Existing aircraft flight data and communication systems present a number of problems that have not yet been resolved, as discussed below. Traditional aircraft communications systems support both safety-affecting and non-safety-affecting communications but have limited functionality and capacity. Research and the resulting development of improvements to such systems frequently encourage upgrading installed communications systems software and hardware to enhance the aircraft's capabilities. However, it is difficult to modify aircraft communications systems software and hardware, because any substantive upgrade of an existing aircraft communications system will result in aviation regulatory agencies requiring an associated recertification of all other core aircraft systems using that communication system, due to the way that the current aircraft communications system is architected within the core of the aircraft. The recertification process is both time consuming and relatively costly.
Also, due to the manner in which current legacy communication systems are architected, even small off-board changes to the systems require an airline company to create, test, and certify an “airline modifiable part” before it can be used on an aircraft. For example, once a software part for the communication systems is created, the airline company must certify it and have an authorized mechanic install the update on the aircraft system. This update process for transmitting or receiving just a few bytes of new data can take several weeks to months to complete for an airline's entire fleet, incurring substantial time and cost penalties for the airline company.
Similarly, for a new data security threat affecting aircraft communications, if the threat is deemed serious, the only action an aircraft operator can take is to disable any affected legacy communications link until new software parts—parts that are not vulnerable to the new threat—can be developed, recertified, and manually installed. This process can also be lengthy and costly.
Another problem encountered in aircraft communication systems is the limited access to or sharing of data between each of the installed systems on the aircraft. In contrast to today's land-based data networks, where all systems connected to a network are (at least in principle) able to share information with all other systems on the network, aircraft systems are interconnected to only a small number of other systems, according to their unique data needs. In addition, the time and costs involved in acquiring additional data from these systems are substantial, due to the level of regulatory oversight and physical-installation engineering. This architecture thus severely restricts the ability of a system or application to acquire a different set of data, from a different mix of components, as the air traffic management and airline operational systems evolve.
Traditional aircraft systems are single-purpose, so that each software application is tightly coupled to the hardware on which it executes, which is a result of many factors, including safety considerations, the inertia of past designs, and the relatively recent emergence of modern networked-systems for use on aircraft. The consequence of single-purpose systems is that new or updated software applications require parallel development of both software and hardware components, resulting in substantial expenditures in time and money to implement installation of new communication systems on aircraft. Accordingly, it would be preferable to provide onboard application-hosting capabilities that are coupled with robust data-acquisition and data-exchange services, instead of the limited data access by hardware and systems currently employed.
Recently, new data-link communication options for use with aircraft have proliferated. There are now multiple options on the market for providing broadband Internet Protocol (IP) communications to an aircraft, including multiple satellite-based systems, and systems based on terrestrial cellular technology. Any one solution works reasonably well for its given area of operations. For example, Wi-Fi solutions provide connectivity in the airport ramp area; terrestrial cellular services provide connectivity over the North American continent; and Satcom systems based on geostationary satellites provide substantially global coverage, excluding Earth's polar areas. As a result of these developments—with the limitations noted above, an increasing number of aircraft are being equipped with multiple broadband communications systems. However commercial aircraft have only minimal and narrow bandwidth communications available for the crew to utilize, or for use in transmitting the aircraft systems data or position to ground-based air traffic management or to airline operational systems, due to both the regulatory rules and the aircraft system's architecture. For this reason, although passengers have access to onboard Internet and other wireless communications, these new aircraft broadband services that are provided via mobile radio technology, or satellite networks are not available to an aircraft crew to utilize or for the airline to use for new data gathering, or for applications that can enhance or improve airline operational efficiency. In essence, the aircraft operators' basic interface to their aircraft is still through paper documentation.
Also, there is a substantial complexity associated with managing multiple broadband communications systems, including problems in several areas. Air traffic management services and functions are restricted to the legacy certified communications links; however, much of the data exchanges over these links are not related to air traffic management and could utilize these new faster and cheaper data links. For example, it would be desirable to select and use the current best communication link (for a given aircraft position, flight characteristics, link usage costs, link quality, etc.) in a way that is transparent to applications using the link. It is also desirable to manage the data links so as to satisfy the various (and sometimes conflicting) operational requirements, including authentication/authorization schemes, network filtering policies, traffic prioritization policies, etc., which are imposed by link providers. To achieve better efficiency, it would be desirable to provide legacy onboard systems with a stable unchanging proxy service that maintains the certified interface and protocols protecting the highly certified core aircraft systems from any changes in the communication environment and the associated need to modify or upgrade them. The proxy service could also provide the equivalent of a single sign-on (SSO) service that could authenticate with an onboard Platform component only once, but which would be able to authorize the component to use any data links that are currently operational, without needing the core systems to utilize the link's specific authentication protocols or digital keys, since the specific data link being used can change throughout a given flight and can potentially exceed more than 100 different link providers for an aircraft in international global service.
Likewise, to manage the in-flight change of link providers and links, a dynamic real-time link management service is needed to configure the link network parameters like Internet services, so as to conform to individual nation's air space laws and regulations, and routing. Impliedly, there should also be some mechanism to manage use across the different links, because only a few links are certified for air traffic management communications, and the usage costs vary significantly. And finally, it may be important to expose the current details of link operational characteristics to dependent systems and/or applications, so as to enable appropriate reactions to periods of low bandwidth, periods of no communication link availability, regulatory link use restrictions, bandwidth costs, or various types of link degradation, and/or to address other types of issues that can impact on a specific link that is selected for communication with an aircraft.
