Understanding Cyber Attacks on MIL-STD-1553 Buses


By Ofer Hofman, Founder and CTO of Sital Technology, August 2023.

 

Over our 28 years of delivering MIL-STD-1553 IP cores, components, and cards, we have provided solutions for critical systems such as:

  1. MIL-STD-1553 for weapon delivery in jet fighters.
  2. MIL-STD-1553 for avionic system control in aircraft.
  3. MIL-STD-1553 for nuclear plant control.
  4. MIL-STD-1553 for satellites and space vehicles.

 

MIL-STD-1553 is a robust communication standard used for controlling various machines and systems. For this article, we assume the reader is familiar with the standard and its operation; if not, please read this resource about MIL-STD-1553.

 

If an attacker gains control over such critical 1553 buses, they can undermine missions by preventing weapon delivery or crippling the system’s operation.

 

Because these systems are so critical, it is important to protect 1553 systems from possible attacks.

It is also common to hear from operators that 1553 buses are not on the internet, and that attackers therefore cannot gain access to attack them. We, at Sital Technology, believe that attackers do find their way in, especially when the 1553 system operators are indifferent to the risk, and that closing those attack holes today would send potential attackers a clear message and turn them to try elsewhere.

 

Disclaimer: we do not claim to know all types of cyber-attacks. If you think we are missing something that would improve this article, kindly send me a note at ofer.ZZ@sitaltech.com (replace ZZ with ‘h’).

 

In this article we would like to explore the possible attack types on 1553 buses:

 

  • DoS – Denial of Service attack
  • BC Impersonation attack
  • RT Impersonation attack
  • Wiring failures

 

In addition, we explore the possible attack vectors through which attackers penetrate the 1553 network (cyber):

 

  • Online, through internet connected 1553 modules
  • Through supply chain
  • LRU service cycle
  • Intermittent wiring failures

DoS – Denial of Service attack

A Denial of Service attack is achieved when an attacker floods the 1553 bus, preventing the BC from completing its transmissions. The BC works with both Bus A and Bus B. If one bus is blocked, the BC will retry on the other. As a result, a DoS attack can be expected to block both buses.

 

The DoS might simply involve non-1553 noise or sine waves.

 

The DoS can also be achieved with legitimate 1553 messages. They can be standard messages, or broadcast messages and/or mode codes. A single command word, such as the broadcast reset RT mode code, sent every 4 milliseconds would cause all RTs to mute for 5 milliseconds on both buses, and they would consequently be offline, i.e., denied.

 

The DoS attack can start at power-up or, worse, be triggered by some kind of event so that it paralyzes the bus at specific time slots or locations during the mission.

BC Impersonation attack

The MIL-STD-1553 bus calls for a single Bus Controller (BC) at a time. The BC starts every message on the bus; no other terminal can. All RTs wait for a BC command before they react and respond.

 

An attacker employs an additional BC and sends messages to the bus. These messages can be DoS in nature, as explained above, or worse, they can send falsified data and instructions to the Remote Terminals (RTs) to jeopardize the mission. Falsified data such as GPS information would cripple weapon release and/or weapon delivery accuracy.

 

This impersonating BC can be an RT that is SW-programmed to become a BC for an attack, as we recorded in one of the squadrons with one of the munitions, or an attacking LRU added to the 1553 bus.

 

For example, hijacking an aircraft and routing it to a wrong destination can be achieved by an attacker if the impersonating BC distributes falsified GPS information.
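One way a bus monitor could flag the broadcast reset RT flood from the DoS section and the out-of-schedule commands of an impersonating BC, as an added example that is not Sital's code or part of the original article. The record format, the schedule allowlist, the thresholds and the sample words are assumptions constructed for illustration; the command word layout and the reset RT mode code follow MIL-STD-1553B.

```python
from collections import deque

BROADCAST_RT = 31            # RT address 31 addresses every RT
MODE_SUBADDRS = (0, 31)      # subaddress values that mark a mode command
MODE_RESET_RT = 0b01000      # "Reset Remote Terminal" mode code


def decode_command(word):
    """Split a 16-bit 1553 command word into its four fields."""
    return {
        "rt": (word >> 11) & 0x1F,
        "tx": (word >> 10) & 0x1,
        "subaddr": (word >> 5) & 0x1F,
        "count_or_mode": word & 0x1F,
    }


def is_broadcast_reset(cmd):
    return (cmd["rt"] == BROADCAST_RT and cmd["tx"] == 1
            and cmd["subaddr"] in MODE_SUBADDRS
            and cmd["count_or_mode"] == MODE_RESET_RT)


def analyse(records, schedule, window_us=20_000, max_resets=1):
    """Return alerts as (timestamp_us, bus, kind, word) tuples.

    records:  (timestamp_us, bus, command_word) tuples from a bus monitor
    schedule: set of (rt, tx, subaddr) the legitimate BC is designed to send
    window_us / max_resets: assumed thresholds, tune per platform
    """
    alerts, recent_resets = [], deque()
    for ts, bus, word in records:
        cmd = decode_command(word)
        if (cmd["rt"], cmd["tx"], cmd["subaddr"]) not in schedule:
            alerts.append((ts, bus, "unscheduled_command", word))
            continue
        if is_broadcast_reset(cmd):
            # Count resets across both buses: the flood has to hit A and B.
            recent_resets.append(ts)
            while ts - recent_resets[0] > window_us:
                recent_resets.popleft()
            if len(recent_resets) > max_resets:
                alerts.append((ts, bus, "reset_flood", word))
    return alerts


# Constructed sample: not captured from any real bus.
SCHEDULE = {(5, 0, 1), (7, 1, 2), (31, 1, 31)}
SAMPLE = [
    (0, "A", 0x2824),       # RT 5, receive, subaddress 1 (scheduled)
    (500, "A", 0x3C42),     # RT 7, transmit, subaddress 2 (scheduled)
    (1_000, "B", 0x2921),   # RT 5, receive, subaddress 9 (not in schedule)
    (10_000, "A", 0xFFE8),  # broadcast reset RT, allowed once at start-up
    (14_000, "B", 0xFFE8),  # repeated 4 ms later on the other bus
    (18_000, "A", 0xFFE8),  # and again
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE, SCHEDULE):
        print(alert)
```

A monitor sees only words on the bus, not which terminal sent them, so an impersonating BC that repeats scheduled commands needs a timing or electrical check that this sketch does not attempt.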

RT Impersonation attack

RT impersonation is a bit more complex for an attacker to achieve. RTs on a bus serve as either actuators or sensors: actuators such as relay controllers and displays, or sensors such as Navigation or Radar. An attacker would want to answer the BC command in place of the legit RT, replying with falsified data.

 

The challenge is that in MIL-STD-1553B an RT is required to respond to the BC command within 4 to 12 microseconds (uSec) from the end of the command word. If the legit RT responds in 7 uSec, the attacking RT should respond faster, say within 4 uSec. Some attacked RTs would see that the bus is busy (because of the attacker's response) and would back off completely. But for most RTs out there, if there was some bus dead time after the BC command, the legit RT would respond even if the attacking RT responded very fast.

 

In most cases we see that RTs do respond even if the bus is already occupied by the attacking RT.

 

If the attacking RT sneaks in and responds concurrently with the legit RT response, that would make a mess on the bus, because two transmitters are transmitting at the same time. What the attacker actually achieves is that the responses from the attacked RT are erroneous rather than valid and falsified. The actual result of these overlapped responses would be RT DoS: the attacker would not be able to inject falsified data, but only to error out data from that RT.

 

So RT impersonation would, in most cases, actually be RT DoS. Would the attacker take the risk?

Wiring failures

Most aircraft fly for decades. They age under intensive environmental conditions, and so do their 1553 buses. Sometimes 1553 buses get disconnected or shorted, couplers fail, transformers short, plugs get pin push-backs, and connectors get disconnected. These are damages to the cyber medium.

 

All of these failures degrade the MIL-STD-1553 reliability, and cause communication failures.

 

These communication failures have an impact very much like DoS attacks: they cut RTs off from the bus and from live data.

 

In MIL-STD-1553 there are two buses, bus A and bus B, which provide redundancy as backup, and the BC can automatically retry a message on the other bus. Each bus has 2 termination resistors. 1553 is so robust that it can operate with 1 bus and 1 resistor on it.

 

Normally on the aircraft, the Signal to Noise Ratio (SNR) of the 1553 signal is at least 1:10, i.e., SNR > 10. But when there is a missing terminator resistor, or other bus faults, the SNR can drop down to 1:1. In this case, most messages would finish OK, and some would fail. However, in flight, when environmental conditions are worse, the SNR drops below 1, and two things can happen:

 

  1. Messages fail with an error – This is equivalent to DoS.
  2. Messages pass with a 2-bit flip. A 2-bit change is not detected by the parity check.

 

The latter is where it starts to get scary. MIL-STD-1553 uses 1-bit parity for word validation. Parity can detect 1, 3, 5… bit flips, but if an even number of bits flip, such as 2, 4, 6… bits, parity can’t detect it, and the message would be considered OK. Obviously the receiver would receive wrong data, which is exactly what a cyber-attacker is trying to achieve…

 

For example, when it comes to weapon delivery, the GPS information loaded to a weapon might be corrupted by these wiring issues, and the bomb release might suffer from one of:

 

  1. Least significant bits flipped – The weapon would be released, but to a slightly wrong destination!
  2. Most significant bits flipped – The weapon rejects the release, since the corrupted GPS target is way off…
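The parity blind spot described above, as an added example that is not from the original article: it models a 1553 word as 16 data bits plus one odd-parity bit and counts which bit-flip patterns the receiver still accepts. Sync and Manchester validation are left out as a simplifying assumption, and the function names and the sample value 0x1234 are constructed for illustration.

```python
from itertools import combinations

DATA_BITS = 16                # payload bits in one 1553 word
WORD_BITS = DATA_BITS + 1     # payload plus the single parity bit


def odd_parity_bit(data):
    """Parity bit that makes the number of 1s in data + parity odd."""
    return 0 if bin(data & 0xFFFF).count("1") % 2 else 1


def encode(data):
    """17-bit value: 16 data bits in bits 16..1, parity bit in bit 0."""
    return ((data & 0xFFFF) << 1) | odd_parity_bit(data)


def parity_ok(word17):
    """Receiver-side check: a valid word carries an odd number of 1s."""
    return bin(word17 & 0x1FFFF).count("1") % 2 == 1


def flip(word17, positions):
    """Invert the bits at the given positions (0 = parity bit)."""
    for p in positions:
        word17 ^= 1 << p
    return word17


def accepted_patterns(data, nflips):
    """(accepted, total) over every possible nflips-bit error pattern."""
    sent = encode(data)
    patterns = list(combinations(range(WORD_BITS), nflips))
    accepted = sum(parity_ok(flip(sent, p)) for p in patterns)
    return accepted, len(patterns)


def accepted_data_error(data, positions):
    """Received minus sent data value if the corrupted word passes parity,
    or None if the receiver rejects the word."""
    got = flip(encode(data), positions)
    if not parity_ok(got):
        return None
    return (got >> 1) - (data & 0xFFFF)


if __name__ == "__main__":
    value = 0x1234  # constructed sample data word
    for n in (1, 2, 3, 4):
        print(n, "bit flips: accepted/total =", accepted_patterns(value, n))
    # Two low-order data bits flipped: small, silent error.
    print("LSB pair error:", accepted_data_error(value, (1, 2)))
    # Two high-order data bits flipped: large, silent error.
    print("MSB pair error:", accepted_data_error(value, (15, 16)))
```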

 

For all these reasons and more, weapon buses use MIL-STD-1760 which is based on 1553 but with extra CRC testing, and higher bus voltages.

 

CRC would error out many more messages, and the pilots would experience lots of weapons not releasing…

 

Even scarier, we encountered weapons that ignore CRC data to assure delivery…

 

Ground maintenance crews would not be able to find and locate these issues since they occur during flight. As a result, we see that every squadron has a blacklist of certain tail number aircraft which are tagged “sick”. They would be used in training, but avoided for critical missions.

Common Attack Vectors

How do attackers find their way into the 1553 bus sub-systems?

 

Online attack – An aircraft LRU has both an external wireless data connection and a 1553 bus connection. The attacker remotely injects or triggers a malicious SW program that causes the LRU to execute 1553 transmissions with damaging contents on both 1553 bus A and bus B.

 

Supply chain attack – The LRU manufacturer, a tier 1 supplier, supplies a unit that has malicious SW built into it. That malicious SW can wait for a predefined trigger before it attacks, which could be a zero-day attack.

 

LRU Service Cycle – An LRU is removed from the aircraft for maintenance, taken to service, fixed, and returned to service. During this service cycle, an attacker can inject the malicious SW. These kinds of attacks are more common with maintenance crew who have been recruited for money, ideology, or blackmail.

 

Wiring failures – The aircraft attacks itself. The very high SNR of 1553, combined with aging, extreme environmental conditions and the inability of common 1553 maintenance tools to detect wiring degradation, leads to 1553 communication failures during a mission that can be neither detected nor solved on the ground, post flight.

Additional Cyber protection topics

Eavesdropping prevention – On most buses there is an intentional monitor that records the entire flight communication. Sometimes it is critical that highly classified equipment, and its associated 1553 messages, not be recorded, since the team that has access to the monitored data does not have sufficient clearance.

 

In those cases, a Cyber filter module should prevent the unwanted messages from reaching the monitor. Commonly, a man-in-the-middle module is placed between the coupler and the monitor to filter out the classified messages.

 

The same goes for prevention of eavesdropping. In that scenario, place a man-in-the-middle filter on each stub, allowing only the messages that are intended for that stub’s LRU.

 

Schematic and components cyber-attack – We have seen complete squadrons with 1553 buses having a single termination resistor, instead of two.

 

In one event, on a UAV, a “3-stub with termination” coupler was wrongly replaced with a “3-stub without terminator” coupler, and the entire fleet suffered from a single termination, with very low SNR, causing multiple communication failures during flight, and no issue detection on the ground.

 

In a second event, a fighter jet was upgraded to add an LRU to the 1553 bus. During this add-on, a coupler was added to the bus. The coupler has 2 bus ports and a single stub port. In the upgrade schematic, the stub port and the bus port were swapped, leaving the terminator on the stub and the added LRU on the 2nd bus port of the coupler. This degraded the SNR dramatically, but not enough to be detected on the ground.

September 2023: We Are Part Of NASA’s Test Equipment!

We are part of NASA’s test equipment!

Sital Technologies will take an active part in the use of the equipment by testing 1553, with the help of our component that has been with them since 2005, and by MCX testers.

To learn more click here:

BRM1553ERL

An explanatory video on the NASA website:
https://go.nasa.gov/488KJUZ

An article on “Ynet” (Hebrew):

https://bit.ly/3sWacRq

May 2023: IP Cores from Sital are now live on Lattice’s website!

We’re thrilled to announce that both IP Cores from Sital are now live on both websites!

At Lattice, we constantly strive to bring you the latest advancements and innovative solutions. With the addition of Sital’s IP Cores, we are expanding our offerings to provide you with even more cutting-edge capabilities for your projects.

Discover the exceptional features of these IP Cores by visiting our website today!


 

May 2023: MIL-STD-1553 IP Cores

Exciting news from Sital Technology! 🚀

Looking for MIL-STD-1553 IP cores to meet your system requirements?

Look no further!

Sital Technology offers a wide selection of MIL-STD-1553 IP cores that are designed to accommodate diverse system needs.

Whether you’re using FPGAs or ASICs, our IP cores can be easily instantiated, providing you with flexibility and scalability.

And don’t miss out on our flagship BRM1553D-SnS core, packed with exceptional performance and Cyber security!

May 2023: MIL-STD-1553 BC Firewall

Sital Technology’s BC Firewall is now a standard feature in its BRM1553D IP core and other MIL-STD-1553 products, providing intrusion prevention and detection capabilities for unauthorized messages transmitted by rogue BCs.

The Firewall continuously monitors data buses and can detect any impersonating messages.
It also includes an option for intrusion protection, invalidating detected impersonating messages by crashing the bus during the transmission, preventing RTs from responding to such messages.

For more information go to our SnS News releases page !



 

 

 

April 2023: AMD Xilinx is now publishing: Intergrated 1553!

Sital Technology offers a unique solution for integrating our IP and software on Xilinx SoC/MPSoC FPGAs, called Intergrated 1553. It leverages Xilinx’s Vivado and Vitis tools, allowing customers to reduce FPGA system integration times and focus on their areas of higher-level hardware and software value-add.

By using our Intergrated 1553 service, customers can benefit from Sital’s efficient integration of hardware firmware and software for our data bus interfaces, saving more than 1 man year of engineering time.


 

 

Sital Extends the MultiComBox Tester with EBR 1553 Capabilities

EBR-1553 is a 10 Mbps bit rate protocol that uses the robust Mil-Std-1553 protocol over RS-485 transceivers in a hub-based point-to-point connection. Using a star network topology between the Remote Terminals and the BC allows robust and high-speed data transfer.
EBR supports various modes of operation – “SPEC” mode, “SWITCH” mode and “LINK” mode.

SPEC mode is similar to the standard 1553 protocol, where the BC sends the message on all ports, all RTs receive the message, and only the RT with the appropriate RT address should respond.

In SWITCH mode the BC sends the message only on the port where the particular RT is connected. For example, if a message is intended for RT 6, then it will be transmitted only on port 6, and the message will contain the RT address 6.

In LINK mode, the message is transmitted only on the appropriate port which corresponds to the required RT address (for example – port 6), but the RT actual address on the message command is ‘0’ for all RTs. This means that any RT that receives a message in this mode, with the RT address ‘0’ should answer to the message. Therefore, RTs are physically connected to the corresponding ports on the BC.

In MultiComBox Sital supports all three modes of operation.

For more information please visit: https://sitaltech.com/products-main-page/multicombox/

Sital Technology and Logicircuit to Provide DO-254 Certified IP Cores for Avionic Data Buses

Kfar Saba, Israel, September 7, 2017 — Advanced data bus solutions provider Sital Technology, ltd. announces a new partnership with Logicircuit, Inc. and the resulting availability of DO-254 certified intellectual property (IP) cores for avionic products.

Sital Technology produces high-reliability connectivity FPGA IP cores, I/O cards, components and test system products for aerospace, defense and automotive products. On top of MIL-STD-1553 and ARINC825 protocol implementation, Sital also offers unique cyber security and intermittent wiring fault location detection solutions.

The partnership with Logicircuit focuses on offering MIL-STD-1553 and ARINC825 FPGA IP Cores with corresponding DO-254 certification packages. “Sital’s FPGA IP cores are integrated into many airborne platforms and end customers,” said Ilan Hayat, Vice President of Business Development at Sital, “Partnering with a trusted DO-254 certification provider, such as Logicircuit, expedites our customer’s development and production processes, and demonstrates Sital’s ongoing commitment to better quality products.”

Logicircuit, a provider of avionics design services for the past 18 years, offers DO-254 and DO-178C services and the industry’s largest portfolio of DO-254 compliant IP. Logicircuit creates new compliant cores or re-engineers the commercial IP cores of partners such as Sital, via a thoroughly vetted and approved process. This process results in a certification data package (CDP), which includes all the artifacts and support an aerospace company needs to be able to reuse that IP core in their DO-254 compliant FPGA with maximum efficiency and minimal risk.

“We are happy to finally offer a solution for DO-254 compliant MIL-STD-1553,” said Joe Goode, President of Logicircuit. “We believe the Sital core is the best offering for the industry, and the DO-254 compliant version of this highly requested IP core adds tremendous value to our Safe IP™ catalog.”

The new MIL-STD-1553 and ARINC825 FPGA IP cores are available for licensing on any FPGA design. For technical data sheets, evaluation kits and pricing information please visit www.sitaltech.com.

About Sital Technology

Founded in 1996, Sital develops and manufactures advanced data bus solutions. Our mission is to deliver novelty, robustness and commercial superiority for mission-critical data bus communications. Sital’s products are deployed in mass production across airborne platforms, avionic test bench systems and advanced automotive systems. Key customers include NASA, Boeing, Honeywell, Lockheed Martin, Raytheon, BAE Systems, Elbit Systems, General Motors, Ford and Chrysler.

About Logicircuit

Founded in 2000, Logicircuit offers professional services for DO-254/178C compliance as well as a portfolio of DAL A compliant IP cores. Our mission is to provide our avionics customers with solutions that reduce the cost and/or burden of DO-254 (DO-178C) compliance. Our experienced staff of US-based “DO” professionals work seamlessly with our customers as an extension of their own design teams, to take on as much or as little of the compliance work as desired. Key customers include L-3, Honeywell, Lockheed Martin, Thales, Rockwell Collins, Goodrich, Northrop Grumman, Elbit Systems, PPG, Astronautics, Abaco and more.

Sital Integrates Wiring Fault Detection Capabilities Into its BRM1553 MIL-STD-1553 IP Cores

Sital Technology Ltd. announced today that its patented technology for detecting wiring faults will be integrated into its BRM1553D, BRM1553FE and BRM1553PCI Mil-Std-1553 IP cores and boards.

Sital’s Passive TDR (pTDR™) technology is capable of detecting wiring problems such as disconnections, short-circuits, and others, whether they are constant or intermittent. pTDR is a Passive Time Domain Reflectometer (TDR) technology, which constantly measures reflections of energy on an operating Mil-Std-1553, CAN or similar bus. pTDR technology runs during normal system operation without disturbing the standard bus activity.

A standard TDR device sends pulses of energy to the bus and measures the reflected signal. Reflections are created from wiring faults such as disconnections, shorts or lack of proper termination. The time it takes for the signal to travel to the fault and back to the TDR is related to the location of the fault. However, a TDR cannot run while the system is operating, simply because it would be confused by the on-going transmissions on the bus, and also because it may disturb the standard communication.

pTDR does not transmit any pulses to the bus. Instead, it monitors the existing communications and measures reflections created by the normal transmissions. If there are wiring faults, signals will be distorted in certain ways that are related to the location of the fault. The main distortion is related to the width of transmitted bits. For example, in Mil-Std-1553 the bit width is 1uS. A distorted bit can last for an additional few nanoseconds, according to the location of the fault. pTDR measures the distortions and reports the additional length of each bit. We call this additional length a “tail”.

The Sital pTDR system constantly reports tails from all Remote Terminals (RTs) on the network. In a correctly performing bus the tails from all RTs will be small and uniform. Changes in the tails indicate a bus fault.

Tail measurements are constantly performed on every message and updated on every frame. Therefore, even a very short disconnection event will be reported.

“The current situation is that each system on the aircraft performs its own built-in-test (BIT) and reports its own problems. But there is no mechanism for performing BIT to the bus wires or reporting wiring problems when they occur,” said Ofer Hofman, Sital’s CTO. “Our technology adds a great level of reliability to the bus, without interfering with the bus activity and without adding any complexity to the system,” he added.

Duli Yariv, Sital’s VP Marketing and Sales said: “Our pTDR™ technology is already implemented on CAN bus and used by automotive manufacturers for detecting wiring faults on vehicles during manufacturing, maintenance and operation. We are excited to enable our avionics and automotive customers to enjoy this technology, add value to their products and make safer aircraft and vehicles.”

pTDR technology for detecting wire faults will be available on the full range of Sital products: testers, IP cores and interface boards.

For more information please visit: https://sitaltech.com/technology/smart-wiring-fault-detection-technology/

Sital Extends its BRM1553 IP with Error Injection Testing Capabilities

Until now, BRM1553 IP cores delivered to customers were mainly targeted for in-flight applications. This means that no errors are allowed to be generated from the system.

However, a recent customer application required Mil-Std-1553 testing capabilities from an already-existing flight system, so that the same system can be used as a bus simulator on the ground or as an in-flight operational system.

Multi-RT feature is an essential feature for a Mil-Std-1553 bus simulator. It means that a single 1553 node can be programmed to act as many 1553 Remote Terminals. The user can program the Remote Terminal (RT) addresses which are simulated and thus the unit will answer and create messages, as requested by a Bus Controller (BC) for the simulated RTs.

The Error Injection feature enables the system to simulate several types of errors which may occur on a 1553 network. Therefore, errors like Parity Error, Sync. Error, Zero-Crossing Error and others are all part of an advanced 1553 test and simulation system.

Same Hardware for Interface Card and Test Benches.

Many avionics vendors, who develop avionic systems, are required to provide test benches for their systems. In many cases, developing the test bench is a high cost project, requiring development of boards, software and other simulation tools, usually at low volumes. Therefore the advantages of developing a single hardware that can be used both as a flight system and as a bus simulation tool are obvious. First – there is only need to develop a single hardware, and not require equipment from additional vendors for bus simulation and testing. Second – customers can re-use the software written originally for the actual system also for testing, ensuring lower development cost and enabling faster time to market.

Of course, the customer needs to make sure that the test software is not loaded into the operational systems. This can be achieved by having a separate FPGA load file for each system and also by enabling or disabling the Multi-RT and Error Injection features by hardware. This means that the IP core can enable or disable the features by reading hardware configuration bits, which are set differently between the tester and the in-flight system.

Both features can be added to Sital’s standard BRM1553D, BRM1553PCI and BRM1553FE Mil-Std-1553 IP core and are provided with software API, so that users can easily implement these test features into an existing Mil-Std-1553 system.
