A CYBERSECURITY ANALYSIS OF RADIO-FREQUENCY ATTACKS ON
AEROSPACE COMMUNICATION SYSTEMS
by
Nicholas Bradshaw
A Dissertation Presented in Partial Fulfillment
of the Requirements for the Degree
Doctor of Science
CAPITOL TECHNOLOGY UNIVERSITY
December [Insert Date], 2021
© 2021 by Nicholas Bradshaw
ALL RIGHTS RESERVED
A CYBERSECURITY ANALYSIS OF RADIO-FREQUENCY ATTACKS ON
AEROSPACE COMMUNICATION SYSTEMS
Approved:
Richard Baker, PhD, Chair
Name of Committee Member, Degree, Committee Member
Name of Committee Member, Degree, Committee Member
Accepted and Signed:
____________________________________________________________
Name of Chair
Date
____________________________________________________________
Name of Committee Member
Date
____________________________________________________________
Name of Committee Member
Date
____________________________________________________________
Ian McAndrew
Date
Dean, Doctoral Programs
Capitol Technology University
ABSTRACT
Over the past decade, the United States government has been the target of cybersecurity attacks
targeting the nation’s critical infrastructure. Regardless of attempts by the government to secure
the nation’s assets, significant gaps remain in the aerospace communications domain. Aerospace
communication systems support our infrastructure in a multitude of industries such as satellite
communications, global navigation, aviation, and national defense. Despite the critical nature of
aerospace communication systems, attacks are becoming more frequent and harder to identify
due to the decrease in cost of consumer technology and technological advances which enable
simplified attack methodologies. This study explores the nature of radio frequency attacks on
aerospace systems and collects data from subject matter experts regarding the frequency, quality
of available federal guidance, and impact to system confidentiality, integrity, and availability
resulting from radio frequency attack incidents. The literature review details the current state of
the aerospace communication industry, with emphasis on currently available government
resources used throughout the industry. This quantitative descriptive correlational study utilized
a cross-sectional survey to reveal that radio frequency attacks on aerospace communication
systems are a prevalent threat to system confidentiality, integrity, and available. Using data
gathered from participants, information regarding the frequency of radio frequency attacks based
upon participant background and years of experience is detailed.
Keywords: cybersecurity, aerospace communication systems, radio frequency, radio
frequency attack, radio frequency interference, space communications, aviation
communications, electronic warfare, radio frequency attack vector, satellite system,
aviation system
iii
DEDICATION
I dedicate this dissertation to my family who has provided an endless source of
compassion, understanding, and support throughout my educational journey. Without them, this
accomplishment would not have been possible.
iv
ACKNOWLEDGMENT
Sir Isaac Newton once wrote, “If I have seen further, it is by standing on the shoulders of
giants,” within a letter addressing his knowledge of science in the mid-1670s. This dissertation is
no exception, as all within it can be attributed to the successes and failures of those before me.
I’d like to acknowledge the multitudes of authors and scientists who I referenced within this text;
without them this paper would not have been possible.
This dissertation was only possible with support of my family. It was with their neverending willingness to support this effort that I was able to shoulder the weight of my own
endeavors. I wish to express my gratitude to my wife, Jordan, who has provided her love and
support throughout this entire ordeal, never hesitating to support me during the endless hours of
research. I’d like to acknowledge my children, who provided me with the drive and ambition to
demonstrate that even the most challenging obstacles can be toppled. Finally, I’d like to
acknowledge my mother, who provided the guidance and motivation to embark upon this
journey of lifelong learning.
I would like to express my gratitude and appreciation to my dissertation chair for the
unrelenting support during this study. Dr. Richard Baker provided a wealth guidance and did not
hesitate to go out of his own way when asked. Throughout the many iterations of this
dissertation, his patience and guidance was greatly appreciated. Lastly, I’d also like to
acknowledge the support provided by Dr. McAndrew and the faculty staff at Capitol Technology
University throughout the past 3 years.
v
TABLE OF CONTENTS
LIST OF TABLES ........................................................................................................... viii
LIST OF FIGURES ........................................................................................................... ix
CHAPTER 1: INTRODUCTION ....................................................................................... 1
Background of the Study ................................................................................................................ 2
Significance of the Study ................................................................................................................ 8
Nature of the Study ......................................................................................................................... 9
Research Questions ....................................................................................................................... 10
Conceptual Framework ................................................................................................................. 12
Definitions..................................................................................................................................... 15
Terms and Definitions ............................................................................................................... 15
Assumptions.................................................................................................................................. 16
Scope, limitations, and delimitations ............................................................................................ 18
Chapter Summary ......................................................................................................................... 19
CHAPTER 2: LITERATURE REVIEW .......................................................................... 21
Title Searches ................................................................................................................................ 22
Historical Overview ...................................................................................................................... 23
United States Federal Guidance ................................................................................................ 26
Department of Homeland Security ............................................................................................ 29
RF Attack Characteristics ............................................................................................................. 42
radio frequency Interference Background. ................................................................................ 42
Aerospace Communications System Vulnerabilities. ............................................................... 48
vi
Chapter Summary ......................................................................................................................... 57
CHAPTER 3: METHOD .................................................................................................. 59
Research Questions ....................................................................................................................... 63
Hypothesis/Variables .................................................................................................................... 64
Population ..................................................................................................................................... 65
Sampling Theory........................................................................................................................... 66
Sample Size................................................................................................................................... 71
Data Collection ............................................................................................................................. 73
Instrumentation ............................................................................................................................. 75
Reliability...................................................................................................................................... 77
Validity: Internal and External...................................................................................................... 78
Pilot study ..................................................................................................................................... 80
Data Analysis ................................................................................................................................ 80
Chapter Summary ......................................................................................................................... 81
CHAPTER 4: RESULTS .................................................................................................. 83
Pilot Study..................................................................................................................................... 84
Pilot Study Procedures .............................................................................................................. 84