In consideration of the problems discussed above, a new concept for a “distributed computing and communication service” (which is referred to herein at times as “the service”) has been developed. When applied to aviation to facilitate communication between an aircraft and ground stations, the service is designed to enable maximum integration of both legacy aircraft communication links and protocols and new Internet protocol-based communications. In this application, the architecture merges traditional aircraft/airline supporting ground server and storage with all available communication links to the aircraft, one or more onboard aircraft server units, and one or more aircraft interface devices that implement “read only” interfaces to onboard aircraft systems or data buses. The architecture thereby provides “an Aircraft Service Platform” (sometimes referred to herein as simply “the Platform”, but to be distinguished from other types of platforms, such as the “Customer Service Platform”), fully integrating the aircraft into the ground information technology infrastructure. The architecture of this distributed computing and communication service also centralizes data feeds to all off-board communications through an onboard unit or units that isolate the aircraft core systems from the ever changing communications and computing technology and the associated ecosystem of service providers. The service uses distributed computing to create a “system of systems” that extends ground communications and computing infrastructure to the aircraft in the onboard server node of the Platform. This Platform unifies the entire fleet of aircraft of an airline company into the system of systems, which is able to seamlessly span all aircraft manufacturers and model lines, creating a data collection and computing platform that securely ties together the entire airline's fleet of aircraft with ground support infrastructure extending to the airline's Information Technology (IT) infrastructure. The onboard communications and computing service specifically isolates the “highly certified” aircraft core internal communication systems from any changes caused by new types of off-board communications media, as well as from changes to communications protocols, spectrum, and ground-based aircraft support systems. It also adds the ability to dynamically install new operational support applications, either onboard or on the ground, extensive capabilities to collect aircraft system information, and to present or store such data to onboard or off-board applications or storage.
The new Aircraft Service Platform is a software solution, unlike core aircraft communications systems and servers, and can readily be updated, replaced, or dynamically reconfigured with new links, services, or cyber security functionality, as desired by the aircraft operator. The ability to implement these changes without concern for recertification and all of the time delays and costs associated with that process is accomplished architecturally by creating the Platform as a single digital software service that spans ground infrastructure, communication links, and onboard systems, and which moves some of the traditional ground-based communications functions onboard the aircraft but outside of and isolated from the certified aircraft core systems and servers.
As noted in the Background section above, when the architecture of current aircraft legacy systems is modified, even small off-board changes to an aircraft communications system software require an airline to create, test, and certify an “airline modifiable part.” Once the software part is created, the airline must have an authorized mechanic install the update on the aircraft system. This process can take several weeks to accomplish when updating the aircraft. The update can be as simple as defining a new airline ground server, or adding a configuration for a new airport, or updating one of the dozens of “public key certificates” (the equivalent of an employee or home personal username-password combination) that the aircraft uses to access different link service providers or airport wireless infrastructures. With this exemplary embodiment of the novel distributed computing and communications service that has been developed, the existing certified onboard aircraft systems will require these updates to only a single authentication key set employed between the aircraft systems and the onboard Aircraft Service Platform components, and then updating this single key set only annually or semi-annually, instead of monthly or weekly, as is the case today. All other configuration or link usage changes to aircraft communications services are completely hidden from the certified core systems. Also, all routine operational changes are made within the new onboard Aircraft Service Platform software remotely and can be applied instantly across an entire fleet of aircraft without the need for certification processes or mechanic/technician interaction.
Further, as the Internet changes and evolves, it is highly likely that new cyber threats will find vulnerabilities in existing certified onboard aircraft communications systems and servers. If a threat is deemed serious in a conventional aircraft, the aircraft operator must disable the affected off-board communications link until new software parts, which are not vulnerable to the new threat, can be developed, re-certified, and manually reloaded. As noted above, the process of installing new software components on an aircraft can be time consuming and costly. During the time that a communication link is disabled, which may be for months, the airline must schedule a certified aircraft mechanic to board the aircraft once it lands and manually upload or download data using a “certified maintenance laptop,” as often as required, to retrieve aircraft operational data or update data gathering configurations. In contrast, by using the novel distributed computing and communication service design provided by the Platform, new cyber threats can be countered across an airline's entire fleet as soon as a protection method is defined.
This Summary has been provided to introduce a few concepts of the subject technology in a simplified form that are further described in detail below in the Description. However, this Summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Various aspects and attendant advantages of one or more exemplary embodiments and modifications thereto will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
Exemplary embodiments are illustrated in referenced Figures of the drawings. It is intended that the embodiments and Figures disclosed herein are to be considered illustrative rather than restrictive. No limitation on the scope of the technology and of the claims that follow is to be imputed to the examples shown in the drawings and discussed herein. Further, it should be understood that any feature of one embodiment disclosed herein can be combined with one or more features of any other embodiment that is disclosed, unless otherwise indicated.
Although embodiments, figures, and description of this unique distributed platform service use aircraft data collection as an example, it must be emphasized that this same approach can be employed for other types of applications or technologies, and more generally, by any users of distributed systems or equipment, to add new data collection capabilities, applications, cyber security protections, and/or other digital services to legacy systems and equipment, without requiring the replacement of upgrading of those legacy components.
