DEVELOPING THE FUNDAMENTALS OF AIRCRAFT CYBER COMBAT SURVIVABILITY: PART 1
By William D. Bryant and Robert E. Ball
PART 1 – WHAT IS A CYBER ANTIAIRCRAFT WEAPON, AND HOW CAN IT KILL AN AIRCRAFT?
- Learning Objective 1 – Describe the Major Elements of a Cyber Antiaircraft Weapon
- Learning Objective 2 – Describe How a Cyber Antiaircraft Weapon Can Kill an Aircraft
BRIEF INTRODUCTION TO THE ACS DESIGN DISCIPLINE
Shortly after the advent of the aircraft as a successful flying machine, humans started using military aircraft in the man-made hostile environment known as “combat.” Not surprisingly, given their high visibility, effectiveness, and ultimate importance to military operations, these aircraft quickly became primary targets while operating over hostile enemy territory. In fact, over their first 50 years of combat use, aircraft were attacked by both surface-based and airborne guns and, later, during the 1964–1973 Southeast Asia (SEA) conflict, by new surface-based and airborne guided missiles, which were deployed to down or kill both fixed-wing and rotary-wing platforms. In total, since the beginning of the 20th century, several hundreds of thousands of aircraft—including almost 50,000 U.S. and British fighters and bombers lost during World War II alone—have been killed in world-wide combat by a wide range of guns and guided missiles. (For more information on the use and losses of aircraft in 20th century conflicts, see David Legg’s series of historical articles in Aircraft Survivability [1–3].)
These guns and guided missile antiaircraft weapons, with their warheads, are known today as kinetic energy weapons (KEWs), in recognition of their reliance on the kinetic energy associated with their warhead’s damage-causing mechanisms—or simply damage mechanisms—for their lethality. The primary KEW warhead damage mechanisms include ballistic penetrators fired from guns (armor-piercing [AP]), ballistic penetrators with incendiaries (armor-piercing incendiary [API]), and the air blast and high-velocity warhead case fragments created by the detonation of the high-explosive (HE) core.
In 1971, as a result of an unacceptable number of U.S. aircraft losses during the SEA conflict (which eventually totaled more than 4,000), the U.S. Department of Defense (DoD) established the Joint Technical Coordinating Group on Aircraft Survivability (JTCG/AS). One of the major goals of the JTCG/AS was the development of a new survivability design discipline for combat aircraft threatened by gun and guided missile weapons. Fifty years later, this discipline—known as Aircraft Combat Survivability (ACS)—is well-established within the DoD acquisition process; survivability requirements are routinely imposed on all new U.S. combat (and some noncombat) aircraft; and congressionally mandated, rigorous live-fire testing is conducted on full-scale systems configured for combat. As a result, these aircraft are the most survivable aircraft operating in hostile environments containing KEWs.
The only textbook describing “how to do” ACS, titled The Fundamentals of Aircraft Combat Survivability Analysis and Design, was first published by the American Institute of Aeronautics and Astronautics (AIAA) in 1985. The second edition of the text was published in 2003. The 900-page second edition covers all aspects of the ACS design discipline for both fixed-wing and rotary-wing aircraft threatened by KEWs. The primary goal of ACS, as stated in the first edition, is “the early identification and successful incorporation of those specific survivability enhancement features that increase the effectiveness of an aircraft as a weapon system.” These textbooks articulate the foundations of ACS and have continued to be widely used across the aircraft survivability design discipline.
THE CURRENT PROSPECT OF CYBER AS A POTENTIAL ANTIAIRCRAFT WEAPON
The vast majority of cyber attacks throughout the world have been conducted on traditional information technology (IT) systems, such as desktop computers and servers that communicate using the transmission control protocol/internet protocol (TCP/IP). In any major conflict with a cyber-capable foe, numerous cyber attacks on critical IT infrastructure, such as command and control (C2) and logistics systems, can be expected. These traditional IT cyber attacks can be extremely dangerous to Warfighters and can even keep their aircraft on the ground. However, because these attacks are now widely discussed in the literature, defenders can successfully use traditional cyber defenses against them. We, on the other hand, are interested in the possibility of enemy cyber attacks directly against our aircraft. And if such an attack did occur, could our aircraft survive it?
