• Abstract

# Secure Operation, Control, and Maintenance of Future E-Enabled Airplanes

Measures to protect safety and business viability are important in the operation, control and maintenance of aircraft and air traffic enabled by advanced information systems.

Commercial aviation is at the threshold of the era of the e-enabled airplane, brought about by the convergence of rapidly expanding worldwide data communication infrastructures, network-centric information processing, and commoditized lightweight computational hardware. With advanced avionics, processing, and wireless communication capabilities, the e-enabled airplane can revolutionize the current air transportation system. However, the use of unregulated information technology and wireless technologies introduces vulnerabilities that can be exploited to provide unauthorized access to the onboard aviation information systems and impede their operation. The emerging security threats are not covered by current aviation guidance, and regulations, hence, remain to be addressed. This paper presents a comprehensive survey of security of the e-enabled airplane with applications such as electronic distribution of loadable software and data, as well as future directions such as wireless health monitoring, networked control, and airborne ad hoc networks.

SECTION I

## INTRODUCTION

### A. Overview

Over the last century, aviation has evolved to become a driving force for the global economy. In 2006, air transportation produced an estimated \$3.5 trillion, nearly 8% of the world gross domestic income [1]. However, air traffic has overwhelmingly increased over the decades, with the number of passengers and amount of cargo transported on worldwide routes reaching an unprecedented 4.4 billion and 85.6 million tons, respectively, in 2006 [2]. Crowded skies combined with factors such as changing business models, terrorist threats, environmental concerns, and passenger needs test the current capacity and capabilities of air transportation systems. Consequently, today the aerospace industry is witnessing a revolutionary trend in commercial aviation, seeking technological and process innovations in aircraft design, manufacturing, operation, maintenance, and traffic management.

Large-scale initiatives are under way to assuredly integrate new aviation technologies into the civil airspace in the next two decades, with an expected threefold increase in airspace capacity. In the United States, the Federal Aviation Administration (FAA) is collaborating with other government agencies, industry, and academia to modernize the current National Airspace System to the Next Generation Air Transportation System.1 Another similar initiative is the Single European Sky ATM Research in Europe.2

A recent vision in commercial aviation is the e-enabled airplane, i.e., an aircraft that can participate as an intelligent node in a global information network [3]. The e-enabled airplane is envisioned to possess advanced avionics highly integrated with wireless commercial technologies for automated functionalities, e.g., global positioning system for navigation [4], wireless sensors, and radio-frequency identification (RFID) tags for maintenance [5], [6]. Wireless access points in the in-aircraft network will facilitate communications between onboard systems as well as communications with off-board infrastructure of air traffic control or airlines [aircraft-to-infrastructure communications (A2I)] and another aircraft [aircraft-to-aircraft communications (A2A)]; see Fig. 1. Off-the-shelf and wireless solutions can substantially reduce onboard equipment maintenance overhead as well as system weight [3], [5], [7]. This fact and achievable enhancements in information delivery, availability, usage, and management make the e-enabled airplane a promising, cost-effective basis for improvements in flight safety, schedule predictability, maintenance and operational efficiencies, and other areas.

Fig. 1. Illustration of a future air transportation system with e-enabled airplanes, aircraft-to-ground (A2I), and aircraft-to-aircraft communications (A2A).

The latest developments strongly support the envisioned future of the e-enabled airplane. For instance, next-generation commercial airplanes have wireless access points for receiving loadable software [8], [9] and passive RFID tags for storing maintenance data [6], [14]. Other examples in commercial aviation include the introduction of 1090 MHz extended squitter data links for A2A/A2I [24] and broadband networked commercial unmanned aircraft systems [10].

However, due to the high level of integration with off-the-shelf and wireless technologies, the e-enabled airplane information systems are not completely regulated nor isolated from external network access. New vulnerabilities are introduced that may open access to onboard systems and impede their operation, creating safety and airline business concerns.

Current guidance for airplane airworthiness from aviation regulatory agencies, e.g., [11], does not cover emerging security threats to the e-enabled airplane [8], [12], [13], [14]. Therefore, to ensure a safe, secure, reliable, and efficient air transportation system with high capacity, security of the e-enabled airplane must be addressed. An important step towards streamlining this effort is to develop a unified framework for identification of security properties that the e-enabled airplane and its applications must satisfy and for evaluation of candidate solutions. This paper provides such a framework, focusing on three representative applications for the operation, maintenance, and control of the e-enabled airplane.

### B. E-Enabled Airplane Applications

#### 1) Electronic Distribution of Software (EDS) [8], [15], [16]

Distribution of software for airplane systems has been via physical distribution of storage media (e.g., floppy/compact discs) and signed documents over bonded carriers. However, compared to this legacy FAA-approved process, the electronic distribution of software has advantages such as reduction of system weight from onboard storage media. The EDS allows ground servers to deliver software and download data over A2I links from the e-enabled airplane. Aeronautical Radio Inc. is defining standards to secure the EDS for commercial airplanes [17], and industrial implementations are ongoing at Boeing and Airbus [9], [18]. Section V overviews the major security concerns with the EDS.

#### 2) Air Health Management (AHM) [7], [18], [19]

A major goal of AHM is to improve maintenance overhead and lifetime of aircraft. In the e-enabled airplane, wireless sensors and RFID can meet this goal by offering a cost-effective means for continuously monitoring the health of structures and systems. Such a wireless-enabled AHM can provide timely feedback to an onboard computer via in-aircraft communications or to off-board units via A2I, enabling a paradigm shift in commercial aircraft maintenance from the fixed-interval scheduled process to an automated, real-time and proactive process [20]. Section VI discusses security of a wireless-enabled AHM.

#### 3) Air Traffic Control (ATC) [21], [22], [23]

Recent events have highlighted the inefficiencies and lack of fault tolerance of current ATC due to a highly centralized architecture [21]. The e-enabled airplane presents several opportunities to decentralize ATC and share traffic control tasks, such as navigation and aircraft safe separation, with the ground controllers [21]. A recent example is the Automated Dependent Surveillance Broadcast initiative (ADS-B) [24], which can allow the e-enabled airplane to broadcast periodically (every second [22]) its identity and accurate location information to ground controllers (over A2I) as well as other airplanes (over A2A) for enhanced traffic surveillance and situational awareness [45]. Section VII reviews the security of a A2A/A2I-enabled ATC.

### C. E-Enabled Airplane Security Standards and Research

Table 1 presents some security standards for the e-enabled airplane. An Ethernet-based architecture that protects flight-critical in-aircraft network systems from unauthorized access is in [27]. In [26], this architecture is improved with security mechanisms meeting airline constraints.

Table 1 Most Relevant Standards for the E-Enabled Airplane Security. EDS—Electronic Distribution of Software; AHM—Airplane Health Management; ATC—Air Traffic Control; ADS-B—Automated Dependent Surveillance Broadcast

A well-established guidance for development of loadable software by onboard equipment suppliers is in [11], defining software safety-criticality levels based on impact of failure on flight safety, i.e., level A to level E with reducing criticality and development effort. Moreover, a data format for secure distribution of loadable software via EDS is in [17]. Recently, safety implications from onboard use of personal devices, e.g., cellular devices and active RFID tags, were studied in [28]. Further, requirements for safe use of passive RFID tags on airplanes are identified in [29], e.g., use of password-based mechanisms for protecting tag data. Furthermore, ATC tasks based on the ADS-B are presented in [30].