The novel aircraft distributed communications and computing system in
A ground data services platform 130 handles these bi-directional encrypted communications. Ground data services platform 130 includes a data ingestion layer 132 to initially process incoming communications received from aircraft 102, including providing for real-time storage and analysis of the data that is received, as indicated in a block 134, and both long-term archival storage 136, and implementation of batch/large analytic functions, as indicated in a block 138. The received communications are then provided to a dissemination layer 140, which further processes the communication data so that it is in a form appropriate to be provided for presentation in a block 142. The received communication data can then be presented to “customers” in a block 144. These customers include, by way of example, airlines, governmental regulators, carbon traders, insurance companies, OEM's, air traffic control facilities, industry analysts, and meteorological agencies, to name a few without any implied limitation.
Block 200 refers to a satellite communications antenna 208, a global system for mobile communications (GSM) antenna 210, and any other offboard communication systems 212 that emit and receive RF signals, whether using air-to-ground, air-to-air, or satellite-served links. Ku-band antenna 208 is coupled to a Ku-band antenna modem and control 214 that facilitates communications over this band. Similarly, GSM antenna 210 is coupled to a GSM antenna modem and control 216, which facilitates GSM communications with ground systems 202. There are also other communications modems and controls, as indicated in a block 218. Each of the modem and controls is used to implement various air/ground network segments under the controls of onboard network management services 222. The onboard management services also control various passenger network segments 224, including facilitating a GSM/UMTS access point 226, and a Wi-Fi access point (PAX) 228. By way of example, the GSM/UMTS access point and the Wi-Fi access point can provide Internet or other network communication for crew or passenger devices 232, such as laptops 234, GSM phones 236, and tablets 238.
Another important function implemented in block 200 is application hosting services 240. These services are implemented in connection with one or more secure network segment(s) 241, which are coupled to onboard network management services 222. One or more electronic flight bag(s) (EFBs) 242 can also be provided data communication through secure network segment(s) 241, and thus, be handled by onboard network management services 222. The secure network segment(s) can also be provided for data acquisition and management in a block 246, which by way of example and without any intended limitation, can receive data from a GPS receiver 248, an airline data management unit (DMU) 250, an airline fuel system 252, and from other data sources 254. Data using the secure network segment(s) can also be provided or received by a Wi-Fi access point (crew) 256. This access point can thereby be used for a variety of crew/operational devices 260. Examples of such crew/operational devices 260 include a telemedicine device 262, voice over Internet protocol (VOIP) phones 264, a credit card device 266, and a video capture device 268, without any implied limitation on other types of devices that may also be used. A control panel (e.g., a wireless tablet, or a laptop computer, or another type of computing device) with a display 258 can be included to manage secure network segment(s) 241.
As shown in an exemplary end-to-end flowchart for the Aircraft and Customer Service Platforms in
In regard to ground systems, devices, or virtual machines 284, data in blocks 286 can be sent to or received from customer or partner interfacing ground servers or virtual machines 288, which are coupled to communicate data bi-directionally with customer or partner facing ground servers or virtual machines 290. Customer or partner facing ground servers or virtual machines 290 are also coupled to communicate data bi-directionally with aircraft facing ground servers or virtual machines 292. Legacy aviation, new Internet, and new non-Internet protocols and links 278 can be used for communicating data bi-directionally with aircraft facing ground servers or virtual machines 292, which are part of ground systems, devices, or virtual machines 284.
The Aircraft Service Platform thus links onboard aircraft systems components 274, 282, and 276 to a highly secure isolated ground infrastructure comprising aircraft facing ground servers or virtual machines 292, and then to a sister service platform, i.e., to a Customer Service Platform, which includes customer or partner facing ground servers or virtual machines 290 that tie a customer or partner to a software component, e.g., in customer interfacing ground servers or virtual machines 292. The Aircraft Service Platform provides a greatly enhanced onboard data collection system, as discussed below in connection with
In
Virtual partitioning within the Platforms enables the execution on a single system, of software applications using one or more OSs concurrently and in isolation from other programs. As noted above, the exemplary virtualization implementation depicted in
An exemplary embodiment 400 in
As discussed above, the closed network system of systems used in the Aircraft Services Platform contains a ground-based service control infrastructure, as exemplified by aircraft facing ground servers or virtual machines 292, which includes servers configuring and controlling the aircraft onboard systems, air-to-ground applications servers serving the applications loaded on the aircraft, aircraft health data harvesting systems, ground data storage, ground-based network and communications equipment required to maintain the links to the aircraft, and operations centers that manage the whole Platform, i.e., for both ground systems and aircraft onboard systems.
The use of virtualization technology to extend the traditional ground-based aviation communication infrastructure to the edge of the aircraft also facilitates the secure communications and data movement between the aircraft and the ground systems, since its communication can be based on Internet standards, which unlike legacy aviation communication links, can readily employ new, highly secure protocols. Existing Internet technologies enable legacy communication protocol messages to be encapsulated within Internet protocol messages, with their original content and form unchanged. When thus encapsulated, an Internet message can be digitally signed to ensure its contents are unchanged on receipt, and it can be encrypted using any of several different Internet standard encryption technologies. Examples of Internet encryption technologies (without any implied limitation) include: “Internet Protocol security” (IPsec), which uses public digital key technology to encrypt messages; Digital Encryption Standard (DES), including various versions, such as “triple DES” (3DES) and CounterMode DES (CM-DES); and, the newer Advanced Encryption Standards (AES) and “Elliptic Curve Encryption.” Numerous Internet encryption technologies can be added, since the Platform uses modular encryption techniques like the Internet Engineering Task Force's Algorithm Agility framework architecture, which readily permits such change and expansion of functionality.
