By Ofer Hofman, Sital Technology founder and CTO. August 2023.
In our 28 years of delivering MIL-STD-1553 IP cores, 1553 components and 1553 cards, we have provided solutions for critical systems such as:
- MIL-STD-1553 used for weapon delivery in jet fighters.
- MIL-STD-1553 used for avionic system control in aircraft.
- MIL-STD-1553 used for control in nuclear plants.
- MIL-STD-1553 used in satellites and space vehicles.
It is a robust communication standard used for the control side of machines and systems. For this article we assume the reader is familiar with the MIL-STD-1553 standard and its operation; if not, see the Wikipedia entry for MIL-STD-1553.
If an attacker is able to gain control over such critical 1553 buses, the attacker can undermine a mission, for example by preventing weapon delivery or crippling a system's operation.
Given these stakes, it is important to protect 1553 systems from possible attacks.
It is also a common belief among operators that 1553 buses are not connected to the internet and that attackers therefore cannot gain access to them. At Sital Technology, we believe that attackers can find their way in, especially when 1553 system operators are indifferent to the risk. Closing these vulnerabilities now would send a clear message to potential attackers and deter them.
Disclaimer: we do not attempt to know all types of cyber-attacks. If you think we are missing something that would improve this article, kindly send me a note at ofer.h@sitaltech.com.
In this article, we would like to explore possible attack types on 1553 buses:
- DoS – Denial of Service attack
- BC Impersonation attack
- RT Impersonation attack
- Wiring failures
In addition, we explore the attack vectors through which an attacker can penetrate the 1553 network:
- Online, through internet connected 1553 modules
- Through supply chain
- LRU service cycle
- Intermittent wiring failures
DoS – Denial of Service Attack
A denial-of-service attack is achieved when an attacker floods the 1553 bus and prevents the BC from completing its transmissions. The BC works with both Bus A and Bus B; if one bus is blocked, the BC retries on the other. An effective DoS attack is therefore expected to block both buses.
The flooding signal can be as simple as non-1553 noise or a sine wave.
The DoS can also be achieved with legitimate 1553 messages: standard messages, broadcasts and/or mode codes. A single command word such as the broadcast "reset remote terminal" mode code, sent every 4 milliseconds, would cause all RTs to mute for 5 milliseconds on both buses; they would consequently be held offline, perpetually resetting, and denied service.
The DoS attack can start at power-up or, worse, be triggered by some kind of event so that it paralyzes the bus at specific time slots or locations during the mission.
BC Impersonation Attack
MIL-STD-1553 calls for a single Bus Controller (BC) at a time. The BC initiates every message on the bus; no other terminal can. All RTs wait for a BC command before they react and respond.
An attacker introduces an additional BC and sends messages onto the bus. These messages can be DoS in nature, as explained above, or worse, carry falsified data and instructions to the Remote Terminals (RTs) to jeopardize the mission. Falsified data such as GPS information would cripple weapon release or weapon delivery accuracy.
This impersonating BC can be an RT whose software has been reprogrammed to become a BC for the attack, as we recorded in one of the squadrons with one of the munitions, or an attacking LRU added to the 1553 bus.
For example, an attacker can hijack an aircraft and route it to a wrong destination if the impersonating BC distributes falsified GPS information.
RT Impersonation Attack
RT impersonation is more complex for an attacker to achieve. RTs on a bus serve as either actuators or sensors: actuators such as relay controllers and displays, sensors such as navigation or radar. An attacker wants its own reply to the BC command to replace the legitimate RT's, carrying falsified data.
The challenge is that MIL-STD-1553B requires an RT to respond to a BC command within 4 to 12 microseconds (µs) of the end of the command word. If the legitimate RT responds in 7 µs, the attacking RT must respond faster, say within 4 µs. Some attacked RTs would see that the bus is busy (with the attacker's response) and back off completely. But most RTs in the field, once they have seen the required dead time after the BC command, respond even if the attacking RT has already started transmitting.
In most cases we see that RTs do respond even though the bus is already busy with the attacking RT's transmission.
If the attacking RT sneaks in and responds concurrently with the legitimate RT, it makes a mess on the bus, because two transmitters are transmitting at the same time. What the attacker actually achieves is that the attacked RT's responses become erroneous rather than valid but falsified. The net result of these overlapped responses is an RT DoS: the attacker cannot inject falsified data, only error out that RT's data.
So in most cases RT impersonation ends up as RT DoS. Would the attacker take the risk?
Wiring Failures
Most aircraft fly for decades. They age under intensive environmental conditions, and so do their 1553 buses. Sometimes 1553 buses get disconnected or shorted, couplers fail, transformers short, plugs get pin push-backs, and connectors come loose. These are damages to the cyber medium itself.
All of these failures degrade MIL-STD-1553 reliability and cause communication failures.
These communication failures have very much the same impact as DoS attacks: they deny RTs the bus and live data.
MIL-STD-1553 has two buses, A and B, for redundancy; the BC can automatically retry a message on the other bus. Each bus has two termination resistors. 1553 is so robust that it can operate with one bus and one terminator.
Normally on the aircraft the signal-to-noise ratio (SNR) of the 1553 signal is at least 10:1, i.e., SNR > 10. With a missing termination resistor or other bus faults, the SNR can drop to around 1:1. In that state most messages still finish OK and some fail. In flight, however, when environmental conditions are worse, the SNR drops below 1, and two things can happen:
- Messages fail with an error. This is equivalent to DoS.
- Messages pass with a 2-bit flip. A 2-bit change is not detected by parity.
The latter is where it starts to get scary. MIL-STD-1553 uses a single parity bit as word validation. Parity detects 1, 3 or 5 flipped bits, but an even number of flips (2, 4 or 6 bits) goes undetected and the word is accepted as valid. The receiver then consumes wrong data, which is exactly what a cyber-attacker is trying to achieve.
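The word-level checks discussed here (the single parity bit, and the CRC that MIL-STD-1760 adds on top of it) and the broadcast reset RT mode code from the DoS section above can be made concrete. The following Python is an added example written for this article, not Sital Technology code: it encodes 1553 command and data words with their odd parity bit, builds the broadcast "reset remote terminal" command word, and shows that parity catches a 1-bit flip but not a 2-bit flip, while a CRC over the data words catches both. Word layouts and the mode code value follow MIL-STD-1553B; the CRC-16/CCITT-FALSE polynomial is an arbitrary illustrative choice and is not the MIL-STD-1760 checksum algorithm; the data words are constructed values.

```python
"""Added example for this article (not Sital Technology code): MIL-STD-1553
word encoding with its odd parity bit, the broadcast 'reset remote terminal'
command word from the DoS section, and a comparison of what a parity bit
and a message CRC each detect. The CRC-16/CCITT-FALSE polynomial below is
an illustrative choice, not the MIL-STD-1760 checksum algorithm."""

# Command word layout, MSB first (MIL-STD-1553B):
#   RT address (5) | T/R (1) | subaddress or mode indicator (5) | word count or mode code (5)
MODE_CODE_SUBADDRESSES = (0b00000, 0b11111)   # either value marks a mode code command
BROADCAST_RT = 31
MODE_CODE_RESET_RT = 0b01000                  # "reset remote terminal", T/R = 1, no data word


def odd_parity(bits16: int) -> int:
    """Parity bit that makes the 17-bit word carry an odd number of ones."""
    return 0 if bin(bits16 & 0xFFFF).count("1") % 2 == 1 else 1


def encode_word(bits16: int) -> int:
    """17-bit bus word: 16 payload bits followed by the parity bit in the LSB."""
    return ((bits16 & 0xFFFF) << 1) | odd_parity(bits16)


def parity_ok(word17: int) -> bool:
    return bin(word17 & 0x1FFFF).count("1") % 2 == 1


def command_word(rt: int, transmit: bool, subaddress: int, count_or_mode: int) -> int:
    if not (0 <= rt < 32 and 0 <= subaddress < 32 and 0 <= count_or_mode < 32):
        raise ValueError("command word fields are 5 bits wide")
    payload = (rt << 11) | (int(transmit) << 10) | (subaddress << 5) | count_or_mode
    return encode_word(payload)


def decode_command(word17: int) -> dict:
    payload = word17 >> 1
    subaddress = (payload >> 5) & 0x1F
    return {
        "rt": payload >> 11,
        "transmit": bool((payload >> 10) & 1),
        "subaddress": subaddress,
        "is_mode_code": subaddress in MODE_CODE_SUBADDRESSES,
        "count_or_mode": payload & 0x1F,
        "parity_ok": parity_ok(word17),
    }


def broadcast_reset_rt_command() -> int:
    """The single command word the DoS section describes: every RT resets."""
    return command_word(BROADCAST_RT, True, MODE_CODE_SUBADDRESSES[0], MODE_CODE_RESET_RT)


def flip_bits(word: int, positions) -> int:
    """Simulate noise on the wire: toggle the given bit positions of a 17-bit word
    (bit 0 is the parity bit, bits 1..16 the payload)."""
    for p in positions:
        word ^= 1 << p
    return word


def crc16_ccitt(words16) -> int:
    """CRC-16/CCITT-FALSE over 16-bit data words, high byte first (illustrative)."""
    crc = 0xFFFF
    for w in words16:
        for byte in ((w >> 8) & 0xFF, w & 0xFF):
            crc ^= byte << 8
            for _ in range(8):
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def integrity_verdict(data_words16, word_index, positions):
    """Corrupt one word of a message and report (parity_detects, crc_detects)."""
    sent_crc = crc16_ccitt(data_words16)
    corrupted = flip_bits(encode_word(data_words16[word_index]), positions)
    received = list(data_words16)
    received[word_index] = corrupted >> 1       # the payload the RT would consume
    return (not parity_ok(corrupted)), crc16_ccitt(received) != sent_crc


if __name__ == "__main__":
    # Constructed data words standing in for a GPS target load.
    gps_words = [0x4E20, 0x0102, 0xABCD]
    cmd = broadcast_reset_rt_command()
    print("broadcast reset RT command:", hex(cmd), decode_command(cmd))
    print("1-bit flip  (parity, crc):", integrity_verdict(gps_words, 0, [3]))
    print("2-bit flip  (parity, crc):", integrity_verdict(gps_words, 0, [3, 9]))
```

The parity bit protects one word and the CRC protects the whole message, which is why a receiver that validates parity perfectly still accepts the 2-bit flip; a flip of the parity bit alone is caught by parity but invisible to the CRC, since the payload the RT consumes is unchanged.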
For example, when it comes to weapon delivery, the GPS target loaded into a weapon might be corrupted by these wiring issues, and the bomb release might suffer from one of:
- Least significant bits flipped: the weapon is released, but to a slightly wrong destination.
- Most significant bits flipped: the weapon rejects the release, since the corrupted GPS target is way off.
For these reasons and more, weapon buses use MIL-STD-1760, which is based on 1553 but adds CRC checking and higher bus voltages.
The CRC errors out many more messages, and pilots experience many weapons failing to release.
It was alarming when we encountered weapons that ignore the CRC to assure delivery.
Ground maintenance crews cannot identify and locate these issues, because they occur only in flight. As a result, we see that every squadron has a blacklist of certain tail numbers tagged "sick": they are used for training but avoided for critical missions.
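The recording that the bus monitor makes during flight (see the eavesdropping section below) is one place where this in-flight degradation is visible after landing, even when ground test equipment shows nothing. The following Python is an added example, not part of the article or a Sital product: it reads a constructed monitor log, attributes a message to the same RT on the other bus shortly after a failure to the BC's automatic retry, and flags RTs whose first-attempt failures or failed retries point to a degraded path. The log format, the 2 ms retry window and the 5 % threshold are assumptions made for this example.

```python
"""Added example for this article (not Sital Technology code): post-flight
analysis of a bus-monitor recording to surface intermittent wiring
degradation. Log format, retry window and threshold are assumptions."""

from collections import defaultdict

# Constructed monitor log: one message per line, t_ms,bus,rt,outcome.
# RT 12 is healthy. RT 5 shows the degraded-bus pattern: most messages pass,
# a few fail on bus A and the BC immediately retries them on bus B.
SAMPLE_LOG = """\
# t_ms,bus,rt,outcome   (outcome: OK | NORESP | PARITY)
1000,A,5,OK
1001,A,12,OK
1010,A,5,NORESP
1011,B,5,OK
1020,A,12,OK
1030,A,5,OK
1040,A,5,PARITY
1041,B,5,OK
1050,A,12,OK
1060,A,5,OK
1070,A,12,OK
1080,A,5,NORESP
1081,B,5,NORESP
1082,A,5,OK
"""

RETRY_WINDOW_MS = 2.0   # assumed: same RT, other bus, within 2 ms of a failure -> BC retry
FAIL_RATE_FLAG = 0.05   # assumed: flag an RT whose first-attempt failure rate exceeds 5 %


def parse_log(text):
    """Parse the constructed format into (t_ms, bus, rt, outcome) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, bus, rt, outcome = line.split(",")
        records.append((float(t), bus, int(rt), outcome))
    return records


def analyse(records, retry_window_ms=RETRY_WINDOW_MS):
    """Per RT: first attempts, first-attempt failures, retries and failed retries.
    A retry is a message to the same RT on the other bus within the window
    after a failure, which is how the BC's automatic bus switch shows up in a log."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "retries": 0, "retry_failures": 0})
    last_failure = {}   # rt -> (t_ms, bus) of the most recent failed message, if unresolved
    for t, bus, rt, outcome in records:
        s = stats[rt]
        prev = last_failure.get(rt)
        is_retry = prev is not None and bus != prev[1] and t - prev[0] <= retry_window_ms
        if is_retry:
            s["retries"] += 1
            if outcome != "OK":
                s["retry_failures"] += 1
        else:
            s["attempts"] += 1
            if outcome != "OK":
                s["failures"] += 1
        last_failure[rt] = (t, bus) if outcome != "OK" else None
    return dict(stats)


def suspects(stats, fail_rate=FAIL_RATE_FLAG):
    """Map RT -> (first-attempt failure rate, suspect flag). A failed retry means
    both buses failed in a row, which is flagged regardless of the rate."""
    out = {}
    for rt, s in stats.items():
        rate = s["failures"] / s["attempts"] if s["attempts"] else 0.0
        out[rt] = (round(rate, 3), rate > fail_rate or s["retry_failures"] > 0)
    return out


if __name__ == "__main__":
    stats = analyse(parse_log(SAMPLE_LOG))
    for rt, (rate, flag) in sorted(suspects(stats).items()):
        print(f"RT {rt:2d}: {stats[rt]}  fail rate {rate:.1%}  {'SUSPECT' if flag else 'ok'}")
```

The point of counting retries separately from first attempts is that a bus with a missing terminator still passes most messages; a retry count that is nonzero on a particular RT, flight after flight, is the trace that the wiring on that stub is marginal even though every message eventually got through.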
Common Attack Vectors
How do the attackers find their way in to the 1553 bus sub-systems?
Online attack – An aircraft LRU has both an external wireless data connection and a 1553 bus connection. The attacker remotely injects or triggers a malicious software program that makes the LRU transmit damaging content on both 1553 buses, A and B.
Supply chain attack – The LRU manufacturer, a tier 1 supplier, delivers a unit with malicious software built in. That malicious code can wait for a predefined trigger before attacking, which could amount to a zero-day attack.
LRU service cycle – An LRU is removed from the aircraft for maintenance, taken to a service depot, fixed, and returned to service. During this service cycle an attacker can inject the malicious software. Such attacks are more common with maintenance crew recruited for money, ideology, or through blackmail.
Wiring failures – The aircraft attacks itself. The very high nominal SNR of 1553, combined with aging, extreme environmental conditions, and the inability of common 1553 maintenance tools to detect wiring degradation, leads to 1553 communication failures during a mission that can be neither detected nor solved on the ground post flight.
Additional Cyber protection topics
Eavesdropping prevention – On most buses there is an intentional monitor that records the entire flight's communication. Sometimes it is critical that highly classified equipment, and its associated 1553 messages, not be recorded, because the team that has access to the monitored data does not have sufficient clearance.
In those cases a cyber filter module should prevent the unwanted messages from reaching the monitor. A common arrangement is a man-in-the-middle module placed between the coupler and the monitor to filter out the classified messages.
The same approach prevents eavesdropping in general: place a man-in-the-middle filter on each stub, allowing only the messages intended for that stub's LRU.
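The two filter placements described above, at the monitor and on each stub, can be driven by the same command-word parser. The following Python is an added example, not the code of any Sital product: it parses the command word(s) that open a 1553 message, handles broadcast and RT-to-RT transfers (where the receiving and transmitting RTs sit in two consecutive command words), and applies the stub policy (forward only messages addressed to this stub's RT or to all RTs) and the monitor policy (drop any message touching a classified RT). Segmenting the word stream into messages, and telling command words from status words by their position, are assumed to be done upstream by the filter's bus interface; the RT addresses and word contents are constructed for the example.

```python
"""Added example for this article (not Sital Technology code): the policy
logic of a man-in-the-middle 1553 filter, for the two placements described
above (between coupler and monitor, and on each stub). A message is modelled
as the list of (sync, word17) pairs a monitor captures for it, with sync 'C'
for the command/status sync pattern and 'D' for the data sync pattern.
Segmentation of the word stream into messages is assumed done upstream."""

BROADCAST_RT = 31


def make_command(rt: int, transmit: bool, subaddress: int, count: int) -> int:
    """Command word with odd parity in the LSB (used to build the constructed messages)."""
    payload = (rt << 11) | (int(transmit) << 10) | (subaddress << 5) | count
    parity = 0 if bin(payload).count("1") % 2 else 1
    return (payload << 1) | parity


def status_word(rt: int) -> int:
    """Status word with only the RT address set (constructed, no flags)."""
    payload = rt << 11
    return (payload << 1) | (0 if bin(payload).count("1") % 2 else 1)


def parse_command(word17: int) -> dict:
    payload = word17 >> 1
    return {"rt": payload >> 11, "transmit": bool((payload >> 10) & 1),
            "subaddress": (payload >> 5) & 0x1F, "count": payload & 0x1F}


def leading_commands(message):
    """Return the command word(s) that open a message. Command and status words
    share a sync pattern, so position decides: a message opens with one command,
    or with two for an RT-to-RT transfer (receive command, then transmit command).
    A transmit command or a mode code followed by a 'C' word is command + status."""
    cmds = [parse_command(w) for sync, w in message[:2] if sync == "C"]
    if len(cmds) == 2 and not (cmds[0]["transmit"] is False and cmds[1]["transmit"] is True):
        cmds = cmds[:1]
    return cmds


def stub_filter(own_rt: int, message) -> bool:
    """Stub placement: forward only messages addressed to this stub's RT, as
    receiver or as transmitter, or broadcast to all RTs."""
    return any(c["rt"] in (own_rt, BROADCAST_RT) for c in leading_commands(message))


def monitor_filter(classified_rts, message) -> bool:
    """Monitor placement: drop any message that involves a classified RT, including
    an RT-to-RT transfer where the classified RT only transmits."""
    return not any(c["rt"] in classified_rts for c in leading_commands(message))


# Constructed traffic: RT 5 is a display, RT 12 a navigation unit treated as classified.
# Data words are shown without a computed parity bit; the filter does not inspect them.
BC_TO_RT5 = [("C", make_command(5, False, 1, 2)), ("D", 0x1234 << 1), ("D", 0x5678 << 1), ("C", status_word(5))]
RT12_TO_BC = [("C", make_command(12, True, 2, 1)), ("C", status_word(12)), ("D", 0x0ABC << 1)]
RT12_TO_RT5 = [("C", make_command(5, False, 1, 1)), ("C", make_command(12, True, 2, 1)),
               ("C", status_word(12)), ("D", 0x0ABC << 1), ("C", status_word(5))]
BROADCAST_SYNC = [("C", make_command(BROADCAST_RT, False, 0, 0b10001)), ("D", 0x0001 << 1)]  # mode code 17: synchronize with data word


def demo():
    """Which of the constructed messages pass each placement."""
    traffic = {"BC_TO_RT5": BC_TO_RT5, "RT12_TO_BC": RT12_TO_BC,
               "RT12_TO_RT5": RT12_TO_RT5, "BROADCAST_SYNC": BROADCAST_SYNC}
    return {name: {"stub5": stub_filter(5, m), "stub12": stub_filter(12, m), "monitor": monitor_filter({12}, m)}
            for name, m in traffic.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The monitor filter has to look at both command words of an RT-to-RT transfer: in the constructed RT12_TO_RT5 message the classified unit is only the transmitter, and a filter that keyed on the first command word alone would record its data under the display's address.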
Schematic and component cyber-attack – We have seen complete squadrons with 1553 buses having a single termination resistor instead of two.
In one event, on a UAV, a "3-stub with termination" coupler was wrongly replaced with a "3-stub without terminator" coupler, and the entire fleet suffered from single termination, with very low SNR, causing multiple communication failures during flight and no issue detected on the ground.
In a second event, a fighter jet was upgraded with an additional LRU on the 1553 bus. During this add-on a coupler was added to the bus. The coupler has two bus ports and a single stub port. In the upgrade schematic the stub port and a bus port were swapped, leaving the terminator on the stub port and the added LRU on the coupler's second bus port. This degraded the SNR dramatically, but not enough to be detected on the ground.