Research efforts have also begun, focusing on issues not addressed by the above standards. In [3], [18], [25], and [26], security mechanisms that can strengthen the in-aircraft network architecture are evaluated. In [8] and [15], a security framework to analyze a generic EDS system is proposed. Further, in [5] and [19], secure integration of wireless sensors and RFID in AHM is studied. In [16], the potential impact of security solutions on onboard information systems is discussed.

In this paper, we provide an extensive survey of fertile research areas related to the e-enabled airplane, presenting the state-of-the-art and identifying several open problems.

### D. Paper Outline

Section II describes the overall system for the e-enabled airplane. Section III provides primitives and solutions to secure this system. Sections IV–VII detail concerns due to vulnerabilities in the in-aircraft network, a generic EDS system, a wireless-enabled AHM, and an e-enabled air traffic control, respectively. Section VIII discusses the e-enabled airplane security challenges. Section IX concludes this paper.

SECTION II

## SYSTEM MODEL OF THE E-ENABLED AIRPLANE

Fig. 2 illustrates the considered system model called Airplane Information Assets Distribution System (AIADS). The AIADS distributes the e-enabled airplane information assets, i.e., information that is valuable for safe, reliable, and profitable operation of the airplane. Based on the three representative applications, the information assets include loadable software (e.g., navigation databases, electronic flight bag, weather reports), health data (e.g., wireless sensor and tag data, diagnostics), and traffic control data (e.g., traffic beacons).

Fig. 2. An abstract model of the AIADS model in which the e-enabled airplane is operating. Dark gray boxes indicate trusted entities and light gray boxes indicate untrusted entities. Blue (thick) lines represent A2A or A2I or in-aircraft network communications.

The top half of Fig. 2 shows that the e-enabled airplane has multiple entities communicating with it for each application, including: manufacturer, equipment suppliers, airlines, aeronautical, and other network service providers, servicers (for maintenance), ATC centers, regulatory agencies (e.g., FAA), and other airplanes. The primary role of a regulatory agency is to certify the aircraft model and ensure compliance of entities with well-established safety guidance, e.g., Part 25 airplane generic configuration for the manufacturer [26], Part 121 airplane operational readiness for the airlines [26], and onboard software development practices for the suppliers [11].

Fig. 2 shows the flow of information assets. The responsibility of the AIADS for an information asset begins when the asset leaves its producer until the asset reaches its destination. The path between the producer and the destination is referred to herein as the end-to-end path. Each of the links in this path must fulfill the security objectives given in Section III-B.

### A. System and Trust Assumptions

Processes at each entity in the AIADS are assumed to be operating as designed and expected. In particular, the AIADS is assumed to be administered appropriately, e.g., proper assignment and management of access privileges at each entity, proper management and protection of passwords, and cryptographic and security quantities. Each supplier is accountable to produce safety-assured loadable software [11]. Additionally, we assume that airlines manage software configuration of their fleet reliably and correctly, including the list of software/updates and latest software versions for each airplane model, and that airplanes can produce a configuration report accurately after receiving loadable software. The ATC and aeronautical service providers are trusted with traffic management tasks in the airspace. The providers of A2I links shared by multiple users, however, may not be considered responsible for airplane operation. Nevertheless, networks are assumed robust against well-known denial of service attacks.

Today, one must assume that terrorists as well as criminals pursuing economic damage are highly capable of employing advanced technologies for attacks on the e-enabled airplane. Therefore, we consider that the objective of an adversary is to lower the airplane safety margins (e.g., terrorist motivation) and/or to induce safety concerns and disturb airline business (e.g., motivation of sophisticated hackers or criminal organizations). We assume that the adversary is capable of external attacks—passive analysis or active manipulation of network traffic, and node impersonation—and internal (insider) attacks.

For simplifying exposition, we limit adversarial attacks to be only over data networks in the AIADS. Further, we note that insider attacks on the e-enabled airplane can be deterred by enforcing legal regulations and sufficiently safeguarded against with physical, logical and organizational inhibitors, checks, and control. However, we consider insider threats for depth and completeness of our security analysis and present solutions that can enhance the level of protection to onboard systems.

In what follows, we propose our framework for securing the e-enabled airplane.

SECTION III

We first identify the major threats to the AIADS assets.

### A. Security Threats

#### 1) Asset Corruption

The adversary may attempt to alter, insert, or delete assets at any point along the end-to-end path between airplane and the source or destination of the asset to present threats to airplane safety or airline business. For example, some of the onboard systems contain safety-critical loadable software assessed to be at level A-C of [11], e.g., flight control computer, or business-critical loadable software assessed to be at levels D and E of [11], e.g., cabin light and in-flight entertainment systems. Malfunction of software in these systems can significantly degrade airplane airworthiness and/or create unwarranted flight delays/costs as well as visible disruptions in the operation of onboard systems, e.g., cabin light flickering. Other examples for critical assets of the e-enabled airplane include health diagnostics, which may be manipulated to hide timely detections, and traffic beacons, which may be corrupted to engineer mid-air collisions.

The adversary can also attack the AIADS for personal gain or for inducing unwarranted safety concerns that cause flight delays, cancellations, and/or create passenger anxiety during flight, presenting additional threats to airline business.

#### 2) False Alarm

Some assets can be corrupted to cause economic damage from misleading alarms. For example, the adversary can attempt to alter the software configuration report from the airplane to create mismatches between actual and intended configurations. Similarly, health diagnostics and traffic beacons may be manipulated.

#### 3) Late Detection

Assets can be intentionally corrupted so that their detection is late enough for the airplane to be put out of service—for example, when corruption is detected in software received at the airplane or in health diagnostics distributed to the ground systems.

#### 4) Asset Sensitivity

Some assets may provide leverage to the adversary for side-channel attacks (e.g., fuel level data) or may be considered to be intellectual property with business value (e.g., RFID tag data).

#### 5) Asset Unavailability

Assets can be made inaccessible, e.g., by jamming networks to disrupt airplane applications.

#### 6) Repudiation

Any entity in the AIADS could deny having performed security-relevant actions on assets.

### B. Basic Security Requirements

The AIADS needs to meet the following requirements to protect distributed assets from the above threats.

#### 1) Integrity

For preventing any corruption of distributed assets by the adversary, the identity and content of the asset received at the destination must be verified to be the same as at the distribution source.

#### 2) Source Authenticity

For preventing injection of corrupted assets by unauthorized entities, the identity of each entity performing an action of any asset must be verifiable.

#### 3) Authorization

The verifiable identity of each entity accessing any asset must be checked to possess the appropriate permission and privilege.

#### 4) Confidentiality

Unauthorized access to sensitive assets must be prevented to protect intellectual property and prevent any future attacks.