Equally important is that the use of virtualization frees the hardware and communication links used by this new system that is onboard the aircraft from the traditional restraints imposed on aircraft systems. The onboard systems of the closed network system of systems comprising the Aircraft Service Platform provide stable communications links with the core aircraft systems, networks, and buses; while isolating them completely from changes in communication links or protocols. The onboard Platform systems can be changed or upgraded at will, just like traditional ground computing systems, to accommodate changes in the Internet or new communications link types, or protocols. Further, the onboard components of the Aircraft Service Platform can be switched between different aircraft server models or vendors or upgraded, with just minor configuration changes and can add new onboard hosted applications in real-time, or accept dynamic changes to deal with emerging cyber threats. In addition, the Platform functionality enables an aircraft operator to add new communication links to an aircraft at any time, with only minor configuration changes to the aircraft portion of the onboard system, and none of these changes impact the core components of the aircraft, or require recertification.
Both the ground and aircraft components of the respective Aircraft Service and Customer Service Platforms are designed around the “Platform as a service” and “software as a service” concepts and architecture, and this approach provides a further benefit by naturally limiting the “cyber-attack threat surface” or number of ways that the communications and computing system can be attacked. The Aircraft Service Platform software and hosted applications running on the communications and computing system it provides are designed to serve a small set of the specific functions required in aviation, in contrast to traditional OSs that are designed to serve thousands of uses. Both Platforms and their hosted applications can also be more readily hardened, since their design supports naturally limited data communications functions. In addition, they can be readily adapted to use application/service authentication mechanisms.
The closed network of the onboard and aircraft facing ground components of the Aircraft Service Platform thus protects the aircraft by employing a layered security architecture that includes strong authentication of all connected systems and applications, multi-layered encryption, and “a closed network,” which only communicates externally via a “secure message passing gateways” to prohibit any Internet traffic from reaching the aircraft core systems or core data buses. The Aircraft Service Platform uses aircraft hardware systems that can only “listen” to (but not “write” to, or otherwise modify) the core aircraft systems and data buses, and which are physically incapable of sending any signal to a core aircraft system or data bus.
In the Aircraft Services Platform, the Remote Node comprises the onboard aircraft components, and the Central Node comprises associated ground servers, communications, and storage. In the Customer Service Platform, each Remote Node comprises the set of servers or virtual machines interfacing to the airline's back office systems, and the Central node comprises its associated ground services, communications, and storage. The Central Nodes of both types of Platforms are linked by a pair of “secure messaging gateways” 1702 and 1904 (see
In an exemplary secure messaging gateway 600 shown in
Each of the Remote Nodes and their connected Central Node collaborate to enable Multi-Link Management and Communication Bridge capabilities. This functionality provides proxy services establishing connections to different link technologies, including legacy aviation link technologies. Examples of such legacy technologies include the “Airborne Call and Reporting System” (ACARS), “Voice Data Link mode 2” (VDL2), satellite links like those operated by Inmarsat and Iridium, and other legacy digital links, as well as newer Ku and Ka satellite links, GSM air-to-ground links, and any other commercial communications links such as 802.11, 802.15, broadband over power (BPL) technology via the aircraft power umbilical at the gate, etc. This functionality simplifies interfaces, controls access and data movement across the links, and dynamically controls the configuration of links and the behaviors of data link usage.
Remote Facing Data and Services in Aircraft Service Platform Central Node 602 aggregate all incoming messages from aircraft Remote Nodes 606 into a central repository. Decoding, decrypting, partitioning, correlating, and de-identifying of the messages are implemented as necessary, prior to the messages being inserted into a data store. For example, “de-identifying” may be necessary if the message includes aircraft data such as the actual precise flight path of an aircraft, since some pilot union contracts prohibit such data from being stored in a way that can identify and tie the data to a specific aircraft and flight. The Customer Service Platform, which includes customer facing services in Customer Service Platform Central Node 604, provides access to this data store along with other Platform resources that enable secure, well-defined interfaces for external data consumption by airlines or other parties through remote node customer interfaces 608. The Customer Service Platform also receives and makes available any external data providers, for consumption by the Remote Nodes or Customer Facing Data and Services components. This Customer Service Platform comprising Central Node 604, ensures all communications between Remote Facing Data and Services in the Aircraft Service Platform and Customer Facing Services in the Customer Services Platform are brokered by the Platform infrastructure, providing centralized data security, consistent application hosting, data and systems management, and isolation of the Aircraft Service Platform from direct interaction with customers' IT infrastructure and the Internet in general.
The separation between the Aircraft Service Platform and the Customer Service Platform, while enabling communications between them through a “secure messaging gateway” shown on
Remote Node 700 collects data from telemetry sources 704 through a Source Interface Device (SID) 706, which in the case of an aircraft server unit that is part of the Aircraft Service Platform, includes an aircraft interface device (AID), an air traffic management interface, and communications proxy service, as discussed below. In the Customer Service Platform, the SID is implemented on a Customer/Partner Interfacing System (shown in
In addition, the virtualized network is properly partitioned in a similar fashion to the computational resources, in that the network resources appropriately isolate traffic to only flow within a segregated domain, which includes a trusted domain 802 and a separate untrusted domain 808. Servers, applications, and devices local to the Remote Node are separated into different levels of security, access, and protection. Controlled domain applications and platform 804 are included in trusted domain 802. The trusted domain components are collected into a controlled network that includes a virtual machine domain of applications and components 806, providing key communications. (For the Airline application of this technology, these applications and components can include, for example, the Electronic Flight Bag (EFB) Platform, and flight deck tablet devices that provide resources to airline information system applications, such as flight preparation, graphical weather presentations, and other information services.)