Pilot Results............................................................................................................................... 85
Survey Development ..................................................................................................................... 88
Informed Consent ...................................................................................................................... 88
Survey Questions....................................................................................................................... 89
Data Collection ............................................................................................................................. 91
Findings......................................................................................................................................... 94
vii
Assumptions Impact on Data Collection ................................................................................... 94
Quantitative Results .................................................................................................................. 96
Correlative Analysis ................................................................................................................ 106
Correlative Results .................................................................................................................. 115
Chapter Summary ....................................................................................................................... 121
CHAPTER 5: FINDINGS AND RECOMMENDATIONS ........................................... 122
Study Taxonomy ......................................................................................................................... 123
Limitations .................................................................................................................................. 124
Findings and Interpretations ....................................................................................................... 125
Impacts of Radio Frequency Attacks to the CIA of Aerospace Communication Systems ..... 126
Frequency of radio frequency Attacks on Aerospace Communication Systems .................... 128
State of Current US Government Policy ................................................................................. 128
Hypothesis Addressed ............................................................................................................. 129
Research Questions Addressed ............................................................................................... 130
Recommendations for Future Research ...................................................................................... 134
Summary ..................................................................................................................................... 136
REFERENCES ............................................................................................................... 136
APPENDIX A: LITERATURE REVIEW SEARCH ..................................................... 154
APPENDIX B: RESEARCH METHODOLOGY MAP ................................................ 155
APPENDIX C: PARTICIPANT CONSENT FORM ..................................................... 156
APPENDIX D: RESEARCH INSTRUMENT ............................................................... 159
viii
LIST OF TABLES
Table 1 Department of Homeland Security Cybersecurity Goals ...................................... 36
Table 2 Internal RF Interference Examples ....................................................................... 44
Table 3 External RF Interference Examples ...................................................................... 46
Table 4 Pilot Study Feedback ............................................................................................. 86
Table 5 Survey Question Number and Narrative Mapping .............................................. 107
Table 6 Survey Question Number and Variable Measured Mapping .............................. 108
Table 7 Pearson Product-Moment Correlation Coefficient Descriptive Interpretation ... 109
Table 8 Pearson Product-Moment Correlation Coefficient Measurements ..................... 110
Table 9 Pearson Product-Moment Calculation Confidence Interval................................ 111
Table 10 Fisher’s R-to-Z Transformation Results ........................................................... 113
Table 11 Coefficient of Determination Results ................................................................ 114
Table 12 Coefficient of Alienation Results ...................................................................... 115
Table 13 Correlative Analysis: Years of Experience/CIA Impact ................................... 116
Table 14 Correlative Analysis: Years of Experience/Frequency of RF Attack ............... 117
Table 15 Correlative Analysis: Correlation of CIA Model .............................................. 118
Table 16 Correlative Analysis: Frequency of Attacks and Years of Experience ............. 120
ix
LIST OF FIGURES
Figure 1. The RF Interference Mitigation Lifecycle. ........................................................ 41
Figure 2. Methods of radio frequency interference through transport mechanisms. ........ 43
Figure 3. Cyber Threats to Space Systems. ...................................................................... 49
Figure 4. Uplink Jamming ................................................................................................ 51
Figure 5. Downlink Jamming. .......................................................................................... 52
Figure 6. Participant Years of Experience Demographic ................................................. 97
Figure 7. Participant industry of experience domain ........................................................ 98
Figure 8. Years of experience Versus Impact to Availability ........................................... 99
Figure 9. Years of Experience Versus Impact to System Integrity................................. 101
Figure 10. Years of Experience Versus Impact to Confidentiality. ................................ 102
Figure 11. Years of Experience Versus Frequency of RF Attack. .................................. 104
Figure 12. Years of Experience Versus Opinion of Government Resources ................. 105
1
CHAPTER 1: INTRODUCTION
Critical infrastructure and its concomitant technologies play a critical role in the daily
operations of nations around the world. Aerospace communication systems are an essential
component of that infrastructure including, defense capabilities for the United States and
developed nations (Congressional Research Service, 2020). Unprecedented reliance on critical
infrastructure demands strong protective capabilities to defend it from adversaries targeting
systems with cyber-attacks (Cybersecurity and Infrastructure Security Agency, 2017).
In a 2017 a report titled, Securing Cyber Assets: Addressing Urgent Cyber Threats to
Critical Infrastructure, the United States (U.S.) Cybersecurity and Infrastructure Security
Agency (CISA) noted that, while the federal government is responsible for protecting United
States infrastructure from attacks with economic, public safety and national security
ramifications, this role is not well defined in the cyber realm, where costly, sophisticated attacks
carry ever more serious potential consequences, outstripping the capabilities of private
businesses (CISA, 2017). According to the U.S. Federal Emergency Management Agency,
roughly 85 percent of the nation’s critical infrastructure is owned by the private sector, a statistic
which suggests that public and private partnerships are required to ensure the operability of the
assets (Federal Emergency Management Agency [FEMA], 2011).
To defend against new threats, new methods of defense must be created (Bailey,
Speelman, Doshi, Cohen, & Wheeler, 2019). This study will investigate radio frequency attack
vectors in aerospace communication systems and the application of cybersecurity principals to
mitigate them. Chapter one of this study describes the background, nature of study, problem
statement, purpose statement, methodology, design, and research questions of this study. The
structure of the study is further elaborated on with additional decomposition in Chapter 3.
2
Background of the Study
The creation of the United States Space Force (USSF) in December 2019, and its mission
in space domain security, embodies actions necessary to defend U.S. interests in an evolving
battle landscape (United States Space Force, 2021a). The first seminal document released by the
United States Space Force, titled “Space Power Capstone Doctrine,” identifies Cyber Operations
as among primary discipline (United States Space Force, 2020a). The immediate need for Space
Force Cyber Operations was further reinforced by Deputy Commander Maj. Gen. Stephen
Whiting, who, in address to the Advanced Maui Optical and Space Surveillance Technologies
(AMOS) Conference, stated that cyber-attacks are the most probable form attacks in space will
take (Hitchens, 2020).
The doctrine defines three segments of space systems requiring protection: orbital,
terrestrial, and link segment (United States Space Force, 2020a). The orbital segment includes
the environment and vehicle operation in space. The terrestrial segment is comprised of the
support equipment and systems utilized to operate a spacecraft (United States Space Force,
2020a). The link segment of the space system architecture is composed of the Radio Frequency
signals in the electromagnetic spectrum used to establish communications between the terrestrial
and orbital segments (United States Space Force, 2020a; United States Space Force, 2020b).