#### 5) Correct and Early Detection

In order to prevent unwarranted flight delays and costs, any manipulation of an asset must be detected as soon as possible while also eliminating or reducing false alarms.

#### 6) Availability

Each asset must be available on time to meet regulatory and airline needs (discussed in next section).

#### 7) Traceability

All actions performed on each asset must be logged in a format and for a time period that can satisfy both regulatory and airline needs.

#### 8) Nonrepudiation

In order to support forensics, such as after occurrence of safety hazards, the traceability of actions on each asset must be undeniably associated with at least one authorized entity.

Table 2 shows which threats can be mitigated by the security requirements. We now present some of the major constraints of the AIADS system that can impact these requirements and potential defense mechanisms.

Table 2 Coverage of Threats to AIADS Assets by the Proposed Security Requirements and Solution Mechanisms. √—Satisfied; C—Partially Satisfied; ×—Not Satisfied

### C. Relevant System Constraints

#### 1) Lifetime of the Airplane

Average lifetime of a typical commercial plane and, hence, of its assets, is in the order of several decades. Time-dependent security requirements for the airplane assets, such as nonrepudiation, must take this constraint into account. Further, the constraint imposes the need for long-term security solutions.

#### 2) Stages of Airplane Operation

The different phases of flight can be categorized into three operational stages: on-the-ground, takeoff/landing, and in-flight. The time period of each operational stage of the airplane is fixed. Applications and their security mechanisms are therefore expected to function within these time constraints.

#### 3) Regulatory Requirements

Additionally, certain mandatory guidelines from the regulatory agency must be met for the airplane to be considered airworthy and ready for flight.

The airline fleet operation and maintenance costs must be reduced. Therefore, any security solution must minimize its overhead.

#### 5) Legacy Systems and Processes

In order to obtain return-of-investment from existing onboard systems and processes, new technologies must be compatible with legacy systems and processes in commercial aviation [18].

#### 6) Global Scale of Traversed Path

An airplane may traverse multiple airports during its end-to-end flight, with possible lack of network connectivity at any traversed airport or during flight. At each airport, the airplane can encounter varying conditions such as in terms of protocol standards, security technologies, and export restrictions [18], and multiple off-board systems (e.g., airport wireless access point and airline information systems) may communicate with the airplane. Security solutions therefore must be adaptable and scalable to ensure seamless air travel for the airplane.

As seen in Table 3, any solution approach for securing the e-enabled airplane and applications must take into account the above constraints.

Table 3 AIADS Constraints on the E-Enabled Airplane and Implications for Its Applications and Security

### D. A Solution Approach for AIADS

#### 1) Use of Digital Signatures

Digital signatures constitute one the potential mechanisms to secure distributed assets in the AIADS. We note that the choice of using digital signatures, as opposed to other solutions such as keyed cryptographic hashes and virtual private networks, is made in order to additionally provide nonrepudiation and source authenticity along with integrity across multiple AIADS entities. A generic signed asset from a source to a destination in the AIADS can be of the form TeX Source $${\hbox{asset}, \hbox{sign}}_{\rm source}\left(h{\hbox{(asset)}, \hbox{tstamp}}\right),{\hbox{cert}}_{\rm source}$$where signx(.), Kx denotes signature and public key, respectively, of an entity x. h(.) is a one-way cryptographic hash and a,b denotes concatenation of two strings a and b. The digital certificate of a trusted certificate authority (CA) is of the form TeX Source $${\hbox{cert}}_{\rm source}\!=\!{\hbox{sign}}_{\rm CA}{\hbox{(source}},K_{\rm source},{\hbox{CA}, \hbox{validity}}\_{\hbox{period)}}.$$Assuming the CA's public key is known, the destination can use certsource and tstamp to verify the integrity and source authenticity of the received asset. Verifying signatures as soon as possible at each intermediate entity along the end-to-end path in AIADS can contribute to the correct and early detection of corrupted assets. Signatures in combination with audit logs are sufficient for achieving nonrepudiation and traceability.

Later in Section VIII, we discuss the major challenges posed by the AIADS constraints when using digital signatures as a solution mechanism.

All security-relevant actions during asset distribution as well as actions related to the associated certificates must be authorized, e.g., using role-based access control. Further, for traceability, all security-relevant actions, including unsuccessful attempts, must be time-stamped and logged in tamper-proof storage. Availability for the AIADS systems, especially those supporting A2I applications, can be achieved with host and network protection mechanisms [3]. Further, the A2A and A2I data links can be secured via higher layer security mechanisms, such as IP security at network layer and secure socket layer (SSL) at transport layer; see [3] for a survey of potential mechanisms.

Any copyrighted or sensitive asset requiring confidentiality can be transferred over an encrypted channel, e.g., network layer encryption between airport access point and airplanes. Additionally, some communications in the AIADS may be subject to stringent delay and/or resource constraints. In such cases, symmetric key cryptography offers solutions, e.g., SSL, that are more efficient compared to those based on asymmetric key cryptography [3].

Table 2 shows the requirements and threats satisfied by the solution mechanisms given above. However, as seen in Table 2, these mechanisms may not be sufficient to fully meet the security requirements. Vulnerabilities in the distribution of AIADS assets over the in-aircraft network as well as over A2I/A2A applications must be separately addressed.

SECTION IV

## SECURING THE IN-AIRCRAFT NETWORK

As illustrated in Fig. 3, based on [26] and [27], information systems on the in-aircraft network of the e-enabled airplane can be logically separated into three domains: flight control, cabin, and passenger [26]. The flight control domain consists of avionics and control systems handling safety-critical onboard operations, navigation, and surveillance. Failure of these systems has a direct impact on flight safety. On the other hand, the cabin domain systems mostly support only business critical onboard operations (e.g., cabin lights), maintenance (e.g., health monitoring), and passenger entertainment functions. The passenger domain consists of wireless-enabled personal electronics, such as laptops and cellular devices, that do not support any flight related function.

Fig. 3. An abstract model of the in-aircraft network architecture and domains, showing logical connections between components.

Attacks on the assets in the in-aircraft network can emerge from vulnerabilities in the passenger and cabin domain, e.g., malware-based attacks and signal jamming attacks by the wireless devices carried onboard [27]. A solution approach is to secure all cross-domain communications at multiple layers by using sufficient physical, logical, and organizational inhibitors, e.g., network firewalls, routers, switches, and monitoring tools [3], [25], [26] and usage policies for wireless devices carried onboard. These measures along with other host-based mechanisms (e.g., efficient filtering, redundant storage, tamper-proof logging of security-relevant actions) may ensure that the flight control domain is operational and closed to passenger domain as well as protected against unauthorized access/passive eavesdropping from cabin domain [18]. Similarly, cabin domain is secured from passenger domain.

Overall, such an approach has the potential to protect AIADS assets distributed over in-aircraft communications. However, threats to these assets can emerge from vulnerabilities in the EDS, AHM, and ATC applications of the e-enabled airplane. We cover these threats next.

