ATC Level Tactical Manoeuvring during Descent for Mitigating Impact of ADS-B Message Injection Cyber Attack ^†

Abstract

To reduce delays caused by an ADS-B Message Injection attack, we propose an Air Traffic Control (ATC) level tactical manoeuvring framework for maintaining safe flight trajectories while reducing diversion from the original trajectory during the descent phase. This framework is formed based on three key elements: a high impact attack scenario, the consideration of the standard ATC incidence response, and safety manoeuvring with reduced diversion for the affected aircraft. Simulation results showed that the tactical manoeuvring records a faster time to return to the original path prior to the attack incident compared to a conventional simplified safe diversion instructed by the ATC.

1. Introduction

Today’s civil aviation scene is seeing Automatic Dependent Surveillance-Broadcast (ADS-B) being mandated by more Air Navigation Service Providers (ANSP) globally [1]. It is auspicious in providing additional capability to Air Traffic Control (ATC) for aircraft monitoring and surveillance through simple data types over open channels. Simplicity in operability coupled with high accuracy satellite navigation features [2] has made it a favourable additional surveillance mechanism besides the complex legacy radar detection systems.

Despite all of its advantages, ADS-B is also vulnerable to various kinds of cyber attacks [3]. Among the pertinent attacks which are easy to launch and yet require few hacking skills and knowledge are false message injection types of attacks such as ghost aircraft spoofing [4]. This type of attack aims to confuse ATC and increase their work burden in identifying which aircraft is legitimate and which is a ghost. A recent survey [5] that analysed the risk severity of several possible attacks on Air Traffic Management (ATM) categorised ADS-B-based cyber attacks as high risk, while [6] particularly categorised ghost injection spoofing attacks targeting ground stations as an attack type that could create a high negative impact based on a defined scale level which is low, medium, and high. The impact levels in both studies were referring to consequences in terms of physical damage such as mid-air collisions or service deficiencies such as flight delays and cancellation.

While most previous studies, such as [7,8], demonstrated how ghost aircraft spoofing attacks can bring chaos to ATC’s surveillance system, only a few have explored the operational resilience of ATM through an effective contingency plan whenever hit by cyber attacks. ATM relies heavily on electronic systems for processing a huge amount of data [9]. Therefore, disruptions to its capability to execute its critical function would eventually disrupt the flow of air traffic. The cyber-physical system of the ATM domain would experience a huge blow if any of its cyber components such as the ADS-B surveillance system are compromised as described in [10]. Furthermore, research on radar or other surveillance systems jamming technologies, for instance [11,12], is being highly pursued by certain quarters in the name of ensuring public safety and security. There is the possibility that if these technologies are manipulated by adversarial entities they could cause havoc, even to the extent of causing damage to the critical infrastructure and leading to human casualties. These possibilities motivate us to study the impact of such attacks, also known as ghost aircraft spoofing attacks, so as to understand their immediate impact on ATM and to explore viable mitigation techniques in order to prevent such a catastrophic event from happening.

For this purpose, we collaborated with the Civil Aviation Authority of Malaysia (CAAM) in forming a framework that assesses the trajectory of a ghost aircraft and the risks of collision with a real aircraft which is heading towards an airport to begin approach procedures. By using the ADS-B data provided by CAAM, our study is able to demonstrate how real traffic is impacted by a single ghost aircraft occurrence. After learning the immediate impact, we developed a tactical manoeuvring framework with safety and efficiency as its clear quality objectives.

2. Related Works

To begin analysing the attack behaviour and its impact on aircraft during descent, one of the pertinent aspects of our study was to identify the risk factors, one of which is collision during mid-air.

2.1. Collision Risk Assessment

Numerous previous studies have proposed risk assessment frameworks to assess hazards in air traffic flow. One of the notable frameworks is the Collision Risk Model (CRM) that assesses the probability of mid-air collisions through the consideration of multiple factors such as flight trajectories, ground speed and traffic in the surrounding airspace.