(Note that the term cyber, as used herein, is meant to refer to computers and their connecting networks; and a cyber attack on an aircraft is the exploitation, by an adversary, of the aircraft’s internal cyber system’s capability to control the aircraft’s essential functioning and capabilities.)
The reality is that modern U.S. military aircraft today have transitioned from mostly physical systems, with little reliance on computers, to extensive “cyber physical” systems, which rely heavily on computers to control flight- and mission-critical physical functions, such as flight, engine, and sensor controls. As a result of this transition, these aircraft are now facing a totally new and different type of threat to their survival in combat. In addition to being threatened by traditional KEWs, they also face the prospect of having to survive encounters with cyber antiaircraft weapons, which can be used in a cyber attack against them.
Rather than causing physical damage to the aircraft’s critical components that can result in the loss of flight- and mission-essential functions or capabilities (as the KEWs do with their physical warhead damage mechanisms), cyber weapons cause component “functional damage”—or simply component malfunctions—by commanding critical cyber physical aircraft systems to malfunction in ways that result in the loss of, or significant degradation in, one or more flight- and mission-essential functions.
The cyber weapon’s “warhead” that causes these effects to occur consists of malicious computer code designed to command specific computer-controlled component malfunctions that will cause the intentional loss or degradation of system capabilities. The code that causes components to malfunction is called the cyber weapon’s malfunction-causing mechanism—or simply malfunction mechanism. The cyber weapon’s malfunction mechanism is analogous to the KEW’s damage mechanisms, such as a ballistic penetrator or blast, because both types of mechanisms, once they “hit” an aircraft, are intended to cause a loss or degradation of essential component functions or capabilities.
In many cases, the malfunctions will only prevent the aircraft from accomplishing its mission, known as a mission kill or soft kill. The physically undamaged but functionally affected aircraft can cease the prosecution of its mission and fly back to base; and any permanent malfunctional effects caused by the cyber weapon can be patched or mitigated, just as the physical damage caused by a KEW’s physical damage mechanisms can be repaired. Furthermore, the vulnerability in the aircraft’s operations that allowed the malfunctions to occur can be searched for and removed.
For example, an executed cyber malfunction could degrade an aircraft’s mission computer by deleting the section of code that releases ordnance when the pilot commands. The aircraft could not accomplish its mission (e.g., bombing a target), but it could still return safely to base where the vulnerability that caused the mission kill could be eliminated.
Unfortunately, cyber weapons may also be able to achieve an attrition kill, permanent kill, or hard kill similar to those that can be caused by the KEW damage mechanisms by causing malfunctions that can significantly affect the functioning of flight-critical components within systems such as flight controls or fuel systems.
For example, a single-engine aircraft in flight with a single sump tank and fuel pump can be permanently downed by a gun-fired ballistic penetrator hit on the fuel pump, which causes the pump to stop pumping, followed by a subsequent kill of the engine due to fuel starvation and the eventual crash of the aircraft from the loss of essential engine thrust within minutes after the hit. Likewise, the same sequence of events could occur if the threat was a cyber weapon, with the malfunction mechanism being the malicious command to the fuel pump to stop pumping fuel while the aircraft is in flight.
(Note that although the cyber weapon, in general, causes component malfunctions without any physical damage to the components, there are certain component malfunctions that can be commanded that will result in physical damage to the component [e.g., Stuxnet].)
DEVELOPING THE FUNDAMENTALS OF ACCS BASED UPON THE FUNDAMENTALS OF THE ACS DESIGN DISCIPLINE FOR KEWs
Although the anticipated cause of an aircraft kill by a cyber weapon is not due to physical damage to the aircraft but to malfunctions within the aircraft’s critical operations, many of the fundamentals of the ACS design discipline for damage-causing KEWs are applicable when considering the survivability of aircraft faced with this new, nonkinetic threat weapon. An understanding of the ACS fundamentals and how they relate to the cyber weapon’s effectiveness as a weapon can thus enable aircraft survivability analysts and designers to more quickly and effectively field aircraft that are survivable when attacked by a cyber weapon.