In untrusted domain 808, which employs lower security, components are collected into a separate network and virtual machine domain of applications and Platforms 810, which can include, for example, laptops 812 and smart phones 814. (For the Airline application of this technology, by way of illustration, these applications and components might include the In-Flight Entertainment Server and passenger devices providing applications for media consumption, GPS-position enabled software, and/or onboard-to-offboard enabled connected applications.) These untrusted components are network isolated and can use Internet “tunneling” technology for communications, which is similar to “virtual private networks,” but is used to protect intermediate systems that are being used from any aware contact with the communications they are carrying.
The “untrusted” applications and passenger communications of untrusted domain 808 are never allowed on the same virtual networks as the “trusted” components and applications of trusted domain 802 and are entirely contained in the Remote Nodes. The untrusted components are never allowed to communicate with any part of a Central Node or any component within a Remote Nodes “trusted” domain.
A network interface module 610 can be included to enable the computer system to communicate with other computing devices or storages over a network, and the communication can be over either hardwired or wireless links. The network interface module may include a modem, or a network interface card for coupling to an Ethernet, a token ring, or other type of local area network, or to either a wide area network or to the Internet via air-to-ground, satellite, or wired communications links (while the aircraft is on the ground). The network interface module enables computer system 900 to upload and/or download data and/or software programs by communicating with other computer systems, or servers, or storage devices. It also provides for either client-to-server, or peer-to-peer applications to communicate between Remote Nodes or between a Remote Node and a Central Node.
Bus 904 may include an input/output bus and graphics adapter (not separately shown) for coupling to a display 912 that displays graphics and/or text. A user interface 914 may be included for providing input of alphanumeric text and controlling the operation of computer system 900 and may include a pointing device, such as a mouse, a touch pad, a trackball, or other mechanism, for use in controlling a cursor and making selections for input to the computer system.
The following is a partial list of services that are provided by the Aircraft Service Platform:
Because the services of the present system are accessible over computer networks, applications can be located anywhere, so long as they can connect to the Platform over an appropriate communications network (including private networks or over the public Internet) and tolerate the lack of immediate communication link availability, or its limited performance, or its permitted uses through multi-link management and messaging routing services 1508. The Platform delivers an equivalent set of services on Remote Nodes and Central Nodes, to enable the broadest possible set of applications, while minimizing the performance and communications constraints of distributed architectures. Applications 1010 may be deployed within the Central Node(s), and applications such as applications 1005a, 1005b, and 1005c can be deployed within the Remote Nodes. In the data centers of customers or in the data centers of their partners, applications 1004a, 1004b, and 1004c can be deployed using the present system. Applications consume services that are running in either a Remote Node or a Central Node, as determined by “optimum” access patterns that consider network proximity, intervening network constraints, and tolerance for latency. In general, applications such as applications 1005a, 1005b, and 1005c that are deployed within the Remote Nodes (or within a monitored asset) will consume services that are deployed on the Remote Node, while applications outside of the Remote Node (such as applications 1010 deployed in the Central Node) will consume services that are deployed on the Central Node.
Virtualization technology, as shown in an exemplary Onboard Platform 1100 of
The use of Remote Node 700 for air traffic management is illustrated in an exemplary schematic diagram 1200 in
A global two-way communications system for commercial aircraft can readily be implemented with the new communication and computing systems, using a bus agnostic protocol read-only hardware aviation interface device (AID) 1308, as shown in an exemplary schematic diagram 1300 in
Block 1310 provides for acquiring and storing raw data streams per a cable interface protocol, e.g., Ethernet, Aeronautical Radio Incorporated (ARINC) protocols 429, 629, 717, 664, etc., without any intended limitation. Block 1312 provides for loading data handling configuration tables 1314 and then formatting or discarding raw data stream elements in accordance with the configuration tables. In block 1316, a time source 1318 is read, and a digital time stamp is applied to the formatted data elements. In block 1320, data integrity and security configuration tables 1322 are read, and data integrity and security stamps are applied to the data in accordance with requirements set forth in the data integrity and security configuration tables. Block 1324 provides for formatting the data produced by the preceding processes to a desired interface data transmission protocol and sending the formatted data to one or more ASUs. Data can be either sent or received, as indicated in a block 1326. Further, a block 1328 provides for received data handling, handles data integrity and security configuration table updates, validates and stores the updates, and transmits the validation to the ASU(s).
A typical ASU 1500, which is shown in
Since aircraft are often simultaneously using multiple communications services, multi-link management and messaging routing services in block 1508 (
An exemplary aircraft facing ground server unit 1700 is illustrated in
Details of an exemplary air traffic management interface server or VM 1800 are shown in
In
Details of an exemplary customer/partner interfacing system 2000 are illustrated in
Through the capabilities of the multi-link management and message routing services in block 1508 and security services module 1512, the Aircraft Service Platform can support Internet and cell phone connectivity for both passenger and airline operational usage. Passengers benefit from enhanced in-air connectivity and a wider variety of available services. However, there is a further benefit to Airline Operations Centers (AOC) and aircraft crews (cabin crew and flight deck), since they can receive more data—faster—via the Customer Service Platform providing improved aircraft operational performance, enhanced air-to-ground voice and data communications with the AOCs, the ability to install new onboard applications to digitally integrate an aircraft fully into the airline's operations and incorporate digital management systems, improving airline operational efficiency, corporate planning, and reducing ground turn times. Future benefits include the ability to install new, next generation air traffic management systems onto legacy aircraft, with the addition of ASU or VM 276, and air traffic management interface server or VM 274, if such systems are not already installed.
