Cyber safety and security for Reduced Crew Operations (RCO)

Presents a collection of slides covering the following topics: aircraft safety; reduced crew operations; aircraft data communications; ground communications; and cryptography.


Overview and Problem Statement
Honeywell
• This presentation contains preliminary results from a program Honeywell is performing for NASA.
• Problem Statement: Significant safety hazards will be introduced into the system for Reduced Crew Operations (RCO) when the traditional two-pilot cockpit is transformed into one-pilot operation with support from another person on the ground.
  - For ground personnel to control an aircraft, the equipment added for RCO operations will have to be highly invasive into existing safety-critical aircraft systems
  - Will require a highly reliable data communication system that offers very low latency and jitter, as well as high data integrity and authentication

Airborne Crew (AC) versus Ground Crew (GC)
• There are several scenarios for differing levels of autonomy and authority of GC versus AC as to who is pilot in command (PIC) and other responsibilities
  - AC is pilot in command, GC is just standby redundancy
  - AC is pilot in command, GC is active second pilot
    • "Another pair of eyes" (sharing the "see and avoid" responsibility)
    • What are the GC's "eyes"? Add multiple video cameras? (high bandwidth, low round-trip latency, shared "ether", safety-critical)
  - GC is pilot in command, AC is active second pilot
  - GC is pilot in command, AC is just standby
  - To what extent should we address rogue pilots? How many of the ways a rogue pilot can crash an airplane can/should we protect against (e.g., lowering the landing gear at speed, differential flaps, all of the critical circuit breakers on the cockpit ceiling)?
  - Where does the ground crew interface into aircraft systems?
  - What protections do we provide for normal aircraft system component failure versus malicious human influence?
• "Murphy versus Satan" (natural failures vs. human threats, respectively)
  - For 10^-9 requirements, Murphy is indistinguishable from Satan, except for coordinated attacks against independent components
  - What is the proper balance of integrity versus availability?
• Suspect that this degree of invasiveness was not foreseen by RCO proponents, who may be thinking only of intercepting the control path from stick/rudder to flight surfaces

RCO System Architecture
• Depending on requirements for handling rogue pilots, may need to intercept all systems that could possibly cause an aircraft to not continue safe flight (including systems not in the three traditional control layers: FMS, autopilot, flight control).
• Even without a rogue pilot (i.e., just "benign" loss of pilot), many systems will need to be intercepted to provide a ground override (a dying pilot falls on the stick or flails and hits ...).
• A couple of possible on-aircraft architectures (both are safety-critical and highly disruptive to current aircraft systems)
[architecture diagrams not reproduced in this extraction]

Preliminary A's for Degree of Ground Authority
Q: Can RCO ground communications be used to assist (partially*) able-bodied airborne crew?
A: Yes. This is the most studied and easiest case.
Cost would depend on the degree of assistance.
Q: Can RCO ground communications be used to take over for totally incapacitated* airborne crew?
A: This probably will be required for single airborne crew.
  - Too invasive and expensive to retrofit into existing aircraft.
  - Possible, but still very invasive and expensive for future aircraft designs.
  - May have the same security issues as the next question (next slide). That is, if the crew is not incapacitated, can they prevent an adversarial ground control (e.g., rogue or spoof) from taking control, given this level of invasiveness?
* Note: It is not uncommon to have an incapacitated crew member. In the UK, there were 32 in 2009 and 36 in 2004 (roughly 1 per 10 days). This actually is better than the 1% probability per year rule.
Q: Can RCO ground communications be used to override a rogue airborne crew (e.g., suicide)?
A: This leads to some troubling questions. "Who has the ultimate authority (air or ground)?" The answer to this must be the same for all situations. Otherwise, who has the authority to decide what the situation is? Obviously, the ultimate authority would have to be the ground for this level of control. But why should a ground crew be any less prone to going rogue than an airborne crew? One can argue that there is a greater probability of a ground crew going rogue (they don't have to face certain death), and they can crash more than one aircraft. One could envision a redundant ground crew. But they would have to be totally independent (including independent communication channels to the aircraft), and these redundancies could only be used for integrity, not availability. So this would require two ground crews to replace one airborne crew (could be timeshared among a few aircraft). Add the cost of two ground crews to the high cost of very invasive avionics, and the economics doesn't look very promising.

• Looked at R&D done in adjacent fields
  - UASs (no airborne crew to share control responsibility)
    • Looking at communication issues (availability, safety, and security)
  - Autonomous ground vehicles (shared responsibility issue)
    • Looking at the issue of full autonomy versus shared responsibility
    • Ford and Volvo (known to stress safety in their marketing) both say that the possible interim step to fully autonomous vehicles, where the driving responsibility is shared between an autonomous digital driving system and human drivers, can't be done safely. The problem is the handoff from the digital system back to the human driver when something unexpected happens. Designers can't anticipate every possible situation a vehicle can encounter.
    • "Right now, there's no good answer, which is why we're kind of avoiding that space" -- Dr. Ken Washington, Ford's VP of research and advanced engineering

Control Hand-Back Problems
• Time to get to the controls, when out of the cockpit
  - Delta (Chautauqua) 6132: captain stuck in the lavatory due to the door latch being broken, had to break down the door
  - A common reason for leaving the cockpit is to investigate an abnormal situation (e.g., smoke). One can argue this is precisely the wrong time to leave the cockpit unattended (the abnormality being investigated could cause a loss of RCO communication or its interface to critical systems).
• First corollary of Murphy's Law: When things do go wrong, they will go wrong at the most inopportune time.

Typical Abnormality Requiring Crew to Leave Cockpit
A half-hour into a scheduled 12-hour flight, a cockpit crew member rushed to the rear of the airplane to investigate the smell of smoke. In RCO, this would have been the whole crew (!), away from the cockpit for a significant amount of time. This is not a very unusual scenario.
The airplane returned to Seattle for overnight repairs.
Control Hand-Back Problems (cont.)
• Time to get to the controls, when in the cockpit
  - Aeroflot 593 (A-310): the pilot's son accidentally disengaged the autopilot. Children in the way plus g-forces prevented the crew from getting back into their seats and at the controls in time. All 63 passengers and 12 crew members died in the crash.
• Once at the controls, time to regain situational awareness under normal conditions
  - Air Canada 878 (B-767): "Under the effects of significant sleep inertia (when performance and situational awareness are degraded immediately after waking up)," a pilot mistook the planet Venus for the lights of another airplane on a collision course and dove to avoid it. When the plane nosedived, 14 passengers and two crew members were injured because they were not wearing seatbelts.
  - Audi says its tests show it takes an average of 3 to 7 seconds, and as long as 10, for a driver to snap to attention and take control, even with flashing lights and verbal warnings.
• Dealing with abnormal situations may require additional airborne crew, versus a reduction in crew

Qantas A380 Engine Fan Blade Separation (cont.)
12 Loss of one generator and associated systems [electrical busses 1 and 2 failed]
13 Loss of brake anti-skid system
14 No. 1 engine could not be shut down in the usual way after landing because of major damage to systems
15 No. 1 engine could not be shut down using the fire switch, which meant fire extinguishers wouldn't work
16 There were 58 different ECAM warning messages, plus an unknown number of ACARS messages
17 Fuel was trapped in the trim tank (in the tail), creating a balance problem for landing
18 Left wing forward spar penetrated by debris
Only one engine (of 4) was working normally with thrust reversing. Four blown tires. Leaked fuel on 1600°F wheels.
Richard Woodward (a Qantas A380 pilot and deputy president of the Australian and International Pilots Association) said that the "number of failures is unprecedented, [...] There is probably a one in 100 million chance to have all that go wrong." But there have been over a half-dozen previous similar incidents (the Sioux City DC-10 crash is well known).

"Those who cannot remember the past are condemned to repeat it."
Are There Real Communication Threats?

• Would someone really try to interfere with the flight of an RCO aircraft or is this just a "Hollywood" fantasy?
• "Just because you're paranoid, that doesn't mean that they are not out to get you."
  - Individuals
    • Officially called "phantom controller" (a.k.a. "bogus", "fake", "phony")
    • U.K. (18 in 1999), U.S. ("several times a year")
    • Underreported (this is hard to verify, but from reasonable sources)
    • Jim Epik's book "Phantom Controller" and petition to encrypt ATC comms
  - Ad hoc / transitory groups
• Yes, we have to assume there will be actors who are out to get us.

Each transmission loop incurs the latency of two encrypts and two decrypts. If AES (or a similar block cipher) is used to provide secrecy and integrity, a block (e.g., 128 bits) of store-and-forward latency has to be added, plus the latency for any added initialization vector (IV) and/or integrity data (e.g., 32 bits each). These latencies depend on communication speed (the slower the link, the longer these latencies), and they have to be added to the crypto computation latencies. The sum of these latencies doubles if handshakes (e.g., ACK/NAK) are used and are encrypted.

Does the sum of all these added latencies exceed the round-trip latency constraints?
UASs solve this problem with very high-speed (e.g., 10 Gbps) communication links and special hardware encryption (e.g., KG-340 encryptors and Single-Chip Crypto field programmable gate arrays), or use video compression (which is still > 10 Mbps per video stream).
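The latency arithmetic on the preceding slide is easy to get wrong by hand, so the following is an added example (written for this page, not code from the Honeywell/NASA program) that models exactly the terms the slide lists: block store-and-forward, IV and integrity-tag bits on the wire, one encrypt plus one decrypt per direction, two directions per loop, and a further doubling for an encrypted ACK/NAK handshake. The 128/32/32-bit sizes are the slide's; the link rates, per-operation compute times and the 50 ms budget are assumptions chosen only to show a narrowband link failing the budget and a 10 Gbps link passing it.

```python
"""
Added example (not from the original deck): a latency budget for an encrypted
RCO command/response loop, using the terms named on the slide.  Link rates,
compute latencies and the round-trip budget are assumptions for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedLink:
    link_bps: float            # raw link rate in bit/s (assumed per scenario)
    crypt_op_s: float          # time for one encrypt or one decrypt (assumed)
    block_bits: int = 128      # block-cipher block size (AES, per the slide)
    iv_bits: int = 32          # per-message IV/nonce, the slide's example size
    tag_bits: int = 32         # per-message integrity data, the slide's example size

    def serialization_s(self, bits: int) -> float:
        """Time for `bits` to cross the link at the raw link rate."""
        return bits / self.link_bps

    def one_way_added_s(self) -> float:
        """Added latency in one direction: the receiver must buffer a full
        block before it can decrypt (store-and-forward), the IV and tag must
        also be carried, and one encrypt plus one decrypt are computed."""
        wire_bits = self.block_bits + self.iv_bits + self.tag_bits
        return self.serialization_s(wire_bits) + 2 * self.crypt_op_s

    def loop_added_s(self, encrypted_handshake: bool) -> float:
        """Added latency for one command/response loop: two directions
        (two encrypts and two decrypts in total), doubled again when an
        encrypted ACK/NAK handshake is layered on top."""
        loop = 2 * self.one_way_added_s()
        return 2 * loop if encrypted_handshake else loop

    def fits_budget(self, round_trip_budget_s: float, encrypted_handshake: bool) -> bool:
        """Does the crypto overhead alone fit inside the round-trip allowance?"""
        return self.loop_added_s(encrypted_handshake) <= round_trip_budget_s

    def min_link_bps_for(self, round_trip_budget_s: float, encrypted_handshake: bool) -> float:
        """Smallest link rate at which the added crypto latency fits the
        budget.  Returns math.inf when the compute latency alone (which no
        faster link can remove) already exceeds the budget."""
        loops = 2 if encrypted_handshake else 1
        per_direction_budget = round_trip_budget_s / (2 * loops)
        wire_budget = per_direction_budget - 2 * self.crypt_op_s
        if wire_budget <= 0:
            return math.inf
        return (self.block_bits + self.iv_bits + self.tag_bits) / wire_budget


# Constructed scenarios; every number here is an assumption, not a measurement.
SLOW_LINK = EncryptedLink(link_bps=9_600, crypt_op_s=0.001)   # narrowband datalink, software crypto
FAST_LINK = EncryptedLink(link_bps=10e9, crypt_op_s=1e-6)     # 10 Gbps link with hardware crypto
BUDGET_S = 0.050   # assumed 50 ms allowance for crypto overhead within the control loop


def report(link: EncryptedLink, budget_s: float = BUDGET_S) -> dict:
    """Summarize one link against the budget, with and without an encrypted handshake."""
    return {
        "loop_ms": 1e3 * link.loop_added_s(encrypted_handshake=False),
        "loop_with_handshake_ms": 1e3 * link.loop_added_s(encrypted_handshake=True),
        "fits": link.fits_budget(budget_s, encrypted_handshake=False),
        "fits_with_handshake": link.fits_budget(budget_s, encrypted_handshake=True),
        "min_bps_with_handshake": link.min_link_bps_for(budget_s, encrypted_handshake=True),
    }


if __name__ == "__main__":
    for name, link in (("slow", SLOW_LINK), ("fast", FAST_LINK)):
        print(name, report(link))
```

On the assumed 9.6 kbps link the loop costs 44 ms without a handshake and 88 ms with one, so the encrypted handshake alone breaks the 50 ms allowance and the model reports that roughly 18.3 kbps would be needed to recover it; on the 10 Gbps link the wire terms vanish and only the compute term remains, which is the slide's point about why UASs pair fast links with hardware encryptors. Two caveats a practitioner should keep in mind: the model counts only the crypto-induced terms the slide names, so propagation and queuing delay must still be charged against the same round-trip constraint; and with a counter-mode keystream the full-block buffering term can be dropped, but the integrity tag still forces the receiver to hold the whole message before acting on it, so the tag term does not go away.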
Don't Re-invent the Wheel
• Not much R&D done for aircraft RCO safety/security
  - Mostly human factors related (e.g., workload/stress reduction)
  - Safety, security, and certification rarely addressed (skipping the difficult stuff = "design procrastination")

* www.wired.com/2015/01/rode-500-miles-self-driving-car-saw-future-boring (emphasis added)

Qantas A380 Engine Fan Blade Separation
1 Massive fuel leak in the left mid fuel tank (there are 11 tanks, including the tail's horizontal stabilizer)
2 Massive fuel leak in the left inner fuel tank
3 A hole on the flap fairing big enough to climb through
4 Aft fuel system failed, preventing many fuel transfer functions
5 Problem jettisoning fuel [180K lbs]
6 Massive hole in the top of the wing
7 Partial failure of leading edge slats
8 Partial failure of speed brakes and ground spoilers [and ailerons]
9 Shrapnel damage to the flaps
10 Loss of all hydraulic fluid in one of the jet's two systems
11 Manual extension required for landing gear [gravity drop]
[photo of the damaged No. 2 engine not reproduced in this extraction]

Control Hand-Back Problems (cont.)
  - "... anyone who gets behind the wheel [of a semi-autonomous car] must be properly trained. For Audi, this means learning to be a better than average driver. [...] if you need to grab the wheel, the" [quotation cut off in the extraction]