SECTION V

## SECURING AIRPLANE LOADABLE SOFTWARE ASSETS

Apart from the well-established guidance in [11] to assure loadable software development at suppliers, in Section III we proposed the use of digital signatures for integrity and authenticity of loadable software distribution from suppliers to the e-enabled airplane via the EDS. The software is finally uploaded into the onboard embedded systems by a data-load process. Regulatory agencies mandate that this data-load process is sufficiently protected and controlled. For example, loading is only performed at specified times, such as when the airplane is in maintenance mode, and by authorized personnel using authorized equipment. During the data-load process, additional checks are in place to detect corrupted software, including:

1. cyclic redundancy code check by the embedded system for detecting accidental modifications of software;

2. onboard generated configuration report check to verify that distributed software matches a configuration list at the airline;

3. compatibility check of the uploaded software with the destination hardware and software environments.

However, the data-load process presents vulnerabilities that must be addressed by separate measures in the EDS.

### A. Addressing Vulnerabilities in EDS

#### 1) Use of Onboard Software and Hardware Redundancy

The adversary may alter or replace contents of the loadable software with nonarbitrary bit substitutions, making the corrupted software pass the error check and loadable at the destination. Therefore, safety-critical software and hardware must incorporate redundancies, e.g., several code instances executing in parallel on different system platforms on the airplane, to tolerate and/or detect corrupted software. In order to effectively cripple a safety-critical function in the airplane, the representation of software must be modified at several positions. While this increases the adversary effort, it may restrict the desirable automation of onboard software maintenance.

#### 2) Use of Metadata for Digital Signatures

Loadable software may be incompatible across different software versions and airplane models. The adversary can attempt to exploit this vulnerability and prevent or delay A2I distribution of signed software updates to an airplane as well as divert signed software intended for another airplane model, resulting in anomalies during the compatibility check. A mitigation approach is to include a metadata with the signed software TeX Source $$\displaylines{{\hbox{asset}, \hbox{metadata}, \hbox{sign}}_{\rm source}\left(h{\hbox{(asset)}, \hbox{metadata}, \hbox{tstamp}}\right),\hfill\cr\hfill {\hbox{cert}}_{\rm source}}$$where metadata =ver_num,intended_dest. The version number ver_num and timestamp tstamp ensure that outdated software is not accepted, assuming again that airlines manage the configurations of the airplanes. The intended destination intended_dest in the signed metadata ensures that diverted software is not accepted at incorrect destinations.

### B. A Major Challenge in EDS

In order to integrate the EDS with well-defined guidelines for loadable software development and data-load process that ensure airworthiness, a standardized approach is needed to identify security requirements in a systematic way. Such an approach is proposed in [8] and [15], where the Common Criteria methodology is used for security analysis of a generic EDS system. Emerging as a well-known standard for information system security, Common Criteria provides a framework to identify threats, derive security objectives, state security functions, and specify an evaluation assurance level.3

Both the EDS and AHM depend on digital signatures to protect data from the e-enabled airplane to the ground systems, i.e., software configuration report and health diagnostics, respectively. However, with the integration of wireless sensors and RFID tags in the AHM, the onboard collection of the data used in health diagnostics is vulnerable, as seen next.

SECTION VI

## SECURING AIRPLANE HEALTH ASSETS

We first describe the AHM model and then discuss major vulnerabilities and their mitigation.

### A. Wireless-Enabled AHM Model

Fig. 4 illustrates the AHM model considered in this paper. Passive RFID tags are attached to onboard systems and parts for storing their maintenance data. Smart sensors that possess a signal processing unit, memory, and a wireless communication unit are deployed on airplane structures and systems for health monitoring. These sensors may have heterogeneous capabilities (e.g., node transmission range) and modalities (e.g., vibration, temperature, pressure etc). Further, due to energy constraints, they form a wireless sensor network (WSN) with multihop routes where each sensor communicates directly with one-hop neighbors, i.e., nodes in its radio range. To reduce the overwhelming volume of health data, we assume in-network data aggregation in the WSN [32].

Fig. 4. Illustration of the AHM model considered, containing wireless sensors and RFID tags onboard to collect health data and enable automated and real-time health monitoring. The resulting health diagnostics can be distributed to ground systems for proactive aircraft maintenance.

The aggregator nodes forward data to a base station, which provides this feedback to a central control unit. The feedback is finally sent to the intended airplane subsystems. The data collection in the WSN can be done periodically, upon detection of an event by one or more sensors (e.g., abnormal increase in structural temperature), or on demand by the control unit (e.g., query to determine the fuel level). The airplane subsystems analyze the feedback received from sensors owned by them. The analysis can lead to execution of tasks at the subsystems, such as notifying the pilot or triggering some onboard actuator or initiating a downlink of diagnostics to the ground systems via A2I link. The authorized ground systems of airlines are also capable of initiating download of health data when their airplanes are on the ground and/or in flight.

We assume that the wireless sensors and RFID tags do not degrade under the harsh flight conditions, such as extreme hot/cold temperature and high vibrations. We also assume that sensors for assessing safety-critical parts are subject to physical checks when validating airplane airworthiness; additionally these sensors have a backup hard-wired connection to the control unit to enable cross-checks for verifying consistency of the generated wireless readings. Nevertheless, use of wireless channels allows an adversary to perform remote attacks that can manipulate avionics operation in unexpected ways.

### B. Use of Link Key Cryptography

Since we assume that sensors are energy-constrained, symmetric cryptography is more suited for providing integrity, authenticity, and confidentiality of WSN communications, as opposed to asymmetric cryptography, which is relatively computation and communication intensive. Further, in the WSN, solutions based on link layer cryptography, i.e., using a cryptographic key shared by two neighbors, are more suited when compared to end-to-end solutions [33].

The link keys, however, need to be established by the WSN nodes upon deployment. Since the topology of the WSN is assumed to be predetermined before deployment, the key establishment problem is simplified [34], [35]. A potential solution can be based on the tamper-resistant base station that shares a predistributed pairwise key with each sensor node before deployment. In such an approach, two neighboring sensor nodes can later establish their link keys via the base station. On the other hand, administration of keying material in the AHM is challenging, as will be discussed later.

However, the use of cryptography alone is insufficient to address vulnerabilities in the WSN and RFID [33], [36], [41]. Threats from jamming and side-channel attacks on the network protocols translate to the following primitives.

### C. Addressing Vulnerabilities of WSN

#### 1) Mitigation of Channel Jamming

The adversary can, for example, employ jamming attacks to block or delay safety-critical fault detections from propagating towards the base station. Therefore, channel jamming attacks must be detected as soon as possible and mitigated in the WSN. A potential solution is in [37], where a network node adjusts its transmission rate in order to contain jamming interference.

#### 2) Secure Routing

The sensors in WSN need to route their readings in a timely way and reliably even under attacks. The WSN routing protocol must be robust to jamming attacks that induce long and energy-inefficient routes. The routing protocol must also be robust to attacks based on misleading routing messages. For example, if geographic routing is used then by spoofing location information (e.g., wormhole attack [36]), a compromised node can modify routes at will.