For passengers, the new communication system offers Internet connectivity (i.e., enabling passengers to connect their mobile devices to the Internet via Wi-Fi access point (PAX) 228, GSM/UMTS access point 226 (for voice and texting), enhanced in-flight entertainment (IFE) server(s) 230, or Skype or other Voice-over-IP (VoIP) communications via platform services virtual machine 1414. By using the capabilities of the Aircraft Service Platform, passenger communications, although utilizing the same communications links as the airline communications, are digitally isolated from the aircraft communications using the latest cyber security and encryption techniques provided in secure network segment(s) 241, extending through the ground infrastructure and terminating at an Internet service provider facility that is completely outside and isolated from the ground Aircraft Service Platform components. These connectivity functions can thus provide numerous opportunities for an airline to offer many new services and flight communications options to their passengers.
To realize such operational benefits, the novel distributed communications and computing Platform used in the communication and computing system collects real-time data from the multiple operational systems on the aircraft via one or more aircraft interface device, server, or VM(s) 1712, which are significant components of the Aircraft Services Platform, using multi-link management and messaging routing services in block 1508 and the link management rules loaded from system services communication and application configuration tables 1428. The Platform employs these components to select the optimum data communications pathways from the aircraft to the ground station based on link availability, message priority, and usage rules, and may transmit the collected data to an associated ground system based on data handling configuration tables 1424 that are loaded into onboard data management services in block 1522, which is also part of the new communication and computing system. Alternatively, the Platform can temporarily store the data in onboard data store 1430 of the aircraft until an appropriate link and/or capacity is available for transmission of the data to the ground system. As described in more detail below, an aircraft facing ground server unit 1700, which is shown in
The novel distributed service Platform and its associated communication and computing system is not a single monolithic box. Instead, it is a system of systems, as shown in
This technology thus provides a global communications system for commercial aircraft that includes the ability to select and use the “current-best” link (based on aircraft position, link cost, etc.) through multi-link management and messaging routing services in block 1508 in cases where the aircraft has multiple communication link technologies available. Using the present novel approach, onboard network access components (i.e., Wi-Fi access points, Global System for Mobile communications (GSM) pico-cells, etc.) enable various types of wired and wireless devices, as shown in the lower part of
The Aircraft Service Platform includes ASU or VM 276″ that is used to host and deliver various application services for the airline company, and Internet and cell phone connectivity for the passengers and crew, all onboard the aircraft. Aircraft interface device, server, or VM 1712 and AID 1308 are provided as part of the Aircraft Service Platform to collect data from multiple aircraft systems, including core aircraft systems. The Aircraft Service Platform components then tag the data with trusted time and origin metadata, check for onboard storage requirements, and if marked for ground storage, then securely transmit the data to the ground in near real-time. AID 1308, discussed above in connection with
Also as shown in
ASU 1500, which is an important component of the Aircraft Service Platform, adds a new dynamic layer of cyber security protection to the aircraft for near real-time response to cyber threats or environmental changes in security services module 1512. A key concept is that the architecture of the novel onboard distributed service Platform enables all of these functions and additional capabilities to be added, modified, or performed on an aircraft without impacting the certification of the aircraft core communications systems and servers, which have an unchanging interface through the transmission and receipt of data in block 1504, via communications proxy service 1502.
The new distributed communications and computing Aircraft Service Platform is an open platform from a software view—although, for reasons of data privacy, it is not a public Platform. Instead, it creates a “closed/private/secure” system of systems environment that extends the airline company's existing ground infrastructure to the aircraft using a distributed system, virtualization, and cyber security technology, as shown in
The new Platform as a service architecture enables third-party software developers to deliver arbitrary operational or passenger applications that run on the Platform without the need to construct complex hardware and software systems onboard the aircraft. This enhanced application facility enables developers to focus on the core functionality of their own applications and results in faster time-to-market and lower investment costs, versus the traditional “siloed” approach normally employed for developing aviation software applications. The term “siloed” refers to the current approach in which aircraft systems are developed as single point solutions, without any provision for adding functionality to an existing aircraft system.
The communications and computing service Platform also protects the aircraft via a true-layered security architecture that is employed in security services module 1512, including strong authentication of connected systems and applications, multi-layered encryption, and two “closed computing clouds.” The Aircraft Service Platform and the Customer Service Platform only communicate externally via military-style “secure message passing gateways.” This approach precludes any Internet traffic from reaching the aircraft core systems, thereby minimizing cyber threats to the aircraft. The system also uses double digital signing of software to facilitate checking software signatures in security services module 1512 on startup and to ensure that any compromise of a single “public key infrastructure” provider does not leave the aircraft vulnerable to cyber attacks. The approach further uses aircraft hardware systems that can only “listen” to the core aircraft systems and buses, but which are physically incapable of sending any type of signal to a core aircraft system or core data bus that might interfere with the certified core components.