Figure 1 below shows the closest point right before aircraft get into a collision mid-air. We adopted the idea presented in [13] by applying concept of risk modelling for mid-air collision and framed the entire problem in the context of an ADS-B message injection attack. It is interesting to see how the turn of events during the attack incident can be analysed in depth through a discrete approach. The appearance of a ghost aircraft should be taken seriously due to the limited knowledge at that particular point in time. As safety is paramount, risks to flights when in mid-air require resolution as early as possible before the situation worsens.

2.2. ATC Response during Cyber Incidents

The ATC role is pivotal in incident mitigation. Among the related studies that specifically discuss mitigation techniques carried out by ATC during cyber incidents is [14]. The idea for this study was rearranging the progression queues of en-route aircraft from certain air space sectors after they were hit by cyber attacks. In the experiments, ATC would be manipulating the queues using a specific algorithm in order to minimize the impact of certain attack types. As our simulation only involved a single aircraft, the only thing in common with our study is the importance of time progression in the context of critical events that take place once intervention is carried out by ATC. Despite manipulating arrival queues, we provided a tactical solution and close guidance for a single aircraft. Another study by [15] analysed the impact of ADS-B ghost aircraft spoofing and how the impact can be quantified in terms of delay in arrivals and the number of affected aircraft. The study clearly mentioned ATC’s responses in handling unidentified aircraft—ghost aircraft—by slowing down the traffic flow due to the verification procedures of the ghost aircraft. In our proposed framework, we also mention delays induced by the ATC response through diverting the flight path due to collision risks with the ghost aircraft. The delay magnitude is constant in [15], while in our study, reducing the time delay is the novelty that we aim to achieve through our proposed framework.

3. Research Methods

We applied a scenario-based analysis that does not involve real attack execution either physically or through electronic means. Even though the scenario-based analysis was developed qualitatively, we discussed thoroughly with CAAM and received input from the perspective of a national aviation regulatory body on the features and characteristics of a high impact message injection attack. Next, we discussed possible mitigation techniques that could be undertaken to address the incident. For this purpose, we developed the conceptual framework and tested the performance of the technique through simulations using ADS-B data officially obtained from CAAM. Similar to the majority of research that defines parameters and the scope of their work, our study is also bound to specific assumptions to ensure the objectives would be fulfilled.

3.1. High Impact Attack Scenario

An attacker who knows how ATC would respond to the launched attacks would be able to launch the most disruptive attacks. A previous study by [16] predicts the decision making process carried out by an attacker targeting a Cyber-Physical System (CPS) through attack tree analysis and its probable consequences. Even though the study did not specifically touch on any kinds of aviation CPS, the main takeaway is that a well prepared attacker might craft a devastating attack on the ADS-B system through actions in series of events. Each event leads to another and as the stages progress, the consequences of disruption to the ATM become greater and greater. Now there are several available open sources of ADS-B data, enabling the live tracking of flights across the globe. This free and accessible information could somehow nurture understanding on the frequently used routes, and how a normal flight profile should look when flying over a certain air space. Knowledge on normalcy in air traffic can be used negatively by anyone with ill intent. Based on the criticality of possible impacts that could be caused by ghost aircraft spoofing attacks, we have identified three primary criteria for our attack scenario. The identified criteria are:

• Ghost aircraft behaviour;
• Location of spoofing;
• Attack magnitude or density.

The behaviour of a ghost aircraft influences the ATC in its responses. A credible ghost aircraft supposedly imitates the characteristics of a legitimate aircraft. When flying in a certain airspace, the profile of speed, altitude and trajectory plays a significant role in the imitation game. The longer the ATC takes time to verify the ghost aircraft’s identity, the deeper the confusion that can be instilled by the attacker which will gradually create greater disruption to the air traffic flow. Therefore, the attacker would tune these vital parameters in accordance with the profile of a legitimate aircraft to avoid easily being singled out as an anomaly by the ATC.