#### 3) Secure Location Verification

Sensor readings are only useful when associated with their physical locations [38]. For example, sensor data that represents a detected crack in the aircraft structure will be useless if it does not include a physical location for the crack. Further, network services, such as geographic routing, depend on node location information [38]. Hence, WSN nodes must be able to securely verify location claims of their neighbors to address attacks based on spoofed location data, e.g., the wormhole attack on geographic routing [39], [40]. Secure location verification also provides another level of source authentication using the position of a neighbor to validate data received from it.

At the same time, the location of some sensors that are used for safety-critical detections may be of interest to the adversary for launching side-channel attacks. Consequently, the communications in the WSN must not reveal the location and type of such sensors to unauthorized entities.

#### 4) Robustness to Sensor Capture

For insider attacks based on compromised sensors, tamper-proof sensor hardware offers a potential solution. However, since this solution is expensive and adds to avionics overhead, the design of WSN algorithms for the above primitives must be capable of tolerating compromise of a fraction of network nodes [35].

### D. Addressing Vulnerabilities of RFID

Unlike the dynamic data observed by wireless sensors, the static nature of information stored in the passive RFID tags onboard the aircraft may imply a false sense of security. However, with the proposed onboard use of transmitting personal electronic devices including RFID tags in the passenger domain [28], potential threats emerge to the integrity, authenticity, confidentiality, and availability of the passive RFID tag data [41]. Attacks including spoofing, unauthorized access, and passive eavesdropping of the stored data can disrupt business of the data users, including the airline, servicers, and suppliers. For example, a bogus tag with a spoofed identity can prevent an expired part from timely replacement. Therefore, security primitives such as robustness to tag impersonation, read access control, and robustness to denial of service (e.g., the kill command) must be met by the RFID system [41].

### E. Major Challenges in Wireless-Enabled AHM

Wireless sensors and RFID tags have unique properties compared to current avionics, yet they may be subject to similar high-performance needs and operational processes existing onboard. Consequently, a number of unprecedented challenges can be anticipated while adopting these technologies onboard.

#### 1) Providing Power-Efficient Solutions for WSN and RFID Tags

Wireless sensors and tags may be subject to a periodic maintenance as current avionics. Assuming the maintenance period can vary in the order of a few weeks to months, the wireless sensors and tags must be able to operate reliably within their energy constraints during this period. For conserving the battery power of the WSN nodes, a balanced combination of sensor processing and energy-efficient data aggregation algorithm is needed. Further, the WSN medium access algorithm employed must also be energy-efficient, e.g., by making nodes periodically enter sleep mode when not active [33]. Additionally, the solution design for the above primitives must incorporate this energy constraint, e.g., by designing energy-efficient secure broadcast routing [42].

#### 2) Ensuring Low End-to-End Path Latency in WSN

Similar to other onboard systems whose response is time-critical, it is pivotal that all detected safety-critical faults be delivered in a timely manner by the WSN to the central control unit for real-time diagnosis by the airplane subsystems, and if needed to the ground systems for further analysis. Consequently, the WSN routing algorithms must be designed to be energy-efficient but under a maximum end-to-end delay constraint.

#### 3) Providing Traceability Under Data Aggregation in WSN

As seen from Section III-B, traceability of authorized actions taken in the AIADS is inherently important. However, use of data aggregation obscures traceability of data in the WSN, reducing, in most cases, the ability to identify the source of the false or malicious fault detection data. The data aggregation algorithm employed in the WSN must address this tradeoff.

#### 4) Accommodating WSN Membership Dynamics

Like other onboard systems, nodes in the WSN can be expected to be removed or replaced over time. Consequently, the key management scheme and policy must be capable of allowing node additions and deletions from the WSN while also ensuring secure periodic key updates in the network.

#### 5) Impact of Active RFID Tags on Airworthiness

In [14], the certified use of passive-only RFID tags onboard commercial airplanes is provided. However, due to safety concerns, the use of active RFID tags still remains to be studied and approved. One of the safety concerns includes the potential for their electromagnetic interference with the operation of flight-critical avionics systems. Any future approval of the use of active RFID tags onboard would, however, provide a stepping stone for the use of the WSN-enabled AHM.

The airplane together with the A2I networked ATC ground controllers and other A2A networked airplanes becomes part of a large-scale decentralized control system that enables global traffic-relevant decisions (e.g., aircraft altitude control) at the ground as well as onboard controllers [21]. The security of this control system, specifically of its A2I and A2A communication networks, is considered next.

SECTION VII

## SECURING AIRPLANE TRAFFIC ASSETS

In this section, the ATC model considered is described, followed by the vulnerabilities that must be addressed.

### A. E-Enabled ATC Model

Each airplane periodically broadcasts (approximately every second) its state vector containing position, altitude, speed, time, and other information [45]. These beacons can be utilized by the ground controllers and other airplanes. The enabled automated surveillance applications can be broadly classified as A2I-Out and A2/A2A-In [45]. In the A2I-Out applications, the periodic beacons are utilized only by ground controllers for surveillance. In the A2I/A2A-In applications, the periodic beacons are also used by other airplanes to enhance pilot's situational awareness, and the ground controllers can communicate traffic and weather reports to the airplanes.

Fig. 5 illustrates some of the applications that use networking and other key enablers such as conflict resolution algorithms to potentially optimize air travel with respect to time and cost (e.g., fuel expenses) [46]. Airplanes traversing remote areas can engage in free flight, i.e., each airplane can self-optimize by choosing its own route, altitude, speed, etc. [21]. Further, the flow of air traffic in a typically congested terminal area can also be optimized, and ground delays at the gates, taxiways, and runways can be significantly reduced [22]. Further, multihop communications in airborne networks can extend information reachability to airplanes in remote areas such as oceans or mountainous regions [22].

Fig. 5. Illustration of considered ATC applications with e-enabled airplanes. Circles indicate a communicating group of nodes (aircraft and ground stations).

While worldwide deployment of enabling infrastructures, e.g., ADS-B [24], supports the future of airborne ad hoc networks in commercial and general aviation, several networking and security challenges remain to be resolved. An abundance of literature, during the last decade, addresses the airborne ad hoc networking issues such as the design of transmission protocols and the impact of air traffic on the network topology4 [22], [23] as well as the design of safety-critical airborne traffic operations such as conflict detection and resolution in free flight [21]. However, only a few have addressed security vulnerabilities in surveillance applications of airborne ad hoc networks [47], [48].

Even with the use of digital signatures, the ATC information assets can be unintentionally corrupted or attacked due to inherent vulnerabilities that are presented next.

### B. Addressing Vulnerabilities of ATC

#### 1) Providing Accuracy Information in Signatures

While the accuracy of ADS-B can be significantly higher than radar, making safety-critical ATC operations rely on a position that is computed onboard and communicated over A2A/A2I poses a vulnerability. For example, an inaccurate position that is beyond the expected error margins can disrupt conflict detection and resolution algorithms, which compute local safe separation between airplanes [21].

The position, velocity, and other spatial data in the beacons is derived from multiple onboard sources, e.g., positioning, altitude, and heading systems. The overall accuracy of these data is dependent on the correctness and robustness of these sources as well as security of the data transfer over in-aircraft network. Therefore, as noted in [45], the signed ATC asset must also include the accuracy of the spatial information in order to establish error margins.

