
Numerical Analysis of Cyberattacks on Unmanned Aerial Systems

James Goppert,∗ Weiyi Liu,† Andrew Shull,‡ Vincent Sciandra,§ and Inseok Hwang¶

Purdue University, West Lafayette, Indiana, 47907, United States

Hal Aldridge‖

Sypris Electronics, Tampa, Florida, 33612, United States

Unmanned Aerial Systems (UASs) are currently in wide use in many applications, including surveillance, law enforcement, and a variety of military missions. As these systems are unmanned, they cannot be directly monitored, and cyberattacks can jeopardize the mission, the vehicle, and potentially lives and property. Given the potential severity of the consequences of security breaches, it is important to assess the vulnerabilities inherent in cyberphysical systems. This paper presents a method for modeling cyberphysical systems in order to evaluate robustness to cyberattacks. We also establish a metric to quantify attack severity: time till failure. We categorize intents and outcomes for typical attacks and perform numerical simulations to estimate the severity of attack combinations in order to identify critical areas of vulnerability. Our findings can be used to guide strategies for improving the security of UASs and other cyberphysical systems.

Nomenclature

$x$: Aircraft state vector
$u$: Input vector
$z$: Measurement vector
$v$: Measurement noise vector
$f$: Vector valued non-linear flight dynamics
$h$: Vector valued non-linear measurement
$J$: Jacobian matrix
$H$: Linearized measurement matrix
$R$: Measurement covariance matrix
$\omega$: Angular velocity, rad/s
$B$: Normalized magnetic field
$V$: Velocity, m/s
$L$: Latitude, rad
$l$: Longitude, rad
$h$: Altitude, m
$\Omega$: Rotational rate of earth, rad/s
$R$: Radius of earth, m
$C_{nb}$: DCM from body to navigation frame
$q_{nb}$: Quaternion from body to navigation frame
$a, b, c, d$: Attitude quaternion components
$\alpha$: Acceleration, m/s$^2$
$\sigma^2$: Variance

Subscript

mag: Magnetometer
GPS: Global Positioning System
IMU: Inertial Measurement Unit
P, V, A: Position, Velocity, Acceleration
x, y, z: Body x, y, z-direction
N, E, D: North, East, Down direction
0: Initial condition / expansion point

Superscript

k|k: kth step given kth data
n, b: Navigation, Body frame
i, e: Inertial, Earth-fixed frame

∗ Graduate Student, Aeronautics and Astronautics, AIAA Student Member.
† Graduate Student, Aeronautics and Astronautics, AIAA Student Member.
‡ Graduate Student, Aeronautics and Astronautics, AIAA Student Member.
§ Graduate Student, Aeronautics and Astronautics, AIAA Student Member.
¶ Associate Professor, Aeronautics and Astronautics, AIAA Senior Member.
‖ Director of Engineering, Sypris Electronics.

1 of 18

American Institute of Aeronautics and Astronautics


I. Introduction

With the increasing complexity of the networked embedded control technology, unmanned aerial systems (UASs) have become vulnerable to many cyberattacks, and these vulnerabilities have not been thoroughly investigated. Many UASs rely solely on encryption of data channels to prevent cyberattack [1]. While data encryption is a key component of many security strategies, relying on it as the only defense against a cyberattack is misguided [2]. This is clearly demonstrated by the recent reports of a malware infection in UAS control systems at Creech Air Force Base and reports that foreign agents were able to gain complete command capability of the Landsat-7 and Terra EOS AM-1 satellites by targeting internet-connected ground control stations outside of the US [3,4]. These incidents clearly demonstrate that it is possible for an attacker to compromise a ground station controlling a UAS. Since the attacker has application layer control at the source node in these cases, link layer encryption does not protect the UAS. There are also multiple sensor attacks that can be employed by an adversary to corrupt the state of a UAS without needing to break encryption. Examples of these attacks include spoofing GPS or ADS-B signals [5,6].

If a UAS were to be compromised by a cyberattack, the consequences could be disastrous. When an individual UAS is compromised, it may fail to complete a potentially vital mission, such as active combat, combat support, military or law enforcement surveillance, fire fighting, or wilderness search and rescue. A compromised UAS may also leak intelligence information, as was the case in 2009 when Iraqi militants were able to view live video feeds from US military UASs. Finally, a compromised UAS poses a significant threat to human life and property if the attacker is able to access any on-board weapon systems or is able to use the vehicle itself as a kinetic weapon. These dangers are amplified when multiple UASs are formed into a network. As more vehicles are added to the network, the number of vulnerabilities that are available for an attacker to exploit increases. Additionally, the communication links formed between the nodes of this network provide new avenues of attack. With the opportunity to compromise more vehicles, the attacker also gains the ability to cause more damage than with a single vehicle [7].

Attempting to analyze UAS vulnerabilities is a daunting task. A UAS is a cyberphysical system [1,8], and ensuring the security of a cyberphysical system requires analysis of the interactions between both the digital and physical components. Additionally, each UAS design is physically unique. The mass properties, propulsion system specifications, sensors, actuators, control system, and aerodynamics of the vehicle all contribute to the system dynamics. The unique dynamics of individual UASs contribute to the vulnerabilities of the system to cyberattack, making a generalized protection system very difficult to implement. A detailed study of UAS cyberattack vulnerabilities has not been previously conducted due to the varied nature of the problem and the lack of a well defined measure of attack severity.

In this paper we identify attack scenarios that exemplify typical attack vectors in a UAS system. We then investigate how these attacks can be combined to form more sophisticated attack strategies. Due to the complicated nature of the cyberphysical system, we have not yet developed analytical models capable of predicting the vulnerabilities discovered numerically through simulation.

The contributions of this paper are as follows:

• A measure for attack severity has been created in Section II. This measure, time till failure, is the amount of time the system operates within the mission and flight envelope.

• A model of a typical UAS cyberphysical system has been created in Section III. The model employs JSBSim, a C++ flight dynamics model library, to model the aircraft dynamics. It utilizes the Scicos block diagram environment to model control, guidance, and navigation systems as well as cyberattacks.

• Typical cyberattack routes have been identified and vulnerabilities to combined cyberattacks have been investigated for a small UAS system in Section IV. The results were used to create a heat map of attack severity for various attack combinations.

Although UAS dynamics have not been previously studied in conjunction with cyberattacks in depth, many have investigated UAS flight envelope enforcement as a method of fail-safe recovery [9–11]. Currently, 33% of all UAS system failures are caused by the UAS exceeding its designed flight envelope [9]. Fault detection has also been employed in UASs to diagnose faults and react to them [12]. In addition, the effect of cyberattacks on the system survivability in a network has also been studied [7].


II. Cyberattack Measures

II.A. Attack Intent Classification

In this analysis we will investigate vulnerabilities of typical Unmanned Aerial Systems (UASs). In this investigation, potential cyberattacks will be classified by the intent of the attacker as a way to motivate the different analytical techniques used to quantify the severity of the attack. The three intents that will be discussed are mission obstruction, control acquisition, and vehicle destruction. Through the modeling of a representative system and extensive testing, we will draw conclusions on these attacks.

• Mission Obstruction

In a mission obstruction attack, the objective of the attacker is to prevent the unmanned vehicle from completing the assigned mission objectives. There are several ways that this can be accomplished. For example, the vehicle can be delayed such that the time requirement of the mission is not met, or the vehicle can be caused to waste so much fuel or battery power that the mission objectives are no longer feasible. Unpredictable errors could also be inserted into the navigation system in order to degrade the state awareness of the vehicle. A final possibility is that the control system could be corrupted to the point that its sensors begin to perform poorly, introducing issues such as highly oscillatory motion. One example we will consider leverages the collision avoidance system to obstruct the vehicle. By inserting a phantom vehicle in the path of the target vehicle, an attacker can cause the target vehicle to perturb its flight path in order to avoid collision. It should be noted that in a mission obstruction attack, the attacker does not have the ability to control the vehicle directly. If the attacker can control the system directly, that will be considered a control acquisition attack.

• Control Acquisition

In a control acquisition attack, the objective of the attacker is to assume direct control of the vehicle. An example of this would be the use of GPS spoofing to shift the flight path of the UAS to suit the purposes of an attacker. For this type of attack, it may be possible for an attacker to have differing levels of control, i.e., an attacker may be able to gain control of vehicle subsystems without gaining control of the entire vehicle. If the attacker is able to gain complete control of a vehicle, there is a possibility of a man-in-the-middle attack. In this attack, the attacker would send falsified data to the original controller to make it appear that the vehicle is behaving normally, when it is actually being controlled by the attacker. Such an attack is especially dangerous, as having the attack be undetected provides a clear advantage to the attacker.

• Vehicle Destruction

The attacker’s intent may be simply to destroy the vehicle. It is possible that an attacker would have sufficiently limited control over one state that they cannot perform a meaningful control acquisition attack, but they can still destroy the vehicle. For instance, if they have control of the altitude of the vehicle they may command the aircraft to fly into the ground. However, the primary area of danger, and thus the focus of this analysis for vehicle destruction attacks, will be the introduction of instability into the control and navigation system of the vehicle. An instability in this critical system will most likely result in a crash.

II.B. Failure Criteria

In order to determine whether or not a cyberattack has been successful, criteria for failure must be established. Based on the identified attack intents described above, two failure modes have been identified. They are described below. In order to quantify the severity of an attack, the metric we utilized was the time elapsed when any of these failure criteria were reached, referred to as time till failure.

• Mission Envelope Failure

By defining parameters that define restrictions the user would like to place on the vehicle, the vehicle state can be compared to those parameters to determine if the mission envelope has been violated. The parameters identified in this study are summarized in Table 1.


Table 1. Mission Envelope Parameters

| Parameter | Description |
|---|---|
| Mission theater | Geographic region to which the UAS is to be confined. |
| Altitude window | Range of acceptable vehicle altitudes. |
| Battery/fuel level | Amount of battery power and fuel that the vehicle must hold in reserve. |
| Target window | Geographic region that the vehicle should stay within during the specified time. |
| Target time window | The time period during which the vehicle must be within the target window. |

• Flight Envelope Failure

Flight envelope failure is defined as failure of the vehicle airframe. This type of failure typically leads to destruction of the vehicle.

III. UAS Cyberphysical Model

In this section, the configuration of the UAS testbed is presented along with the mathematical models of the on-board navigators and the estimation algorithm. The Purdue Hybrid Systems Lab simulation environment was employed for this analysis. The power of this environment is the ability to simulate high-fidelity models using a proven C++ library while interfacing to a block diagram environment. A block diagram environment is very useful for the rapid prototyping and analysis of guidance, navigation and control systems. The current testbed has been utilized by the Purdue Hybrid Systems Lab for analysis of autonomous quadrotors, rovers, and fixed wing aircraft. Figure 1 illustrates the typical analysis process for the unmanned vehicles in the lab.

Figure 1. The Purdue Hybrid Systems Lab simulation test-bed.


In order to use the testbed, a vehicle description is first obtained using the wind tunnel if a physical model is available or the USAF Digital DATCOM software. Once the aerodynamics and mass properties of the vehicle are defined, JSBSim (a C++ flight dynamics model library) is used to simulate the vehicle. Next, ScicosLab (a software package similar to Simulink from MathWorks) interfaces with JSBSim. At this point, the block diagram environment within ScicosLab (Scicos) provides a mechanism for rapid analysis. The digital controller can then either be simulated in ScicosLab or implemented using the actual hardware of the unmanned system. Implementing the controller in software is called a software in the loop simulation (SIL), and using the actual hardware is called a hardware in the loop simulation (HIL). Telemetry data from the UAS can then be sent to ground station software to allow complete testing and verification of all user interactions with the unmanned system.

In Figure 2, the complete Scicos block diagram used for this analysis is shown. In this diagram, the commands block provides the commanded waypoint and velocity to the vehicle, and the waypoint guidance block uses this information combined with information about nearby obstacles to compute a desired bearing and speed for the aircraft. The backside controller block implements digital PID controllers to regulate the error in the control surfaces. The servos block models the lag in the actuators using the first order transfer functions. The JSBSimComm block sends the actuator signals to JSBSim (the C++ flight dynamics library) where the aircraft state derivative is computed. The ScicosLab block then uses a variable step size integration scheme for propagating the state. The computed state and outputs from the JSBSimComm block are then sent to the sensor models. The sensor models use the state of the aircraft and random noise generation to simulate realistic data from the sensors. This data is then fed into the navigation system. The navigation system uses the sensor information to estimate the state of the aircraft.


Figure 2. The block diagram of the UAS autopilot in JSBSim.

III.A. Aircraft

The aircraft analyzed in this paper is the MultiPlex Easy Star. This aircraft is widely used for UAS research. It is very stable, inexpensive, and durable. Due to the low cost and simplicity of the airframe, it was designed to fly without ailerons. Although this vehicle is the focus of analysis for this report, other aircraft can easily be evaluated in the same manner. This may be useful when designing a particular airframe to be robust to cyberattacks.


Figure 3. The MultiPlex Easy Star airframe.

III.B. Digital PID Controller

A digital PID controller is used to generate the control signals for the actuators. The controller in this analysis was updated at 50 Hz, which is the typical update rate for hobby servos commonly used on research UASs. This vehicle uses a backside control strategy, in which the elevator is used to control the velocity and the throttle is used to control the altitude. The elevator controls velocity by controlling angle of attack; therefore, this strategy works at both high and low flight speeds. In contrast, a frontside control strategy uses the throttle for velocity and the elevator for altitude. This approach is more complicated to implement in a control system because there is a gain reversal on the back side of the power required curve, requiring more throttle to go slower [13].


Figure 4. The digital controller model.


III.C. GPS/INS Modeling

In order to evaluate the effects of malicious state changes in the navigation system, it is necessary to carefully construct a typical GPS/INS navigation system model. The dynamics of the inertial navigation system have to be derived as well as the models for sensor measurements. These non-linear models must all then be linearized in order to apply the typical Extended Kalman Filter (EKF) navigation methods.

III.C.1. Navigator Dynamics

The navigator state consists of the quaternions, the velocity in the navigation frame, and the global position. Here we denote the quaternions as $a, b, c, d$, the north velocity as $V_N$, the east velocity as $V_E$, the downward velocity as $V_D$, the latitude as $L$, the longitude as $l$, and the altitude as $h$. The full navigation state is given by $x := [a\ b\ c\ d\ V_N\ V_E\ V_D\ L\ l\ h]^T$. The navigator input vector consists of the measured body angular rates, $\omega_x, \omega_y, \omega_z$, and the measured accelerations, $f_x, f_y, f_z$. Here $x, y, z$ represent a right handed coordinate frame fixed in the body with the x axis pointing forward and the y axis pointing out the right wing. Thus, the input to the navigator is given by: $z_{IMU} := [\omega_x\ \omega_y\ \omega_z\ f_x\ f_y\ f_z]^T$. Taking into account the rotational velocity of earth, $\Omega$, and the distance from the center of earth $R$, the dynamics of the navigator are given by:

$$\dot{x}(t) = f(x(t), z_{IMU}(t)) \tag{1}$$

The nonlinear function $f$ is defined in Equation 2, where $C_{nb}$ is the direction cosine matrix from the body to the navigation frame, $q_{nb}$ is the attitude quaternion from the body to the navigation frame, $\omega_{nb}$ is the angular velocity of the body frame with respect to the navigation frame, $\alpha_b$ is the acceleration measured in the body frame, $\omega_{ie}$ is the angular velocity of the earth with respect to the inertial frame, $\omega_{en}$ is the angular velocity of the navigation frame with respect to the earth frame, $g_n$ is the acceleration of gravity expressed in the navigation frame, $R$ is the radius of earth, $\times$ is the vector cross product, $\otimes$ is the skew operator, and $V_N$, $V_E$, $V_D$ are the components of the velocity in the navigation frame [14].

$$f(x(t), z_{IMU}(t)) = \begin{bmatrix} \frac{1}{2} q_{nb} \otimes \omega_{nb} \\ C_{nb}\,\alpha_b - (2\omega_{ie} + \omega_{en}) \times v_n + g_n \\ \dfrac{V_N}{R} \\ \dfrac{V_E}{\cos(L)\,R} \\ -V_D \end{bmatrix} \tag{2}$$

III.C.2. GPS measurements

The GPS sensor measures the velocity and position related to the navigator’s states. Let $z_{GPS}$ be the GPS measurement:

$$z_{GPS} = h_{GPS}(x) + v_{GPS} = \begin{bmatrix} V_N & V_E & V_D & L & l & h \end{bmatrix}^T + v_{GPS} \tag{3}$$

where $v_{GPS}$ is the zero-mean white Gaussian measurement noise with deterministic covariance. Usually, the GPS performance is given by the estimation errors of velocity, position and altitude measurement, which are denoted by the variance of Gaussian distributions: $\sigma_V^2$, $\sigma_P^2$ and $\sigma_A^2$. Then, the covariance of the white noise can be calculated via:

$$E[v_{GPS}\, v_{GPS}^T] := R_{GPS} = \mathrm{diag}\left(\sigma_V^2,\ \sigma_V^2,\ \sigma_V^2,\ \frac{\sigma_P^2}{R^2},\ \frac{\sigma_P^2}{\cos(L)^2 R^2},\ \sigma_A^2\right) \tag{4}$$

III.C.3. IMU measurements

The IMU provides noisy measurements for the input U to the navigator dynamics, i.e.,

$$z_{IMU} = \begin{bmatrix} \omega_x & \omega_y & \omega_z & f_x & f_y & f_z \end{bmatrix}^T + v_{IMU} \tag{5}$$

where $v_{IMU}$ is the zero-mean white Gaussian noise whose covariance $R_{IMU}$ is given by the product specification of the IMU.


III.C.4. Magnetometer measurements

To derive the nonlinear observation model for the magnetometer, we need to compute the local magnetic field. The National Oceanic and Atmospheric Administration (NOAA) provides a software library that gives the magnetic inclination $M_I$ and the declination $M_D$ of the magnetic field lines at the current location [15]. Expressed in the north-east-down frame, the magnetic field vector $[B_N\ B_E\ B_D]^T$ is given by:

$$\begin{bmatrix} B_N \\ B_E \\ B_D \end{bmatrix} = \begin{bmatrix} \cos(M_I)\cos(M_D) \\ \sin(M_I)\cos(M_D) \\ \sin(M_D) \end{bmatrix} \tag{6}$$

Using the quaternion rotation to rotate this magnetic field unit vector into the frame of the aircraft, the nonlinear observation model of the magnetometer is given by:

$$z_{mag} = h_{mag}(x) + v_{mag} \tag{7}$$

where

$$h_{mag}(x) := \begin{bmatrix} B_N(-d^2 - c^2 + b^2 + a^2) + B_D(2bd - 2ac) + B_E(2ad + 2bc) \\ B_E(-d^2 + c^2 - b^2 + a^2) + B_D(2cd + 2ab) + B_N(2bc - 2ad) \\ B_D(d^2 - c^2 - b^2 + a^2) + B_E(2cd - 2ab) + B_N(2bd + 2ac) \end{bmatrix} \tag{8}$$

and $v_{mag}$ is the zero-mean white Gaussian noise with covariance $R_{mag}$ specified by the magnetometer manufacturer.

The Scicos block diagram magnetometer is shown in Figure 5. The NOAA library used to compute $M_I$ and $M_D$ is contained in the geoMag block. The other components of the diagram use the vehicle attitude to rotate the magnetic field line given by the NOAA library into the frame of the aircraft.


Figure 5. The magnetometer model.

III.C.5. Extended Kalman Filter (EKF)

Combining Equations 1, 3, 5, and 7 yields the navigator system model:

$$\begin{aligned} \dot{x}(t) &= f(x(t), z_{IMU}(t)) \\ z &= \begin{bmatrix} z_{GPS} \\ z_{mag} \end{bmatrix} = h(x) + v \end{aligned} \tag{9}$$

where $h(x) = [h_{GPS}(x)\ h_{mag}(x)]^T$ and $v = [v_{GPS}\ v_{mag}]^T$ with the covariance matrix $R = \mathrm{diag}(R_{GPS}, R_{mag})$. With this model, the EKF can be applied to perform state estimation for the navigator. Let $x$ be the state estimation and $P$ be the estimate covariance. The algorithm consists of two steps, propagation and correction, which are detailed as follows:


• Propagation: The propagation involves computing the evolution of the prior estimate $x(t_{k-1}) = x^{k-1|k-1}$ and $P(t_{k-1}) = P^{k-1|k-1}$ when there is no arrival of new observations. Let $\Delta t$ be the interpolation time interval of the continuous dynamics Equation 9. The navigator’s state estimate and its covariance can be updated using Equations 10 and 11 during the time interval from $(k-1)\Delta t$ till $k\Delta t$ [16]:

$$\dot{x}(t) = f\left(x(t), z^{k-1}_{IMU}\right) \tag{10}$$

$$\dot{P}(t) = F P(t) + P(t) F^T + G R_{IMU} G^T \tag{11}$$

where $z^{k-1}_{IMU}$ is the last measurement from the IMU and $F \equiv \left.\dfrac{\partial f}{\partial x}\right|_{x = x^{k-1|k-1},\ z_{IMU} = z^{k-1}_{IMU}}$ is the Jacobian matrix of $f(x, z_{IMU})$ evaluated at $x^{k-1|k-1}$, $z^{k-1}_{IMU}$ and $G \equiv \left.\dfrac{\partial f}{\partial z_{IMU}}\right|_{x = x^{k-1|k-1},\ z_{IMU} = z^{k-1}_{IMU}}$ is the Jacobian matrix of $f(x, z_{IMU})$ evaluated at $x^{k-1|k-1}$, $z^{k-1}_{IMU}$.

• Correction: The correction step computes the posterior estimate $x^{k|k}$ and $P^{k|k}$ from the prior estimate $x^{k|k-1} = x(t_k)$ and $P^{k|k-1} = P(t_k)$ by using the measurements from GPS and magnetometer. Since the GPS and magnetometer measurements are updated at different frequencies (GPS: 10 Hz, magnetometer: 50 Hz), the correction steps may happen at different times. If the cross-correlation between the position and attitude states is neglected, a more computationally efficient algorithm results. This requires two separate EKFs where $x := [x_{att}\ x_{pos}]$ and $P \approx \mathrm{diag}(P_{att}, P_{pos})$. Here $x_{att} := [a\ b\ c\ d]^T$ and $x_{pos} := [V_N\ V_E\ V_D\ L\ l\ h]^T$. This is a typical approximation in UASs [17]. Under this decomposition, the following equations can be used for GPS measurement correction:

$$\begin{aligned} S_{GPS} &= H_{GPS}\, P^{k-1|k-1}_{pos}\, H_{GPS}^T + R_{GPS} \\ K_{GPS} &= P^{k-1|k-1}_{pos}\, H_{GPS}^T\, S_{GPS}^{-1} \\ y_{GPS} &= z_{GPS} - H_{GPS}\, x^{k-1|k-1}_{pos} \\ x^{k|k}_{pos} &= x^{k-1|k-1}_{pos} + K_{GPS}\, y_{GPS} \\ P^{k|k}_{pos} &= \left[I - K_{GPS} H_{GPS}\right] P^{k-1|k-1}_{pos} \end{aligned} \tag{12}$$

where $H_{GPS} = \left.\dfrac{\partial h_{GPS}}{\partial x}\right|_{x^{k-1|k-1}}$ is the Jacobian matrix of $h_{GPS}$ evaluated at $x^{k-1|k-1}$.

During the arrival of magnetometer measurements, the following equations can be used for correction:

$$\begin{aligned} S_{mag} &= H_{mag}\, P^{k-1|k-1}_{att}\, H_{mag}^T + R_{mag} \\ K_{mag} &= P^{k-1|k-1}_{att}\, H_{mag}\, S_{mag}^{-1} \\ y_{mag} &= z_{mag} - H_{mag}\, x^{k-1|k-1}_{att} \\ x^{k|k}_{att} &= x^{k-1|k-1}_{att} + K_{mag}\, y_{mag} \\ P^{k|k-1}_{att} &= \left[I - K_{mag} H_{mag}\right] P^{k-1|k-1}_{att} \end{aligned} \tag{13}$$

where $H_{mag} = \left.\dfrac{\partial h_{mag}}{\partial x}\right|_{x^{k-1|k-1}}$ is the Jacobian matrix of $h_{mag}$ evaluated at $x^{k-1|k-1}$.
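The GPS correction of Equation 12 with the covariance of Equation 4, as an added example (not code from the paper). It assumes $H_{GPS} = I$, which follows from $h_{GPS}$ returning the $x_{pos}$ states directly, and a diagonal $P_{pos}$; the per-state innovation gate, the WGS-84 radius, the noise figures, the prior and the GPS fixes are all assumptions or constructed values.

```python
import math

EARTH_RADIUS_M = 6_378_137.0  # WGS-84 equatorial radius (assumed; the page only names R)
STATES = ("VN", "VE", "VD", "L", "l", "h")
GATE = 10.83  # chi-square 99.9 % bound for 1 degree of freedom (assumed threshold)


def gps_covariance_diag(sigma_v, sigma_p, sigma_a, lat):
    """Diagonal of R_GPS from Eq. 4: position noise in metres mapped to rad^2."""
    r = EARTH_RADIUS_M
    return [sigma_v ** 2] * 3 + [
        sigma_p ** 2 / r ** 2,
        sigma_p ** 2 / (math.cos(lat) ** 2 * r ** 2),
        sigma_a ** 2,
    ]


def gps_correction(x_pos, p_diag, z_gps, r_diag):
    """Eq. 12 with H_GPS = I and diagonal P_pos, so every state updates as a scalar.

    Returns (posterior state, posterior variances, normalized innovation squared).
    """
    x_new, p_new, nis = [], [], []
    for x, p, z, r in zip(x_pos, p_diag, z_gps, r_diag):
        s = p + r          # S = H P H^T + R
        k = p / s          # K = P H^T S^-1
        y = z - x          # y = z - H x
        x_new.append(x + k * y)
        p_new.append((1.0 - k) * p)
        nis.append(y * y / s)  # added check: innovation scaled by its own variance
    return x_new, p_new, nis


def flagged_states(nis, gate=GATE):
    """Names of the states whose innovation is implausibly large for the model."""
    return [name for name, value in zip(STATES, nis) if value > gate]


# Constructed scenario: level flight north at 15 m/s, 120 m altitude.
LAT0 = math.radians(40.43)
LON0 = math.radians(-86.91)
X_PRIOR = [15.0, 0.0, 0.0, LAT0, LON0, 120.0]
P_PRIOR = [0.5 ** 2] * 3 + [
    (5.0 / EARTH_RADIUS_M) ** 2,                     # 5 m north uncertainty
    (5.0 / (EARTH_RADIUS_M * math.cos(LAT0))) ** 2,  # 5 m east uncertainty
    4.0 ** 2,
]
R_GPS = gps_covariance_diag(sigma_v=0.1, sigma_p=3.0, sigma_a=5.0, lat=LAT0)


def gps_fix(north_offset_m):
    """Constructed GPS measurement whose latitude is displaced north by the offset."""
    return [15.05, -0.02, 0.01, LAT0 + north_offset_m / EARTH_RADIUS_M, LON0, 121.5]


def north_shift_m(x_post):
    """How far north (m) the posterior latitude moved from the prior."""
    return (x_post[3] - LAT0) * EARTH_RADIUS_M


if __name__ == "__main__":
    for label, offset in (("consistent fix", 2.0), ("displaced fix", 50.0)):
        x_post, _, nis = gps_correction(X_PRIOR, P_PRIOR, gps_fix(offset), R_GPS)
        print(f"{label}: estimate moved {north_shift_m(x_post):.2f} m north, "
              f"flagged states: {flagged_states(nis)}")
```

With these numbers the gain on latitude is 25/34, so an ungated filter absorbs about three quarters of whatever position offset the GPS input carries in a single update; the gate is what separates the 50 m displacement from ordinary noise.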


Figure 6. The EKF based navigation system.

In the navigation system used for this analysis, one EKF is nested within another. The inner EKF fuses the attitude measurement data from the magnetometer with the integrated gyroscope rates from the inertial measurement unit (IMU). Outside this loop, the other EKF fuses the GPS position and velocity information with the integrated accelerations from the IMU. Note that the directions of these accelerations strongly depend on the attitude estimate of the inner loop.

III.D. ADS-B Modeling

ADS-B stands for Automatic Dependent Surveillance-Broadcast. This is a method of sharing data among aircraft in a vicinity through mutual information broadcasts [6].

III.D.1. Data Packet

In this analysis, we will focus on the navigation information in the ADS-B broadcast. This includes the position and velocity of the aircraft. In the future, aircraft intent will be added. Other services exist for weather, terrain, and general flight information.

Table 2. ADS-B Packet Information

| Field | Contents |
|---|---|
| Position | latitude, longitude, altitude |
| Velocity | north, east and down velocities |
| Time Stamp | date and time of broadcast |

III.D.2. Collision Avoidance Algorithm

Geodesic calculations for waypoint navigation were performed using the great-circle distance equations. The variables used for these calculations are defined in Table 3.


Table 3. Collision Variables

| Variable | Physical Meaning | Units |
|---|---|---|
| $\Psi_c$ | Bearing to obstacle from vehicle | rad |
| $\Psi_{v/o}$ | Bearing of vehicle commanded velocity relative to obstacle | rad |
| $\Psi_r$ | Required $\Psi_{v/o}$ to maintain separation | rad |
| $r_c$ | Distance to obstacle | ft |
| $r_s$ | Separation distance | ft |
| $\alpha$ | Difference between $\Psi_{v/o}$ and $\Psi_c$ | rad |
| $\beta$ | Magnitude difference in bearing between a collision course and a course tangent to the separation window | rad |
| $\gamma$ | Change in $\Psi_{v/o}$ required for vehicle path to be tangent to separation window | rad |

Collision avoidance was achieved using the velocity of the vehicle relative to the obstacle to move the obstacle into a static reference frame. Then the only requirement for avoiding collision is that the relative velocity be shifted such that it will not violate the separation distance [18]. The initial commanded bearing, $\Psi_v$, will always be chosen to point directly towards the commanded waypoint. If this bearing will cause the vehicle to violate the separation distance at any point in the future, a desired vehicle velocity relative to the obstacle will be calculated as:

$$\alpha = \Psi_{v/o} - \Psi_c \tag{14}$$

$$\beta = \arcsin\frac{r_s}{r_c} \tag{15}$$

$$\gamma = \mathrm{sgn}(\alpha)(\beta - \alpha) \tag{16}$$

$$\Psi_r = \begin{cases} -\Psi_c & \text{if } r_c \le r_s,\ |\alpha| \ge \frac{\pi}{2} \\ \Psi_c - \frac{\pi}{2} & \text{if } r_c \le r_s,\ |\alpha| < \frac{\pi}{2},\ \alpha < 0 \\ \Psi_c + \frac{\pi}{2} & \text{if } r_c \le r_s,\ |\alpha| < \frac{\pi}{2},\ \alpha \ge 0 \\ \Psi_{v/o} + \gamma & \text{if } r_c > r_s,\ |\alpha| < \beta \\ \Psi_{v/o} & \text{otherwise} \end{cases} \tag{17}$$

$\beta$ is calculated using trigonometric operations on a right triangle formed with the distance to the obstacle, $r_c$, as the hypotenuse and the radius of the circle and vehicle path tangent to the separation window forming the legs. If the vehicle is within the separation window, this triangle cannot be formed and $\beta$ is undefined. In this case, the relative velocity vector is chosen to be orthogonal to a collision course vector if the vehicle is in front of the obstacle and inside the separation window, and is chosen to point directly away from the obstacle if the vehicle is behind the obstacle and inside the separation window. If the separation distance is not violated, the direction of the relative velocity vector will be rotated such that it is tangent to the separation window in the case that the current relative velocity intersects the separation window. This rotation will be performed while keeping the vehicle’s velocity constant, if possible.


IV. Simulated Cyberattacks

Single mode attacks are attacks in which only one attack avenue is pursued. The different types of identified single mode attacks are categorized in Table 4.

Table 4. Single Attacks Considered

Attack                        Description
fuzzing attack                Introduction of extra noise to sensor data.
actuator attack               Physical modification of actuators (rudders, ailerons, etc.).
digital update rate attack    Slowing the processing rate of the controller / navigator.
navigator state attack        Modification of the on-board navigator state.
sensor spoofing attack        Providing false sensor data.
disguised attack              An attack masquerading as another attack.
undetectable attack           An attack that can’t be detected.

When multiple single mode attacks are used on a target simultaneously, it is considered a combined attack. Successful combined attacks are especially dangerous because they give an attacker additional degrees of freedom with which to achieve their objective. If an attack can be intelligently designed, these additional freedoms can be used to amplify the effect of the attack, reduce the detectability of the attack, and/or achieve a result that is not possible with a single attack. We will now simulate attacks of this type. We will determine which combinations of attacks are most dangerous and hypothesize the cause for the dangerous coupling. To provide a basis for testing, we will simulate the nominal case of an unmanned plane traveling to a waypoint.

The time till failure metric presented above will be used as the measurement of the effectiveness of the attack. The simulations were iterated using varying attack magnitudes, and the results are presented as a two-dimensional contour map showing the time till failure. In these plots, the yellow and red colors represent the fastest failures, while blue colors represent delayed or no failure within the simulation time window.
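The sweep described above, reduced to a toy case as an added example (it is not the authors' simulation platform): a scalar unstable plant with a sample-and-hold controller stands in for the aircraft and autopilot, and the plant constants, envelope limit and failure criterion are all assumptions. It sweeps sensor gain against digital update rate and reports the grid points that fail only under the combination, which is the coupling a robustness assessment needs to find.

```python
import math

A, K = 1.0, 7.0               # assumed open-loop pole (1/s) and controller gain
DT, NOMINAL_HOLD = 0.01, 20   # integration step (s); controller runs every 20 steps
X0, X_LIMIT, STEPS = 0.1, 10.0, 3000   # initial upset, envelope bound, 30 s window

def time_till_failure(sensor_gain, update_rate):
    """Seconds until |x| leaves the envelope; math.inf if it never does.

    sensor_gain scales the measurement the controller sees (1.0 = nominal);
    update_rate is the fraction of nominal controller rate, in (0, 1].
    """
    hold = round(NOMINAL_HOLD / update_rate)   # slower controller, longer hold
    x, u = X0, 0.0
    for n in range(STEPS):
        if n % hold == 0:                      # controller samples and updates
            u = -K * sensor_gain * x
        x += DT * (A * x + u)                  # Euler step of x' = A x + u
        if abs(x) > X_LIMIT:
            return (n + 1) * DT
    return math.inf

def sweep(gains, rates):
    """Time till failure over the full grid of attack magnitudes."""
    return {(g, r): time_till_failure(g, r) for g in gains for r in rates}

def combined_only(grid, nominal=(1.0, 1.0)):
    """Grid points that fail although each single-mode attack alone does not."""
    g0, r0 = nominal
    return sorted(p for p, t in grid.items()
                  if t < math.inf
                  and grid[(p[0], r0)] == math.inf    # gain attack alone is survivable
                  and grid[(g0, p[1])] == math.inf)   # rate attack alone is survivable

if __name__ == "__main__":
    grid = sweep([0.8, 1.0, 1.2], [0.5, 0.75, 1.0])
    for (g, r), t in sorted(grid.items()):
        print(f"gain {g:.0%}  update rate {r:.0%}  time till failure {t:.2f} s")
    print("fails only in combination:", combined_only(grid))
```

In this toy loop a 120% gain or a 75% update rate is survivable alone, and only the pair drives the state out of the envelope.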


In the first attack considered, the yaw rate sensor gain is varied from 80-120% and a sinusoid is inserted in the GPS longitude with a frequency varying from 0-30 Hz. The results of this simulation are shown in Figure 7. The nominal operating point in this figure is at the center bottom. The yaw rate sensor gain creates vehicle instability with as little as 5% change in magnitude, although it is less sensitive to a change in gain that increases the measured value. Attenuation in the vehicle failure time begins to occur at a 10% increase in the gain. The GPS longitudinal frequency does contribute to system instability, as can be seen by the narrowing of the center region of stability as the GPS frequency gets larger. It even causes failures at the nominal yaw rate gain for longitudinal frequencies near 7 Hz, possibly due to resonance at that point. As the frequency increases beyond this point, the effect it has on the system becomes less apparent. This is likely due to the higher frequency oscillations being filtered out by system poles.

[Contour plot: Time till failure. x-axis: Yaw Rate Sensor Gain, %; y-axis: GPS Longitudinal Frequency, Hz.]

Figure 7. The effect of yaw rate sensor gain and GPS longitudinal offsets on failure time.


The next attack that is considered is an attack that varies the digital update rate from 50 to 100% and injects Gaussian noise with standard deviation varying from 0-1 ft/s^2 into the IMU accelerometer. The results of this attack are shown in Figure 8. In this plot, the region of instability is fairly heterogeneous. If the processor is running at full speed (100%), the IMU accelerometer noise cannot drive the system unstable with noise less than 0.5 ft/s^2. Interestingly, when the processor is running at 85%, no simulated accelerometer noise is able to introduce failure. In that sense, a cyberattack that reduces the processor to that rate actually increases the system’s resilience to accelerometer noise. As the processor rate decreases, less IMU accelerometer noise is required to induce failure. At 50% processor speed and 0.5 ft/s^2 accelerometer noise there is an irregularity. It is possible that this is due to complex phenomena such as harmonic resonances within the autopilot. It is also possible that this is an unlikely event that occurred in this simulation and would be homogenized with several Monte Carlo iterations.

[Contour plot: Time till failure. x-axis: IMU Accelerometer Noise, ft/s^2; y-axis: Digital Update Rate, %.]

Figure 8. The effect of IMU accelerometer noise and processor digital update rate on failure time.


The next attack that is considered is Gaussian noise injection in both the IMU yaw gyroscope and the IMU accelerometer. The standard deviation of the gyroscope noise is varied from 0-10 rad/s, and the standard deviation of the accelerometer noise is varied from 0-1 ft/s^2. The results of the simulation are shown in Figure 9. The nominal point of zero noise in either sensor is in the lower left of the plot. It is clear from this plot that if the accelerometer noise is below 0.3 ft/s^2, instability is not possible. Increasing the IMU yaw gyro noise standard deviation does not directly lead to increased stability. If the gyro noise is low, there is a large pocket of instability from 0.55 ft/s^2 to 1.0 ft/s^2 accelerometer noise standard deviation. Near 5 rad/s of yaw gyro noise the instability caused by the accelerometer noise is reduced. This complex behavior may again be caused by harmonic resonances in the system.

[Contour plot: Time till failure. x-axis: IMU Accelerometer Noise, ft/s^2; y-axis: IMU Yaw Gyro Noise, rad/s.]

Figure 9. The effect of IMU accelerometer noise and gyro noise on failure time.

A combination of three attacks is shown in Figure 10. In this attack, noise is injected into the altitude measurement, a phantom ADS-B intruder is inserted and removed with varying frequency, and an initial navigator error in the down velocity is introduced. The failure region is fairly homogeneous except when the initial down velocity error is 50 ft/s, where an unstable pocket can be seen to develop. This pocket constitutes the smallest magnitude attack that causes instability. This case demonstrates the difficulty in protecting cyberphysical systems. The coupling between various system components is so complex that it is very difficult to intuit which attacks cause instability, and the existence of these isolated instability regions can make it very difficult to completely characterize the safe region.


[Five contour plots, each titled "Time until failure with Down Velocity Attack of" the stated value. x-axis: GPS Altitude Noise, ft; y-axis: ADS-B frequency, Hz. Panels: (a) Down velocity error, 0 ft/s; (b) Down velocity error, 25 ft/s; (c) Down velocity error, 50 ft/s; (d) Down velocity error, 75 ft/s; (e) Down velocity error, 100 ft/s.]

Figure 10. Time till failure for altitude noise vs. ADS-B frequency vs. down velocity initial error.


An undetectable attack is an attack that is not discovered by the fault monitoring systems, an attack that targets an unmonitored subsystem, or an attack that is able to induce an irrecoverable instability before being discovered by the monitoring systems. In Figure 11, the GPS altitude noise is plotted against initial error in the navigator down velocity and the processor is running at 20% of the nominal speed. The 1 sigma, 2 sigma, and 3 sigma measurement ellipsoids are plotted. These ellipsoids represent the ability of the fault detection system to detect an attack. As the attack moves farther from the nominal point, the probability of the attack being detected increases.

[Contour plot: Time till failure, Processor speed 20%. x-axis: GPS Altitude Noise, ft; y-axis: Down Velocity, ft/s. Ellipsoids labeled 1, 3 and 9.]

Figure 11. The effect of GPS altitude noise and initial down velocity error on failure time with the processor running at 20% nominal speed. The detection ellipsoids for 1, 3 and 9 sigma (covariance ellipsoids) are plotted.
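One way to read the detection ellipsoids from the defender's side, as an added example that is not from the paper: it assumes a fault monitor that alarms when the Mahalanobis distance of the (altitude, down velocity) deviation exceeds k sigma, an assumed Gaussian covariance, and constructed time-till-failure values. It lists the destabilizing points that stay inside the k-sigma ellipse and the false-alarm rate paid for shrinking that blind spot.

```python
import math

# Assumed covariance of (GPS altitude error [ft], down-velocity error [ft/s]).
COV = [[400.0, 0.0], [0.0, 4.0]]          # sigma = 20 ft and 2 ft/s

# Constructed sample: deviation from nominal -> time till failure [s].
# math.inf means no failure inside the simulation window.
SAMPLE = {
    (0, 0): math.inf, (10, 1): math.inf, (20, -2): 19.0,
    (40, 4): 16.0, (60, -8): 14.0, (100, 10): math.inf,
}

def mahalanobis(point, cov):
    """Distance of a 2-D deviation from nominal, in units of sigma."""
    (a, b), (c, d) = cov
    det = a * d - b * c
    if a <= 0 or det <= 0:
        raise ValueError("covariance must be positive definite")
    x, y = point
    # Quadratic form with the closed-form inverse of a 2x2 matrix.
    return math.sqrt((d * x * x - (b + c) * x * y + a * y * y) / det)

def blind_spots(ttf, cov, k):
    """Failing points the monitor misses: they lie inside the k-sigma ellipse."""
    return sorted(p for p, t in ttf.items()
                  if t < math.inf and mahalanobis(p, cov) <= k)

def false_alarm_rate(k):
    """P(distance > k) for fault-free 2-D Gaussian noise (chi-square, 2 dof)."""
    return math.exp(-k * k / 2.0)

def tightest_safe_threshold(ttf, cov):
    """Any threshold at or above this value misses at least one failing point."""
    return min(mahalanobis(p, cov) for p, t in ttf.items() if t < math.inf)

if __name__ == "__main__":
    for k in (1.0, 3.0, 9.0):
        print(f"k={k:.0f}: missed {blind_spots(SAMPLE, COV, k)}, "
              f"false alarms {false_alarm_rate(k):.3g}")
    k_max = tightest_safe_threshold(SAMPLE, COV)
    print(f"threshold must stay below {k_max:.3f} sigma "
          f"(false-alarm rate above {false_alarm_rate(k_max):.3f})")
```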

A disguised attack is an attack that is designed to be detected but identifies as a different type of attack. This false identification could cause the vehicle to perform fault mitigation actions that, while effective against the type of attack that was identified, can be leveraged by the actual attack to further its objectives. In this way, the vehicle’s defense systems are themselves a vulnerability that can be exploited by an attacker. This type of attack requires a more detailed fault detection scheme for analysis and will be investigated in future work.


V. Conclusion

In this paper, we have presented a simulation platform designed to test the robustness of UASs to cyberattack and identify their vulnerabilities. A high-fidelity model of the vehicle dynamics and autopilot was created and interfaced with a proven flight simulation software package, enabling accurate simulation of UAS operations. This capability was leveraged to simulate the response of a UAS to several identified cyberattacks and combinations of cyberattacks, including sensor noise injection, changing the system update rate, modifying sensor gains, and modifying the navigator state. These attacks were shown through simulation to be capable of impeding mission objectives and introducing instability into the vehicle, resulting in airframe failure. This capability, along with the great risk to life and property that a UAS crash presents, demonstrates the need for further development of cybersecure autopilots for UAS systems. For future study, we intend to further investigate fault detection systems that can identify and protect against specific cyberattacks, as well as methods to recover control of a vehicle that has been compromised by an attack.

Acknowledgments

We would like to thank Sypris Electronics for supporting this work.

References

[1] Banerjee, A., Venkatasubramanian, K. K., Mukherjee, T., and Gupta, S. K. S., “Ensuring Safety, Security, and Sustainability of Mission-Critical Cyber–Physical Systems,” Proceedings of the IEEE, Vol. PP, No. 99, 2011, pp. 1–17, Early Access.

[2] Nilsson, D. K. and Larson, U. E., “A Defense-in-Depth Approach to Securing the Wireless Vehicle Infrastructure,” Journal of Networks, Vol. 4, No. 7, September 2009, pp. 552–564.

[3] Air Force Space Command, “Flying operations of remotely piloted aircraft unaffected by malware,” http://www.afspc.af.mil/news1/story.asp?id=123275647, Oct 2011.

[4] US-China Economic and Security Review Commission, “2011 Report to Congress,” http://www.uscc.gov/annual report/2011/annual report full 11.pdf, 2011.

[5] Warner, J. S. and Johnston, R. G., “GPS spoofing countermeasures,” Tech. rep., Los Alamos National Laboratory, 2003.

[6] Krozel, J. and Andrisani II, D., “Independent ADS-B verification and validation,” AIAA 5th ATIO, September 2005.

[7] Mitchell, R. and Chen, I., “Survivability analysis of mobile cyber physical systems with voting-based intrusion detection,” Proc. 7th Int. Wireless Communications and Mobile Computing Conf. (IWCMC), 2011, pp. 2256–2261.

[8] Zhu, Q., Rieger, C., and Basar, T., “A hierarchical security architecture for cyber-physical systems,” Proc. 4th Int Resilient Control Systems (ISRCS) Symp, 2011, pp. 15–20.

[9] Colgren, R. D. and Johnson, T. L., “Flight mishap prevention for UAVs,” Proc. Aerospace Conf. IEEE, Vol. 2, 2001.

[10] Wilson, J. M. and Peters, M. E., “Automatic flight envelope protection for light general aviation aircraft,” Proc. IEEE/AIAA 28th Digital Avionics Systems Conf. DASC ’09, 2009.

[11] Shin, H., Kim, Y., Kim, E. T., and Seong, K. J., “Flight envelope protection controller using dynamic trim algorithm,” Proc. ICCAS-SICE, 2009, pp. 3228–3232.

[12] Bateman, F., Noura, H., and Ouladsine, M., “Fault Diagnosis and Fault-Tolerant Control Strategy for the Aerosonde UAV,” Vol. 47, No. 3, 2011, pp. 2119–2137.

[13] Stevens, B. and Lewis, F., Aircraft control and simulation, Wiley, New York, 2003.

[14] Titterton, D. and Weston, J., Strapdown Inertial Navigation Technology, The Institute of Electrical Engineers, 2004.

[15] NOAA, “The World Magnetic Model,” http://www.ngdc.noaa.gov/geomag/WMM/soft.shtml, 2010.

[16] Julier, S. J. and Uhlmann, J. K., “Unscented filtering and nonlinear estimation,” Vol. 92, No. 3, 2004, pp. 401–422.

[17] Du, D., Liu, L., and Du, X., “A low-cost attitude estimation system for UAV application,” Proc. Chinese Control and Decision Conf. (CCDC), 2010, pp. 4489–4492.

[18] Fiorini, P. and Shiller, Z., “Motion planning in dynamic environments using the relative velocity paradigm,” Robotics and Automation, 1993. Proceedings., 1993 IEEE International Conference on, May 1993, pp. 560–565, vol. 1.