The location of the spoofing incident is also a main factor in determining the type of response that should be taken by the ATC. According to CAAM, the Kuala Lumpur Terminal Manoeuvring Area (TMA), shown in Figure 2 [17], is a high density airspace that also includes airport airspace. Usually, the volume of traffic is very high with flight phases of descending, climbing and en route. The appearance of a ghost aircraft at the TMA border and flying towards the TMA would definitely catch the serious attention of ATC, as shown as the red curvy trajectory closing in to the real legit flight represented by the dak red ADSB track heading south in Figure 3. We used both tracks to model and simulate our proposed benchmarking trajectory in addressing this attack. There were also other TMA-inbound flights as depicted in beige, green and fluorescent green ADS-B tracks. However these flights were not interrupted. Once the ADS-B surveillance system detects that a ghost aircraft is closing in on the TMA, ATC will divert other conflicting flights not to fly too close to the unverified ghost aircraft. Rectifying this situation would cost numerous diversions on various scales and these diversions would result in delays either to arrivals or departures. Other than this, the attacker would not want his strings of ghost aircraft attack to be identified by ATC through visual observation. Transmitting the false message in the TMA area or too close to airport airspace would trigger ATC Tower and, with the help of bypassing pilots, they could determine the non-existence of the ghost aircraft. This is why the anonymity of not being able to be scrutinized through optical equipment or physical check is important to ensure attack persistence.

3.2. Simulation of ATC Response during Cyber Incident—Tactical Manoeuvring during Descent

As in Figure 3, we created an attack scenario of a ghost aircraft trajectory interfering with the normal trajectory of an aircraft that has begun descending towards Kuala Lumpur International Airport (KLIA) from 1000 h until 1005 h on 6 January 2020. The ghost aircraft (red trajectory) was injected theoretically in the scneraio-based analysis nearby the Eastern border of the Lumpur TMA. When the ATC detected a possible collision, and after trying to verify the ghost aircraft but to no avail, the ATC would take standard preventive actions by alerting the legitimate aircraft and to slow the affected aircraft down and divert its route.

Several assumptions were applied throughout the simulation which are as follows:

• This scenario is declared as an emergency due to other surveillance methods such as radar and multi-lateration also being suppressed and jammed by adversarial actions. Only the ADS-B system was available and running;
• The tactical manoeuvring technique was not influenced by the presence of the surrounding traffic. This was mainly due to the real traffic conditions based on the tested data. The weather was fine with no warnings issued by Notice to Air Men (NOTAM) or any other communication lines;
• A non-standard descent procedure was simulated due to emergency status;
• The injected ghost aircraft used the same descent profile as the real aircraft except its trajectory was designed with one less way point for simulation purposes.

The main principle of our proposed framework is about constantly benchmarking the trajectory of the ghost aircraft. The tactical diversion adheres to a 6 nautical miles (6nm) lateral separation minima including a threshold of 1 nm buffer airspace. In the event of further incursion inwardly by the ghost trajectory, the tactical diversion will move further away from the ghost trajectory. At the time this event is happening, the separation minima is still more than or equal to 5 nm. The existence of buffer airspace is also meant to accommodate non-instantaneous processing by the aircraft’s pilot based on recommendations given by the framework. The concept of the proposed framework is as shown in Figure 4.

In order to populate the required data to run the simulation in Matlab, we converted the lat–long data obtained from the ADS-B file and converted it into XY coordinates before plotting it on a Cartesian plane. The same was performed for the ground speed, which was converted from knots to meters per second and altitude, which was from feet to meters. Trajectory data for the real aircraft and the ghost aircraft are as shown in

Table 1. Trajectory data for the real legit aircraft.