Accordingly, this article is the first of a series of articles written for the Aircraft Survivability journal that develop the extension of the ACS guns and missiles fundamentals to the new discipline we call the Aircraft Cyber Combat Survivability (ACCS) design discipline. In addition, the goal of ACCS will be the same as the goal of ACS—“the early identification and successful incorporation of those specific survivability enhancement features that will increase the combat cost effectiveness of an aircraft as a weapon system.”
It is also crucial to understand that the cyber weapons we are considering are only those that directly impact the aircraft in flight, similar to an antiaircraft KEW’s damage mechanisms hitting an aircraft in flight, regardless of when the set of malicious instructions was implanted in the aircraft’s internal cyber system. Admittedly, this limitation in scope provides a much smaller subset of a much wider world of expected cyber attacks against many types of systems. However, even a small number of cyber weapon attrition or mission kills of U.S. aircraft could be extremely costly in the loss of life and aircraft over time.
COMPARISON OF KEWs AND CYBER WEAPONS AND HOW THEY KILL AIRCRAFT
The fundamentals associated with any antiaircraft weapon include the following three primary weapon elements:
- A warhead that consists of, contains, or generates the entities that can cause either physical damage to (the damage mechanisms) or malfunctions of (the malfunction mechanism) an aircraft’s critical components (those components whose kill or loss or degradation of capability results in the loss of a flight- or mission-essential function).
- An aircraft detection and tracking subsystem that is capable of detecting or determining the presence of a potential target aircraft and of determining the physical or cyberspace location of the aircraft that can be sent to the third element of the weapon.
- The warhead transporter subsystem that transports the warhead from the warhead’s current location (the shooter’s location) to the target aircraft’s location and subsequently delivers the weapon, with its damage or malfunction mechanisms, to or into the targeted aircraft. (Note that in the second edition of the AIAA ACS textbook, the term used to denote either a ballistic projectile or a guided missile was threat propagator.)
Our comparison of cyber weapons with KEWs thus starts with the weapons themselves, their three primary elements, and their effects on aircraft (see Table 1).
CONTRASTS BETWEEN KEWs AND CYBER WEAPONS
Not surprisingly, there are also some important differences between the operations and physics of the KEWs and those of the cyber weapon that can have critical implications when using the fundamentals of ACS to develop the fundamentals of ACCS.
One important difference is that the kinetic effects of the KEWs are easily observable, follow the laws of physics, and can be repeated in a lab. Admittedly, the dynamics of ballistic projectiles and fragmenting warheads hitting an aircraft can be complicated; however, analysts today largely understand the underlying physics, which has allowed them to create accurate models and predictions. A certain type of warhead exploding at a certain distance from an aluminum plate will produce a measurable blast wave and various-sized fragments with predictable kinetic energy.
Cyber weapons, on the other hand, fundamentally consist of a set of malicious instructions that attackers insert into an immensely complex set of instructions in a computer that likely has millions of lines of code and numerous connections to other computing elements. The interactions and results, even inside a carefully controlled lab, are thus often much more unpredictable and unconstrained.
For example, consider how often the dreaded “BSOD” (Blue Screen of Death) appears on Windows computers that are carefully engineered, extensively tested, and not under attack. The cyber warhead triggering (detonating) within an aircraft or weapon system may do absolutely nothing because the friendly cyber system is ever so slightly different than the attacker thought. Alternatively, it might do catastrophic damage beyond what the attacker intended or even knock out an airliner hundreds of miles away that was not targeted.
Another important difference between KEWs and cyber weapons is that there are more than 100 years of kinetic air combat history that analysts can rely on to validate models and theories. While modelling ACS in future threat environments can have a large amount of uncertainty, any model that cannot provide reasonably accurate results when applied to historical campaigns is typically considered deeply suspect. For cyber attacks on aircraft, however, there is no historical campaign to compare models against because they have not happened yet. But that doesn’t mean cyber weapons can thus be ignored.
