system or component would not cause the UAS to violate its containment airspace
• Increasing level of cybersecurity hardening would be expected to be in place by the operators for Medium and High Levels of Robustness
• In considering the cybersecurity mitigations, the cardinal security properties of Confidentiality, Integrity, and Availability will be used as the filter of preserving these properties
• Writing a new Annex to SORA would allow cyber security professionals the opportunity to help the Aviation Safety community better define “Low, Medium, and High”
• This is parallel in thinking to enlisting the Industry Standards community (through EUROCAE WG-105) to define appropriate industry standards for Operational Safety Objectives (Annex E)
Table (extract): 2 – Low; 3 – Medium; 4 – High
Mapping of Cybersecurity threats to potential mitigations
Confidentiality, Integrity, and Availability
Cybersecurity Can Be Included in SORA OSOs
JARUS Operational Safety Objectives (Hazard / # / Operational Safety Objective)
Hazard: Technical issue with the UAS
– OSO#01 Ensure the operator is competent and/or proven
– OSO#02 UAS manufactured by competent and/or proven entity
– OSO#03 UAS maintained by competent and/or proven entity
– OSO#04 UAS developed to authority recognized design standards
– OSO#05 UAS is designed considering system safety and reliability
– OSO#06 C3 Link performance is appropriate for the operation
– OSO#07 Inspection of the UAS (product inspection) to ensure consistency to the ConOps
– OSO#08 Operational procedures are defined, validated and adhered to
– OSO#09 Remote crew trained and current and able to control the abnormal situation
– OSO#10 Safe recovery from technical issue
Hazard: Human Error
– OSO#14 Operational procedures are defined, validated and adhered to
– OSO#15 Remote crew trained and current and able to control the abnormal situation
– OSO#16 Multi crew coordination
– OSO#17 Remote crew is fit to operate
– OSO#18 Automatic protection of the flight envelope from Human Error
– OSO#19 Safe recovery from Human Error
– OSO#20 A Human Factors evaluation has been performed and the HMI found appropriate for the mission
– CSO #1 Factory passwords reset and good password practices employed to authenticate data and control links
Hazard: Adverse Operating Conditions
– OSO#21 Operational procedures are defined, validated and adhered to
– OSO#22 The remote crew is trained to identify critical environmental conditions and to avoid them
– OSO#23 Environmental conditions for safe operations defined, measurable and adhered to
– OSO#24 UAS designed and qualified for adverse environmental conditions
Hazard: Deterioration of external systems supporting UAS operation beyond the control of the UAS
– OSO#11 Procedures are in-place to handle the deterioration of external systems supporting UAS operation
– OSO#12 The UAS is designed to manage the deterioration of external systems supporting UAS operation
– OSO#13 External services supporting UAS operations are adequate to the operation
– CSO #2 UAS designed with multiple sensors which are used for verification of data reported by a sensor
– CSO #3 UAS fitted with multiple GPS receivers to defend against GPS spoofing and denial attempts
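CSO #2 and CSO #3 call for cross-checking one sensor against others and fitting redundant GPS receivers. The following is an added example, not from these slides or from JARUS/SORA, of what such a plausibility check could look like on a flight controller: the function name check_position, the receiver labels gps_a..gps_c, the IMU dead-reckoning estimate and the 30 m / 50 m thresholds are all assumptions, and the fixes are constructed sample data.

```python
import math
from itertools import combinations

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_position(gps_fixes, imu_estimate, max_spread_m=30.0, max_imu_delta_m=50.0):
    """Cross-check redundant GPS fixes (CSO #3) against an IMU dead-reckoning
    estimate propagated from the last trusted fix (CSO #2).

    gps_fixes: {receiver_name: (lat, lon)}; imu_estimate: (lat, lon).
    Returns (trusted, findings). trusted is False when any two receivers
    disagree by more than max_spread_m, or when even the receiver closest to
    the IMU estimate is further than max_imu_delta_m from it (the case where
    every receiver is pulled the same way, which a receiver-only vote misses).
    Thresholds are illustrative assumptions, not values from SORA.
    """
    findings = []
    for (n1, p1), (n2, p2) in combinations(gps_fixes.items(), 2):
        d = haversine_m(p1, p2)
        if d > max_spread_m:
            findings.append(f"{n1} and {n2} disagree by {d:.0f} m")
    closest, fix = min(gps_fixes.items(), key=lambda kv: haversine_m(kv[1], imu_estimate))
    d_imu = haversine_m(fix, imu_estimate)
    if d_imu > max_imu_delta_m:
        findings.append(f"all receivers (closest: {closest}) are {d_imu:.0f} m from IMU estimate")
    return not findings, findings


# Constructed sample data (not real flight logs). Near 51.5N, 0.001 deg lat ~ 111 m.
IMU_ESTIMATE = (51.5000, -0.1200)
NORMAL = {"gps_a": (51.50001, -0.12001), "gps_b": (51.49999, -0.11999)}
ONE_SPOOFED = dict(NORMAL, gps_c=(51.5045, -0.1200))                     # gps_c pulled ~500 m north
ALL_SPOOFED = {"gps_a": (51.5045, -0.1200), "gps_b": (51.5045, -0.1201)}  # every receiver pulled

if __name__ == "__main__":
    for label, fixes in (("normal", NORMAL), ("one receiver spoofed", ONE_SPOOFED),
                         ("all receivers spoofed", ALL_SPOOFED)):
        trusted, findings = check_position(fixes, IMU_ESTIMATE)
        print(f"{label}: trusted={trusted}", *findings, sep="\n  ")
```

The IMU estimate drifts over time, so in practice the second threshold would scale with time since the last trusted fix.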
Example 1: OSO #6 Integrity
TECHNICAL ISSUE WITH THE UAS – OSO #06: C3 link performance is appropriate for the operation
LEVEL of INTEGRITY: Low / Medium / High

Criteria
– Low: The applicant determines that performance, RF spectrum usage (1)(2) and environmental conditions for C3 links are adequate to conduct safely the intended operation. The UAS remote pilot has the means to continuously monitor the performance of C3 to ensure the adequacy of that performance to the operation requirements (3).
– Medium: Same as Low.
– High: Same as Low. In addition, the use of licensed (4) frequency bands for C2 Link is required.

Comments
– Low: (1) For a low level of integrity, unlicensed frequency bands might be accepted under certain conditions, e.g.: the applicant demonstrates compliance with other RF spectrum usage requirements (e.g. for EU: Directive 2014/53/EU, for US: CFR Title 47 Part 15 Federal Communication Commission (FCC) rules), for instance by showing that the UAS pieces of equipment are compliant with these requirements (e.g. FCC marking), and the use of protection mechanisms against interference (e.g. FHSS, frequency deconfliction by procedure). (3) The remote pilot has access at all times and in a timely manner to the relevant information on C3 affecting the safety of flight. For the operations requesting only a low level of integrity for this OSO, this could be limited to monitoring the C2 link signal strength and receiving an alert from the UAS HMI if the signal is becoming too low.
– Medium: (2) The use of licensed frequency bands might be necessary depending on the operation considered, although the use of non-aeronautical bands (e.g. licensed bands for cellular network) might be acceptable.
– High: (4) This is ensuring a minimum level of performance and is not limited to aeronautical licensed frequency bands (e.g. licensed bands for cellular network). It is nevertheless expected that some of the operations may require the use of bands allocated to the aeronautical mobile service for the use of C2 Link (e.g. 5030 – 5091 MHz). In any case, the use of licensed frequency bands needs to be authorized.

Criteria #2
– Low: The C2 link is designed to have some basic form of authentication
– Medium: The C2 link is designed to have authentication and encryption
– High: The C2 link is designed to have authentication, encryption, and back-up links as well as the separation of data and control links to the UAS and link redundancy

Comments (Criteria #2)
– Possible use of RTCA DO-362, IEC-62443, and NIST 800-122 Series to derive the details of the criteria to map to different levels of integrity
OSO #6 Assurance
TECHNICAL ISSUE WITH THE UAS – OSO #06: C3 link performance is appropriate for the operation
LEVEL of ASSURANCE: Low / Medium / High

Criteria
– Low: Refer to the criteria provided in section 9.
– Medium: Evidence for required C3 link performance is produced in accordance with recognized standards.
– High: Same as Medium. In addition, evidence is checked by a competent third party.

Comments
– Low: N/A
– Medium: A list of adequate industry standards (existing or to be established) will be identified by Eurocae WG105 by September 2018.
– High: N/A

Criteria #2
– Low: User defines password for GCS to authenticate to the UAS via the C2 link as part of system set-up
– Medium: Independent 3rd-party testing to show system passes tests derived from established standards such as DO-362 and others for C2 link robustness
– High: Independent 3rd-party cybersecurity assessment carried out to show C2 link is hardened for encryption and authentication and against attacks to the C2 link
Example 2: OSO #13 Integrity
DETERIORATION OF EXTERNAL SYSTEMS SUPPORTING UAS OPERATION BEYOND THE CONTROL OF THE UAS – OSO #13: External services supporting UAS operations are adequate to the operation
LEVEL of INTEGRITY: Low / Medium / High

Criteria #1: The applicant ensures that the level of performance for any externally provided service necessary for the safety of the flight is adequate for the intended operation. Roles and responsibilities between the applicant and the external service provider are defined.
Criteria #2: External interfaces and data feeds to the UAS operation are to meet information security requirements in preserving the security properties of Confidentiality, Integrity, and Availability as well as Access control.

Comments
– Low: N/A
– Medium: N/A
– High: Requirements for contracting services with Service Provider may be derived from ICAO SARPS (currently under development).
Questions