Abstract
MIL-STD-1553 is a military standard that defines the physical and logical layers and the command/response time-division multiplexing of a communication bus that has been used in military and aerospace avionic platforms for more than 40 years. As a legacy platform, MIL-STD-1553 was designed for a high level of fault tolerance, while less attention was paid to security. Recent studies have already addressed the impact of successful cyber-attacks on aerospace vehicles that implement MIL-STD-1553. In this work we present a security analysis of MIL-STD-1553, which enumerates the assets and threats to the communication bus and defines the attacker’s profile.
References
Chong, J., Pal, P., Atigetchi, M., Rubel, P., Webber, F.: Survivability architecture of a mission critical system: the DPASA example. In: 21st Annual Computer Security Applications Conference (ACSAC 2005), December 2005, pp. 10, 504
Data Device Corporation: MIL-STD-1553 Designer’s Guide (1998)
Gillen, A., Shelton, J.: Introduction of 3910 high speed data bus. In: Military Communications Conference, MILCOM 1992, Conference Record. Communications-Fusing Command, Control and Intelligence, pp. 956–960. IEEE (1992)
Gligor, V.D.: A note on the denial-of-service problem. In: IEEE Symposium on Security and Privacy, pp. 139–149 (1983)
Jiang, W., Guo, W., Sang, N.: Periodic real-time message scheduling for confidentiality-aware cyber-physical system in wireless networks. In: 2010 Fifth International Conference on Frontier of Computer Science and Technology, pp. 355–360, August 2010
Kuhn, M.G., Anderson, R.J.: Soft tempest: hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49380-8_10
Lindsay, J.R.: Stuxnet and the limits of cyber warfare. Secur. Stud. 22(3), 365–404 (2013)
Liu, Y., Ning, P., Reiter, M.K.: False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(1), 13 (2011)
Mayoux, J.-J.: The data bus of the next generation European fighters. In: Proceedings of the IEEE 1993 National Aerospace and Electronics Conference, NAECON 1993, pp. 152–156. IEEE (1993)
McGraw, R.M., Fowler, M.J., Umphress, D., MacDonald, R.A.: Cyber threat impact assessment and analysis for space vehicle architectures. In: International Society for Optics and Photonics SPIE Defense + Security, p. 90850K (2014)
Miller, B., Rowe, D.: A survey of SCADA and critical infrastructure incidents. In: Proceedings of the 1st Annual Conference on Research in Information Technology, RIIT 2012, pp. 51–56. ACM (2012)
Mo, Y., Sinopoli, B.: False data injection attacks in control systems. In: Preprints of the 1st Workshop on Secure Control Systems, pp. 1–6 (2010)
Murdock, J.K., Koenig, J.R.: Open systems avionics network to replace MIL-STD-1553. In: Proceedings of 19th Digital Avionics Systems Conference, 19th DASC (Cat. No. 00CH37126), vol. 1, pp. 4E5/1–4E5/6, October 2000
Nguyen, T.D.: Towards MIL-STD-1553B covert channel analysis. Technical report, Naval Postgraduate School, Monterey, California (2015)
US Department of Defense: Fiber Optics Mechanization of an Aircraft Internal Time Division Command/Response Multiplex Data Bus, May 1988
Vai, M., et al.: Systems design of cybersecurity in embedded systems. In: 2016 IEEE High Performance Extreme Computing Conference (HPEC), pp. 1–6, September 2016
Appendices
A Assets and Potential Consequences
Asset | Integrity | Confidentiality | Availability |
---|---|---|---|
Transceiver | Compromised transceiver can provide corrupted data to the subsystem it connects to the bus or to other components connected to the bus, which can lead to incorrect operation | | Compromised/corrupted transceiver can stop data transfer between the bus and the subsystem, which can lead to DoS to the subsystem it connects to the bus and/or to other components that depend on the data it should transmit |
Transmission medium (the bus itself) | Shorts or failure of the transmission medium may provide corrupted data to the components connected to the bus which can further lead to incorrect operation of the system | Electromagnetic energy emanating from compromised transmission medium may be used to deduce the information transmitted on the bus and compromise the system’s confidentiality | Shorts or failure of the transmission medium may lead to total disconnection of the communication over the bus and interrupt the system’s operation |
Coupler | Compromised coupler can provide corrupted data to the RT it connects to the bus, or to other components connected to the bus which can lead to incorrect operation | Electromagnetic energy emanating from a compromised coupler may be used to deduce the information transmitted on the bus and compromise the system’s confidentiality | Unavailable coupler disconnects the RTs connected to the coupler from the bus. In some cases it can also cause DoS to other components connected to the bus |
Subsystem | Compromised subsystem can provide corrupted data to other components and lead to incorrect operation. It can also spoof as another component by changing the TA field of a command | Compromised subsystem can abuse access to devices that have the ability to transmit data outside the system (i.e., radio transmitter) and leak sensitive information | Unavailable subsystem stops responding to commands and data transmission which might lead to DoS to other components depending on its outputs and possibly even to the entire system. Corrupted data sent by a compromised subsystem to other subsystems may also result in DoS |
DPR data | Corrupted data provided to a component can lead to incorrect operation | Classified data that leaks outside the system in plain text can be abused by malicious individuals | Unavailable or corrupted data may lead to DoS to the components depending on it, and possibly even to the entire system |
Subsystem data | Corrupted data provided to a component can lead to incorrect operation of the system | Classified data and/or operation logic that leaks outside the system in plain text can be abused by malicious individuals | Unavailable or corrupted data may lead to failure of the subsystem’s operation and may also result in DoS to the components depending on its outputs and possibly even to the entire system |
Data in motion | Corrupted data provided to a component can lead to incorrect operation of the system | Classified data and/or operation logic can be leaked outside the system by compromising emanation and can be abused by malicious individuals | Unavailable data might lead to DoS to the components depending on it and possibly even to the entire system |
B Threats and Attack Methods
Category | DoS attack | Data leakage | Data integrity violation |
---|---|---|---|
Message manipulation | |||
Command word | WC field: changing the WC field to a smaller number causes the target RT to receive or transmit partial data, which can lead to an error in the target RT or in other RTs depending on its output; changing the WC field to a larger number can also lead to an error due to collisions and corrupted data reception. T/R bit: flipping the T/R bit in a ‘transmit’ command causes the target RT to receive a ‘receive’ command, so it responds with an error or waits for data that is never transmitted; furthermore the RT will not send the data it should to other RTs, which then do not get their inputs. Flipping the T/R bit in a ‘receive’ command causes the target RT to receive a ‘transmit’ command, which can lead to an error or to a data transmission that collides with the data the BC continues to transmit for the ‘receive’ command. TA field: changing the TA field to another or an unsupported RT address prevents the command from reaching its target RT and can cause a failure in that RT’s operation or in other RTs depending on it | WC field: by changing the WC field of a ‘transmit’ command to a larger number, the threat agent might cause the target RT to transmit more data than it should; if the attacker is familiar with the memory map of the target RT, this method can be used to access restricted areas of the target RT’s memory. TA field: by changing the TA field of a ‘transmit’ command to another RT address, the threat agent might obtain data from a subsystem that it is not authorized to hold; by changing the TA field of a ‘receive’ command, the threat agent can force an RT to accept data that it might not be authorized to hold | A threat agent with BC capabilities can tamper with the communication between the real BC and various RTs. The threat agent can corrupt the original command while it is transmitted over the bus and send its own command to the target component instead. The target component sends its response without knowing that the command it received differs from the original one, and the real BC receives a response to a command it did not send |
Status word | A compromised RT can impersonate another RT and set the ‘Busy’, ‘Terminal’, or ‘Subsystem’ flags in its status word, giving the BC a false indication of a malfunction or an inability to handle messages and thus disrupting the communication with that RT. Similarly, a fake BC can respond on behalf of the target RT and signal the BC to stop sending commands to the target component | Leaking data via status words can be done by utilizing the ‘reserved’ bits (see Fig. 2), three bits that are reserved for future development of the standard. The standard specifies that these bits should be unused and remain set to zero. A lack of status word monitoring enables cooperating threat agents to transfer any data without detection | Any threat agent connected to the bus (with BC or RT capabilities) can corrupt status words transmitted back to the real BC and send fake statuses as if it were the transmitting RT |
Data word | – A malicious BC or RT can alter legitimate data transmitted and cause failure in the target component (if the target component doesn’t perform validation at the subsystem level) – An attacker who has prior knowledge about the target component can generate and inject fake data that can cause failure, disrupt the normal operation, or impair the outputs of the target component | Any threat agent can use the data words it transmits in order to modulate additional payload. This type of attack requires a cooperating threat agent who is familiar with the modulation method and can then decode the additional payload | Threat agents can utilize idle times on the bus and resend fake commands to target components on behalf of legitimate components, in order to override the real data stored in the target components’ memory. The target components will consider the fake data to be the real data received from the legitimate component |
Behavior manipulation | |||
Command word | Fake command: issuing fake commands (either defined by the standard or meaningless) that are not part of the system’s normal operation may result in collisions, blocking all communication over the bus or affecting the proper operation of the system (e.g., issuing shut-down commands or clock synchronization at incorrect times). WC field: sending less data than specified by the WC field of a command causes the target component to receive incomplete data and possibly fail to operate; sending an excessive amount of data can cause a collision if the target component responds with its status while the threat agent is still transmitting data | Nguyen presented in [14] a storage attack method for creating a covert channel between two compromised components of different security levels over the 1553 bus; it requires a compromised BC and a compromised RT and is based on the RT’s specific ‘command illegalization’ implementation | |
Status word | | Nguyen presented in [14] a storage attack method for creating a covert channel between two compromised components of different security levels over the 1553 bus; it is based on the Service Request (SR) bit of a status word and requires a cooperating BC and RT | |
Transmission timings | Threat agents that can control the timing of their transmissions can transmit messages at a time of their choice; sending unexpected messages to target components may result in failures. Such threat agents can also cause collisions that corrupt data transmitted over the bus (e.g., by transmitting at random times), which can lead to errors or incorrect operation of other components | Nguyen presented in [14] a timing attack method for creating a covert channel between two compromised components of different security levels over the 1553 bus, in which two cooperating RTs establish a signaling mechanism based on their response time delays, which are interpreted as binary data. A threat agent with BC capabilities can also utilize idle time periods on the bus and initiate data transfer with any RT in order to extract data; if a cooperating threat agent is connected to the bus, the agent with BC capabilities can initiate RT-RT communication and transfer data from the target RT to the cooperating threat agent | |
BM impersonation | | Any threat agent connected to the bus can act as a BM and record the data transmitted over the bus, which is available to all components connected to the bus. This data may be further leaked to other components or external devices via removable hardware (e.g., USB, CD, or magnetic tape), an available connection to other networks, or covert channels | |
Tempest | | Malicious individuals can eavesdrop on and capture the electromagnetic emanations of components [6] (which can be enhanced by physically sabotaging the components) and analyze them in order to obtain information about the target component’s operation, which can hint at other operations and characteristics of the entire system and help the attacker understand it better | |
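The command-word and status-word manipulations listed above are exactly what a bus monitor with a static message schedule can check for. The following Python example is added here as an illustration and is not part of the paper or of any 1553 product: the word bit layouts follow MIL-STD-1553B, while the message schedule, the captured sequence, and the finding codes are constructed assumptions. It replays a capture of command, status, and data words and flags unscheduled commands (altered WC, T/R, or TA fields and fake commands), data word counts that differ from the WC field, status words answered by a different terminal address, and status words whose reserved bits are non-zero.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# 16 information bits per MIL-STD-1553B (sync and parity omitted)


@dataclass(frozen=True)
class CommandWord:
    ta: int  # terminal address, bits 15-11
    tr: int  # transmit/receive bit, bit 10 (1 = the RT transmits)
    sa: int  # subaddress or mode indicator, bits 9-5
    wc: int  # word count or mode code, bits 4-0 (WC 0 means 32 data words)

    @classmethod
    def decode(cls, word: int) -> "CommandWord":
        return cls((word >> 11) & 0x1F, (word >> 10) & 1, (word >> 5) & 0x1F, word & 0x1F)

    def encode(self) -> int:
        return (self.ta << 11) | (self.tr << 10) | (self.sa << 5) | self.wc

    def expected_data_words(self) -> int:
        if self.sa in (0, 31):  # mode-code command: no data block (mode codes with a data word are not modelled)
            return 0
        return 32 if self.wc == 0 else self.wc


@dataclass(frozen=True)
class StatusWord:
    ta: int               # bits 15-11, must echo the command's terminal address
    service_request: int  # bit 8, the SR bit the covert channel in [14] signals with
    reserved: int         # bits 7-5, required to be zero by the standard
    busy: int             # bit 3

    @classmethod
    def decode(cls, word: int) -> "StatusWord":
        return cls((word >> 11) & 0x1F, (word >> 8) & 1, (word >> 5) & 0x7, (word >> 3) & 1)


def status_word(ta: int, reserved: int = 0) -> int:
    """Build a status word carrying only the terminal address and, optionally, reserved bits."""
    return (ta << 11) | ((reserved & 0x7) << 5)


def audit_capture(schedule: Set[Tuple[int, int, int, int]],
                  capture: Iterable[Tuple[str, int]]) -> List[Tuple[int, str]]:
    """Replay a bus-monitor capture of (kind, word) pairs, kind in {"cmd", "stat", "data"},
    against a static message schedule of (TA, T/R, SA, WC) tuples. Only BC-RT and RT-BC
    transfers are modelled. Returns (message index, finding code) pairs."""
    findings: List[Tuple[int, str]] = []
    current: Optional[CommandWord] = None
    data_seen = 0
    msg_index = -1

    def close_message() -> None:
        # fewer or more data words than the WC field announced (Appendix B, "WC field")
        if current is not None and data_seen != current.expected_data_words():
            findings.append((msg_index, "WORD_COUNT_MISMATCH"))

    for kind, word in capture:
        if kind == "cmd":
            close_message()
            current, data_seen, msg_index = CommandWord.decode(word), 0, msg_index + 1
            # a command outside the schedule covers altered WC, T/R and TA fields
            # as well as fake commands injected during idle time
            if (current.ta, current.tr, current.sa, current.wc) not in schedule:
                findings.append((msg_index, "UNSCHEDULED_COMMAND"))
        elif kind == "stat":
            st = StatusWord.decode(word)
            if current is None or st.ta != current.ta:  # status answered on another RT's behalf
                findings.append((msg_index, "STATUS_ADDRESS_MISMATCH"))
            if st.reserved != 0:  # reserved bits used as a storage covert channel
                findings.append((msg_index, "RESERVED_STATUS_BITS"))
        elif kind == "data":
            data_seen += 1
        else:
            raise ValueError(f"unknown word kind {kind!r}")
    close_message()
    return findings


SAMPLE_SCHEDULE = {(3, 1, 5, 4), (7, 0, 2, 2)}  # constructed: RT3 sends 4 words, RT7 receives 2


def build_sample_capture() -> List[Tuple[str, int]]:
    """Constructed capture, not real bus traffic: two clean messages, then four manipulated ones."""
    rt3_tx = CommandWord(3, 1, 5, 4).encode()
    rt7_rx = CommandWord(7, 0, 2, 2).encode()
    d = ("data", 0xABCD)
    return [
        ("cmd", rt3_tx), ("stat", status_word(3)), d, d, d, d,            # 0: clean RT-to-BC
        ("cmd", rt7_rx), d, d, ("stat", status_word(7)),                  # 1: clean BC-to-RT
        ("cmd", CommandWord(3, 1, 5, 6).encode()), ("stat", status_word(3)), d, d, d, d, d, d,  # 2: WC raised 4 -> 6
        ("cmd", rt7_rx), d, ("stat", status_word(7)),                     # 3: one of two words sent
        ("cmd", rt3_tx), ("stat", status_word(3, reserved=0b101)), d, d, d, d,  # 4: reserved bits set
        ("cmd", rt3_tx), ("stat", status_word(9)), d, d, d, d,            # 5: status from TA 9, not 3
    ]


if __name__ == "__main__":
    for idx, code in audit_capture(SAMPLE_SCHEDULE, build_sample_capture()):
        print(f"message {idx}: {code}")
```

Running the module prints one finding for each of the four manipulated messages. The schedule-based check is deliberately coarse: a real deployment would also track the response-time gaps and idle periods that the timing attacks above rely on, which a sequence of words without timestamps cannot capture.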
© 2019 Springer Nature Switzerland AG
Stan, O., Cohen, A., Elovici, Y., Shabtai, A. (2019). On the Security of MIL-STD-1553 Communication Bus. In: Hamid, B., Gallina, B., Shabtai, A., Elovici, Y., Garcia-Alfaro, J. (eds) Security and Safety Interplay of Intelligent Software Systems. CSITS ISSA 2018. Lecture Notes in Computer Science, vol. 11552. Springer, Cham. https://doi.org/10.1007/978-3-030-16874-2_11
DOI: https://doi.org/10.1007/978-3-030-16874-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16873-5
Online ISBN: 978-3-030-16874-2