Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.
Systems Design of Cyber Security in Embedded Systems
Embedded systems that are mission oriented are referred to as critical embedded systems. This paper describes the design approach to cyber security for a mission-oriented embedded system, an avionic computer in its early development stage, and observes its behavior under attack. The avionic computer is used to monitor and control the operations of unmanned aerial vehicles such as drones, which are usually prone to cyber-attacks. It is an incremental development process for managing R&D projects, in which features are added to the system one by one and tested each time until the system is complete.
The main objective of this paper is to describe the use of a systems design approach in the development of a cyber-resilient avionic computer architecture. A few of the design principles are: minimizing the trusted units, as they are prone to attack; techniques such as cryptography and key management for the protection of data; and randomization and diversification of critical functions to nullify break-one-break-all situations. The two most important cybersecurity features in this architecture are the use of a separation kernel, and crypto and key management. The separation kernel provides a virtual distributed environment in which every process is executed in its own separate partition. Information therefore flows from one partition to another only via an established channel, under the control of the separation kernel. An individual process can be reloaded and restarted, which paves the way for a modular design. The confidentiality and integrity of the data are assured by cryptography.
The architecture is divided into software and hardware layers. The hardware layer comprises processor cores, FPGA fabrics and associated memories. Along with a network interface, the architecture also has an extension to an avionic data bus system, for example the 1553 bus usually used in military aircraft. Data and code at rest, in transit and in use are protected by encryption using a key-centric secure thread processor, ensuring security for the complete system. This secure processor also manages secure booting and authenticates the configuration at startup. The architecture has a crypto and key management co-processor, such as SCOP (security coprocessor), intended to provide crypto services to the software layer. The architecture and the board support packages provide the interface between the hardware and software layers. Applications such as the APM (autopilot module) and intelligence and surveillance payloads run in their respective partitions on top of the separation kernel. A crypto service provides the API through which software reaches the crypto and key management coprocessor in the hardware layer. The architecture also provides recovery services, which are essential for the recovery of functions.
The design approach also focuses on system behavior: how well the system reacts and responds under successful attacks. In order to define and evaluate mission-level recovery metrics, we need to know the mission objectives and the types of attack the system might encounter. Since it is not possible to predict all attacks, the author considers high-level attacks such as loss of communication. These objectives and attacks lead to a risk analysis graph (RAG). The RAG also covers the dependencies of the mission objectives on system and subsystem functions, and the connection between system-level metrics (system reboot time, data access time) and mission-level metrics. To estimate mission objective failure, the author relies on subject matter expert assessments and system-level metrics. The RAG acts as a tool for strengthening the architecture.
The author explains this with the example of a simple mission objective, reaching and reporting from multiple waypoints, and an attacker whose intention is to make the mission objective fail. Here the UAV is the drone (mission computer), which is controlled and monitored wirelessly by a pilot, and there is a ground control station which receives and displays data from the drone. The mission computer in the drone is thus accountable for reaching and reporting from the waypoints. Since it is difficult to consider all possible attacks, accurate threat models decided by the mission objectives and CONOPS (concept of operations) are considered. Here the author assumes that the drone will be the target of an attacker who injects malicious commands into the drone (APM) and misguides it away from the waypoints. Next comes the recovery scheme. It is the simplest scheme, in which the system has two APMs, one being the main and the other a backup for recovery. In the usual case the main APM controls the drone according to the flight instructions; if its security has been compromised and it is under attack, the APM issues malicious instructions. These attacks are detected by the monitoring service, which directs the resilient APM to take over. There is also a recovery service which ensures the reloading and restarting of the main APM. After receiving the acknowledgement from the main APM of its successful reboot, the recovery service gives control back to the main APM. Monitoring and recovery services are included incrementally while the system is being developed.
Simulation modeling is used to analyze the above architecture. The Simulink model has a resilient architecture model and an attack module. The attack module is user configurable: the user can select any attack from the probability model at random times. The user can also set two parameters, the attack detection latency and the reboot latency. We can also compare the performance of the architecture with and without resiliency by switching this feature on or off. We see that the mission goal of reaching the waypoints depends on system functions, i.e. positive flight control. Such dependencies can be used to find lower-level subsystem functions. The diagrams are currently developed manually by analyzing the system and subsystem functions hierarchically; in future, automation tools could be developed for creating the diagrams. We also apply one of the approaches adopted by NASA, fault tree analysis, in which the function dependency graph and the attack categories develop the RAG. Along with the development of the system design architecture, a quasi-quantitative metric to compare the cost and benefits of this and other recovery architectures is also an objective of this paper.
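As an added illustration, not from the paper or this essay, the following Python model walks through the dual-APM recovery scheme described above and exposes the two simulation parameters (attack detection latency and reboot latency) so the resilient and non-resilient cases can be compared; the time steps, the attack onset and the mission tolerance threshold are constructed assumptions, not values from the paper.

```python
# Constructed discrete-time model of the dual-APM recovery scheme; not the paper's Simulink model.
from dataclasses import dataclass

@dataclass
class Params:
    attack_step: int        # step at which the main APM starts issuing attacker commands
    detection_latency: int  # steps the monitoring service needs to flag the attack
    reboot_latency: int     # steps the recovery service needs to reload/restart main APM
    resilient: bool = True  # False models the architecture without backup and recovery
    horizon: int = 100      # length of the simulated flight in steps (assumed)

def simulate(p: Params) -> dict:
    """Run the flight and return misguided steps plus who held control at each step."""
    controller = "main"     # which APM drives the flight controls
    main_state = "ok"       # ok | compromised | rebooting
    reboot_done_at = None
    misguided_steps = 0     # system-level metric: steps flown on attacker commands
    timeline = []
    for t in range(p.horizon):
        if t == p.attack_step:
            main_state = "compromised"      # injected commands now come from main APM
        if controller == "main" and main_state == "compromised":
            if p.resilient and t >= p.attack_step + p.detection_latency:
                # Monitoring service detects the attack: backup APM takes over and the
                # recovery service starts reloading and restarting the main APM.
                controller = "backup"
                main_state = "rebooting"
                reboot_done_at = t + p.reboot_latency
            else:
                misguided_steps += 1        # attacker commands reach the flight controls
        elif main_state == "rebooting" and t == reboot_done_at:
            # Main APM acknowledges a clean restart; recovery service hands control back.
            main_state = "ok"
            controller = "main"
        timeline.append(controller)
    return {"misguided_steps": misguided_steps, "timeline": timeline}

def mission_ok(result: dict, max_misguided_steps: int) -> bool:
    """Mission-level metric (assumed): the waypoints remain reachable only if the
    drone was misguided for at most max_misguided_steps steps."""
    return result["misguided_steps"] <= max_misguided_steps

def compare(attack_step: int, detection_latency: int, reboot_latency: int) -> dict:
    """Misguided steps with resiliency switched on versus off for the same attack."""
    on = simulate(Params(attack_step, detection_latency, reboot_latency, True))
    off = simulate(Params(attack_step, detection_latency, reboot_latency, False))
    return {"resilient": on["misguided_steps"], "non_resilient": off["misguided_steps"]}
```

With resiliency on, the misguided time equals the detection latency and the backup flies for exactly the reboot latency; with it off, the drone stays misguided for the rest of the flight, which is the dependency from system-level to mission-level metrics that the RAG captures.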
The conclusion of this paper is the provision of tools for development and analysis to demonstrate the cyber security of the system in its design phase. Here the analysis of cyber security was restricted to the use of probability and statistics; Bayesian network functions could also be used for this purpose. In future the design methodology can be improved through research and experiments to develop accurate and appropriate system-level metrics.