By Ofer Hofman, Founder and CTO of Sital Technology, August 2023.
Over our 28 years of delivering MIL-STD-1553 IP cores, components, and cards, we have provided solutions for critical systems such as:
- MIL-STD-1553 for weapon delivery in jet fighters.
- MIL-STD-1553 for avionic system control in aircraft.
- MIL-STD-1553 for nuclear plants control.
- MIL-STD-1553 for satellites and space vehicles.
It is a robust communication standard used for controlling various machines and systems. For this article, we assume the reader is familiar with this standard and its operation; if not, please read this resource about MIL-STD-1553.
If an attacking hacker gains control over such critical 1553 buses, they can undermine missions by preventing weapon delivery or crippling the system’s operation.
Given these stakes, it is important to protect 1553 systems from possible attacks.
It is also common to hear from operators that 1553 buses are not on the internet, and therefore attackers cannot reach them. We, at Sital Technology, believe that attackers do find their way in, especially when the 1553 system operators are indifferent to the risk, and that closing those attack holes today would send potential attackers a clear message and turn them to try elsewhere.
Disclaimer: we do not claim to know all types of cyber-attacks. If you think we are missing something that would improve this article, kindly send me a note to ofer.ZZ@sitaltech.com (replace ZZ with ‘h’).
In this article we would like to explore the possible attack types on 1553 buses:
- DoS – Denial of Service attack
- BC Impersonation attack
- RT Impersonation attack
- Wiring failures
In addition, we explore the attack vectors through which attackers penetrate the 1553 network:
- Online, through internet connected 1553 modules
- Through supply chain
- LRU service cycle
- Intermittent wiring failures
DoS – Denial of Service attack
A Denial of Service attack is achieved when an attacker floods the 1553 bus, preventing the BC from completing its transmissions. The BC works with both Bus A and Bus B: if one bus is blocked, the BC retries on the other. A DoS attack therefore has to block both buses.
The DoS might simply involve non-1553 noise or sine waves.
The DoS can also be achieved with legitimate 1553 messages. They can be standard messages, broadcast messages and/or mode codes. A single command word such as the broadcast reset RT mode code, sent every 4 milliseconds, would cause all RTs to mute for 5 milliseconds on both buses; they would consequently be offline, i.e., denied service.
The DoS attack can start at power-up or, worse, be triggered by some kind of event that paralyzes the bus at specific time slots or locations during the mission.
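As an added example (not code from the article or from Sital Technology), the following bus-monitor-side check decodes command words using the MIL-STD-1553B field layout (5-bit RT address, T/R bit, 5-bit subaddress, 5-bit word count or mode code) and raises an alert when broadcast mode codes arrive faster than a healthy bus would ever send them. The capture, the 100 ms window and the threshold of 3 are constructed assumptions; a real deployment would tune them to the bus schedule.

```python
from collections import deque, namedtuple

Command = namedtuple("Command", "rt tr subaddress count_or_mode")

BROADCAST_RT = 31             # RT address 11111 addresses every RT
MODE_SUBADDRESSES = (0, 31)   # subaddress 00000 or 11111 marks a mode-code command


def decode_command(word):
    """Split a 16-bit 1553 command word (sync and parity already stripped) into its fields."""
    return Command(rt=(word >> 11) & 0x1F, tr=(word >> 10) & 1,
                   subaddress=(word >> 5) & 0x1F, count_or_mode=word & 0x1F)


def is_broadcast_mode_code(word):
    c = decode_command(word)
    return c.rt == BROADCAST_RT and c.subaddress in MODE_SUBADDRESSES


def detect_mode_code_flood(capture, window_us=100_000, max_per_window=3):
    """capture: iterable of (timestamp_us, command_word) as a bus monitor records them.
    Returns one (timestamp, count) alert for every broadcast mode code that pushes the
    count inside the trailing window above max_per_window."""
    recent = deque()
    alerts = []
    for t, word in capture:
        if not is_broadcast_mode_code(word):
            continue
        recent.append(t)
        while recent and recent[0] < t - window_us:   # drop timestamps outside the window
            recent.popleft()
        if len(recent) > max_per_window:
            alerts.append((t, len(recent)))
    return alerts


def constructed_capture():
    """Constructed sample (not real bus data): routine RT 1 / RT 2 traffic every 10 ms,
    one legitimate broadcast synchronize (mode code 1) at 50 ms, and from 500 ms onward a
    broadcast reset-RT command (0xFC08: RT 31, T/R=1, subaddress 0, mode code 8) every 4 ms,
    mirroring the article's DoS example."""
    normal = [(t, 0x0822 if (t // 10_000) % 2 == 0 else 0x1464)
              for t in range(0, 1_000_001, 10_000)]
    sync = [(50_000, 0xFC01)]
    flood = [(t, 0xFC08) for t in range(500_000, 1_000_001, 4_000)]
    return sorted(normal + sync + flood)


if __name__ == "__main__":
    for t, n in detect_mode_code_flood(constructed_capture())[:3]:
        print(f"{t / 1000:.0f} ms: {n} broadcast mode codes in the last 100 ms")
```

The single synchronize at 50 ms never trips the detector, while the 4 ms cadence of reset-RT commands trips it on the fourth occurrence, 12 ms after the flood begins, long before the 5 ms mute windows have denied the bus for a full second.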
BC Impersonation attack
MIL-STD-1553 calls for a single Bus Controller (BC) at a time. The BC initiates every message on the bus; no other device may. All RTs wait for a BC command before they react and respond.
An attacker employs an additional BC and sends messages on the bus. These messages can be DoS in nature, as explained above, or worse, carry falsified data and instructions to the Remote Terminals (RTs) to jeopardize the mission. Falsified data such as GPS information would cripple weapon release or weapon delivery accuracy.
This impersonating BC can be an RT that is SW-programmed to become a BC for an attack, as we recorded in one of the squadrons with one of the munitions, or an attacking LRU added to the 1553 bus.
For example, an attacker can hijack an aircraft and route it to a wrong destination if the impersonating BC distributes falsified GPS information.
RT Impersonation attack
RT impersonation is more complex for an attacker to achieve. RTs on a bus serve as either actuators or sensors: actuators such as relay controllers and displays, or sensors such as navigation or radar. An attacker would want to reply to the BC command in place of the legitimate RT, with falsified data.
The challenge is that in MIL-STD-1553B an RT is required to respond to the BC command within 4 to 12 microseconds (µs) from the end of the command word. If the legitimate RT responds in 7 µs, the attacking RT would have to respond faster, say within 4 µs. Some attacked RTs would see that the bus is busy (with the attacker's response) and back off completely. But for most RTs out there, as long as there was some bus dead time after the BC command, the legitimate RT would respond even if the attacking RT responded very fast.
In most cases we see that RTs do respond even if the bus is already busy with the attacking RT.
If the attacking RT sneaks in and responds concurrently with the legitimate RT's response, the result is a mess on the bus, because two transmitters are transmitting at the same time. What the attacker actually achieves is that the responses from the attacked RT are erroneous rather than valid and falsified. The net result of these overlapped responses is RT DoS: the attacker cannot inject falsified data, but only error out the data from that RT.
So in most cases RT impersonation actually amounts to RT DoS. Would the attacker take the risk?
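The timing rule above gives a defender something concrete to audit. As an added example (not from the article or Sital's products), the following check walks a bus-monitor capture and flags the three symptoms just described: a status word arriving less than 4 µs after the command ended, more than one status word answering a single command (two transmitters on the bus), and a command with no status at all (the RT is denied). The `Word` record, the 20 µs word duration (20 bits at 1 Mbit/s) and the capture itself are constructed assumptions; a real monitor would also record garbled words where two responders overlapped, which this idealized capture omits.

```python
from dataclasses import dataclass

WORD_US = 20.0                        # one 20-bit 1553 word at 1 Mbit/s lasts 20 us
MIN_RESP_US, MAX_RESP_US = 4.0, 12.0  # RT response-time window quoted in the article
BROADCAST_RT = 31                     # broadcast commands legitimately get no status


@dataclass
class Word:
    t_us: float   # monitor timestamp of the word's sync, in microseconds
    kind: str     # "CMD", "STAT" or "DATA" as classified by the monitor
    value: int    # 16-bit word value, sync and parity stripped


def audit_responses(capture):
    """Check every command's status response(s) against the 1553 timing rules.
    Returns (command_time, description) findings; an empty list means all responses were clean."""
    findings = []
    i = 0
    while i < len(capture):
        cmd = capture[i]
        if cmd.kind != "CMD":         # stray status/data before the first command: skip it
            i += 1
            continue
        rt = (cmd.value >> 11) & 0x1F
        cmd_end = cmd.t_us + WORD_US  # the response gap is measured from the end of the command
        statuses = []
        j = i + 1
        while j < len(capture) and capture[j].kind != "CMD":
            if capture[j].kind == "STAT":
                statuses.append(capture[j])
            j += 1
        if not statuses and rt != BROADCAST_RT:
            findings.append((cmd.t_us, f"RT {rt}: no status response"))
        if len(statuses) > 1:
            findings.append((cmd.t_us, f"RT {rt}: {len(statuses)} status words for one command "
                                       "(overlapping responders)"))
        for s in statuses:
            gap = s.t_us - cmd_end
            if gap < MIN_RESP_US:
                findings.append((cmd.t_us, f"RT {rt}: status after {gap:.1f} us, below the "
                                           f"{MIN_RESP_US:.0f} us minimum"))
            elif gap > MAX_RESP_US:
                findings.append((cmd.t_us, f"RT {rt}: status after {gap:.1f} us, beyond the "
                                           f"{MAX_RESP_US:.0f} us maximum"))
            status_rt = (s.value >> 11) & 0x1F
            if status_rt != rt:
                findings.append((cmd.t_us, f"RT {rt}: status carries address {status_rt}"))
        i = j
    return findings


# Constructed capture (not real bus data): RT 5 transmit commands (0x2C41) and one RT 9 command (0x4C81).
CAPTURE = [
    Word(0.0,   "CMD",  0x2C41),   # BC: RT 5 transmit 1 word from subaddress 2
    Word(27.0,  "STAT", 0x2800),   # RT 5 status 7 us after the command ended (clean)
    Word(47.0,  "DATA", 0x0042),
    Word(100.0, "CMD",  0x2C41),
    Word(123.5, "STAT", 0x2800),   # a second responder answering after 3.5 us, ahead of the real RT
    Word(127.0, "STAT", 0x2800),   # the legitimate RT answers anyway: two transmitters overlap
    Word(147.0, "DATA", 0x0042),
    Word(200.0, "CMD",  0x4C81),   # BC: RT 9 transmit; no status follows (RT denied the bus)
    Word(300.0, "CMD",  0x2C41),
    Word(330.0, "STAT", 0x2800),   # 10 us: inside the 4-12 us window
    Word(350.0, "DATA", 0x0042),
]

if __name__ == "__main__":
    for t, what in audit_responses(CAPTURE):
        print(f"t={t:6.1f} us  {what}")
```

Run over the capture, the audit reports two findings against the command at 100 µs (the sub-4 µs status and the duplicate status) and one against the command at 200 µs (no status), while the clean exchanges at 0 and 300 µs produce nothing.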
Wiring failures
Most aircraft fly for decades. They age under intensive environmental conditions, and so do their 1553 buses. Sometimes 1553 buses get disconnected or shorted, couplers fail, transformers short, plugs suffer pin push-backs, and connectors get disconnected. These are damages to the cyber medium itself.
All of these failures degrade MIL-STD-1553 reliability and cause communication failures.
The impact of these communication failures is much like a DoS attack: RTs are denied the bus and live data.
MIL-STD-1553 has two redundant buses, bus A and bus B, to provide backup, and the BC can automatically retry the message on the other bus. Each bus has 2 termination resistors. 1553 is so robust that it can operate with 1 bus and 1 resistor on it.
Normally on the aircraft, the Signal to Noise Ratio (SNR) of the 1553 signal is at least 1:10, i.e., SNR > 10. But with a missing terminator resistor, or other bus faults, the SNR can drop to 1:1. In this case most messages complete OK and some fail. However, in flight, when environmental conditions are worse, the SNR drops below 1 and two things can happen:
- Messages fail with error – This is equivalent to DoS.
- Messages pass with a 2-bit flip – A 2-bit change is not detected by parity.
The latter is where it starts to get scary. MIL-STD-1553 uses 1-bit parity as word validation. Parity can detect 1, 3, 5… bit flips, but an even number of bit flips such as 2, 4, 6… bits is invisible to parity, and the message would be considered OK. Obviously the receiver would receive wrong data, which is exactly what a cyber-attacker is trying to achieve…
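The parity argument is easy to demonstrate in code. The following is an added example, not from the article or Sital Technology: it computes the 1553 odd-parity bit for a 16-bit word, shows that a single flipped bit is caught while two flipped bits pass, and then runs the same corrupted word through a message-level CRC-16, which does catch the 2-bit error. The CRC polynomial used (0x1021, CRC-CCITT) and the sample data words are assumptions for illustration; the example does not claim to reproduce the exact MIL-STD-1760 checksum algorithm.

```python
def odd_parity_bit(word16):
    """MIL-STD-1553 parity: the bit is chosen so that the 17 bits on the wire
    (16 data bits + parity) contain an odd number of ones."""
    ones = bin(word16 & 0xFFFF).count("1")
    return 0 if ones % 2 == 1 else 1


def parity_ok(word16, parity_bit):
    """Receiver-side check: the word is accepted when the total number of ones is odd."""
    return (bin(word16 & 0xFFFF).count("1") + parity_bit) % 2 == 1


def flip_bits(word16, positions):
    """Simulate noise-induced bit flips at the given bit positions (0 = least significant)."""
    for p in positions:
        word16 ^= 1 << p
    return word16 & 0xFFFF


def corruption_survives_parity(word16, positions):
    """True when the corrupted word still passes the 1-bit parity check, i.e. goes undetected."""
    return parity_ok(flip_bits(word16, positions), odd_parity_bit(word16))


def crc16(words, poly=0x1021, init=0xFFFF):
    """Bit-serial CRC-16 over a sequence of 16-bit data words, most significant bit first.
    Polynomial and initial value are illustrative assumptions (CRC-CCITT)."""
    crc = init
    for w in words:
        for i in range(15, -1, -1):
            feedback = ((crc >> 15) ^ (w >> i)) & 1
            crc = (crc << 1) & 0xFFFF
            if feedback:
                crc ^= poly
    return crc


def corruption_survives_crc(words, index, positions):
    """True when flipping bits in words[index] leaves the message CRC unchanged (undetected)."""
    corrupted = list(words)
    corrupted[index] = flip_bits(words[index], positions)
    return crc16(corrupted) == crc16(words)


# Constructed sample payload standing in for target coordinates loaded to a weapon (not real data).
TARGET_WORDS = [0x1234, 0x5678, 0x9ABC]

if __name__ == "__main__":
    w = TARGET_WORDS[1]
    print("1-bit flip passes parity:", corruption_survives_parity(w, [0]))       # False: caught
    print("2-bit flip passes parity:", corruption_survives_parity(w, [0, 15]))   # True: undetected
    print("2-bit flip passes CRC:   ", corruption_survives_crc(TARGET_WORDS, 1, [0, 15]))  # False
```

The 2-bit case flips the least and most significant bits of one word at once, so per-word parity sees an even change and accepts it, while the CRC, which checks the message as a polynomial rather than counting ones, rejects it: exactly the extra protection the next paragraphs attribute to MIL-STD-1760.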
For example, when it comes to weapon delivery, the GPS information loaded to a weapon might be corrupted by these wiring issues, and the bomb release might suffer one of:
- Least significant bits flipped – The weapon would be released, but to a slightly wrong destination!
- Most significant bits flipped – The weapon rejects the release since the corrupted GPS target is way off…
For all these reasons and more, weapon buses use MIL-STD-1760, which is based on 1553 but adds CRC checking and higher bus voltages.
The CRC would error out many more messages, and the pilots would experience lots of weapons not releasing…
Scarier still, we have encountered weapons that ignore the CRC data to assure delivery…
Ground maintenance crews are not able to find and locate these issues, since they occur during flight. As a result, we see that every squadron has a blacklist of certain tail-number aircraft tagged “sick”. They are used for training but avoided for critical missions.
Common Attack Vectors
How do attackers find their way into the 1553 bus sub-systems?
Online attack – An aircraft LRU that has both an external wireless data connection and a 1553 bus connection. The attacker remotely injects or triggers a malicious SW program that causes the LRU to execute 1553 transmissions with damaging contents on both 1553 bus A and bus B.
Supply chain attack – The LRU manufacturer or tier-1 supplier delivers a unit with malicious SW built into it. That malicious code can wait for a predefined trigger before attacking, which could be a zero-day attack.
LRU service cycle – An LRU is removed from the aircraft for maintenance, taken to service, fixed, and returned to service. During this service cycle, an attacker can inject the malicious SW. These kinds of attacks are more common with maintenance crew recruited for money, for ideology, or by blackmail.
Wiring failures – The aircraft attacks itself. The very high SNR of 1553, combined with aging, extreme environmental conditions and the inability of common 1553 maintenance tools to detect wiring degradation, leads to 1553 communication failures during a mission, with no ability to detect or solve them on the ground, post-flight.
Additional Cyber protection topics
Eavesdropping prevention – On most buses there is an intentional monitor that records the entire flight communication. Sometimes it is critical that highly classified equipment, and its associated 1553 messages, not be recorded, since the team that has access to the monitored data does not have sufficient clearance.
In those cases, a cyber filter module should prevent the unwanted messages from reaching the monitor. Commonly, a man-in-the-middle module is placed between the coupler and the monitor to filter out the classified messages.
The same goes for eavesdropping prevention in general: in that scenario, place a man-in-the-middle filter on each stub, allowing only the messages intended for that stub’s LRU.
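Both filters described here have to understand where one 1553 message ends and the next begins, otherwise a data word from a classified transfer could leak through on its own. As an added example (not the article's or Sital's filter code), the following groups a monitor's word stream into BC-RT messages from the command word's T/R bit, subaddress and word count, then applies either a per-stub allowlist (only this stub's RT address, plus broadcast) or a coupler-to-monitor deny-list keyed on (RT, subaddress). Assumptions: the monitor labels each word with its sync type ("CS" for the shared command/status sync, "D" for data sync), only BC-to-RT and RT-to-BC transfers appear (RT-to-RT transfers are not handled), and the capture is constructed.

```python
BROADCAST_RT = 31
MODE_SUBADDRESSES = (0, 31)   # subaddress 00000 or 11111 marks a mode-code command


def command_fields(word):
    """Fields of a 16-bit command word: RT address, T/R bit, subaddress, word count or mode code."""
    return (word >> 11) & 0x1F, (word >> 10) & 1, (word >> 5) & 0x1F, word & 0x1F


def group_messages(stream):
    """Cut a monitor word stream into BC-RT messages.
    stream: list of (sync, value) with sync "CS" (command/status sync) or "D" (data sync).
    Assumption: no RT-to-RT transfers; each message is command + data + status,
    with no status word when the command is broadcast."""
    messages, i = [], 0
    while i < len(stream):
        sync, word = stream[i]
        if sync != "CS":
            raise ValueError(f"expected a command word at position {i}")
        rt, tr, sa, n = command_fields(word)
        if sa in MODE_SUBADDRESSES:
            n = 1 if n >= 16 else 0          # only mode codes 16..31 carry a data word
        expected = 1 + n + (0 if rt == BROADCAST_RT else 1)
        words = stream[i:i + expected]
        if len(words) < expected:
            raise ValueError(f"truncated message at position {i}")
        messages.append({"rt": rt, "tr": tr, "subaddress": sa, "words": words})
        i += expected
    return messages


def stub_filter(stream, stub_rt):
    """Per-stub man-in-the-middle filter: pass only messages for this stub's RT (or broadcast)."""
    passed = []
    for m in group_messages(stream):
        if m["rt"] in (stub_rt, BROADCAST_RT):
            passed.extend(m["words"])
    return passed


def monitor_filter(stream, classified):
    """Coupler-to-monitor filter: drop whole messages whose (rt, subaddress) is classified."""
    passed = []
    for m in group_messages(stream):
        if (m["rt"], m["subaddress"]) not in classified:
            passed.extend(m["words"])
    return passed


# Constructed monitor capture (not real bus data): four BC-RT messages.
STREAM = [
    ("CS", 0x2822), ("D", 0x1111), ("D", 0x2222), ("CS", 0x2800),  # BC -> RT 5, subaddress 1, 2 words, status
    ("CS", 0x4C81), ("CS", 0x4800), ("D", 0x3333),                 # RT 9 transmit, subaddress 4, 1 word
    ("CS", 0xF811), ("D", 0x0042),                                 # broadcast mode code 17 (synchronize with data)
    ("CS", 0x2C41), ("CS", 0x2800), ("D", 0x4444),                 # RT 5 transmit, subaddress 2, 1 word
]

if __name__ == "__main__":
    print(len(stub_filter(STREAM, 5)), "of", len(STREAM), "words reach the RT 5 stub")
    print(len(monitor_filter(STREAM, {(5, 2)})), "of", len(STREAM), "words reach the monitor")
```

Because the filter drops or passes complete messages, the RT 9 stub never sees RT 5's data words, and a monitor configured with (5, 2) as classified loses the whole transmit message including its status word, not just the command.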
Schematic and component cyber-attack – We have seen complete squadrons with 1553 buses having a single termination resistor instead of two.
In one event, on a UAV, a “3-stub with termination” coupler was wrongly replaced with a “3-stub without terminator” coupler, and the entire fleet suffered from a single termination with very low SNR, causing multiple communication failures during flight and no issue detection on the ground.
In a second event, a fighter jet was upgraded to add an LRU to the 1553 bus. During this add-on, a coupler was added to the bus. The coupler has 2 bus ports and a single stub port. In the upgrade schematic, the stub port and the bus port were swapped, leaving the terminator on the stub and the added LRU on the second bus port of the coupler. This degraded the SNR dramatically, but not enough to be detected on the ground.