	Time (s)	X (m)	Y (m)	Altitude (m)	Course (${}^{\circ }$)	Ground Speed (m/s)	Descent Rate (m/s)	Roll (${}^{\circ }$)	Pitch (${}^{\circ }$)	Yaw (${}^{\circ }$)
1	0	−122	−14	7315	−170.15	246.45	6.35	0	−1.48	−170.15
2	60	−12,287	−1174	6927	176.63	201.66	6.60	9.01	−1.87	176.63
3	120	−24,287	−1174	6523	−160.22	201.15	3.12	−23.17	−0.89	−160.22
4	180	−32,550	−10,294	6401	−115.19	205.78	2.74	4.74	−0.76	−115.19
5	240	−37,115	−21,851	6149	−111.08	204.23	5.01	1.86	−1.40	−111.08
6	300	−41,142	−31,528	5776	−113.35	197.03	7.24	0	−2.10	−113.35

and

Table 2. Trajectory data for spoofed ghost aircraft.

	Time (s)	X (m)	Y (m)	Altitude (m)	Course (${}^{\circ }$)	Ground Speed (m/s)	Descent Rate (m/s)	Roll (${}^{\circ }$)	Pitch (${}^{\circ }$)	Yaw (${}^{\circ }$)
1	0	1807	−10,479	7315	−170.22	246.45	22.53	0	9.17	130.49
2	20	−2572	−9577	6927	−164.64	201.66	13.77	25.39	0.03	151.51
3	60	−11,089	−6981	6523	−171.02	201.15	3.54	11.94	−0.37	−140.36
4	120	−25,691	−11,860	6401	−137.92	205.78	2.74	1.17	0.17	−117.76
5	180	−32,907	−28,655	6149	−87.47	204.23	5.01	17.75	0.66	−93.18
6	240	−30,186	−39,927	5776	−70.92	197.03	7.24	0	0.72	−68.07

. Meanwhile our proposed tactical diversion trajectory and the conventional simplistic diversion trajectory data can be referred at

Table 3. Trajectory data for proposed tactical diversion.

	Time (s)	X (m)	Y (m)	Altitude (m)	Course (${}^{\circ }$)	Ground Speed (m/s)	Descent Rate (m/s)	Roll (${}^{\circ }$)	Pitch (${}^{\circ }$)	Yaw (${}^{\circ }$)
1	20	−5464	−952	7250	158.37	160.09	2.60	0	−0.93	158.37
2	47	−12,605	1425	7179	168.03	160.09	2.78	6.68	−0.99	168.03
3	150	−27,768	−975	6874	−149.19	180.09	3.06	9.46	−0.97	-149.19
4	207	−38,257	−14,133	6600	−112.05	200.09	3.07	5.92	−0.88	−112.05
5	303	−41,761	−25,765	6400	−105.01	200.09	3.06	−1.20	−0.88	−105.01
6	352	−44,382	−34,938	6247	−106.41	200.09	3.17	0	−0.91	−106.41

and

Table 4. Trajectory data for conventional simplistic diversion.

	Time (s)	X (m)	Y (m)	Altitude (m)	Course (${}^{\circ }$)	Ground Speed (m/s)	Descent Rate (m/s)	Roll (${}^{\circ }$)	Pitch (${}^{\circ }$)	Yaw (${}^{\circ }$)
1	20	−5283	−221	7250	141.22	160	2.21	0	−0.79	141.22
2	46	−11,353	3818	7179	156.64	160	3.36	11.01	−1.20	156.64
3	110	−21,809	4531	6874	−167.48	180	4.00	8.26	−1.27	−167.48
4	190	−34,404	2598	6600	−134.98	180	2.52	6.29	−0.80	−134.98
5	292	−43,672	−18,045	6400	−110.32	200	1.86	3.27	−0.53	−110.32
6	378	−47,712	−33,730	6247	−99.21	200	2.37	2.32	−0.68	−99.21
7	424	−48,900	−42,760	6100	−96.64	200	3.73	0	−1.07	−99.64

respectively.