#### 2) Enabling Position Verification

A malicious adversary can, however, attempt to spoof aircraft positions, i.e., make false position claims, to the ground controllers and airplanes—for example, by using a compromised general aviation aircraft equipped with ADS-B, Universal Access Transceiver, or by using unattended ground ADS-B equipment [47], [48].

Initial defense mechanisms have been proposed to verify position information received in A2I-Out applications. In [47], a solution approach is proposed that combines two multilaterations at the ground controller: one from use of time-of-arrival of the aircraft beacons and another from that enabled by ADS-B. This solution, however, requires at least four ground controllers to verify the three-dimensional position by multilateration. Therefore, it has limited applicability to free flight in remote areas where coverage is not as dense. Another solution applicable to the terminal area is the use of secondary surveillance radar for verifying position information received from airplanes [48]. In [48], an approach for position verification of airplanes in free flight is proposed. This makes use of ADS-B enabled multilateration in combination with Kalman filter estimation of the flight trajectory based on the bearing information of the source making the position claim. However, the approach needs an additional dedicated omnidirectional antenna onboard to obtain the heading information.

On the other hand, solutions for verification of position information received in A2I/A2A-In applications do not currently exist. The problem is made challenging due to the difficulty of using time-of-arrival based multilateration in a mobile aircraft, as well as potential for spoofing on the A2I link from ground controller [47]. Most safety-threatening situations, such as midair collisions, can be potentially mitigated by relying on an onboard traffic collision and alerting system transceiver that can interrogate transceivers of neighboring airplanes [45]. However, we note that, as seen in Section VI-C2, spoofing can be used to delay communications over multihop routes in the airborne ad hoc network, which in turn reduces information reachability and its safety benefits [22]. Therefore, the design of position verification mechanisms for A2I/A2A-In applications is pivotal. A potential solution is to build on the approach in [48] and ensure that more information apart from only heading, e.g., range and intended destination, of the claimer is available to the verifier.

### C. A Major Challenge in ATC

Even with the increase of automation, the human-in-the-loop will continue to play an important role in controlling the commercial airplane in the AIADS. However, for airplane safety, apart from securing information assets, it is also pivotal to properly present delivered information to the pilot who is an overloaded user. With the enormous amount of information available from the A2I-Out and A2I/A2A-In applications, a major challenge lies in the design of a suitable interface that can provide a coherent and correct presentation to the flight and ground crew controlling the airplane [46].

SECTION VIII

## CHALLENGES IN E-ENABLED AIRPLANE SECURITY

We present some major challenges in onboard and ground systems due to AIADS constraints in Section III-C.

### A. Enabling the Use of Digital Signatures

Digital signatures require a public key infrastructure (PKI), a mechanism that manages identities with associated cryptographic keys and digital certificates [16]. However, the use of a PKI raises issues with the interoperability between multiple CAs and the standardization of certificate policy for aviation to enable global seamless air travel, such as establishment of a “bridge of trust” between unique trusted third parties and development of a policy for various use-cases encountered by the e-enabled airplane [9]. Moreover, as seen in Section VIII-E, PKI can limit the assurance level of the AIADS.

Further, over the aircraft lifetime, an increase in cryptanalytic capabilities of the adversary can also increase the potential for compromise of the signing. Hence to accordingly elongate lifetime of AIADS asset signatures, mechanisms such as periodic key refresh, longer keys, or provably secure/forward secure signature algorithms must be considered.

### B. Enabling Global Onboard Verification of Signatures

At each traversed airport, the e-enabled airplane may not have guaranteed network access. In the presence of network connectivity, the airplane communicates with multiple off-board systems. Each access point can be shared by multiple airlines at that airport. Additionally, the airplane will receive software from multiple suppliers of the onboard equipment. With the use of digital signatures, this multidomain problem reduces to ensuring onboard validation of certificates received with the asset for verifying asset signature, even in the absence of networks. Potential solution approaches include the use of a PKI or preloaded certificates on the airplane [16]. However, this problem is further complicated in the ATC context, due to the large number of airplanes that can be encountered by each aircraft, as well as the real-time constraints of the control network for verification of the received assets. Further, the scalability of solutions to enable secure verification of received ATC assets at ground controllers can be an issue.

### C. Impact of Key and Certificate Management on Airlines

The introduction of certificates and keys in onboard storage clearly affects the e-enabled airplane operator guidance and levies new requirements on airlines, including the need for a PKI [16]. Consequently, airlines may need guidance to cover emerging needs of the e-enabled airplane, such as for distribution and update of certificates and keys.

Fig. 6 illustrates a potential allocation of anticipated operational requirements imposed on the airlines by the e-enabled airplane [16]. To minimize overhead, these requirements are integrated into a typical infrastructure and processes at many airlines. Based on the approach taken by the airlines to handle certificates, there can be an ad hoc solution, i.e., use of preloaded certificates that do not employ a trust chain, or a structured solution, i.e., use of a PKI. Accordingly, the airline CA issuing the trusted certificates may be an offline third-party vendor from which certificates are purchased or an online entity that is external or internal to the airlines.

Fig. 6. Illustration of a possible integration of some operational tasks associated with the e-enabled airplane to the existing typical infrastructure and organizational structure of airlines.

The distribution of keys and trusted certificates to airplanes can be challenging. This distribution must be protected by either a secure online or out-of-band mechanism. A potential solution approach is to enable onboard generation of the airplane private key and to ensure authentic distribution of the corresponding certificate request to the CA of the airlines, or authentic distribution of the airplane self-signed certificate to all off-board components that require it for verification of assets. Similarly, integrity and authenticity of trusted certificates must be protected during distribution to onboard storage.

The security of the AIADS depends on the integrity and authenticity of trusted certificates and the confidentiality of private keys. However, an airplane may interface with multiple networks, and the embedded systems storing airplane keys and certificates may be replaced as needed over the airplane life cycle. These constraints require careful consideration to protect the airplane's private key. Further, compromise of a ground system or an airplane's private key requires that that entity's certificates be revoked to prevent misuse of signatures in the AIADS. Consequently, the e-enabled airplane must be able to validate certificate status periodically or on demand.

### D. Impact of Security on Safety

Although existing literature such as [49], [50], [51] argues for commonality among the safety and security disciplines, it remains an open problem as to how the two fields can be integrated. While indeed security affects safety, it is not clear how to express the relevant security considerations and accommodate security risks and mitigations in a safety analysis. Security threats are not bounded and their impact can change over time, making traditional quantitative, probabilistic safety analysis inapplicable for security evaluation [18]. The formulation of guidelines for assessing safety-critical systems along with their security needs would hence require approaches that can integrate the typically discrete methods of security analysis into the quantitative, probabilistic methods [8].

### E. High Assurance for AIADS Applications

For airplane safety, the threat level to AIADS assets is that of international terrorists, i.e., sophisticated adversary with moderate resources who is willing to take significant risk [31]. Failure from corrupted safety-critical assets, e.g., loadable software assigned Level A of [11], can be catastrophic. Therefore, according to [31], the integrity and authenticity of safety-critical assets should be guaranteed by the AIADS at an evaluation assurance level of 6 [31]. However, realizing this assurance level can be challenging, since evaluation of commercially available PKI is currently limited to the level 4. Further, level 6 requires consideration for the use of formal methods to model and verify systems supporting the EDS.

