This vulnerability puts the future of U.S. warfighting at risk
Security flaws in a standardized component widely used in military and avionics systems threaten the Pentagon’s plans for an Internet of Military Things.
The U.S. military is betting on technological revolution to win the wars of the 21st century. Pentagon futurists are working toward a digitally managed battlefield where commanders use cloud-based software tools to direct autonomous weapons systems anywhere on the globe and even launch coordinated attacks by land, sea and air with the swipe of a finger.
It’s been called the Uber-ization of warfare, but officially the Department of Defense dubs this vision Joint All-Domain Command and Control, or JADC2. And it’s going to fundamentally rewire the military — not just its IT systems, but its guns and bombs, too. Later this year, the Joint Chiefs of Staff will publish new requirements under which all weapons systems must be compatible with JADC2 networking in order to receive funding.
But creating this Internet of Military Things is risky. JADC2 is afflicted with a potentially fatal weakness. A 48-year-old technology standard that nearly all major weapons and avionics systems rely on — the 1553 serial data bus — is vulnerable to hacking, according to cybersecurity experts, military technologists and peer-reviewed academic research.
The 1553 “was never designed with security in mind,” said Josephine Micallef, senior research director for systems and cybersecurity at defense electronics contractor Peraton Labs, a privately held research company that works on cyber and physical security projects for the government and industry.
The vulnerabilities within 1553 could undermine the vision of a networked military — potentially enabling America’s enemies to sabotage advanced weapons systems, or even take them over and turn them against U.S. forces, according to David Goodman, CEO of Vitro, a startup working with Air Force seed money on 1553 security.
“The really big question is how do we have forward offensive weapons that are networked, that are remote [controlled]? God forbid, somebody gets control of them and turns them on us,” he said, “That’s the worst case scenario.”
The Pentagon’s weapon testers seem to agree — they have repeatedly highlighted the vulnerabilities of specialized non-Internet Protocol communications systems like the 1553 bus. In its 2020 annual report, released earlier this year, the DoD’s Directorate of Operational Test and Evaluation acknowledged there aren’t good ways to measure, let alone ensure, their security against online attacks. “Tools and techniques necessary to test specialized protocols, [like the 1553] … are not adequate,” the report states.
In that dry military jargon, the Pentagon’s weapons testers have laid out a frightening truth: As the DoD starts to deploy elements of JADC2 over the next few years, defense contractors and military scientists are in a desperate race to secure the 1553 before it’s brought online — exposing the U.S. military’s Achilles’ heel to enemy hackers.
The press office for the Joint Chiefs of Staff did not respond to several requests for comment. The Air Force Research Laboratory, the Directorate of Operational Test and Evaluation and several former officials declined requests for interviews, citing the sensitive and/or classified nature of their work on the 1553. However, in addition to the sources quoted in this story, README spoke with three former or currently serving defense officials, who declined to be named or quoted, but supported the key points in this article.
A photo illustration of an F-35A Lightning II based on an original photo by R. Nial Bradshaw and courtesy of the U.S. Air Force. Source: Flickr
Getting on the bus: Why the 1553 is so ubiquitous
MIL-STD-1553 is an engineering standard defining the mechanical, electrical and functional characteristics of a serial data bus — an electronic subsystem that enables different computer components to communicate with each other. At its simplest, a bus is a connector, like the USB (Universal Serial Bus) port you plug into your laptop.
The 1553 bus is a connector that enables the flight computer on an aircraft to plug into other parts of the plane — to communicate with the embedded computers that control the sensor, flight and weapons systems. It allows the flight computer, and through that, the pilot, to receive data from sensors such as radar or a GPS receiver, and to send commands to the engines, the wing flaps and the weapons.
Prior to the development of the 1553, electronic subsystems on an aircraft had been connected point-to-point — the same way they had been when they were controlled by physical wires or hydraulics, rather than by digital commands. But as the number of controllable subsystems multiplied, the complexity of all that point-to-point wiring, not to mention the space and the weight it took up, began to be a problem.
Erwin Gangl, the engineer widely viewed as the inventor of the 1553, first came up with the idea in the late 1960s, he told Aviation Today. An early version was used in the F-15, in the early 70s. The standard was first adopted by the U.S. Air Force in 1973, and two years later became a DoD-wide standard. It was updated once, in 1978, but otherwise has remained unchanged.
Like a USB, the 1553 standard ensures compatibility. A printer, mouse or other peripheral made by one manufacturer can be connected to a laptop made by another using a cable made by a third — because all the manufacturers are following the same USB standard.
The 1553 also solved another problem besetting the U.S. military at the time: how to ensure that the increasingly complex weapons systems and sensors mounted on planes were properly integrated when they were designed and manufactured by competing vendors.
Just as with USB, 1553 ensures that each component in a military avionics system — the radar, the engine, the weapons — can be made by a different company. The open standard allows products made by competing vendors to work together without requiring the manufacturers to give up any confidential data. Partly because it ensures compatibility like that, the 1553 has become ubiquitous. It is in every major U.S. and NATO warplane, most helicopters, and even in land vehicles like the Abrams main battle tank.
Because it’s a published standard, anyone can use it. In addition to U.S. and NATO weapons systems, the 1553 bus is used on the International Space Station and on many satellites, in the Airbus A350 jetliner, and in military avionics in Israel, Japan, India — and even China and Russia.
But research has shown it is extremely insecure, vulnerable to everything from crude denial of service, through eavesdropping and man-in-the-middle interception, to more sophisticated data exfiltration and substitution. “When the standard was published,” said Micallef, “People didn’t worry about cybersecurity.”
And in traditional deployments of the 1553, they still don’t need to worry very much. The aircraft is a closed system with a correspondingly small attack surface. The 1553’s vulnerabilities are hidden away.
But the JADC2 vision of a networked military changes all that for U.S. systems. The 1553 bus — along with a handful of other key components built to legacy standards — will be subject to a massively expanded attack surface, as the weapons and avionics systems it controls are brought literally online — connected to cloud architectures designed to make them part of a synchronized, networked U.S. military force.
“The more you are adding new capabilities to the aircraft, adding more connections into the bus, that’s when you get into trouble,” said Frank Konieczny, who retired in February as CTO of the Air Force, “Because that opens the possibility that someone could do something that will disrupt the bus or build some malware that can be injected somewhere to cause a problem.”
Unfortunately, the design characteristics of the 1553 make that nightmare outcome all too possible.
Attacking the bus: Why the 1553 is so vulnerable
“The 1553 is a shared bus,” Micallef explained, “That means that when a transmission is sent over this bus, any device connected on that bus can see the message. From a security perspective, this has obvious issues.” It means an attacker with a foothold on the bus could eavesdrop on messages revealing the aircraft’s location, speed, direction and other critical information.
There’s more: Because there‘s no way of authenticating messages on the bus, a rogue or malware-infected embedded system connected to the bus could send out messages pretending to be some other component. An attacker with that access could send the flight computer, and through that, the pilot, bogus data about fuel levels, or altitude or location.
Worst of all, the lack of authentication means an attacker could pretend to be the flight computer. “You can impersonate the Bus Controller” — the role the flight computer typically plays on the bus — and send bogus data or bogus instructions, said Micallef. “This could be severely damaging — causing operational confusion, untrustworthy situational intelligence, and platform instability as well as aborted missions, mission failure and ensuing loss of materiel and loss of life,” she said.
Even a crude denial-of-service type attack that overwhelmed the bus with bogus traffic could have broader and unpredictable effects, according to Goodman. “If you overwhelm the bus, you can get it into some weird [race condition-like] state … an overflow situation,” he said, at which point, safety protocols might cause the device to dump its encryption keys or other data. “It’s one of these things where sometimes a safety measure ends up being the flaw,” notes Goodman.
But the most insidious kind of hack might be the least obvious: an attack that targets a mission-critical device on the 1553 bus and triggers only when a specific condition holds. Such an attack could, for example, prevent a weapon from firing when its target is within a particular area, or corrupt altitude data only at very low altitude, leading to aborted take-offs or landings.
“The scariest attacks are those where you do not know it is happening,” said Micallef. A denial of service attack that prevented the bus from operating at all would be detected during pre-flight checks, and would stop the aircraft from leaving the ground, “But the worst attack would be one that was not apparent, where it appears that the mission failed, not because of the cyberattack, but because some piece of equipment failed.”
Neither Micallef nor any other of the half-dozen sources interviewed for this article would comment on whether 1553 buses had been cyber-attacked for real (“I like you,” noted one, “but not enough to go to prison — that is highly classified”), but the danger is clearly not just theoretical. In a paper published in January, academics at the Aeronautical Institute in Italy revealed they had actually built a device which could execute cyberattacks on the 1553.
Defending the bus: How to protect 1553
Many enterprises find themselves saddled with chronically insecure operational technology or legacy IT systems. But they mitigate that risk by putting the vulnerable system behind a firewall or other gateway, or by using intrusion prevention technology.
And, years before JADC2 envisaged putting 1553 systems online, the U.S. military was aware of the threat posed to the bus by the development of digital maintenance tools, which plug into and interact with aircraft systems. Indeed, the Pentagon’s resident mad scientists in DARPA, the Defense Advanced Research Projects Agency, have been working for years, mainly in secret, to figure out how to protect weapons systems based on the 1553 bus.
So, what makes 1553 so difficult to defend? To understand that, we need to go back to the characteristics that have made it so successful as a real-time avionics control system — reliability and predictability. To achieve the reliability required for real-time control, the 1553 protocol has strict timing constraints. This makes it impossible to use conventional cybersecurity tools such as firewalls or network intrusion prevention systems on the bus, according to Micallef.
“When one of the embedded computers [on the 1553 bus] receives a request, they must respond back within 12 microseconds. If they don’t, if the sender doesn’t receive that response within 14 microseconds, then the sender times out … If that happens too often, these systems are unable to communicate and fail.”
Typical cybersecurity tools will introduce delays in the 20-plus millisecond range — several orders of magnitude greater than the 1553 bus will allow. “If you put one of these cybersecurity products that we use on our traditional networks on a 1553 bus, it will break the protocol because of the timing constraints,” she notes.
Moreover, to be predictable enough to be certified as flightworthy, the 1553 bus must function deterministically — with no room for doubt, uncertainty or error. Conventional cybersecurity technology generally involves the possibility of false positives or other errors. It is, in a word, probabilistic — the opposite of deterministic — which makes it impossible to use in safety-critical flight systems like the 1553. “You can’t plug one of these cyber tools into that bus structure … You don’t want to blow up the bus,” said Konieczny.
As a result, most early approaches to 1553 security focused on anomaly detection: passively monitoring traffic on the bus — which doesn’t violate either reliability or predictability requirements — and generating a warning to the pilot if abnormal messages or commands are found.
In 2017, a team of scientists from BAE Systems patented a Cyber Warning Receiver (CWR), a device intended to “detect anomalous behavior” on the 1553 bus and “alert an operator.” A 2018 article published in the U.S. Army’s Cyber Defense Review by the same team describes the device’s function in more detail. The CWR uses machine learning to build a baseline model of normal traffic on the bus and identify anomalous messages. The paper identifies two possible configurations for the CWR.
One could position the CWR “inline with critical 1553 bus subsystems, prepared to take rapid and decisive action to stop cyberattacks in their tracks.” The article doesn’t address either the timing issues for bus traffic or the need for determinism to achieve airworthiness certification, and BAE Systems declined repeated requests for an interview.
Alternatively, the CWR can be configured offline, “passive[ly] …monitoring the system for malicious activity and alerting operators of anything suspicious, but never actively interacting with the network.”
Raytheon took a similar offline tack with their Cyber Anomaly Detection System, which they rolled out in 2019, with great fanfare. CADS “notifies aircraft and vehicle crews” of the “slightest deviations on the MIL-STD-1553 communication bus,” according to a company blog post. Raytheon also declined several requests for an interview.
But the problem with alerting the pilot, as the Cyber Defense Review article makes clear, is that she has other things to do. CWR warnings “should never distract a pilot or other key mission personnel unless the findings suggest an imminent survivability threat,” the article states, adding that “Providing too much information, or generating excessive nuisance false alarms, might be cause for an operator to disable a system, eliminating the protection.”
More importantly, alerting the pilot that a cyberattack has disabled their weapons systems is what military jargon might call a sub-optimal outcome. An optimal outcome would be to prevent or mitigate the attack and allow the weapons to work. “It’s not just doing detection, it’s doing the prevention and mitigation to ensure operational continuity of the weapons system,” said Micallef.
To that end, her team at Peraton Labs has developed a solution that confronts the low delay and determinism requirements of the 1553 head on.
The 1553 Bus Defender is a plug-in hardware component that performs real-time security filtering for messages traversing the bus, adding only around 300 nanoseconds of delay — and does so deterministically. As a hardware-in-line module, the 1553 Bus Defender doesn’t require any modifications to the components on the bus or to their configurations or software.
“You have a set of rules that says who can talk to whom,” Micallef explained, so a rogue or compromised subsystem on the bus couldn’t impersonate the flight computer or another subsystem and send bogus data. These rules are configured for each platform. “Bus Defender needs to know what [systems] are on the bus and where they are,” so it can enforce the rules about who can speak to whom. The system also enforces the 1553 communications protocol, eliminating the possibility that a compromised device or malware infection could overwhelm the bus in a denial of service attack. “If it’s not your turn to speak, you don’t speak,” she said.
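To make the shared-bus and impersonation problems described earlier concrete, and to show what a fixed who-may-talk-to-whom rule set of the kind Micallef describes actually decides on, here is a small Python model added for this article. It is not Peraton Labs’ Bus Defender, BAE Systems’ CWR or any other product’s code. Only the command-word bit layout comes from the public MIL-STD-1553B standard; the terminal names, RT addresses, subaddresses, allowlist and bus traffic are constructed for the example, and status words are left out to keep the model short.

```python
"""
MIL-STD-1553 command words, a shared bus with a compromised terminal, and a
deterministic allowlist filter in the spirit of the inline defenders the
article describes. Added illustration, not code from Peraton Labs, BAE Systems,
or any platform. Only the command-word bit layout comes from the public
standard; terminal names, RT addresses, subaddresses, rules and traffic are
constructed for the example, and status words are omitted.
"""
from dataclasses import dataclass

# MIL-STD-1553B command word (16 bits, excluding sync and parity):
#   bits 15-11  RT address              bits 9-5  subaddress / mode
#   bit  10     T/R (1 = RT transmits)  bits 4-0  data word count (0 encodes 32)


def encode_command(rt: int, rt_transmits: bool, subaddress: int, count: int) -> int:
    if not (0 <= rt < 32 and 0 <= subaddress < 32 and 1 <= count <= 32):
        raise ValueError("command field out of range")
    return (rt << 11) | (int(rt_transmits) << 10) | (subaddress << 5) | (count & 0x1F)


def decode_command(word: int) -> tuple:
    return ((word >> 11) & 0x1F, bool(word & 0x400), (word >> 5) & 0x1F, (word & 0x1F) or 32)


@dataclass(frozen=True)
class Word:
    source: str   # terminal physically driving the bus; only an inline device on that stub knows this
    kind: str     # "cmd" or "data"
    value: int    # 16-bit word, seen identically by every terminal on the shared bus


# Constructed platform: the flight computer is the bus controller.
BC = "flight_computer"
RT_ADDR = {"gps": 3, "stores_mgmt": 7, "maint_port": 12}

# Allowlist of (rt, rt_transmits, subaddress) transfers the flight computer may command.
ALLOWED = frozenset({
    (3, True, 1),    # gps -> BC: position fix
    (7, False, 2),   # BC -> stores_mgmt: release settings
    (7, True, 3),    # stores_mgmt -> BC: inventory/status
})


class AllowlistFilter:
    """Fixed rules only: no learning, no thresholds, the same verdict for the same traffic every time."""

    def __init__(self, bus_controller: str, rt_addr: dict, allowed: frozenset):
        self.bc = bus_controller
        self.name_of = {addr: name for name, addr in rt_addr.items()}
        self.allowed = allowed
        self.speaker = None    # terminal entitled to drive data words right now
        self.remaining = 0     # data words still owed by that terminal

    def check(self, w: Word) -> tuple:
        """Return (accept, reason) and advance the protocol state."""
        if w.kind == "cmd":
            self.speaker, self.remaining = None, 0
            if w.source != self.bc:
                return False, f"command word driven by {w.source}; only {self.bc} may issue commands"
            rt, tx, sa, count = decode_command(w.value)
            if (rt, tx, sa) not in self.allowed:
                return False, f"RT{rt} sa{sa} {'tx' if tx else 'rx'} is not an allowed transfer"
            self.speaker = self.name_of.get(rt) if tx else self.bc
            self.remaining = count
            return True, "command accepted"
        if w.source != self.speaker or self.remaining == 0:
            return False, f"data word from {w.source} out of turn"   # not its turn to speak
        self.remaining -= 1
        return True, "data accepted"


def filter_bus(words: list, flt: AllowlistFilter) -> list:
    return [(w,) + flt.check(w) for w in words]


def sample_traffic() -> list:
    """Constructed capture: a genuine transfer, an impersonated one, and a babbling terminal."""
    cmd_release = encode_command(7, False, 2, 2)           # BC -> stores_mgmt, 2 words
    return [
        Word(BC, "cmd", cmd_release), Word(BC, "data", 0x0001), Word(BC, "data", 0x00A5),
        # the compromised maintenance port drives the identical command word, posing as the BC
        Word("maint_port", "cmd", cmd_release), Word("maint_port", "data", 0xFFFF), Word("maint_port", "data", 0xFFFF),
        # gps is asked for one word and answers
        Word(BC, "cmd", encode_command(3, True, 1, 1)), Word("gps", "data", 0x1234),
        # ...then keeps transmitting without being asked (denial-of-service style)
        Word("gps", "data", 0x1234), Word("gps", "data", 0x1234),
    ]


if __name__ == "__main__":
    for w, ok, why in filter_bus(sample_traffic(), AllowlistFilter(BC, RT_ADDR, ALLOWED)):
        print(f"{'PASS' if ok else 'DROP'} {w.source:16} {w.kind} 0x{w.value:04X}  {why}")
```

The point the model makes is that the forged command word is bit-for-bit identical to the genuine one: a remote terminal has nothing in the message to tell them apart, so the only thing that can reject it is a device that knows which stub the word arrived on and applies a fixed rule. The verdict is a pure function of the rule table and the order of the traffic, which is what the article means by deterministic; there is no model to train and no score to threshold, and that is what makes this style of filter a candidate for flight certification where anomaly detection is not.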
Bus Defender offers an anomaly detection capability as an add-on, but Micallef said while it may be useful for alerting and post-incident forensics, anomaly based algorithms “are typically challenging to certify” for flight safety because they are “by definition, probabilistic.”
“Our primary focus is on our patented, real-time and deterministic algorithms that can protect weapon systems from cyberattacks while also being able to achieve flight-qualification,” she said.
Micallef said Peraton Labs is working with all three military services to develop Bus Defender solutions and form factors appropriate for different 1553-based weapons systems.
Another alternative to anomaly-based detection is offered by Vitro, the tech startup. Its approach is in line with the Pentagon’s security philosophy of Zero Trust, according to founder and CEO David Goodman. “Rather than securing the channel” — the 1553 — “we secure the data, the messages themselves,” he said.
Vitro’s solution uses an inexpensive hardware add-on in certain selected subsystems connected by the bus, and relies on a cloud-based public key infrastructure (PKI) encryption architecture. “We don’t use that PKI to secure the channel, like you would in a VPN,” said Goodman, noting that would not be in line with Zero Trust principles. “We use it to authenticate the sender and validate the message.”
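As an added illustration of the message-level approach Goodman describes, and not Vitro’s own code, the following Python sketch authenticates each 1553 message rather than the bus it travels on. It substitutes a symmetric HMAC from the standard library for the PKI-based signatures Vitro relies on, so the receiver here holds a copy of the sender’s key where a PKI design would hold only a public key. The trailer layout (one counter word, four tag words), the 32-byte keys and the RT addresses are assumptions made for the example.

```python
"""
Per-message authentication for 1553 data words, illustrating "secure the
messages, not the channel". Added example, not Vitro's code. A symmetric HMAC
(standard library only) stands in for the PKI signatures Vitro describes; in a
PKI design the receiver would hold only the sender's public key. Trailer
layout, key size and RT addresses are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

WORDS_PER_MESSAGE = 32                        # MIL-STD-1553B: at most 32 data words per message
COUNTER_WORDS = 1                             # assumed: one 16-bit anti-replay counter word
TAG_WORDS = 4                                 # assumed: 64-bit truncated HMAC-SHA256 tag
TRAILER = COUNTER_WORDS + TAG_WORDS
PAYLOAD_WORDS = WORDS_PER_MESSAGE - TRAILER   # 27 words remain for actual data


def words_to_bytes(words: list) -> bytes:
    return b"".join(w.to_bytes(2, "big") for w in words)


def bytes_to_words(data: bytes) -> list:
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


class Authenticator:
    """Runs on a hardware add-on at one terminal. `keys` maps RT address -> MAC key
    for every terminal this one exchanges protected messages with."""

    def __init__(self, rt_addr: int, keys: dict):
        self.rt_addr = rt_addr
        self.keys = keys
        self.send_counter = 0
        self.highest_seen: dict = {}   # sender -> last accepted counter (replay window of one)

    def _tag(self, sender: int, counter: int, payload: list) -> list:
        # Sender address and counter are bound into the tag, so a valid message
        # cannot be re-attributed to another terminal or replayed later.
        msg = bytes([sender]) + counter.to_bytes(2, "big") + words_to_bytes(payload)
        digest = hmac.new(self.keys[sender], msg, hashlib.sha256).digest()
        return bytes_to_words(digest[: 2 * TAG_WORDS])

    def protect(self, payload: list) -> list:
        """Append counter and tag; the result still fits in one 1553 message."""
        if len(payload) > PAYLOAD_WORDS:
            raise ValueError(f"payload of {len(payload)} words exceeds budget of {PAYLOAD_WORDS}")
        counter = self.send_counter
        self.send_counter = (counter + 1) & 0xFFFF   # wraps; see the note on counter width
        return payload + [counter] + self._tag(self.rt_addr, counter, payload)

    def verify(self, claimed_sender: int, words: list) -> Optional[list]:
        """Return the payload if the tag is valid and the counter is fresh, else None."""
        if claimed_sender not in self.keys or len(words) < TRAILER:
            return None
        payload, counter, tag = words[:-TRAILER], words[-TRAILER], words[-TAG_WORDS:]
        expected = self._tag(claimed_sender, counter, payload)
        if not hmac.compare_digest(words_to_bytes(tag), words_to_bytes(expected)):
            return None                                   # forged or tampered
        if counter <= self.highest_seen.get(claimed_sender, -1):
            return None                                   # replayed
        self.highest_seen[claimed_sender] = counter
        return payload


def demo() -> dict:
    """Constructed exchange: GPS (RT 3) reports a fix to the flight computer (address 0 assumed)."""
    keys = {3: secrets.token_bytes(32), 0: secrets.token_bytes(32)}
    gps, flight_computer = Authenticator(3, keys), Authenticator(0, keys)
    fix = [0x1234, 0x5678, 0x9ABC]                            # constructed position words
    frame = gps.protect(fix)
    forged = [0xFFFF, 0xFFFF, 0xFFFF, 7] + [0] * TAG_WORDS    # a terminal without the GPS key, guessing
    tampered = frame.copy()
    tampered[0] ^= 0x0001                                     # one bit flipped on the bus
    return {
        "genuine": flight_computer.verify(3, frame) == fix,
        "replay": flight_computer.verify(3, frame) is None,
        "forged": flight_computer.verify(3, forged) is None,
        "tampered": flight_computer.verify(3, tampered) is None,
        "frame_words": len(frame),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences fall out of the layout. A 1553 message carries at most 32 data words, so a 64-bit tag plus a counter leaves 27 words of payload, and a 64-byte asymmetric signature would consume an entire message by itself; that is one reason message authentication on this bus needs a dedicated hardware add-on and a deliberate choice of which transfers to protect, rather than protecting everything. And a 16-bit counter wraps after 65,536 messages, well under an hour for a high-rate transfer, so a fielded design would need a wider counter or periodic re-keying to keep the replay check meaningful.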
Getting used to the bus: 1553 is here to stay
All of the factors that have made the 1553 ubiquitous over almost 50 years also ensure its longevity. There are no greenfield projects in the military, so backward compatibility is always a requirement, and there are no plans to replace it.
The vision of JADC2 requires that commanders are able to call upon multiple weapons and sensor systems across all domains. That universal connectivity is a requirement for victory, explained Jennifer McArdle, an adjunct senior fellow at the Center for a New American Security, since it ensures that U.S. forces bring the most effective attack against the target, and at the same time creates multiple dilemmas for the enemy.
But increasing connectivity increases your attack surface, she cautioned. “In the cyber community, we call this the capability/vulnerability paradox: The more exquisite and complex systems become, the more capable they are. And at the same time they paradoxically present greater vulnerabilities.”
The key is resilience, she said, the ability to fight through a cyberattack. In addition to the information assurance approaches being developed to mitigate the vulnerabilities of the 1553, the military needs to be thinking about “mission assurance,” said McArdle. “That means embracing the fact that JADC2 is going to operate in a highly contested environment where [communications are] going to be subject to sabotage, espionage, subversion. And so you’re running experiments, you’re putting in place processes, training, so that when it’s degraded, when it’s spoofed, you can still find a way to complete the mission.”