The present invention relates generally to cyber security and, more particularly, to safeguarding avionics from anomalies due to programming errors.
In recent years, there has been an increased interest with respect to understanding and improving cyber security aspects of aeronautical platforms and weapon systems. This activity involves understanding the potential threat to legacy and future weapon systems; discovering, characterizing, and mitigating cyber related issues; and developing protections to reduce the risk of avionics operating outside of their intended domain.
Before a threat to the internal processing of a system can be mitigated, the particular threat must be generally identified. However, there are circumstances wherein either the risk of loss is so great, or the number and types of viable threats are so varied, that it becomes prudent to employ physical barriers. One method is to provide an air-gap between the protected system and external devices. With the exception of auxiliary channels that will not be discussed herein, in an air-gapped system, data can only enter or leave the system through external media or changes in hardware or firmware. As long as users do not knowingly or unknowingly introduce coding errors into the system, the air-gapped system is robust to a tremendous number of attack vectors.
One such threat could come from adding or changing hardware that is part of the air-gapped system. In an aeronautic platform, a central processor or bus controller must communicate with numerous peripheral units within the aircraft. Some of these peripheral units are configured to both receive and transmit data over a common bi-directional data bus. Conversely, other peripheral devices are configured to only receive data from the bi-directional bus.
One threat related to peripheral devices is applied to data logging devices or other “receive-only” devices. If a receive-only device is removed and replaced from a system, particular care must be taken to ensure that the contents of the replacement unit have not been adulterated. For example, counterfeit parts entering the supply chain may enable avenues of introducing malicious code. Moreover, since the receive-only device may be surreptitiously modified to enable bi-directional communication on the bi-directional common bus, factory-introduced malicious code would be capable of traveling upstream on the bi-directional common bus.
As a result, there exists an unmet need in the art for improved apparatus and methods for converting a portion of a bi-directional analog channel into a uni-directional channel to counteract any possibility that a device could transmit unknowingly.
The present invention overcomes the foregoing problems and other shortcomings, drawbacks, and challenges of protecting control systems, having a common bi-directional bus, from unintended code execution. While the invention will be described in connection with certain embodiments, it will be understood that the invention is not limited to these embodiments. To the contrary, this invention includes all alternatives, modifications, and equivalents as may be included within the spirit and scope of the present invention.
According to one embodiment of the present invention, an apparatus for inhibiting data on a bi-directional bus is provided. The apparatus includes a first portion having a first analog port and a digital output. A second portion has a second analog port and a digital input, and the digital output is operably coupled to the first digital input. The digital output of the first portion is configured to produce a digital representation of an analog input signal presented to the first analog port. Likewise, the second analog port of the second portion is configured to produce an analog output representation of a digital signal presented to the digital input. The first and second portion cooperate to inhibit the propagation of data presented to the second analog port as an input.
According to another embodiment of the disclosed invention, a method for inhibiting data on a bi-directional bus is provided. The method includes providing a first portion having a first analog port and a digital output. The first portion is configured to translate analog data presented to the first analog port into a digital representation at the digital output while rejecting any input of data to the digital output. A second portion, having a second analog port and a digital input, is also provided. The second portion is configured to translate digital data that is presented to the digital input into an analog representation at the second analog port while rejecting any input of data to the second analog port. The digital output of the first portion is electrically coupled to the digital input of the second portion to permit data to pass in a downstream direction established from the first portion to the second portion, and to inhibit the propagation of data in an upstream direction established from the second portion to the first portion.
Additional objects, advantages, and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the present invention and, together with a general description of the invention given above, and the detailed description of the embodiments given below, serve to explain the principles of the present invention.
It should be understood that the appended drawings are not necessarily to scale, presenting a somewhat simplified representation of various features illustrative of the basic principles of the invention. The specific design features of the sequence of operations as disclosed herein, including, for example, specific dimensions, orientations, locations, and shapes of various illustrated components, will be determined in part by the particular intended application and use environment. Certain features of the illustrated embodiments have been enlarged or distorted relative to others to facilitate visualization and clear understanding. In particular, thin features may be thickened, for example, for clarity or illustration.
In some industrial control systems, a common bus is provided to interface with a plurality of processors, sensors, or other peripheral devices. In some embodiments, a bi-directional analog bus is provided to serve as a backbone for such devices. One such example of an analog bi-directional bus is related to use in military avionics systems.
The MIL-STD-1553 avionics bus is a bi-directional (half duplex), analog, balanced line protocol. While optical variations exist, the physical layer of the bus frequently consists of a single shielded twisted pair having a characteristic impedance between 70-85 ohms at 1 MHz. Redundant variations exist, wherein a primary and secondary/tertiary channel are provided via independent additional shielded twisted pairs. This enables continued operability in an event that one channel is physically damaged or otherwise disabled.
A plurality of modules, peripherals, or Line Replaceable Units (LRUs) are coupled to the bus, and may be configured to transmit and receive data to other LRUs or a Bus Controller (BC). The LRUs may comprise remote terminals, monitors or data recorders, or the like. While the majority of LRUs require bi-directional access, a non-trivial minority of LRUs are configured to operate as uni-directional units. For example, a data logger or a Heads Up Display (HUD) is configured to serve as a receive-only uni-directional device. However, it must be recognized that by interfacing with the bus, a data logger has the potential to access bi-directional capabilities of the bus, and in turn access other LRUs.
The LRUs may be chained together in parallel to the shielded twisted pair bus using twin-axial connectors known to one of ordinary skill in the art. Some LRUs may tap the bus by way of a stub transformer. Such stub transformers are intended to isolate and protect the bus from damaged LRUs connected thereto. For example, an open circuit, or short circuited secondary coil of a stub transformer would be invisible to a bus connected to a corresponding primary coil. Dead ends of the bus are capped using appropriately line-matched resistive terminators.
Embodiments of the disclosed invention are directed to interfacing between a uni-directional LRU (ULRU), and the bus, and are configured to inhibit a ULRU from unintentionally transmitting data or signals (with respect to the disclosed invention, malicious signals, malicious code, and malicious data may be used interchangeably) to the bus.
Turning attention to
The apparatus 10 includes a first portion 12 and a second portion 14. In one embodiment, the first portion 12 may be an analog to digital converter (ADC), and the second portion 14 may be a digital to analog converter (DAC). An analog input 16 is electrically coupled to the first portion 12 in accordance with termination methods and connectorization known to one of ordinary skill in the art. One or more digital outputs 18 of the first portion 12 are electrically coupled to a corresponding number of digital inputs 20 of the second portion 14. The quantity of digital outputs 18 and digital inputs 20 is a function of the resolution of the ADC and DAC, and will vary depending upon design objectives under varied operating environments and conditions.
An analog output 22 is likewise coupled to the second portion 14 in accordance with termination methods and connectorization known to one of ordinary skill in the art. External to the apparatus 10, the analog input 16 establishes an interface with an active bus 30 (the portion of the global bus that is capable of propagating malicious code to other connected LRUs) and the analog output 22 establishes an interface with a protected bus 32 (the portion of the global bus wherein malicious code deposited thereon cannot be propagated to other connected LRUs). A protected ULRU (PULRU) 34 is deemed to be downstream 36 of the apparatus 10, and the active bus 30 is defined as being upstream 38 of the apparatus 10.
In one embodiment, the analog input 16 is coupled to a MIL-STD 1553 active bus 30. When the first portion 12 receives the MIL-STD 1553 signals, it converts them to 2 digital signals (again, the two digital lines 40 are exemplary, and the quantity will vary with design objectives). These digital signals exiting the digital outputs 18 are propagated into the digital inputs 20 of the second portion 14. The signals on the digital inputs 20 of the second portion 14 are decoded and sent to the analog output 22. In sum, the cooperating first portion 12 and second portion 14 replicate the data from the analog input 16 to the analog output 22.
Since the first portion 12 is configured as an ADC, and the second portion 14 is configured as a DAC, the flow of upstream 38 data can pass freely to the downstream 36 direction (and connected PULRU 34). However, since the second portion 14 is configured as a DAC, it is not possible for the second portion 14 to receive data on the analog output 22, and it is further unable to propagate any presented data upstream 38 back through the first portion 12 to the active bus 30. In this way, an unapproved or untested LRU installed as a PULRU 34 between the apparatus 10 and the active bus 30 is rendered impotent with respect to adversely impacting other LRUs upstream 38 on the active bus 30.
The disclosed configuration advantageously establishes the protected bus 32 without having a negative impact on bus traffic latency. It is further noted that disposing the apparatus 10 between a stub transformer and a PULRU 34 serves to protect the active bus 30 only from the PULRU's 34 emissions. However, if the apparatus 10 is inserted at a midpoint of the bus, for example having three upstream 38 LRUs and three downstream 36 LRUs, all downstream 36 LRUs will be capable of communicating with each other while simultaneously being prohibited from forwarding data upstream 38 of the apparatus 10.
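The two placements described above can be compared with a small reachability model. The following Python sketch is an added illustration, not part of the original disclosure; the class, the segment names, and the LRU names (BC, RT1, RT2, LOGGER, HUD, RECORDER) are constructed for the example. It treats each bus segment as a shared medium and the apparatus 10 as a link that signals cross only from its ADC side to its DAC side.

```python
from collections import defaultdict, deque


class BusModel:
    """Bus segments joined by one-way apparatus links (constructed model)."""

    def __init__(self):
        self.segment_of = {}             # LRU name -> segment it taps
        self.one_way = defaultdict(set)  # segment -> segments fed via an apparatus

    def attach(self, segment, *lrus):
        for lru in lrus:
            self.segment_of[lru] = segment

    def add_apparatus(self, upstream, downstream):
        # ADC side faces `upstream`, DAC side faces `downstream`:
        # signals cross from upstream to downstream only.
        self.one_way[upstream].add(downstream)

    def heard_by(self, transmitter):
        """Return the LRUs that would see a signal emitted by `transmitter`."""
        start = self.segment_of[transmitter]
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in self.one_way[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return {lru for lru, seg in self.segment_of.items()
                if seg in seen and lru != transmitter}


def unprotected():
    # Receive-only logger tapped directly onto the active bus.
    m = BusModel()
    m.attach("active", "BC", "RT1", "RT2", "LOGGER")
    return m


def stub_placement():
    # Apparatus between the stub and a single protected unit.
    m = BusModel()
    m.attach("active", "BC", "RT1", "RT2")
    m.attach("protected", "LOGGER")
    m.add_apparatus("active", "protected")
    return m


def midpoint_placement():
    # Apparatus at a midpoint: three upstream and three downstream LRUs.
    m = BusModel()
    m.attach("active", "BC", "RT1", "RT2")
    m.attach("protected", "LOGGER", "HUD", "RECORDER")
    m.add_apparatus("active", "protected")
    return m


if __name__ == "__main__":
    for name, build in [("unprotected", unprotected),
                        ("stub", stub_placement),
                        ("midpoint", midpoint_placement)]:
        model = build()
        print(name, "LOGGER is heard by:", sorted(model.heard_by("LOGGER")))
        print(name, "BC is heard by:", sorted(model.heard_by("BC")))
```

In the midpoint case the model shows the downstream units still hearing one another, so a modified unit on the protected bus 32 remains visible to its downstream neighbours even though nothing it emits reaches the active bus 30.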
In other embodiments of the disclosed invention, the first portion 12 is a commercial off the shelf MIL-STD 1553 capable transceiver, and the second portion 14 is also a commercial off the shelf MIL-STD 1553 capable transceiver. First behavior pins 50 of the first portion 12 transceiver are configured to inhibit transmission and enable reception at the first analog port 52. Likewise, second behavior pins 54 are configured to enable transmission and inhibit reception at the second analog port 56. Of course, it is possible to configure one of the first portion 12 or second portion 14 as a DAC/ADC, and the alternate one of the first portion 12 or the second portion 14 as an appropriately configured transceiver, should design objectives require.
It will be recognized that depending on the selected transceiver, the first and second behavior pins 50 and 54 may depart from being discrete conductors exiting a chipset. By way of example and not limitation, the behavior pins may be a DIP switch having a plurality of SPDT or SPST switches, a rotary selector, a software selection in a field programmable array emulation, a fusible link, or the like. In any event, tying the behavior pins 50 and 54 to high, ground, or related manipulation thereof, will establish the behavior of the first and second analog ports 52 and 56 to comport with the proper operation of the apparatus 10. Tying the behavior pins 50 or 54 to high, ground, or the like, to yield a desired behavior of the first analog port 52 or second analog port 56, may be referred to as selecting or configuring the behavior pin to produce the desired behavior.
Regardless if the first and second portion 12 and 14 are implemented as DACs or transceivers, the apparatus 10 serves to protect the active bus 30 from electrical problems (such as signal interference, open circuits, short circuits, etc.) arising from physical damage on the downstream 36 side of the apparatus 10. This protection from the aforementioned electrical problems is more robust than the physical protection afforded by stub transformers.
It will be recognized by one of ordinary skill in the art that depending on the protocol used by the native bus, adaptors, converters, conditioners, or the like may be placed upstream 38 or downstream 36 of the apparatus 10. Optimally, appropriately selected transceivers would possess such conversion capabilities internally, but the use of adaptors, converters, conditioners, or the like may be applied in conjunction with both transceiver-type embodiments and DAC/ADC capabilities.
While the present invention has been illustrated by a description of one or more embodiments thereof and while these embodiments have been described in considerable detail, they are not intended to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. The invention in its broader aspects is therefore not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departing from the scope of the general inventive concept.
The invention described herein may be manufactured and used by or for the Government of the United States for all governmental purposes without the payment of any royalty.