3.5. Aeronautical network communications security

3.5.1. Levels of deployment for security mechanisms

As described in [ICA 02], the general ATN security strategy consists of access control, message integrity and user authentication functions.

Confidentiality has generally been considered optional, which is quite logical if we look at the security requirements for operational services. The main identified threats are data alteration, message replay and identity masquerading. In order to mitigate these threats and improve the robustness of the ATN network, several security mechanisms have been provided at different layers of the Open Systems Interconnection (OSI) reference model:

access, network, transport and application layers.

3.5.1.1. Access network security: example of AeroMACS security

A first level of security can be provided at the link layer (or access layer).

One example of such an improvement is addressed by AeroMACS security architecture. In the scope of the EUROCONTROL/FAA Action Plan 17 [EUR 07b], AeroMACS system has been identified as the C-band technology candidate that best suits the provision of dedicated aeronautical communication services on the airport surface (this technology has been detailed in the previous chapters). As AeroMACS has been based on the IEEE 802.16e/802.16-2009 standard, it is logical that it uses the same layer- 2 security mechanisms of the WiMAX technology.

Meanwhile, several studies [ERE 08, BAR 05] discovered critical WiMAX security weaknesses, such as unauthenticated signaling messages or unencrypted management messages. Therefore, AeroMACS security is

already considered obsolete against attacks such as eavesdropping and Man In The Middle (MITM) attacks. Security at upper layers seems, in this case, essential to mitigate these issues. Thus, AeroMACS system represents an illustrative case of security weaknesses at the access layer that needs to be taken into account by additional security mechanisms, for instance, at network, transport or application layers. Examples of such security mechanisms are introduced in the following sections.

3.5.1.2. Network layer security

An important aspect that has been covered by the aviation community is the IP network connectivity between the aircraft and ground stations. There is also an important challenge at the network level to deploy ATN architecture compliant with (IP) standards. This compliance allows the reuse of security mechanisms available for traditional IT networks such as IPSec [KEN 05]. In this context, ICAO Aeronautical Communication Panels (ACPs) were created in 2003 in order to develop standards and recommended practices for data link aeronautical communications. Among the four working groups created by ICAO, WG-I is probably the most relevant to security concerns. ICAO WG-I’s primary goal is to develop guidelines to use IPS in future ATN applications. IPS security has been largely addressed for air–ground and ground–ground communications.

Several recommendations to use and implement IPSec [KEN 05] and Internet Key Exchange (IKE) [HAR 98]) protocols have been provided in the scope of WG-I meetings as stated in [PAT 08a]. IP mobile security is also discussed in [PAT 08b]. All these guidelines are meant to update the security requirements listed in the ICAO “Manual for the ATN using IPS Standards and Protocols” document as indicated in [ICA 08].

In [EHA 08], the authors provided an overview of IP-based threats against aeronautical networks. They focused mainly on network logical separation using network tunnels. In [ALI 04], the authors depicted the scalability issues related to the use of IPSec in the scope of ATN networks.

They revealed the computational high consumption related to various encryption and decryption processes within IPSec. Thus, they proposed a backup solution, namely the use of an anomaly detection engine within a Network Intrusion Detection System (NIDS) in order to monitor malicious acts within the operational and non-operational network domains.

These solutions are promising developments, which need to be investigated a lot further to be fully operational before the end of the 2020 SESAR program.

3.5.1.3. Transport-level security

In the context of ATN/IPS network architecture, we can also deploy additional security mechanisms at the transport layer. Providing security at the transport layer has a definite advantage over the security at the application layer, as it does not mandate modifications to each application and provides a transparent security for users. Secure Socket Layer (SSL), also known as Transport Layer Security (TLS) [DIE 08], has been discussed in several studies as an alternative to application-based security [STE 04, WAR 03] for future aircraft. However, transport layer security has several drawbacks that make it inefficient in some circumstances. For example, TLS is only able to secure TCP flows and does not provide any security mechanisms for User Datagram Protocol (UDP) flows [POS 80]. Indeed, TLS needs to maintain context for a connection and is not implemented over UDP.

3.5.1.4. Application-level security: security improvement for traditional aeronautical applications

In addition to the already existing AMS protocol proposed to secure Aircraft Communications Addressing and Reporting System (ACARS) communications, other proposals attempted to provide security mechanisms at the application layer. A particular emphasis has been placed on the Controller Pilot Data Link Communication (CPDLC) application. The authors in [GET 05] investigated an elliptic curve-based authentication protocol for CPDLC communication systems. Mutual authentication between the pilot and air traffic control (ATC) ground systems was provided in order to avoid identity masquerading and spoofing attacks.

Another paper focused on the security of CPDLC over ATN [MCP 01].

The authors presented a set of cryptographic techniques in order to improve the overall security of pilot-controller communications. For the specific key management and agreement schemes, they suggested the use of a dedicated ATN PKI. Similarly, the authors in [OLI 01] recommended the use of some security mechanisms in order to optimize the ATN security solution, such as elliptic curve cryptography or compressed certificates. Key management and

distribution have been addressed through an ATN PKI using airline certificate authorities. These performance considerations are clearly in line with an optimized security for a resource-restrained ATN network.

Besides the CPDLC application, other aeronautical applications have been addressed. For instance, the authors in [SAM 07] proposed a security framework for the use of Wireless Sensor Networks (WSNs) in Airplane Health Monitoring and Management System (AHMMS) future applications.

The AHMMS system continuously checks the state of airplane structures and systems via embedded sensors, providing a report to onboard and off- board units. The AHMMS system has been identified by the FAA as a key enabler for current wide-body commercial aircraft, such as Airbus A380 and Boeing 787 models. The authors proposed some security primitives for a secure data collection by the WSNs. Integrity, authentication, confidentiality, link key establishment and secure routing have been discussed regarding their potentiality to mitigate most critical threats.

[ROB 07a] presented a security framework for a specific aeronautical network application, namely Electronic Distribution of Software (EDS). The EDS application aims to distribute information assets such as software and data when the aircraft is in maintenance, in production or on ground at the terminal. As these pieces of software are to be used when the aircraft takes off, it is essential to ensure the integrity and authenticity of information loaded into the aircraft. Thus, the authors tried to identify main security threats targeting the EDS application, and then they proposed a secure EDS system called Airplane Assets Distribution System (AADS), which addressed these threats and served as a guideline for later EDS design and implementation. The AADS system used digital signatures and key management and distribution schemes. As an extension of this work, the same authors presented two security approaches in [ROB 07b] for their AADS system: an ad-hoc technique without trust chains between certificates, and a structured approach employing a third party PKI for EDS on commercial airplanes and based on the Common Criteria (CC) standard [ISO 99].