Aerospace communication systems, some of which span all three segments of space
systems, are integral to the critical infrastructure mission of the United States, which encompass
satellites, antennas, ground stations, launch stations, and miscellaneous support equipment
(United States Space Force, 2020a). Aerospace communication systems may have dependencies
on related support capabilities, such as timing and navigation systems supported by the Global
Positioning Satellite System (Dave, Choudhary, Shiag, You, & Choo, 2021). Core capabilities to
3
protect national interests of space cyber operations are defined in the Space Power Capstone
Doctrine as orbital warfare, space battle management, space electromagnetic warfare, space
access and sustainment, engineering/acquisitions, and military intelligence (United States Space
Force, 2020a).
Cyber Operations, the operational application of cybersecurity, includes methods and
practices protecting sensitive data from unauthorized entities (Joint Chiefs of Staff [JCS],
2018a). It is the goal of cybersecurity to defend system data (McGee, 2021). A fundamental
concept of cybersecurity is the CIA triad, an abbreviation of Confidentiality, Integrity, and
Availability, which categorizes threats to operational capability of information, or operational
technology systems (National Institute of Science and Technology, 2020).
In the CIA triad, confidentiality represents the assurance that information, whether
processed, transmitted, or stored, is protected from unauthorized entities attempting access
(National Institute of Science and Technology, 2020). Integrity assures data processed, stored, or
transmitted remains unmodified and unaltered without authorization. Availability refers to
maintaining availability of information systems without outages caused by system failure or
denial of services (National Institute of Science and Technology, 2020, p. 1).
Information systems, comprising various components of information technology, are
critical to the operation of aerospace systems (Government Accountability Office, 2020).
Information technology is defined as equipment or interconnected systems and subsystems used
in the “acquisition, storage, manipulation, management, movement, control, display, switching,
interchange, transmission, or reception of data or information” (National Institute of Science and
Technology, 2021b). This definition encompasses disciplines such as software development,
business technology systems, network devices, and cybersecurity.
4
As information technology progresses in ability and services, these benefits have been
embraced by the aerospace industry to engender new capabilities. These advances, however,
come at a cost, and have resulted in vulnerabilities to the success of aerospace operations
(Sayler, 2021). One of the most significant vulnerabilities, radio frequency attack, threatens
aerospace communication systems via several attack vectors. In a report published by the
Government Accountability Office (Government Accountability Office, 2020a), Aviation
Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of
Avionics Risks, the GAO identifies with growing concern the evolving cybersecurity threats
which put future aerospace systems at increased risk if the United States government does not act
to prioritize the establishment of proactive controls to defend against attacks.
Aerospace systems are unlike traditional information systems in several ways (Bailey et
al., 2019). A typical information technology system involves endpoint devices such as personal
computers or servers connected to network devices for communication. These systems are
commonly easily scalable, and range in size from a few dozen devices to thousands. The
traditional information technology system model supports business functions and fits a variety of
user support needs (Boel & Cecez-Kecmanovic, 2015). In contrast, aerospace systems require
specialized equipment such as sensors and embedded software to meet mission requirements
(Bailey et al., 2019).
Aerospace systems also range widely in scope, capability, and size (Pinto, Zeidner,
Khire, Banaszuk, & Reeve, 2010). For example, an aerospace system may support commercial
aircraft control systems to link pilots to control towers using radio frequency communications
(Ragland, 1962). A separate system may provide satellite communications for onboard internet
access to traveling passengers (Grace, Daly, Tozer, Burr, & Pearce, 2001). Aerospace systems
5
may use satellite communication channels for telemetry communications a control center as
another application of radio frequency communication (Stacey, 2008).
System confidentiality, integrity, availability, can all be significantly impacted by threats
originating from radio frequency technology (Bailey et al., 2019). As the nature of Aerospace
systems becomes more complex, simple solutions for protecting systems become less effective.
Complex and layered approaches ensuring system operability are needed to cope with evolving
threat landscapes in the operational environment (Bailey et al., 2019). Bailey et al.’s 2019 report
for the Center for Policy Strategy, entitled Defending Spacecraft in the Cyber Domain, makes
clear, space and cybersecurity policies are not yet in place to address cyber threats to spacecraft
by nation-state actors, and standards and governance by government and industry are needed to
mitigate the growing risk.
The threat landscape of space communications has broadened in scope due to system
dependencies and growing sophistication by attackers (Salyer 2021). Systems using Radio
Frequency (RF) technology are sensitive to impacts from non-adversarial sources, such as
meteorological, in addition to adversarial actors exploiting radio frequency vulnerabilities to
impact system performance (Nadeem, Awan, Leitgeb, & Kandus, 2009). Impacts from nonadversarial actors due to radio frequency spectrum cluttering is a known phenomenon which
creates confusion when trying to isolate the cause of threats (Nadeem et al., 2009; Baird, 2013).
The radio frequency spectrum is governed in the United States by the Department of
Commerce’s National Telecommunications and Information Administration (National
Telecommunications and Information Administration, 2000) and the Federal Communications
Commission (FCC) who work in tandem to oversee spectrum use (National Aeronautics and
Space Administration [NASA], 2016). For federal use, the National Telecommunications and
6
Information Administration (NTIA) holds regulatory authority, and for non-federal use, the FCC
has regulatory authority (NASA, 2016). International regulation of spectrum use is handled by
the International Telecommunication Union (ITU), which ensures compliance with radio
regulations. The FCC, NTIA, and ITU work together to ensure the radio frequency spectrum is
managed, minimizing instances of impacts from spectrum cluttering inadvertently impacting
aerospace systems (NASA, 2016).
Adversarial actors are not limited to attacking authorized spectrum set aside by the NTIA
or FCC (FAA, 2020). Publicly available maps of radio frequency Spectrum allocation facilitate
the development of tools to aid in exploitation of radio frequency vulnerabilities. By allowing
public knowledge of what activities are tied to areas of the spectrum, specific frequency spans of
interest can be targeted (FAA, 2020).