Most analysts agree that cyber weapons are sure to play a major role in future high-end kinetic combat between capable nation states. Accordingly, the cyber warfare analyst today is in much the same position as an air warfare analyst was just before World War I. Primitive aircraft existed in 1913, and some people (largely dismissed as crazy) had started to talk about these aircraft possibly being used in combat. However, there was no complete data set available, and the discussion was based solely on conjecture and limited experiments.
A third critical difference between kinetic and cyber weapons is in their “range” and breadth of targeting. A kinetic surface-to-air missile can engage any aircraft flying in its weapons engagement zone, which normally extends to the effective flyout range from the launcher to the target. Cyber weapons, on the other hand, can typically target only a particular aircraft containing a particular piece of hardware and running a particular version of software. Sometimes changes in hardware and software versions may be completely transparent to users (who are often unaware the systems are different), but these changes can radically alter whether or not cyber weapons function.
That said, if cyber weapons do function, they can have essentially unlimited range, extending to virtually any place cyberspace reaches. And while cyber weapons are extremely narrow in target focus, a cyber weapon’s effect can be extremely wide. Depending on the method of transport and delivery, it might be able to target every aircraft of a particular variant at the same time no matter where each is physically located. This gives cyber weapons essentially unlimited “magazine depth.”
Also, despite a cyber weapon’s potentially unlimited range, aircraft can still “terrain mask” and be hidden from the weapon. An aircraft that is powered down and not connected to anything may be unreachable to a cyber weapon until that aircraft “unmasks” by connecting to some communication medium accessible to an attacker. Unfortunately for defenders, typical operations require numerous communication pathways onto and off of modern combat systems, so staying masked can normally only be done for a short time.
A fourth significant difference between kinetic and cyber weapons is that while there are numerous ways for operators to know they are under attack from kinetic weapons, it is often extremely difficult for operators to know they are under attack from cyber weapons. Typical combat aircraft are heavily instrumented with defensive systems that are intended to defeat the KEWs, that detect hostile radars, that sense incoming missiles, and that dispense last-ditch countermeasures. And even during the early days of Vietnam, when aircraft did not have this equipment, the explosion of the warhead close to the aircraft generally left no doubt that the aircraft was under attack.
But current systems do not have any cyber equivalent of radar warning or missile approach sensors. Operators may even not know they are under attack after the cyber warhead “detonates.” The effects may be deliberately hidden (i.e., enemy aircraft are no longer detected, or the bomb “just misses”) or may be taken as random system failures. At the current time, essentially every cyber threat is mobile and can attack from anywhere, is stealthy because it cannot be seen, and is unknown because its signature and characteristics are unfamiliar.
A final important difference between KEWs and cyber weapons is that when the latter lose their stealth, they are typically easy to render harmless. When a combat aircrew knows that a SA-10 surface-to-air missile system is in the target area, they can take precautions and adjust their tactics; but the SA-10 can remain an extremely lethal and ongoing threat. However, when a cyber weapon is discovered, it is normally easy for defenders to block, find, and remove it or, alternatively, reset the system (if there is a clean backup available to reload from), thus rendering the cyber weapon ineffective.
For example, when eight known nation-state cyberspace attacks were examined several years ago, only Stuxnet lasted more than a few weeks (and that was only because the defender did not know it was under attack). In short, cyber weapons can be lethal and sharp, but they tend to shatter on the first swing. Thus, attackers may sometimes be hesitant to use them and risk having them unavailable for future use.
CONCLUSION OF PART 1
Cyber weapons present a real and growing threat to our current and future combat aircraft. Accordingly, the effort presented herein (as well as in following issues of Aircraft Survivability) to develop a set of fundamentals for an ACCS design discipline is increasingly vital in helping the aircraft survivability community develop the needed tools and methodologies to design and operate future generations of cyber-survivable aircraft.