The Aircraft Service Platform is not an avionics box. Instead, it is a system of systems, as depicted in
The Aircraft Service Platform is an open and distributed application Platform, designed to enable rapid deployment of applications for commercial aircraft. The Aircraft Service Platform provides a complete solution and includes core onboard and ground-based Platform elements and a set of baseline applications and services. The Aircraft Service Platform acquires operational data from a variety of aircraft systems and then securely distributes this data for use by Platform-hosted applications (which can run on VMs and thus be isolated from each other), customers, and partners. Application programming interfaces (APIs) enable authorized applications, customers, and partners to access aircraft operational data as necessary to support their business processes. The Platform approach used in the present technology provides the following functionality and features:
The Multi-Link Management and Communications Bridge components provide cyber security implementation and cyber security configuration management for each Remote Node—enabling them to adapt to emerging threats to the network and data. This function is performed via security services module 1512 in ASU 1500, shown in
Applications executed on both the Aircraft Service and Customer Service Platforms are accessible through onboard data management services in block 1522, and data produced by such applications is managed, stored, and made available through standard application programming interfaces (APIs). Data collection, storage, and application access to the data is managed in accord with data handling configuration tables 1424, which are loaded into the onboard data management services in block 1522. Data handling configuration tables 1424 can be changed or updated as required by onboard platform management services in block 1510, to satisfy operational data needs, airline requirements, or the needs of other external consumers. Additionally, applications can use onboard platform management services in block 1510 to exchange data with one or more other applications, regardless of whether those applications are hosted on one or more Remote Nodes comprising ASUs or VMs 276, or on customer or partner facing ground servers or VMs 290, or on Central Nodes comprising aircraft facing ground servers or VMs 292, or on customer or partner interfacing ground servers or VMS 288, which can be located in an external consumer's facility.
The use of communications proxy service 1502 in both the Central Node that is coupled to the aircraft core systems, and Remote Nodes provides a mechanism for concealing the implementation details of the communication functionality of legacy or proprietary communication protocols from the data management services and the applications. The communications proxy service provides the means for separating the processing of communication control interfaces from the data being sent through the layers.
Communications proxy service 1502 resides between the software systems receiving the data and any legacy communication links. The communications proxy service provides protection to the data flow between legacy communications infrastructures and the legacy software systems, by implementing communication controls on the computing resources in the Remote Node of the service.
By generalizing the access to communication link options, the communications proxy service enables multiple communication links to be used in a consistent and simple way, despite age or implementation details of those communication links. The producers and consumers of any particular communication link need only interface with the communications proxy service, and as described above, the communications proxy service will apply security and processing steps to the data flow before connecting to the selected communication link system. The communications proxy service is also the design element that ensures communication with the aircraft core systems is stable, optimized, and immune to link, protocol, or cyber security changes, and is maintained exactly as it was at the time of its original construction and installation.
The communications proxy service implements several additional functions. Specifically, it:
Most legacy communication systems were not designed to be exposed to such threats. Thus, by using the communications proxy service in the Platform, these legacy unprotected links can be protected from cyber threats, because the legacy communications are encapsulated and are passed unchanged, with outer security layers added by the system to ensure authenticity and integrity.
The Aircraft Service Platform also contains a dynamic configuration management service as part of the onboard platform management services in block 1510 (and in corresponding blocks 1712 and 1910). This configuration management service provides continuous aircraft location information to communications proxy service 1502, multi-link management and messaging routing services in block 1508, onboard platform management services in block 1510 (and in corresponding blocks 1710 and 1908), and security services module 1512. Due to differences in national laws in various countries around the globe through which an aircraft may be passing, the aircraft must be able to change communication parameters and security settings to conform to those laws. These changes may include bans on certain websites and content filtering, or allowed/required communications authentication or encryption. Also, each different communication or link service provider may use different types of routing address management and other supporting networking communication services. Thus, as the aircraft crosses into different national airspaces or communicates with different service providers, it must be able to dynamically adjust the security network and communication services during flight. The dynamic communication configuration management functions of ASU 1500 constantly monitor the aircraft position for changes in national airspace and the communication links, and for changes in communication service providers. Whenever such changes occur, the dynamic configuration management service then checks the changes against data handling configuration tables 1424, and where appropriate or required, makes the necessary changes in either the security, communications, or network services configurations and rules that are applied, including restarting a link if necessary. This service ensures that the aircraft can operate globally with minimal disruption in communication services and can automatically adjust to changes as the aircraft passes over different national countries/regions, to conform to the laws or regulations of those countries/regions.
The architecture of the Aircraft Service Platform ensures that it cannot introduce cyber security threats to the aircraft core systems, since it incorporates “read only” or “listen only” interfaces to these critical systems, thus ensuring that the Platform cannot interfere with aircraft flight critical systems. The Platform incorporates layers of modular cyber security. It is constructed of two Platform segments, including the Aircraft Service Platform (which provides remote facing data and services), and the Customer Service Platform (which provides customer facing services), as shown in
The Aircraft Service Platform uses a security concept that permits no human users, systems, links, or applications to authenticate to each other. When necessary, human authentication is done only with the device a particular person is using. Aviation fundamental aircraft security, which provides access to the aircraft by crew, maintenance, and operations personnel, is physically controlled, and this same physical access control exists throughout the industry. Platform operational staff are also subject to physical access control. This concept limits the number of security interactions required by the Aircraft Service Platform. The security control uses a public key infrastructure (PKI) for authentication and encryption, as well as private network services in security services module 1512, but the security services can be modified, if needed, to use private keys.
The Customer Service Platform implements the same control concepts between itself and the customer/partner Remote Nodes, with all authentication and encryption being implemented between systems, communication links, and applications. This Service also nominally uses a PKI for authentication and encryption, and where required, can use industry PKI bridges like the aviation industry's CertiPath, standard commercial PKI services, or a private key infrastructure—if desired by the customer.