Problem Statement
radio frequency attacks have the potential to disable critical infrastructure assets through
methods which align with current known cybersecurity attack vectors (NIST, 2020; Bailey et al.,
2019). The current lack of cybersecurity mitigation practices in aerospace systems creates an
unacceptable risk environment for systems providing critical services to a wide variety of
customers (White House, 2018). Therefore, radio frequency attack vectors need to be categorized
and addressed with appropriate policies so that commercial and defense organizations can
adequately protect them.
Purpose of the Dissertation Study
Preliminary research on this topic reveals that radio frequency attacks are becoming
increasingly common and that security gaps exist in the aerospace communications industry
7
(Lykou, Anagnostopouloum, & Gritzalis, 2018; Wang, Wei, Chen, Tian, Pham, & Shen, 2016;
Bailey et al., 2019; Sayler, 2021).
The purpose of this quantitative descriptive study is to analyze existing Radio Frequency
and cybersecurity threats to aerospace systems to facilitate the development of guidelines
ensuring aerospace communication systems are protected from attacks. Quantitative research
examines static questions and explores the relationship between two or more variables (Creswell
& Guetterman, 2018). This study will use a cross-sectional survey to collect data from industry
professionals on radio frequency cybersecurity threats to aerospace communication systems. The
specific data sought will be on the frequency and severity of suspected radio frequency attacks,
and the applicability of existing cybersecurity policies to address them.
Cross-sectional surveys collect data from a single point in time to measure the attitudes,
practices, and community needs of a population. Often, cross-sectional surveys are used to
“evaluate a program” (Creswell & Guetterman, 2018, p. 388). Statistical analysis can then be
performed on data sets to identify any correlation. Correlative factors in this study will reveal the
applicability of cybersecurity programs to ensure protection of aerospace communications.
Analysis of survey responses will yield correlations between types of aerospace systems, the
level of impact to system Confidentiality, Integrity, and Availability, and frequency of radio
frequency attacks. The data will then be compared to results reflecting radio frequency attack
impacts to the Cybersecurity CIA triad. By identifying the correlation variables,
recommendations will identify areas of concern regarding cybersecurity mitigation approaches
(Ruel, Wagner, & Gillespie, 2015).
8
Significance of the Study
The findings of this study will offer several significant contributions to the cybersecurity
and radio frequency systems engineering fields. While radio frequency attacks have been
identified as a vulnerability in existing cybersecurity standards and documents such as NIST
800-53 (NIST, 2020), characteristics of the attacks have not been detailed. Furthermore, initial
research found that neither current aerospace nor cybersecurity policy is sufficiently robust to
meet the challenges associated with risks to aerospace systems (Bailey et al., 2019). In addition
to an analysis of scholarly literature regarding radio frequency attack characteristics, this study
will provide recommendations for future research which may be used for the development of a
framework to respond to radio frequency attacks.
The execution of this study will expand the current body of knowledge by providing the
following:
-
An analysis of common radio frequency attacks and their effects on aerospace radio
frequency communication systems. This analysis may be used independent of the study
to provide higher levels of mission and information assurance to cybersecurity and radio
frequency system development efforts.
-
An assessment of the impacts of various radio frequency attacks on aerospace
communication systems to determine the criticality and level of threat. The assessment
can be used by the industry to understand the impacts of radio frequency attacks on
system confidentiality, availability, and integrity.
-
A comparison of identified radio frequency attacks to known cybersecurity models.
Existing documentation of radio frequency attacks lacks an assessment methodology to
facilitate an appropriate respond.
9
-
Utilizing the results from the survey, a final recommendation is presented on the
applicability of radio frequency attack vectors in relation to cybersecurity practices.
Nature of the Study
This dissertation will deploy a quantitative methodology with a descriptive research
design. The descriptive research design utilizes a cross-sectional survey to measure industry
views on whether cybersecurity policy would benefit aerospace radio frequency communication
systems.
Overview of Research Methodology
A quantitative approach was selected to evaluate the relationship between aerospace
radio frequency attack vectors and cybersecurity. Quantitative research sets out to test a
hypothesis (Crewell & Guetterman 2019). In quantitative research, researchers analyze trends or
needs in the field to develop research questions to be answered (Crewell & Guetterman 2019).
Tools such as surveys are often used to collect numerical data from a population. The results of
the research can then be analyzed to shed light on the research questions (Creswell &
Guetterman, 2018).
Quantitative research allows for further statistical analysis and is highly generalizable
(Salkind, 2018). For the purposes of this study, generalizable results are essential, so data
presented can be applied to a broader population. Survey instruments are a scalable method of
collecting data through quantitative measures (Ruel et al., 2016).
Overview of Research Design
A descriptive research design with a cross-sectional survey was selected for use in this
study. The advantage of a descriptive quantitative research model is that it “paints a picture” of a
research topic (Salkind, 2018, p. 161). Descriptive research differs from comparative or
10
experimental research in that it does not include a control group (Ruel et al., 2016; Salkind,
2018). The purpose of this study is not to test the influence of variables, but instead, to represent
the views of subject matter experts on cybersecurity principals in aerospace systems.
1) A quantitative descriptive survey study selection allows evaluation of answers provided
by subject matter experts to correlate them to known phenomena (Creswell &
Guetterman, 2018; Boudah, 2011). The decision to select a survey as the primary vehicle
for research data gathering was evaluated taken with the following considerations in
mind: Survey research is relatively easy to verify compared to other research models and
can be validated by comparing data gathered to alternative sources (Ruel et al., 2016).
2) The amount of effort required to collect data through surveys is minimal and allows for
larger sample sizes (Ruel et al., 2016; Salkind, 2018).
3) Surveys, when administered correctly utilizing best practices, often result in very
accurate and detailed results (Salkind, 2018, p. 164).
This study will use a cross-sectional survey to explore potential application of
cybersecurity principals to aerospace communication systems. Cross-sectional surveys collect
data from a single point in time to measure attitudes, practices, and community needs of a
population. For the purpose of this study, a single data collection is appropriate to answer the
research questions (Crewell & Guetterman 2018).
