CCX Technologies Falcon IDS is an intrusion detection system specifically designed to analyze safety critical real-time data buses. As avionics data is captured by SystemX, it is continuously evaluated against a set of algorithm-based rules. Should the incoming data trigger the conditions of the algorithm, an alert is generated, notifying the air crew or a system administrator.
The Falcon IDS detects, logs, and flags anomalous traffic on avionics networks and other data buses. It can be used to safeguard aircraft and other vehicles from cyberattacks and to provide insight into events that require active maintenance.
The IDS's open architecture gives system designers and administrators access to all rulesets, algorithms, and collected data, giving fleet managers full control over the entire data-collection and IDS infrastructure.
Algorithms
Algorithms can be created for a multitude of different scenarios. For example, identifying an anomalous rate of change in a vehicle’s speed due to a GPS spoofing attack, or detecting the injection of malicious data into a MIL-1553 data bus.
SystemX comes with a complete set of default algorithms that can be configured with specific rules to identify many common data-bus anomalies. SystemX also contains a built-in Python editor and algorithm development environment that can be used to write and modify algorithms directly on the system.
In addition to the integrated IDE, a stand-alone Falcon simulator is available for offline development of more complex algorithms and decoding software.
Rules
Once an algorithm has been developed, one or more rules can be created to use this algorithm for generating alerts. Rules define the parameters to be analyzed and the acceptable boundary conditions.
Rules and the underlying algorithms can be loaded and configured on a single system, or managed fleet-wide using a SystemX Server.
Rulesets
Rules are grouped into rulesets and deployed using a Falcon IDS service.
A Falcon IDS service will begin monitoring data using the defined rulesets as soon as it is enabled. SystemX includes multiple rulesets and algorithms as part of its base installation, or new rules can be uploaded via an archive or pushed from a SystemX Server.
Alerts
Alerts are generated when data-bus data collected by the system is flagged by an algorithm configured as part of a rule. Alerts can be generated for cyber events, maintenance events, or other operationally interesting events.
On platforms that have in-flight connectivity, alerts can be forwarded to operators on the ground for real-time monitoring in a Security Operations Centre (SOC). Alerts can also be forwarded to a SOC post-flight using terrestrial connectivity options (such as 5G).
All alerts are also stored locally; on platforms that do not allow any connectivity, they can be transferred to a central server post-flight using secure maintenance laptops.
Alerts can be raised to the local flight crew via the SystemX GUI, a discrete annunciator, or an alert sent to an MCDU.
Falcon In Use, Detecting GPS Spoofing
This scenario illustrates how the Falcon Avionics IDS running on an AP-251 detects an attempted cyber-attack on an aircraft data bus with data collected using an AP-555, and alerts flight crew and ground personnel.
Data Collection
An aircraft Global Positioning System (GPS) unit outputs position data and other information on its ARINC-429 output data-bus. A DataPHY that is connected to this bus captures and stores the raw ARINC-429 data.
The DataPHY securely transmits the captured data to an AP-251 which stores the data in a local database.
Data Decoding
The ARINC-429 Decoder on the AP-251 then decodes ARINC-429 messages with predefined label definitions into a common data format.
Messages without label definitions are converted to the common data format without decoding.
The data values are passed through a set of configurable rulesets based on programmable algorithms in the Falcon IDS.
Generating an Alert
In this scenario, an attacker intercepts the GPS bus and replaces the longitude, latitude, and altitude values with fabricated data. The Falcon IDS is configured to detect unexpectedly large changes in position values between consecutive samples, flags them, and generates an alert.
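The following is an added, self-contained example written for this page; it is not CCX Technologies' code and does not use the SystemX API. It walks the scenario above end to end in Python (the language of SystemX's algorithm editor) and also illustrates the algorithm/rule split described in the Algorithms and Rules sections: an ARINC-429 BNR decoder with a small label-definition table (labels 310, 311 and 361 with bit positions, resolutions and units as assumed here, not taken from the page) converts words into a common record format and passes undefined labels through undecoded, and a rate-of-change algorithm (`check_position_jumps`) is parameterised by a rule (`PositionJumpRule`) whose boundaries are the maximum plausible ground speed and vertical rate. The bus capture is constructed inline: five seconds of steady flight followed by one spoofed frame. `encode_bnr` exists only to build that capture. The rule boundaries must be chosen from the airframe's real performance envelope; set too tight, legitimate manoeuvres and normal sensor jitter produce false alerts.

```python
"""Constructed ARINC-429 GPS-spoofing detection example (not vendor code)."""
import math
from dataclasses import dataclass

# --- Label definitions: constructed for this example; a deployment loads its own ---
@dataclass(frozen=True)
class BnrLabel:
    name: str
    lsb: int           # 1-based bit number of the least significant data bit
    sign_bit: int      # bit number of the two's-complement sign bit
    resolution: float  # engineering value of one LSB
    unit: str

LABELS = {
    0o310: BnrLabel("latitude", 9, 29, 180.0 / 2**20, "deg"),
    0o311: BnrLabel("longitude", 9, 29, 180.0 / 2**20, "deg"),
    0o361: BnrLabel("altitude", 12, 29, 1.0, "ft"),
}
SSM_NORMAL = 0b11  # BNR sign/status matrix value for "normal operation"

def _reverse8(b):
    """Label bits are carried MSB-first, so bit 1 of the word holds the label's MSB."""
    return int(f"{b:08b}"[::-1], 2)

def _field(word, lo, hi):
    """Bits lo..hi inclusive (1-based) of a 32-bit word, as an unsigned int."""
    return (word >> (lo - 1)) & ((1 << (hi - lo + 1)) - 1)

def with_parity(word):
    """Set bit 32 so the whole word has odd parity (ARINC-429 convention)."""
    word &= 0x7FFFFFFF
    return word | (1 << 31) if bin(word).count("1") % 2 == 0 else word

def encode_bnr(label, value):
    """Build a BNR word for a defined label; used only to construct the sample capture."""
    d = LABELS[label]
    n = d.sign_bit - d.lsb + 1
    raw = round(value / d.resolution)
    if not -(1 << (n - 1)) <= raw < (1 << (n - 1)):
        raise ValueError(f"{value} {d.unit} out of range for label {label:03o}")
    word = _reverse8(label) | ((raw & ((1 << n) - 1)) << (d.lsb - 1)) | (SSM_NORMAL << 29)
    return with_parity(word)

def decode_word(word):
    """Convert one word into the common record format. Words whose label has no
    definition are passed through with raw bits only, without a decoded value."""
    if bin(word & 0xFFFFFFFF).count("1") % 2 == 0:
        raise ValueError(f"parity error in word {word:08x}")
    label = _reverse8(word & 0xFF)
    rec = {"label": f"{label:03o}", "raw": word, "ssm": _field(word, 30, 31)}
    d = LABELS.get(label)
    if d is None:
        return rec
    n = d.sign_bit - d.lsb + 1
    raw = _field(word, d.lsb, d.sign_bit)
    if raw & (1 << (n - 1)):
        raw -= 1 << n  # two's complement sign extension
    rec.update(name=d.name, value=raw * d.resolution, unit=d.unit)
    return rec

# --- Rule: boundary conditions for the algorithm (values assumed for this example) ---
@dataclass(frozen=True)
class PositionJumpRule:
    max_ground_speed_kt: float = 700.0
    max_vertical_rate_fpm: float = 8000.0

EARTH_RADIUS_NM = 3440.065

def great_circle_nm(lat1, lon1, lat2, lon2):
    """Haversine distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def check_position_jumps(samples, rule):
    """Algorithm: samples are (t_seconds, lat, lon, alt_ft); an alert is raised when the
    speed or vertical rate implied by two consecutive samples exceeds the rule boundary."""
    alerts = []
    for (t0, la0, lo0, al0), (t1, la1, lo1, al1) in zip(samples, samples[1:]):
        if t1 <= t0:
            continue
        speed_kt = great_circle_nm(la0, lo0, la1, lo1) / ((t1 - t0) / 3600.0)
        vrate_fpm = abs(al1 - al0) / ((t1 - t0) / 60.0)
        if speed_kt > rule.max_ground_speed_kt or vrate_fpm > rule.max_vertical_rate_fpm:
            alerts.append({"t": t1, "kind": "cyber", "implied_speed_kt": round(speed_kt, 1),
                           "vertical_rate_fpm": round(vrate_fpm)})
    return alerts

def build_capture():
    """Constructed capture: 5 s northbound at ~450 kt and FL350, then one frame in which
    the attacker substitutes a position 2 degrees north at 1000 ft. One tuple per word."""
    lat, lon, alt = 45.0, -75.5, 35000.0
    frames = [(t, lat + t * 450 / 3600 / 60, lon, alt) for t in range(5)]  # 450 kt = 0.125 nm/s
    frames.append((5, lat + 2.0, lon, 1000.0))  # spoofed frame
    return [(t, encode_bnr(lbl, v)) for t, la, lo, al in frames
            for lbl, v in ((0o310, la), (0o311, lo), (0o361, al))]

def run_scenario(rule=PositionJumpRule()):
    """Decode the capture, assemble per-timestamp samples, and apply the rule."""
    by_t = {}
    for t, word in build_capture():
        rec = decode_word(word)
        if "name" in rec:
            by_t.setdefault(t, {})[rec["name"]] = rec["value"]
    samples = [(t, v["latitude"], v["longitude"], v["altitude"]) for t, v in sorted(by_t.items())]
    return check_position_jumps(samples, rule)

if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

Running the module prints a single alert for the spoofed frame at t=5, whose implied ground speed is several hundred thousand knots; the four steady frames stay well inside the 700 kt boundary even with BNR rounding. The same `check_position_jumps` algorithm can be bound to different `PositionJumpRule` instances for different airframes, which is the rule/algorithm separation the page describes.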