From a security perspective, software elements with different security characteristics are allocated to different VMs, so as to minimize the opportunities for a digital attack on the most sensitive elements of the Platform. For example, consider a hypothetical “Element A” that provides secure services to aircraft flight crew, and a hypothetical “Element B” that provides entertainment services to passengers; each of these elements is allocated to a different VM and communicates on different virtual networks that are isolated from each other.
From a resource management perspective, the virtual-machine manager is hypervisor operating system 308; it manages the execution of one or more “guest” VM's, such as virtual hardware 306a or 306b, on a “host” machine, i.e., physical hardware 314. The VM manager has the ability to constrain the computing resources that are allocated to any VM and, by extension, to any software elements that are deployed on that VM. Critical elements of the Platform are deployed separately from applications developed by third-parties, so that undesired or unpredictable resource consumption on one element has minimal effect on another element that is deployed in a separate VM. Vulnerability and computing resource requirements (e.g., applications or services with variable resource requirements) can be deployed in VMs to constrain the use of resources.
Virtualization decouples guest VM's and any software deployed therein, from underlying physical hardware 314. By emulating the underlying physical hardware, such as in virtual hardware 306a or 306b, the VM manager enables VMs to be portable across any physical hardware, in either Platform supported by the VM manager. Virtualization also facilitates easy replacement of onboard hardware with similar or enhanced physical hardware, because the virtualized hardware is isolated from physical hardware dependencies. This feature is similar to a commercial OS like Microsoft Corporation's WINDOWS™ OS, which can be loaded onto almost any vendor's computer system and which detects the underlying hardware so that it loads the specific drivers and interfaces needed to utilize that hardware.
Exemplary onboard platform 1100 shown in
The Platform architecture isolates and protects the interfaces of upstream aircraft telemetry systems and safety-sensitive avionics by employing separate onboard hardware device(s), known as SIDs. On the Aircraft Service Platform, the SID elements connecting to aircraft core systems is aircraft interface device, server or VM 282, or air traffic management interface server or VM 274 (see
Authentication and encryption between Platform systems, applications, and links is nominally done through the use of PKI technology. If other authentication or encryption technologies are required at some point, Kerberos, private key exchanges, or evolving new standards like Policy Augmented S/MIME (PLASMA) or elliptic curve encryption can be utilized, with only changes to the aircraft configuration file being carried out, as required.
The system also incorporates standard anti-virus technology on all communications traffic and messages between the remote aircraft node and the ground systems. Further, as new cyber security technology is developed and becomes available, the Platform can seamlessly install this new technology to further control the communications links and message traffic, with no impact to the installed applications or platform services.
Additionally, communications proxy service 1502 adds still another protection layer, since it controls all communications to and from non-Platform systems on the aircraft.
To add the capability to support new advanced air traffic management services, secure messaging gateway 1708 having military style characteristics is included in the Aircraft Service Platform for the ground infrastructure, to receive and send advanced air traffic management directions with regard to national air navigation service providers, like the FAA and Eurocontrol. An additional secure messaging gateway VM (not separately shown) is also included in each aircraft Remote Node for carrying these messages to and from the aircraft core flight management systems. These secure message gateways can use either PKI or private (hand installed) digital keys and can send or receive their digitally signed and encrypted messages over any available communications link with the aircraft.
A micro-server “line replaceable unit” (LRU), air traffic management interface server or VM 274, corresponding to air traffic management interface server or VM 1800, which is shown in detail in
Other Applications of this Technology
Although the discussion of exemplary embodiments of the present novel approach that is set forth herein relates to its application to aviation, it should be understood that this new technology can be beneficially used in connection with any critical infrastructure segment or high security environment (e.g., SmartGrid, Health, and Banking, to name a few, but without any implied limitation), to create a secure system of systems distributed computing and communication environment. For example, the present approach can provide flexible, secure edge services to a remote banking customer, or to an operating room or ICU at a medical facility, or can provide continuous patient health status monitoring, or monitoring of power transmission substations or generating plants. In the more general sense, the present approach can be used for enabling distributed computing and secure communication of data between a first entity (which would correspond to an aircraft in the exemplary application of this technology to aviation that is discussed above) and any of one or more second entities (which would correspond to one or more ground stations in this exemplary application). It will thus be evident that this technology is applicable to many very diverse fields and is not in any way limited to use in aviation.
This approach can use any legacy, existing, or new communications links/services to provide these services and functionality. As an example, implanted or wearable medical devices, such as insulin pumps or implantable cardio defibrillators/pacemakers, can wirelessly transmit their status to proprietary devices when in range, and these proprietary devices can then retransmit the status information to a health care provider at a remote location via the Service Platform described above. Also, numerous wearable systems and portable systems exist that have storage, and these systems can implement data processing, using standard non-proprietary wireless communications. Examples include without any implied limitation, the Apple iPhone™, other types of smart phones, pedometers, “Fitbits,” etc. This technology enables these types of systems to directly interface to medical devices on or in the body of the person wearing or carrying the portable communication device, providing the person with local storage, processing, and standard, widely available communications links, as needed. Accordingly, it is not intended that the scope of these concepts in any way be limited by the description provided herein in regard to its application to aircraft and aviation ground stations.
Although the concepts disclosed herein have been described in connection with exemplary embodiments for practicing them and modifications thereto, those of ordinary skill in the art will understand that many other modifications can be made thereto within the scope of the claims that follow. Accordingly, it is not intended that the scope of these concepts in any way be limited by the above description, but instead be determined entirely by reference to the claims that follow.