Research Questions
Aerospace communication system cybersecurity standards fail to meet the needs of the
missions they are designed to protect (Bailey et al, 2019). While there has been increased interest
in improving security of information systems and the support networks of aerospace systems,
little effort has gone into mitigation of radio frequency attacks (Bailey et al., 2019). In that light,
11
this study will explore four research questions developed to address the problem statement. The
focus of the research questions is to further describe the characteristics of radio frequency
attacks, and to gather expert views on whether cybersecurity standards would benefit the security
of aerospace communication systems. The first research question in this study is:
RQ1: Would the implementation of a national standard for the management of radio
frequency attacks contribute to the security of aerospace communication system
missions?
This question seeks to identify if a national standard addressing radio frequency attacks
would increase the security of aerospace communications. A literature review will be conducted
to analyze existing cybersecurity policies protecting critical infrastructure systems, such as
aerospace, to determine if there would be a potential benefit in generating a similar policy for the
purpose of radio frequency attack vector mitigation. A survey also will also be conducted among
industry professionals to determine their informed views on whether the implementation of a
federal policy would be beneficial to the industry. The literature review will provide a foundation
of the current state aerospace communications cybersecurity, while the survey will provide an
objective assessment on the current views of experts in the field (Salkind, 2018).
The second and third research questions for this study will aid in understanding how
prevalent and severe radio frequency attacks on aerospace systems are.
RQ 2: How often do radio frequency attacks target aerospace systems?
RQ3: What is the impact of radio frequency attacks on aerospace systems?
The literature review will inform these questions by shedding light on the types and
frequency of documented attacks. Common attack methodologies will be identified through
publicly available information, such as government reports and commercial data related to
12
aerospace communication system attacks. In addition, survey responses will elicit a better
understanding of the impact, severity, and frequency of attacks, from the viewpoint of experts
who use radio frequency in the aerospace industry in a variety of applications. This data, when
compiled, will be analyzed to determine whether the threat is sufficient to warrant additional
resources from federal organizations.
RQ4: What is the relationship between radio frequency attacks and cybersecurity attacks
among aerospace communication systems?
Research question 4 seeks to understand the correlative relationship between radio
frequency attacks and their impacts on aerospace communication system Confidentiality,
Integrity and Availability. To answer this question, a literature review will be conducted to
reveal the nature of cybersecurity attacks, the current communications security methodology for
radio frequency communications, and conceptual frameworks such as the CIA triad model to
better understand how existing frameworks may be applied to aerospace radio frequency
communication systems. Cybersecurity principles and fundamentals, and existing aerospace
security communication standards will be included in the review. Understanding existing
cybersecurity controls and whether they were adequate in addressing past radio frequency attacks
will be prioritized. This will be complemented by survey participant responses on their informed
view on whether current government resources are adequate for the security of aerospace system
communications.
Conceptual Framework
Three government publications were used to develop the conceptual framework for the
research of this study:
13
1. The National Security Strategy for Aviation Security of the United States of America
(Department of Homeland Security, 2007) highlights the increasing reliance on the radio
frequency spectrum and the concerning reality that it is easily degraded by adversaries
attempting to impact aviation operations. Due to the critical nature of aerospace assets,
vulnerabilities threatening their operations can be considered a national security threat.
The National Security Strategy identifies radio frequency dependency, among other
vulnerabilities, as a threat.
2. The Government Accountability Office (2018) published the High Risk Series: Urgent
Actions Are Needed to Address Cybersecurity Challenges Facing the Nation. The
development and execution of a comprehensive cybersecurity strategy is identified as a
major need for both federal and private critical infrastructure in this document. This
publication served as the foundation for the primary research question, “would the
implementation of a national standard for the management of radio frequency attacks
contribute to the security of aerospace communication system missions?” Given that
aerospace communications are a critical infrastructure asset of the United States, the
development of a comprehensive cybersecurity strategy is a potential approach for
mitigating the increasing threat of radio frequency attacks.
3. The Department of Homeland Security (DHS) Cybersecurity Strategy Guide (2018)
identifies the telecommunication industry as one of the critical infrastructure areas
needing improvement in the areas of risk identification, vulnerability reduction, threat
reduction, and mitigation. In the telecommunication industry, satellite communications
and aerospace communications are two critical domains within the purview of the
Department of Homeland Security. This publication provides an increased emphasis on
14
critical infrastructure needing diverse and new approaches to mitigate attacks. For this
research, radio frequency attacks were chosen as the threat under study.
The concepts derived from the three publications provide a foundation for the literature
review and survey to investigate the current body of knowledge and to collect data from subject
matter experts on radio frequency threats to aerospace communication systems. Two dependent
variables were selected based on the publications which form the foundation of the conceptual
framework. Aerospace communication systems can range in purpose and architecture, which
implies that respondents could provide vastly different answers to the survey questions
depending on the type of system with which they were most experienced (Bailey et al., 2019).
Therefore, participant aerospace communication system background was identified as a
dependent variable for measurement. Number of years of experience of participants was chosen
as a dependent variable.
The primary purpose of this study is not to test the influence of variables for cause and
effect , but instead, to represent the views of subject matter experts on cybersecurity principals in
aerospace systems. Surveys allow the collection of many responses covering a wide variety of
research questions (Ruel et al., 2016; Creswell & Guetterman, 2018). Respondents completing a
survey may have anonymity using a flexible online survey instrument (Ruel et al., 2016). The
ease in accessibility, anonymity, and scalability enables surveys to reach larger audiences than
alternative research methods (Ruel et al., 2016; Gorvine, Rosengren, Stein, & Biolsi, 2018). A
survey allows for the assessment of data with quantitative measurements which can then be
generalized to the larger field of aerospace communications (Ruel et al., 2016).
15
Definitions
Terms and Definitions
The following terms are used throughout this study and are defined for purposes of this
research:
Aerospace: “Earth’s envelope of air and the space above it, the two considered as a
single realm for activity in the flight of air vehicles and in the launching, guidance, control of
ballistic missiles, earth satellites, dirigible space vehicles, and the like” (Tomsic & Eastlake,
1998).