The airline business' threat level, however, is that of organized crime, hackers, and international corporations, i.e., a sophisticated adversary with moderate resources who is willing to take little risk [31]. Hence, the evaluation assurance level 4 is enough to evade business concerns in the AIADS [31].

An assurance level of 6 incurs a significant evaluation effort for systems handling safety-critical assets, including at the airlines. Therefore, an architecture-based solution is needed to reduce costs and time for evaluation of airline systems. As suggested in [8], a potential solution is a two-level approach where the AIADS mechanisms for the most critical security requirements, i.e., integrity, authenticity, and authorization for asset corruption threat in Table 2, reach an evaluation assurance level of 6 while the remaining components are kept at level 4. This approach enables the design of an architecture that can isolate mechanisms requiring high evaluation, reducing the evaluation effort at the airlines.

### F. Securing Wireless Networked Control of Airplane

A future extension of a wireless-enabled AHM can be in the real-time networked control of the e-enabled airplane [43]. Wireless sensors and actuators can be used as field devices for non-safety-critical controls. The field devices can be integrated with other onboard AHM components in Fig. 4 to form a distributed control system that enables localized computations and actuation (e.g., local temperature control). The system includes a data network, i.e., interconnected wireless sensors, tags, and readers, as well as the control network.

Although both data and control networks are subject to the same threats, the impact of these threats on the control network is more critical. For example, by incurring delays or jamming packets in the control network, the adversary can create instabilities and unwanted responses in the control system [43], [44], directly affecting airplane operation. However, most of the current approaches analyzing the stability of networked control systems consider delays [43] and packet losses [44] arising from queuing and congestion in the network. They do not consider the presence of a malicious adversary that is disrupting the control network communications to cause system instabilities. For example, in [43], a dynamic network resource scheduling algorithm for time-critical information sources in a control system is proposed, but the modeled delay is only due to the scheduling and not malicious disruptions. In order to protect communications and prevent unauthorized access to the wireless control network, a promising approach is in multilayer security, including at the physical layer.

SECTION IX

## CONCLUSION

The e-enabled airplane with its A2I and A2A applications is envisioned to revolutionize commercial aviation by facilitating rapid advances in next-generation air transportation systems. However, the use of wireless and off-the-shelf technologies introduces vulnerabilities that mandate careful security considerations due to the potential airplane safety and airline business concerns. Further, the resulting security needs and mechanisms must be integrated into the well-defined processes related to airplane operation, control, and maintenance.

Previous works have focused on securing the distribution of airplane information assets over the in-aircraft network. However, new threats to the integrity of these assets emerge from A2I and A2A applications including EDS, AHM, and ATC. In this paper, we presented a framework to evaluate the security of these applications. We summarized a security evaluation methodology to integrate EDS for supporting current and future commercial airplanes. We also considered emerging threats from potential use of wireless sensors and RFID tags for AHM as well as for wireless networked control of an airplane. Furthermore, we reviewed the security challenges with air traffic surveillance applications based on A2A/A2I data links such as 1090 MHz ADS-B, solutions to which can enormously benefit future ad hoc networking of airplanes.

Finally, we consider this paper to be a precursor to a cyber-physical system view of aviation information systems [52].

APPENDIX

## COMMON ABBREVIATIONS IN THIS PAPER

### Acknowledgment

The authors would like to thank R. V. Robinson, M. Li, S. A. Lintelman, and C. Royalty from The Boeing Company and D. von Oheimb from Siemens Corporation for collaborating on the electronic distribution of loadable software.

## Footnotes

Manuscript received nulldate; revised July 12, 2008. Current version published nulldate. This work was supported in part by ARO PECASE under Grant W911NF-05-1-0491, ARO under Grant W-911NF-07-1-0287, and Boeing under Grant 207946. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors, and should not be interpreted as the views of the U.S. Army Research Office, or the U.S. Government, or The Boeing Company.

K. Sampigethaya and R. Poovendran are with the Network Security Lab, Electrical Engineering Department, University of Washington, Seattle, WA 98195 USA (e-mail: rp3@u.washington.edu).

L. Bushnell is with the Networked Control Systems Lab, Electrical Engineering Department, University of Washington, Seattle, WA 98195 USA.

1. www.jpdo.gov/.

2. http://www.eurocontrol.int/sesa.

3. http://www.commoncriteriaportal.org.

4. http://www.airborneinternet.org.

## References

1. Fact Sheet—Economic and Social Benefits of Air Transport

International Air Transport Association, http://www.iata.org/pressroom/facts_figures/fact_sheets/economic_social_benefits.htm

2. International Media Release

3. Security considerations for the e-enabled aircraft

C. Wargo, C. Dhas

Proc. Aerosp. Conf., 2003

4. Global Positioning System: Signals, Measurements, and Performance

P. Misra, P. Enge

Lincoln, MA
Ganga-Jamuna, 2001

5. Wireless sensor network for aircraft health monitoring

H. Bai, M. Atiquzzaman, D. Lilja

6. Rfid in commercial aviation

Aircraft Technol. Eng. Maintenance, vol. 75, p. 92–99, 2005-04/05

7. Wireless solutions for aircraft condition based maintenance systems

R. Harman

Proc. Aerosp. Conf., 2002

8. Electronic distribution of airplane software and the impact of information security on airplane safety

R. Robinson, M. Li, S. Lintelman, K. Sampigethaya, R. Poovendran, D. von Oheimb, J. Busser, J. Cuellar

Proc. Int. Conf. Comput. Safety, Reliab. Security (SAFECOMP), 2007

9. Data and Communication Security Standards in Practice

J. Pawlicki, J. Touzeau, C. Royalty

10. Unmanned aircraft systems

RTCA Special Committee 203, RTCA Paper 006-06/PMC-438, 16-12-2005

11. Software considerations in airborne systems and equipment certification

RTCA, DO-178B, 1992

12. 14 CFR Part 25, Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security-Isolation or Protection From Unauthorized Passenger Domain Systems Access

Federal Aviation Administration, [docket no. NM364 special conditions no. 25-07-01-SC], Federal Register, vol. 72, no. 71, 13-04-2007, http://www.edocket.access.gpo.gov/2007/pdf/E7-7065.pdf

13. 14 CFR Part 25, Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security-Protection of Airplane Systems and Data Networks From Unauthorized External Access

Federal Aviation Administration, [docket no. NM365 special conditions no. 25-07-02-SC], Federal Register, vol. 72, no. 72, 16-04-2007, http://www.edocket.access.gpo.gov/2007/pdf/07-1838.pdf

