Bienes inmuebles declaradas BIC (bienes de interés cultural)

Integrating HECAD into a UAV CPS offers many benefits that can help improve cyber- attack detection in small, low power, and low cost UAVs. It offers a solution that can be integrated onto the hardware of the FCS, using an FPGA design approach, to aid in quick attack detection and isolation of malicious on-board sensor behavior. The hierarchical architecture offers benefits of collaboration between sub-modules to increase the ability to detect and locate malicious attacks, as well as potentially increasing the amount of information gathered about the system using a hardware-software solution.

4.9.1 Sub-module collaboration and increased information

Traditional approaches to monitoring systems typical monitor a systems software at the information level. At the information level, there is no information about a fault/attack that may occur below the software layer of the system; for example, if the hardware peripheral on the system or hardware on the slave device that the system is receiving data from is tampered with. At the software layer, the data may show signs of tampering, however it can be difficult to determine where the attack originated. HECAD has the capability to detect hardware peripheral attacks, such as an adversary modifying a sensors hardware protocol configuration or tampering with the physical signal between the main processor and a sensor. An example of a hardware peripheral attack is shown in Figure 26. It demonstrates how an attack at the hardware level may go unnoticed by other methods of detection, since an attack may not modify the data to an extent that can easily be identified. It is also shown how the attack can trickle through the various levels of HECAD, where it gets immediately detected at the HRIM sub-module, however, the data passes through the information layer checks such as bounds checking, and the information received from the sensor is similar to the data received on the main processor in the EIM.

Figure 26 Hardware Peripheral Attack Example

However, in the FIM, Cross-verification throws a flag that there is a possible error between two sensors, since the error may not be drastic enough to be caught by the requirements or restrictions placed in the FIM, it may not be able to accurately determine if a fault/attack has occurred. This demonstrates HECADs ability to use collaboration amongst the sub-modules to potentially gather more information on a fault/attack.

4.9.2 Improved Isolation and Location Detection of Faults

A fault/attack at the hardware level not only allows HECAD to make a more informed decision, it also allows for better isolation and determination of the location of the fault/attack. When a fault is detected at any level, HECAD has the ability to isolate the slave device from the main processor; a continuation of the previous example is shown in Figure 27. Once the fault/attack has been detected by the HRIM, a signal is emitted to all of the other sub-modules that are in the hierarchy of that specific slave device, and mitigation can begin.

Figure 27 Sensor isolation upon HRIM attack detection

The mitigation techniques for the slave devices on the UAV FCS are out of the scope of this research and will be considered in future work. It is important to note that HECAD provides the foundation for mitigation techniques to be possible to implement on a UAV FCS, where there is currently no framework that allows such an integrated approach. Currently, when a fault/attack is detected, the slave device is isolated from the main processor, and the hardware peripheral on the main processor is held at an IDLE state, while HECAD provides a mitigation technique such as performing a reconfiguration routine to reset the slave device and reconnect the device once it has been successfully reconfigured.

4.9.3 Hardware-Software Boundary Attack Detection

In most monitoring systems that are developed for cyber-attack detection, the emphasis is focused on the information layer, which is where the software is contained and do not verify the hardware peripherals that communicate between the main processor and the on- board slave devices. HECAD takes into account the possibility that the firmware on a sensor can be a potential attack surface and HECAD has the capability to monitor the information layer as well as the hardware peripheral layer. This additional monitoring capability can potentially provide more information allowing for quicker fault/attack detection, isolation, and location. It also provides a basis for a hierarchical architecture allowing for multi-level verification and collaboration between different sub-modules that monitor different characteristics of the system.

Breaking the hardware/software barrier through monitoring hardware resources as well as software on a system is becoming more necessary among Cyber-Physical systems where a principle of assessing the physical processes as well as the cyber aspect of the system is necessary to prevent system failure [70], [71] . Software failures remain to be the leading cause for computer based cyber-physical systems, however hardware failures have a larger impact with the number of devices affected [72]. With COTS UAS becoming more widely available amongst the civilian community, sensor firmware attacks can potentially have more of an impact during the manufacturing and distribution process. A firmware attack can remain undetected longer and be more difficult to detect, since autopilot firmware can easily be patches and updated, hardware sensor firmware is not.