Aerospace Communications System: Any communication system used in aerospace
applications for the support or operation of an aerospace system (Sacchi, Jamalipour &
Ruiggieri, 2011).
Critical space vehicle functions: “Vehicle functions necessary to “ensure intended
operations, positive control, and retention of custody. The failure or compromise of critical space
vehicle functions could result in the space vehicle not responding to authorized commands, loss
of critical capability, or responding to unauthorized commands” (DHS, 2007).
radio frequency Communications: Radio-frequency waves are electrical waves of
repeating peaks and valleys propagating through free space. The pattern of a radio-wave signal
before it repeats itself is known as a cycle, and the number of times that it repeats per second
itself is known as the frequency. Radio-frequency is measured using the Hz unit.
Communications equipment such as receivers and transmitters convey data using radiofrequency signals (Manning, 2021).
16
radio frequency Attack: An attack which uses radio frequency as a method of impacting
system performance, or the effects of it, to result in a degradation to the operational capabilities
of an information system (Quisquater & David, 2005).
Satellite Communications: Communication systems which use radio frequency
to communicate either directly to space vehicles to receive bus telemetry or transmit commands,
or to provide communication from two or more terminals on Earth (Kodheli, Lagunas, Maturo,
Sharma, Shankar, Montoya, & Goussetis, 2021).
Space System: A system which “typically has three segments: a ground control network,
a space vehicle, and a user or mission network. These systems include Government national
security space systems, Government civil space systems, and private space systems” (White
House, 2020).
Space Vehicle: the section of a space system which operates entirely in space. Specific
examples of space vehicles include space launch vehicle sections, spacecraft, satellites, and
peripheral space hardware (White House, 2020).
Assumptions
To conduct a study, researchers must make assumptions based on the nature and design
of their research topic (Salkind, 2018). Assumptions have the potential to insert bias and
influence a study (Salkind, 2018). Therefore, it is essential to recognize researcher or participant
bias, assumptions, or beliefs (Corbin & Strauss, 2015). Several assumptions are made regarding
this study. However, to ensure internal validity, assumptions will be kept to a minimum and the
study will be conducted as objectively as possible to ensure no bias or influence arise.
The research will assume that participants of the survey answer the survey in good faith –
without intent to answer questions incorrectly or to negatively influence results. Due to the
17
professional nature of the population, it is assumed that participants answer with integrity.
Research results will be reviewed for any intentional sabotage and results will be cross
referenced with separate samples to ensure accuracy. Results deemed incorrect with intent will
be removed from the final data collection.
The study assumes the researcher can acquire an adequate number of responses to the
survey to form a conclusive analysis. Surveys are most effective when many respondents
participate (Ruel et al., 2016). This researcher intends to exhaust the available avenues of
communication to acquire adequate survey participation.
The research assumes data, publications and communication provided by the White
House, GAO, DHS, FCC, and related federal authorities are an accurate depiction of U.S. policy
and are accurate and trustworthy. In addition, this study depends on the interpretation of these
sources to form the research design, conduct a literature review, design a survey instrument,
analyze data, and draw conclusions. The research assumes that publicly available information
correctly represents the industry climate and attitude towards radio frequency attack vectors on
aerospace systems.
Given the sensitive nature of the topic, it is expected that there will be limitations on what
information is publicly available. The researcher will use publicly available policies and
publications, rather than sensitive data of existing systems to describe the types of radio
frequency attack vectors. The final assumption is that the subjects who complete the survey have
prior experience in the aerospace communications field. By design, the survey will be limited to
industry specific LinkedIn and Facebook groups. Individuals without experience in the aerospace
communication field will be asked to cease participation in the introduction material and survey.
18
Demographic questions in the survey will further ensure appropriate levels of experience and
knowledge.
Scope, limitations, and delimitations
This study will utilize a quantitative descriptive cross-sectional survey to reveal
correlations in cybersecurity attack vectors and aerospace system radio frequency attack vectors.
This study will be limited in scope by information available from aerospace industry
stakeholders. Radio Frequency attack types and types of aerospace communication systems
mentioned will be described using publicly available information. As a result, references in this
study will be unclassified in nature, derived from publications, or found in reports or guidance
released to the public.
Systems and attack vectors resulting from communication systems dependent upon radio
frequency technology are generally unclassified, however, mitigations and existing
vulnerabilities on operational systems are often considered classified. Information specific to
time, events, or systems in operation are considered classified if it jeopardizes operations.
Therefore, this study will not address individual vulnerabilities on systems or precise
methodologies of how attacks are performed.
This study will be limited in size due to the specific nature of the material under research.
Aerospace systems using radio frequency for communication are only a small subset of
technologies supporting aerospace operations. Participation will be limited to professionals
familiar with aerospace radio frequency communication systems to ensure capture of relevant
data. According to Salkind (2016), it is important to select the largest possible sample size to
determine the most accurate results. The limited population under study may result in a limited
sample size.
19
Delimitations are the characteristics limiting the scope of a study (Theofanidis, Dimitrios
& Fountouki, Antigoni, 2019). Researchers are required to define these boundaries to clearly
demonstrate an understanding of the scope of the research (Simon and Goes, 2011). This study is
delimited by two boundaries. First, this study will not attempt to establish a new policy or
framework to address radio frequency attacks on aerospace systems. Instead, the purpose of this
research is to better understand the characteristics of radio frequency attacks, and the use of
cybersecurity methodology as a possible mitigation strategy.
The development of detailed security controls or guidance for mitigation of these threats
is reserved for future research. Secondly, this study will not explore the technical characteristics
of radio frequency attacks and aerospace systems. Individual technologies exploited by radio
frequency attackers will not be investigated, as this study is focused on research surrounding
evaluation of cybersecurity impacts to aerospace communications based on feedback from
experts, rather than the mitigation of threats. Research exploring the implementation of security
controls to mitigate radio frequency attacks on aerospace systems is reserved for future efforts.
Chapter Summary
radio frequency communications are an important part of our nation’s critical
infrastructure. The increasing reliance on radio frequency communications and easy availability
of technology facilitating radio frequency attacks have generated a need for a coordinated
response to how such attack vectors are approached (GAO, 2020a). Aerospace systems, often
considered among the most critical infrastructure in the nation, require secure and reliable radio
frequency communications to operate safely (DHS, 2018).