15. Challenges for it infrastructure supporting secure network-enabled commercial airplane operations

R. Robinson, K. Sampigethaya, M. Li, S. Lintelman, R. Poovendran, D. von Oheimb

Proc. AIAA Infotech@Aerosp. Conf., 2007

16. Impact of public key enabled applications on the operation and maintenance of commercial airplanes

R. Robinson, M. Li, S. Lintelman, K. Sampigethaya, R. Poovendran, D. von Oheimb, J. Busser

Proc. AIAA Aviation Technol., Integr. Oper. (ATIO) Conf., 2007

17. Electronic distribution of software

Aeronautical Radio Inc., ARINC 666, 2006

18. Use of integrated vehicle health management in the field of commercial aviation

G. Bird, M. Christensen, D. Lutz, P. Scandura

Proc. NASA ISHEM Forum, 2005

19. Secure wireless collection and distribution of commercial airplane health data

K. Sampigethaya, M. Li, R. Poovendran, R. Robinsin, L. Bushnell, S. Lintelman

Proc. Digital Avion. Syst. Conf. (DASC), 2007

20. Health monitoring and management systems (HMMS)

R. Domingo

Proc. U.S./Europe Int. Aviation Safety Conf., 2006

21. A next generation architecture for air traffic management systems

G. Pappas, C. Tomlin, J. Lygeros, D. Godbole, S. Sastry

Proc. 36th IEEE Conf. Decision Control 1997, 1997, vol. 3, 2405–2410

M. Cheng, Y. Zhao

J. Aerosp. Comput., Inf., Commun., vol. 1, issue (5), p. 225–238, 2004

23. Advanced communications networking concepts for the national airspace system

J. Burbank, R. Nichols, S. Munjal, R. Pattay, W. Kasch

Proc. IEEE Conf. Aerosp. 2005, 2005, 1–19

25. Aviation data networks: Security issues and network architecture

N. Thanthry, R. Pendse

Proc. 38th Annu. 2004 Int. Carnahan Conf. Security Technol. 2004, 2004, 77–81

26. Commercial aircraft information security—An overview of ARINC report 811

M. Olive, R. Oishi, S. Arentz

Proc. IEEE/AIAA 25th Digital Avion. Syst. Conf., 2006, 1–12

27. Computing security policies and objectives for an airborne information network

C. Royalty

Aircraft Data Network 664 Working Group, 2002

28. Guidance on allowing transmitting portable electronic devices (T-PEDs) on aircraft

RTCA Special Committee 203, DO-294B, 2007-12

29. Passive RFID tags intended for aircraft use

SAE, SAE AS5678, 2006-12

30. Minimum aviation system performance standards (MASPS) for ADS-B, rev. A

RTCA Special Committee 186, DO-242A, 2002-06

31. Information Assurance Technical Framework

U.S. National Security Agency, rel. 3.1, http://www.iatf.net/framework_docs/version-3_1/

32. Wireless sensor information fusion for structural health monitoring

J. Ou, H. Li

Proc. SPIE, 2003, vol. 5099, 356–362

33. Security in wireless sensor networks

A. Perrig, J. Stankovic, D. Wagner

Commun. ACM, vol. 47, issue (6), p. 53–57, 2004

34. A key-management scheme for distributed sensor networks

L. Eschenauer, V. D. Gligor

Proc. 9th ACM Conf. Comput. Commun. Security (CCS '02), 2002, 41–47

35. A canonical seed assignment model for key predistribution in wireless sensor networks

P. Tague, R. Poovendran

Commun. ACM, Vol. 3, issue (4), 2007-10

36. A graph theoretic framework for preventing the wormhole attack in wireless ad hoc networks

R. Poovendran, L. Lazos

Wireless Netw., vol. 13, issue (1), p. 27–59, 2007

37. Optimal jamming attacks and network defense policies in wireless sensor networks

M. Li, I. Koutsopoulos, R. Poovendran

Proc. 26th IEEE Int. Conf. Comput. Commun. (INFOCOM 2007), 2007, 1307–1315

38. SeRLoc: Robust localization for wireless sensor networks

L. Lazos, R. Poovendran

ACM Trans. Sensor Netw. (TOSN), vol. 1, issue (1), p. 73–100, 2005

39. Secure verification of location claims

N. Sastry, U. Shankar, D. Wagner

Proc. 2003 ACM Workshop Wireless Security, 2003, 1–10

40. ROPE: Robust position estimation in wireless sensor networks

L. Lazos, R. Poovendran, S. Čapkun

Proc. 4th Int. Symp. Inf. Process. Sensor Netw. (IPSN '05), 2005, 43

41. Security and privacy aspects of low-cost radio frequency identification systems

S. Weis, S. Sarma, R. Rivest, D. Engels

Security Perv. Comput., p. 201–212, 2003

42. Power proximity based key management for secure multicast in ad hoc networks

L. Lazos, R. Poovendran

Wireless Netw., vol. 13, issue (1), p. 127–148, 2007

43. Stability analysis of networked control systems

G. Walsh, H. Ye, L. Bushnell, C. Technol, C. Oakland

IEEE Trans. Contr. Syst. Technol., vol. 10, issue (3), p. 438–446, 2002

44. Stability of networked control systems in the presence of packet losses

in Proc.. 42nd IEEE Conf. Decision Contr., 2003, 1

45. Benefits and incentives for ADS-B equipage in the National Airspace System

E. Lester, J. Hansman

MIT ICAT Rep. ICAT-2007-2, 2007

D. W. Nelms

Avion. Mag., 1-10-2007

47. Integrity and security of ADS-B

M. Sharples, H. Hutchinson, K. Carpenter, D. Bowen

Proc. SurTech, 2004

48. Independent ADS-B verification and validation

J. Krozel, I. Andrisani

Proc. AIAA 5th Aviation, Technol., Integr., Oper. Conf. (ATIO), 2005, 1–11

49. Safe and sound: A safety-critical approach to security

S. Brostoff, M. Sasse

Proc. ACM Workshop New Security Paradigms, 2001, 41–50

50. Why safety and security should and will merge, Invited talk

A. Pfitzmann

Proc. Int. Conf. Comput. Safety, Reliab. Security (SAFECOMP), 2004

51. From security to safety and back

V. Stavridou, B. Dutertre

Proc. Conf. Comput. Security, Depend. Assurance, 1998, 182–195

52. High assurance aerospace CPS and implications for automotive industry

S. Lintelman, K. Sampigethaya, M. Li, R. Poovendran, R. Robinson

Proc. Nat. Workshop High Confidence Automotive Cyber-Physical Syst. (CPS), 2008-04

## Cited By

Challenges and Solutions for Embedded and Networked Aerospace Software Systems

Proceedings of the IEEE, vol. 98, issues (4), p. 621–634, 2010

## Keywords

### IEEE Keywords

No Keywords Available

### INSPEC: Controlled Indexing

aircraft communication, aircraft control, aircraft maintenance, authorisation, avionics

### More Keywords

No Keywords Available

No Corrections

## Media

No Content Available
This paper appears in:
Proceedings of the IEEE
Issue Date:
December 2008
On page(s):
1992 - 2007
ISBN:
0018-9219
Print ISBN:
N/A
INSPEC Accession Number:
10401572
Digital Object Identifier:
10.1109/JPROC.2008.2006123
Date of Current Version:
16 Jan, 2009