Cyber Security for Unmanned Systems

Definition of Cybersecurity

Cybersecurity are measures or adopt of technologies, processes and practices aim to protect computers, networks and digital data from attack.

Context

Unmanned wireless systems are growing in terms of time/space autonomy: long range, long duration. Depending on use cases, operations may be done under a wide range of supervision levels: from tight monitoring (remotely operated drones) to extremely low information exchange (autonomous drones), thanks to confidence in embedded autonomous behaviors. Lloyds has recently released a classification scale for autonomy levels:

^{Lloyds Classification Scale}

AL1- AL2

All actions are taken by a human. At level 2, low level automation is running on remote vehicle

AL3 - AL4

Humans are present, but only in supervisory roles which go beyond autopilot operations

AL5 - AL6

Vehicles are be fully autonomous, with decisions actioned with no human supervision

At level 5, humans may still act for a limited few particular decision

At level 6, human is not needed anymore

ECA Group systems are mainly classified in categories AL3, AL4 and AL5. AL6 is not reached yet because of the necessary redundancy on most of equipment.

Performance in autonomy mainly comes from massive use of advanced IT technology as core of the drones. Unfortunately an obvious drawback is that unmanned wireless systems are highly exposed to risks related to the IT subsystems. Cybersecurity is no more an option for drones industry.

Cybersecurity assessment

It is usually considered that cyber threats include:

Availability: capability to provide the expected service
Confidentiality: capability to protect data against access from unauthorized personnel
Integrity: capability to guarantee IT materials (hardware, software, data) origin

In unmanned systems, cyber threats mainly concerns the following segments or functions:

Mission execution
Data storage
Advanced algorithms Intellectual Property (IP)

An allocation table of the most sensitive risks (threats vs segments) is given below:

Main IT risks for Unmanned Systems

Mission Execution

Risk 1 - Availability

Risk 2 - Integrity

Communication

Risk 3 - Availability

Risk 4 - Confidentiality
Risk 5 - Integrity

Data Storage

Risk 6 - Confidentiality
Risk 7 - Integrity

Advanced Algorithm IP

Risk 8 - Confidentiality

Above risks may have different mitigation methods depending on the use case requirement, the amount of acceptable residual risk, or the technical/budgetary feasibility of the accurate solution.

The ECA Group policy, regarding IT risk management, intends to start with state-of-the-art industrial IT risk assessment and, whenever necessary, offer tailored solution for any kind of customer requirement. This flexibility comes from ECA double skill level:

As drone manufacturer

Full control of the detailed architecture of systems by our Design Offices

Capability to choose and integrate a wide range of equipment providing gradual assessment of the IT risk for most-concerned components (data storage, LAN distribution, encryption modules, wireless communication)

As system solution provider

Overall understanding of the security threats and risks, allowing risk reduction measures at any stage of the system life cycle (storage, operation, maintenance)

Homogeneous risk assessment over each segment (drones, control stations, workshop tools)

Whenever applicable and efficient, increase given segment protection by complementary measures provided by another segment

For obvious reasons, ECA Group detailed security measures cannot be unveiled. Nevertheless, a non-exhaustive catalog of usual practices on ECA Group unmanned system (respect to risk table 2) is given below:

Risk 1: Mission execution - Availability

Threat description

Jamming or spoofing of GNSS frequency

Mitigation Methods

Basic: Use receiver compatible with various constellation (GPS, GLONASS, GALILEO)

Basic: Manual input of original position and motion estimator. Position accuracy depends on the navigation sensors grade

Basic: Operator steering using the environment sensors (camera, IR, radar)

Advanced: For naval drone: position reset based on radar picture vs digital map matching

Advanced: Fit vehicle anti-spoofing GNSS receiver (military grade equipment)

Risk 2: Mission execution - Integrity

Threat description

Malware to infect the IT core of the drones

Mitigation Methods

Basic: Keep operating system updated

Basic: Keep drone networks disconnected from Internet or company infrastructure

Basic: Run antivirus on targets prior software installation/implementation

Advanced: OS hardening respect to recommendations coming from security agencies (ANSSI, CIS, …)

Threat description

Vehicle capture while out of communication range

Mitigation Methods

Basic: Continuous analysis of physical rules that may unveil an external attack:

Actual motion not compatible with own capabilities + standard external environment
For underwater drone: Vehicle brought out of water while mission is still executing

Risk 3: Communication - Availability

Threat description

Jamming of the wireless communication frequency

Mitigation Methods

Basic: On site user selectable frequency channel and associated wizards for best choice

Basic: Make system robust to short term communication loss: continue mission plan, loitering patterns, way-back patterns

Advanced: Fit system with hopping frequency radio sets

Risk 4: Communication - Confidentiality

Threat description

Content of exchanges (control/command or payload data) to be captured and analyzed by unauthorized personnel

Mitigation Methods

Basic: Use private communication infrastructure instead of public ones

Basic: Prevent use of consumer electronics modems. Choose equipment using proprietary encoding/modulation at frequency level instead

Basic: Use software encryption capabilities (e.g. AES 256) at modem level

Advanced: Use certified hardware encryption modules (military grade applications)

Risk 5: Communication - Integrity

Threat description

Uplink: Overtake control on the unmanned system

Downlink: Send wrong data to operator (position, health monitoring, fake payload data …)

Mitigation Methods

Basic: Data to include signature

Basic: Prefer variable length - variable format messages instead of fixed length - fixed format

Advanced: Signature algorithm to change over time in order to prevent from play-back attacks

Advanced: Reject all external communications except the ones initiated by the known drones (e.g. using iptables)

Risk 6: Data Storage - Confidentiality

Threat description

During storage or maintenance, data at rest may include sensitive information, to be prevented from unauthorized access

Mitigation Methods

Basic: Remote access to internal network and computers shall be strictly controlled:

Use accounts privilege to segregate access to various type of users
Strong password policy

Advanced: Role Based Access Control (RBAC)

Threat description

In case of capture during a mission, data at rest may include sensitive information, to be prevented from unauthorized access

Mitigation Methods

Basic: Software level disk encryption

Advanced: Hardware level disk encryption with irreversible key erase capability

Advanced: Use non standard plugs for network connection

Risk 7: Data Storage - Integrity

Threat description

Data at rest to be prevented from unauthorized modification

Mitigation Methods

Basic: All accesses to file system and user account privileges are logged

Basic: Prefer binary data format to text data

Basic: Software level encryption

Advanced: Signature mechanism

Risk 8: Advanced Algorithm IP - Confidentiality

Threat description

Results of R&D efforts finally end into pieces of software inside the unmanned system. Reverse engineering might be difficult but not impossible for people ready to spend time

Mitigation Methods

Basic: Obfuscation (sensitive parts of code are “hidden” into hundreds of useless lines)

Basic: Mathematic function always come with setting values that may give information on the type of algorithm. Hard coding into program has many drawbacks for trials, system configuration and customization. Preferred method is encryption of the parameter files

Advanced: Remove small but key parts of the software from the main program. Those parts are hosted in a kind of proprietary dongle with high level of protection against offline electronic analysis, or data protocol analysis