Lack of federal guidance and direction currently puts both government owned systems
and private entities at risk of attack potentially critically impacting success of aerospace missions
20
(Bailey et al., 2019). To gain knowledge on possible mitigation strategies to secure aerospace
systems, quantitative data needs to be gathered to understand the current baseline of industry
knowledge and to describe possible solutions which can mitigate the threats.
A thorough literature review will be completed in addition to a cross-sectional survey to
understand the history and context of radio frequency attacks on aerospace systems. The
literature review will describe the current state of cybersecurity measures regarding aerospace
communication system and a description of attack methodologies. The literature review will also
provide a foundation for survey questions to answer the research questions mentioned in this
section.
The relationship between radio frequency attacks and cybersecurity policy has not been
thoroughly explored (Bailey et al., 2019). To fill this gap, this study will utilize a descriptive
quantitative research design to collect subject matter expert opinions regarding the
characteristics, frequency, and applicability of a cybersecurity strategy on various aerospace
communication systems. Specifically, this study was driven by the idea of using existing
cybersecurity practices and methodologies to address radio frequency attack vectors on
aerospace systems. Chapter 2 will present a review of pertinent scholarly literature, white papers,
and industry reports to provide context and content for the study as well as a foundation for the
survey instrument.
21
CHAPTER 2: LITERATURE REVIEW
A literature review is a substantial and thorough review of the previous work conducted
on a topic (Creswell & Guetterman, 2016; Salkind, 2018). The purpose of the literature review is
to provide background and explain how the study fits into the larger body of knowledge. The
literature review aids in the detailing the existing gaps of knowledge which provide context for
the research instrument utilized in the study (Gorvine et al., 2018). This study explores radio
frequency attack vectors of aerospace communication systems, and the application of
cybersecurity principals to mitigate them. This literature review presents a summary of current
pertinent scholarly literature, government publications, and industry thought on radio frequency
attacks on aerospace systems and existing mitigation approaches.
Throughout the course of this literature review, the three domains (RF Threat Analysis,
Aerospace System Communications, and Policy/Guidance) were divided into additional
subcategories for clarity. For example, Aerospace System Communications was decomposed into
further composites such as aviation, satellite, unmanned aerial vehicles, and aerial electronic
warfare. Appendix A: Literature Review Search documents and provides a summation of the
scope and description of literature which was reviewed during this study including all references
reviewed, not just those cited in this study.
The literature review began with an in-depth investigation of current United States
government publications and standards to develop a thorough understanding of the nation’s
approach to the cybersecurity of aerospace systems. Investigating the current climate of
cybersecurity in the federal regulatory body of knowledge will reveal key concepts applicable to
development of the survey instrument, research questions, and findings. As detailed in Chapter 1,
several government publications inspired the conceptual framework for this study, as the
22
cybersecurity methodologies and risk vectors therein were relevant to the development of the
survey questionnaire.
Title Searches
Resources reviewed during this study were sourced from the following online databases:
SAGE Journals, ProQuest, EBSCO Host, Google Scholar, ACM Digital Library, IEEE Xplore,
White House Office of Science and Technology, NIST, and Science Direct. For each of the
databases, a baseline search methodology was followed to ensure a thorough search. The search
terminology included: radio frequency attacks, aerospace radio frequency attack, wireless
industrial cybersecurity threats, industrial radio frequency cybersecurity, wireless aerospace
cybersecurity attack, radio frequency vulnerabilities, space radio frequency attacks, radio
frequency attack vectors, radio frequency threats on Federal information systems, space
electronic warfare, aerospace electronic warfare, aerospace system attacks, cybersecurity attack
methodology, and aerospace system design.
In addition to the use of sources identified by querying the resource databases, citation
chaining (Cribbin, 2011) provided additional sources which did not initially arise in search
results. Identifying relevant information in other key material such as dissertations or studies
provided an avenue to generate additional references.
Aerospace systems using radio frequency technology range in terminology depending on
domain. In the communications domain, aerospace systems such as SATCOM, Line-Of-Sight,
and broadcast systems use specific terminology applicable to their domain. Similarly, domains
such as electronic warfare also use radio frequency technology, with specific terms relevant to
the applications of systems in the domain. For clarification on the differences between terms
23
within the separate domains of aerospace systems, please review the Definition of Terms in
Chapter 1 for further elaboration.
Historical Overview
radio frequency communications is a form of telecommunication which utilizes electrical
signals to communicate data through open space (NASA, 2021). While radio frequency
technology has existed since the early 1900s (Sarkar, Banerjee, & Bose, 2006) in applications
such as communications, RADAR, and navigation (National Telecommunications and
Information Administration, 2000), threats targeting the technology have increased exponentially
in recent years (Dave et al., 2021). The increase in threat frequency and impact can be partially
attributed to increased supply of readily available radio frequency interference capable devices
(Dave et al., 2021; GAO, 2020a).
radio frequency, which was once reserved only for large government organizations with
resources to invest in large-scale systems, is now a key feature of many commercial electrical
products capable of exploiting radio frequency applications through radiation, conduction, or
other means. The FCC provides an allocation table which is used to reserve the frequency bands
between 9 kHz and 275 GHz for radio frequency applications (FCC, 2021; National Academies
of Science, Engineering, and Medicine, 2015). Commercial products are tested to demonstrate
compliance with FCC and adversaries have been observed modifying commercial equipment to
utilize as an offensive tool to impact the Confidentiality, Integrity, and Availability of legitimate
resources (Riahi Manesh & Kaabouch, 2017).
Devices capable of deliberately emitting malicious interference are available to purchase
online for a low cost (National Security Strategy for Aviation Security of the United States of
America, 2007). In addition to increase in availability and decrease in cost, the technology has
24
also seen a vast decrease in operational complexity. As more industries adopt use of the
technology to increase innovation, profits, or capabilities, advancements have been made to
automate the technology (Yaacoub, Noura, Salman, & Chehab, 2020). The increased level of
dependency on radio frequency has resulted in an operational environment with a considerable
attack surface (Ukwandu, Farah, Hindy, Atkinson, Tachtatzis, & Bellekens, 2021). Recent
growth of rogue states and advancements in technological capabilities of commercial products
have left both the commercial industry and the defense industry in a position where federal
guidance is necessary to ensure the confidentiality, integrity, and availability of their assets
(Bailey et al., 2020).
