US-12625952-B2 - Secure MIL-STD-1553 data bus
Abstract
Systems, devices, and methods for providing security on a MIL-STD-1553 serial data bus are described herein. Detected anomalies on the serial data bus that are determined to be threats are invalidated.
Inventors
- Sam Grigorian
- Tim Uhl
Assignees
- ABACO SYSTEMS, INC.
Dates
- Publication Date: 20260512
- Application Date: 20210430
Claims (19)
- 1. A bus security device integrated into a bus controller (BC) that provides security on a MIL-STD-1553 serial data bus, said device comprising: a memory, wherein the memory at least contains security rules stored thereon; a processing circuit in communication with the memory; and a transceiver that connects the bus security device to the MIL-STD-1553 serial data bus, wherein the processing circuit is programmed to: monitor the MIL-STD-1553 serial data bus in accordance with the security rules stored in the memory; and if the processing circuit detects an anomaly on the MIL-STD-1553 serial data bus that is characterized as a threat by the rules stored in the memory, then the processing circuit causes the transceiver to inject an invalidation signal onto the MIL-STD-1553 serial data bus to counteract the anomaly, wherein the anomaly comprises a message on the MIL-STD-1553 serial data bus that is characterized as the threat and the invalidation signal comprises a relatively short transmission burst injected onto the MIL-STD-1553 serial data bus that creates a collision with either a data or a status word transmission and causes the message characterized as the threat to be invalidated, wherein the anomaly comprising a message on the MIL-STD-1553 serial data bus that is characterized as the threat comprises a broadcast mode command without data, a non-allowed command word, or an out-of-bounds data word, and wherein the message characterized as the threat is invalidated by the invalidation signal corrupting its Manchester encoding or sync encoding, and wherein the invalidation of broadcast mode commands without data begins before the bus security device receives all of the broadcast mode command, and wherein the BC is a secure BC and the bus security device detects a command word transmission in the MIL-STD-1553 serial data bus or in a stub of the MIL-STD-1553 serial data bus that connects the BC to the MIL-STD-1553 serial data bus and determines whether the command word transmission was initiated by the BC or not by the BC.
- 2. The device of claim 1, wherein the invalidation signal is at a higher frequency than normal traffic on the MIL-STD-1553 serial data bus.
- 3. The device of claim 1, wherein the BC is an unsecure BC and the bus security device provides security against false BC attacks caused by a second false BC generating traffic on the MIL-STD-1553 serial data bus.
- 4. The device of claim 1, wherein the BC is an unsecure BC and the device further comprises a transmit detect device to detect a transmission in a stub of the MIL-STD-1553 serial data bus that connects the BC to the MIL-STD-1553 serial data bus.
- 5. The device of claim 1, wherein the bus security device detects BC command transmission by both monitoring the MIL-STD-1553 serial data bus and by detecting current in the stub of the MIL-STD-1553 serial data bus.
- 6. The device of claim 1, wherein any detected transmission determined to not be initiated by the BC is invalidated by the bus security device.
- 7. The device of claim 1, wherein the BC is an unsecure BC and comprises a fixed silicon BC protocol sequencer and/or a BC that cannot be modified.
- 8. The device of claim 1, wherein the device determines whether the command word transmission was initiated by the BC either by direct integration with a BC sequencer in the processing circuit, or by detection of a command word transmission by detecting current in the stub of the MIL-STD-1553 serial data bus.
- 9. The device of claim 1, wherein if the bus security device determines the command word transmission was not initiated by the BC, then it determines that the command word transmission was initiated by a false BC and the device invalidates the command word transmission initiated by the false BC.
- 10. A method of providing security on a MIL-STD-1553 serial data bus, said method comprising: monitoring the MIL-STD-1553 serial data bus in accordance with security rules; and in response to detecting an anomaly on the MIL-STD-1553 serial data bus that is characterized as a threat by the security rules, then the injecting an invalidation signal onto the MIL-STD-1553 serial data bus to counteract the anomaly, wherein the anomaly comprises a message on the MIL-STD-1553 serial data bus that is characterized as the threat and the invalidation signal comprises a relatively short transmission burst injected onto the MIL-STD-1553 serial data bus that creates a collision with either a data or a status word transmission and causes the message characterized as the threat to be invalidated, wherein the anomaly comprising a message on the MIL-STD-1553 serial data bus that is characterized as the threat comprises a broadcast mode command without data, a non-allowed command word, or an out-of-bounds data word, and wherein the message characterized as the threat is invalidated by the invalidation signal corrupting its Manchester encoding or sync encoding, and wherein the invalidation of the broadcast mode commands without data begins before all of the broadcast mode command is received, and wherein the BC is a secure BC and the bus security device detects a command word transmission in the MIL-STD-1553 serial data bus or in a stub of the MIL-STD-1553 serial data bus that connects the BC to the MIL-STD-1553 serial data bus and determines whether the command word transmission was initiated by the BC or not by the BC.
- 11. The method of claim 10, wherein the invalidation signal is at a higher frequency than normal traffic on the MIL-STD-1553 serial data bus.
- 12. The method of claim 10, wherein the method is performed by a device that is integrated into a bus controller (BC).
- 13. The method of claim 10, wherein the BC is an unsecure BC and the device provides security against false BC attacks caused by a second false BC generating traffic on the MIL-STD-1553 serial data bus.
- 14. The method of claim 12, wherein the BC is an unsecure BC and the device further comprises a transmit detect device to detect a transmission in a stub of the MIL-STD-1553 serial data bus that connects the BC to the MIL-STD-1553 serial data bus.
- 15. The method of claim 14, wherein the device detects BC command transmission by both monitoring the MIL-STD-1553 serial data bus and by detecting current in the stub of the MIL-STD-1553 serial data bus.
- 16. The method of claim 15, wherein any detected transmission determined to not be initiated by the BC is invalidated by the device.
- 17. The method of claim 12, wherein the BC is an unsecure BC and the BC comprises a fixed silicon BC protocol sequencer and/or a BC that cannot be modified.
- 18. The method of claim 10, wherein the device determines whether the command was initiated by the BC either by direct integration with a BC sequencer in a processing circuit of the device, or by detection of a command word transmission by detecting current in the stub of the MIL-STD-1553 serial data bus.
- 19. The method of claim 10, wherein if the device determines the command word transmission was not initiated by the BC, then it determines that the command word transmission was initiated by a false BC and the device invalidates the command word transmission initiated by the false BC.
Description
BACKGROUND
MIL-STD-1553 is a military standard published by the United States Department of Defense that defines the mechanical, electrical, and functional characteristics of a serial data bus. It was originally designed for use with military avionics but has also become commonly used in spacecraft on-board data handling (OBDH) subsystems, both military and civil. It features a dual redundant balanced line physical layer, a (differential) network interface, time division multiplexing, half-duplex command/response protocol, and up to 31 remote terminals (devices).
Since its inception in 1973 and in subsequent revisions during the ensuing years, MIL-STD-1553 has evolved into the predominant, internationally accepted networking standard for the integration of military platforms. Today, the standard has expanded beyond its traditional domain of US Air Force and Navy aircraft to encompass applications for combat vehicles, ships, satellites, missiles, and the International Space Station Program, as well as advanced commercial avionic applications. Once considered primarily a military data bus standard, MIL-STD-1553 has caught the attention of commercial aircraft manufacturers who seek to capitalize upon the standard's inherent reliability, robustness, maturity, and superior EMI performance.
The current version of MIL-STD-1553 is MIL-STD-1553B, “Aircraft Internal Time Division Command/Response Multiplex Data Bus,” originally published on Sep. 21, 1978, by the U.S. Department of Defense, which is fully incorporated by reference, though as used herein the term “MIL-STD-1553” means either MIL-STD-1553A, MIL-STD-1553, or any future release/upgrade of the standard. MIL-STD-1553 has a long history going back to the 1970s, and it remains very active today even in new systems. MIL-STD-1553 is deterministic and dual-redundant, thus making it highly fault tolerant and suitable for use in mission-critical systems.
MIL-STD-1553 will likely be a part of military platforms for many years to come. However, MIL-STD-1553 was developed before cyber security became a concern. MIL-STD-1553 has no inherent security features built into the protocol itself, and thus has significant vulnerabilities. In complex modern systems, with many MIL-STD-1553 terminals being part of intelligent and interconnected subsystems, security has become a growing concern. Potential threats on MIL-STD-1553 data buses include, for example, the following basic threats and how they would appear relative to the 1553 bus:
- (1) compromised bus controller (BC) software; for example, the BC is re-programmed to send malicious commands or sequence of commands and/or data;
- (2) compromised remote terminal (RT) software; for example, the RT is re-programmed as a malicious BC;
- (3) compromised RT software; for example, the RT is re-programmed to transmit incorrect/corrupted data;
- (4) a second (false) BC sending malicious commands or sequence of commands and/or data;
- (5) a terminal (generally configured as a BC) can create traffic to cause collisions, resulting in a denial-of-service type of attack;
- (6) a malicious BC connected to maintenance port;
- (7) and the like.
These are only examples. There is almost no limit to the types of theoretical attacks which one could imagine, but many are impractical or inapplicable to the vast majority of systems. For example, some have suggested that attacks could take the form of a slight altering of the timing of either BC messages and/or RT response time to slowly and indirectly “leak” sensitive or classified data. This type of attack would require at least two terminals to be compromised and participating in the attack, as well as the ability to both control and detect the subtle timing differences.
Previously proposed MIL-STD-1553 security concepts include blocking/filtering of command words and possibly also data words.
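The three message categories that claims 1 and 10 treat as threats (broadcast mode command without data, non-allowed command word, out-of-bounds data word) can be checked as follows; this is an added C example, not code from the patent. The command word field layout is from MIL-STD-1553B; the rule table layout, the sample policy, the function names and the choice to decide the broadcast case from a 12-bit prefix are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ALLOW, BCAST_MODE_NO_DATA, CMD_NOT_ALLOWED, DATA_OUT_OF_BOUNDS } verdict_t;

/* Hypothetical rule entry, one per RT address 0..30 (not the patent's rule format). */
typedef struct {
    uint32_t rx_sa, tx_sa; /* bit n set: receive to / transmit from subaddress n allowed */
    uint16_t dmin, dmax;   /* inclusive bounds for data words in this RT's messages */
} rt_rule_t;

/* Constructed sample policy: RT 5 may receive on subaddress 2 and transmit from 3. */
static const rt_rule_t SAMPLE[31] = { [5] = { 1u << 2, 1u << 3, 0, 1000 } };

/* MIL-STD-1553B command word: RT[15:11] T/R[10] subaddress/mode[9:5] count/mode code[4:0] */
uint16_t make_cw(unsigned rt, unsigned tx, unsigned sa, unsigned cnt)
{ return (uint16_t)(((rt & 31u) << 11) | ((tx & 1u) << 10) | ((sa & 31u) << 5) | (cnt & 31u)); }
static unsigned rt_of(uint16_t cw) { return (cw >> 11) & 31u; }
static unsigned sa_of(uint16_t cw) { return (cw >> 5) & 31u; }
static bool is_mode(uint16_t cw)   { return sa_of(cw) == 0 || sa_of(cw) == 31; }

/* True once the first nbits (MSB first, left-aligned in prefix, rest zero) already
 * identify a broadcast mode command without data: RT 31, subaddress 0 or 31, and
 * the top mode-code bit clear (mode codes 0..15 carry no data word). */
bool early_bcast_mode_no_data(uint16_t prefix, unsigned nbits)
{
    if (nbits < 12) return false; /* mode-code bit 4 not received yet */
    return rt_of(prefix) == 31 && is_mode(prefix) && !(prefix & 0x10u);
}

verdict_t check_command(const rt_rule_t rules[31], uint16_t cw)
{
    unsigned rt = rt_of(cw), sa = sa_of(cw);
    if (early_bcast_mode_no_data(cw, 16)) return BCAST_MODE_NO_DATA;
    if (rt == 31 || is_mode(cw)) return CMD_NOT_ALLOWED; /* constructed policy choice */
    uint32_t mask = (cw & 0x0400u) ? rules[rt].tx_sa : rules[rt].rx_sa;
    return ((mask >> sa) & 1u) ? ALLOW : CMD_NOT_ALLOWED;
}

verdict_t check_data(const rt_rule_t rules[31], uint16_t cw, uint16_t data)
{
    verdict_t v = check_command(rules, cw);
    if (v != ALLOW) return v; /* also keeps rt_of(cw) below 31 for the lookup */
    const rt_rule_t *r = &rules[rt_of(cw)];
    return (data < r->dmin || data > r->dmax) ? DATA_OUT_OF_BOUNDS : ALLOW;
}

int main(void) { printf("%d\n", check_command(SAMPLE, make_cw(31, 1, 0, 8))); return 0; }
```

In MIL-STD-1553B a broadcast mode command without data is followed by neither a data word nor a status word, so the 12-bit prefix test marks the earliest point at which the command word itself can be classified.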
In some instances, security may be required to be incorporated into individual terminals. Also in some instances, security may be specific to the configuration of the network. Therefore, what is needed are systems and methods for providing security for data buses utilizing MIL-STD-1553 that overcome challenges in the art, some of which are described above. In particular, an approach that provides simple, reliable, easy-to-integrate security for MIL-STD-1553 communication buses is desired that focuses on the message content itself and on preventing unauthorized messages from completing successfully.
SUMMARY
Disclosed and described herein are embodiments of a bus security device that provides security on a MIL-STD-1553 serial data bus. In one aspect the device comprises a memory, wherein the memory at least contains security rules stored thereon; a processing circuit in communication with the memory; and a transceiver that connects the bus security device to the MIL-STD-1553 serial data bus. The processing circuit is programmed to monitor the MIL-STD-1553 serial data bus in accordance with the security rules stored in the mem