4. Simulation Results

Our simulation results, as shown in Figure 5, show that our proposed ATC level tactical manoeuvring—$T_{1c}$ which started at coordinate x = −5464 m, y = −952 m—took 352.3 s to get close to the track of the original trajectory—$T_{1a}$, which began at coordinate x = −122.2 m, y = −14.0 m. Throughout the entire simulation, the plotted trajectories adhered to the separation minima rule whilst both the ghost aircraft and the legitimate aircraft continued to descend with a similar profile. The benchmarked tactical manoeuvring was triggered when the ATC spotted that the ghost aircraft was closing into the real aircraft’s path and eventually arrived at a location less than 6nm away, in particular, at $E_{1a}$ from coordinate $T_{1b}$, which is x = −2572 m and y = −9577 m. At the time the real flight trajectory arrives at the finishing point at t = 300 s, the simplistic deviation, $T_{1}d$, was only able to reach a location close to coordinate x = −43,672 and y = −18,045, approximately 66.7% from its full trajectory course. At the end of the simulation, the simplistic deviation took a total of 423 s to arrive at the end of its trajectory.

Apart from the time taken by both compared trajectories to finish its course, other readings, such as trajectory data, are shown in Table 3 and Table 4 accordingly. The state of the tactical manoeuvring trajectory framework can be described as:

The current state of each of the trajectories is as per the progression of the trajectory at the inferred time $S_n$ ($T_n$). Properties for a trajectory, T, at any state

$$=\left\{latitude,longitude,altitude,course,speed,descent\left(rate\right),roll,pitch,yaw\right\}$$

Based on the proposed tactical manouevring framework’s linear separation, e at n state,

$$S_n=e\left(T{c}_n\right)⩾5nm⩾e\left(T{b}_n\right)$$

with Tc is the proposed tactical trajectory for deviation and Tb is the ghost aircraft trajectory.

5. Discussion

Based on the results, it is obvious that the conventional simplistic deviation trajectory requires more time to reach the location close to the tactical benchmarking trajectory. A visual observation of the end state of the simplistic deviation trajectory is suggesting a substantive distance to fly before being able to join the original flight path. We can also infer that the distances travelled by each trajectory differ from each other based on their time of arrivals through comparison with the original real aircraft’s trajectory as the focal point. The difference between $T_{2a}$ and $T_{2c}$ (at endpoint) is more than 52.3 s as of t = 300 s. This is primarily due to the tactical benchmarking trajectory had flown longer distance and at lower speeds.

Meanwhile, the difference between the coordinates of $T_{2a}$ $T_{2c}$ and $T_{2d}$ is more than 1 nm apart from a fixed angle. This tells us that, with a faster speed profile, there is a possibility that tactical benchmarking and a simplistic deviation trajectory would be able to get closer to the real trajectory by covering more distance, thus be able to complete its designated path within the simulation run time. However, this argument is still inconclusive as the original ADS-B data that were used were insufficient to produce a clear projection of each of the trajectories into airport airspace. Nevertheless, based on the findings of 300 to 423.5 s of the simulation run, the tactical benchmarking trajectory provides a guided trajectory that is safe and quicker to merge with the original trajectory compared to the simplistic deviation trajectory resulting from a generic and unguided action by the ATC.

Furthermore, the analysis of discrete events within our proposed framework always looks for the optimal state by safely and quickly finding an updated path to join the original trajectory depending several conditions such as current surrounding air traffic and consideration of existence of of meteorological factors. Besides these clear advantages, we are also considering the possibility of coming out with an optimization option in our future work in terms of determining the economical aspect of trajectories based on fuel consumption rate by comparing the fuel burn rate in a simplistic diversion against the fuel burn rate in the tactical benchmarked trajectory mode.

6. Conclusions

Our proposed ATC level tactical manoeuvring has been proven as an ideal framework in ADS-B false message injection cyber attack especially in situations whereby nature of such attacks could not be verified in the early stages as what our crafted high impact attack scenario had demonstrated. With safety as the utmost priority, adherence to safe distance and concurrently trying as best as possible not to deviate excessively from the original flight path. This could only be achieved through consistent benchmarking of the ghost aircraft trajectory with defined separation thresholds so that ideal deviation in the proposed trajectory is sustained throughout the attack period.