Despite the differences between kinetic and cyber-based weapons, it has been shown that the previously developed ACS fundamentals provide a useful foundation and framework for engineers to understand how to design aircraft to survive in hostile threat environments, whether the weapons targeting the aircraft are kinetic, cyber, or both. In addition, the terminology defined herein shows how neatly ACCS fits within the larger ACS construct.
The taxonomy that will be presented in subsequent articles will likewise illustrate how the terms are interconnected and nested within the larger mission assurance context. With these tools, threat weapon characteristics and their effects on the survivability of an aircraft will be further explored and developed. These weapon characteristics and their effects include the warhead damage and malfunction mechanisms, target detection and location methods, and warhead transport and delivery methods, which will ultimately lead us to the survivability enhancement features, the goal of ACS and ACCS.
Part 2 of this series will discuss a cyber attack on an aircraft and the associated cyber kill chain, the definition of aircraft susceptibility and vulnerability to the cyber weapon, and the definition of ACCS. Succeeding articles will then be devoted to how to measure and test an aircraft’s cyber survivability, how to enhance an aircraft’s cyber survivability, and how to determine which survivability enhancement features and mitigation strategies should be included in an aircraft’s design and operations.
ABOUT THE AUTHORS
Dr. William D. “Data” Bryant is a cyberspace defense and risk leader with a diverse background in operations, planning, and strategy. His experience includes more than 25 years of service in the Air Force, where he was a fighter pilot, planner, and strategist. Dr. Bryant helped create Task Force Cyber Secure and also served as the Air Force Deputy Chief Information Security Officer while developing and successfully implementing numerous proposals and policies to improve the cyber defense of weapon systems. He holds multiple degrees in aeronautical engineering, space systems, military strategy, and organizational management. He has also authored numerous works on various aspects of defending cyber physical systems and cyberspace superiority, including International Conflict and Cyberspace Superiority: Theory and Practice.
Dr. Robert E. Ball is a Distinguished Professor Emeritus at the Naval Postgraduate School (NPS), where he has spent more than 33 years teaching ACS, structures, and structural dynamics. He has been the principal developer and presenter of the fundamentals of ACS over the past four decades and is the author of The Fundamentals of Aircraft Combat Survivability Analysis and Design (first and second editions) [5, 6]. In addition, his more than 57 years of experience have included serving as president of two companies (Structural Analytics, Inc., and Aerospace Educational Services, Inc.) and as a consultant to Anamet Labs, the SURVICE Engineering Company, and the Institute for Defense Analyses (IDA). Dr. Ball holds a B.S., M.S., and Ph.D. in structural engineering from Northwestern University.
REFERENCES
1. Legg, David. “Aircraft Survivability – The Early Years (Pre-World War I to World War I).” Aircraft Survivability, spring 2017.
2. Legg, David. “Aircraft Survivability: New Challenges for a New Global Conflict (World War II).” Aircraft Survivability, fall 2017.
3. Legg, David. “Aircraft Survivability – The Korean War.” Aircraft Survivability, fall 2018.
4. Ball, Robert E., Mark Couch, and Christopher Adams. “The Development of Aircraft Combat Survivability as a Design Discipline Over the Past Half Century.” Aircraft Survivability, summer 2018.
5. Ball, Robert E. The Fundamentals of Aircraft Combat Survivability Analysis and Design. First edition, American Institute of Aeronautics and Astronautics, 1985.
6. Ball, Robert E. The Fundamentals of Aircraft Combat Survivability Analysis and Design. Second edition, American Institute of Aeronautics and Astronautics, 2003.
7. Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Broadway Books, 2015.
8. Bryant, William D. “Surfing the Chaos: Warfighting in a Contested Cyberspace Environment.” Joint Force Quarterly, first quarter, January 2018.
9. Libicki, Martin C. Conquest in Cyberspace: National Security and Information Warfare. Cambridge: Cambridge University Press, p. 74, 2007.
10. Bryant, William D. International Conflict and Cyberspace Superiority: Theory and Practice. New York: Routledge, pp. 71–72, 2015.