Aerospace communication systems can trace their dependency on radio frequency
communications to World War II when Allied and Axis aerial forces used radio communications
for air navigation (Foley, 2011). To ensure aerial resources had the most recent intelligence,
communicating with moving assets was essential. Radio Frequency systems provided this,
without the restraint of cabling or ground infrastructure (Morton, 2019). Radio frequency
technology was further utilized in applications such as RADAR, which was deployed during
World War II using radio frequency as a method of reconnaissance in the battle landscape
(Foley, 2011).
The ability to apply radio frequency technology to Aerospace applications was
accompanied by new threats jeopardizing operational security of war-fighters (Foley, 2011).
Attack methods during this time included both interference or jamming, and spoofing: retaliatory
actions by adversaries seen almost immediately (Price, 1989). Hijacking Allied force frequencies
during WWII was the first example of operational radio frequency system jamming (Price,
2005). Shortly thereafter malefactors deployed spoofing, which provides misinformation to
25
intended targets (Price, 1989). In the decades following, aerospace systems increased their
reliance on radio frequency communications in both the aerial and space domains (Price, 1989).
Today, radio frequency interference still presents a significant risk to aerospace
communication systems. Elbert (2016) states that RFI incidents are among the most serious
challenges to radio communication systems, particularly in cases where an attacker is
unidentified. Unintentional misconfiguration or malfunction of equipment are common causes of
interference; however, it is often difficult to distinguish deliberate versus unintentional
interference sources . Therefore, all incidents must be treated as intentional until proven
otherwise (Wang et al., 2016).
radio frequency communication systems bear concomitant vulnerabilities due to the
nature of free-space electromagnetic radio waves, which serve as the vital transportation
mechanism (Shing, et al., 2015). Methods of common Radio-frequency attacks include spoofing,
Man-in-the Middle, jamming, fuzzing, and repeating (Wang et al., 2016; Bailey et al., 2019).
Methods of radio frequency Attacks are further detailed in the radio frequency attack
characteristics section of this chapter.
Additional attack strategies are constantly evolving as adversaries develop new
capabilities. As the Secure Wireless Agile Networks (SWAN) group (Security Wireless Agile
Networks, 2021) states, that radio systems “are vulnerable at the ‘air interface’ level, since, by
nature, this is an open interface.” Despite these vulnerabilities, use of radio frequency technology
has only increased. As a result of the increased levels of adoption, radio frequency
communications technology has become a central part of our nation’s defense strategy and
critical infrastructure (Baird, 2013).
26
United States Federal Guidance
Recent United States government publications detail national positions on Aerospace
cybersecurity. Key publications searched for this literature review include the National Security
Strategy for Aviation Security of the United States of America (DHS, 2007), Space Policy
Directive 5 (SPD-5) Cybersecurity Principals for Space Systems (United States Space Force,
2020b), and the U.S. Department of Homeland Security Cybersecurity Strategy (Department of
Homeland Security, 2018). The U.S. position on space cybersecurity is in a transformative state
given the establishment of the United States Space Force in 2019, and recent efforts made by
Department of Homeland Security’s Critical Infrastructure Security Agency to establish a
relationship with the new organization. The literature review is interrogative of current publicly
available publications.
Space Policy Directive 5 (SPD-5). The fifth directive released by the United States
government was released in September 2020. The Space Policy Directive suite was initiated in
2017 when the US government took steps to revise the National Space Policy (USSF, 2020b).
SPD-5 established the need for cybersecurity-oriented protective action against potential attack
vectors inherent in space systems. As defined in SPD-5 (USSF, 2020b)
Space systems enable key functions such as global communications; positioning,
navigation, and timing; scientific observation; exploration; weather monitoring; and
multiple vital national security applications. Therefore, it is essential to protect space
systems from cyber incidents to prevent disruptions to their ability to provide reliable and
efficient contributions to the operations of the Nation’s critical infrastructure.” (USSF,
2020b)
27
This directive encompasses most space systems and space support systems reliant on information
systems such as computers, network devices, and various endpoints to enable operability
throughout the system lifecycle (USSF, 2020b). This classification of system, coined space
support systems, is often involved in the processing of scientific data or telemetry on the ground,
in facilities supporting operations of space vehicles. Similar to traditional complex information
systems, these networks are vulnerable to attacks attempting to disrupt or degrade the level of
service provided. A lack of positive control of the space environment could damage the space
vehicles themselves (USSF, 2020b).
Pertinent to this dissertation, the wireless transmission of data such as command-andcontrol between space vehicles and ground control networks is encompassed in this document
(USSF, 2020b). The directive recommends space system owners and operators develop and
implement cybersecurity plans for their space systems. Incorporation of controls ensuring
successful recovery of space vehicles if positive control is lost is also recommended. The
Confidentiality, Integrity, and Availability of space system functions is identified as an area of
primary concern for space system owners. The directive goes into further detail to address
several domains of space cybersecurity, including:
1) The protection of space vehicles against unauthorized access to functions such as
command, telemetry, or control. Potential methods of ensuring this control include
implementation of technology such as command-link authentication or encryption.
Emphasis is placed on ensuring space vehicles are protected for their complete
lifecycle (United States Space Force, 2020).
28
2) The physical protection of security controls designed to reduce physical
vulnerabilities which may occur if space support hardware is targeted (United States
Space Force, 2020).
3) Layered protection against spoofing and jamming attack vectors. Examples of
security controls designed to protect against this threat include the integration of
spectrum monitoring software, security driven transmitters and receivers, and
encryption technologies ensuring protection of the space vehicle throughout the entire
lifecycle (United States Space Force, 2020).
4) Increased protection of ground support systems, operational technology (OT), and
information systems in accordance with existing National Institute of Science and
Technology Standards such as NIST 800-53R5. Protections taken to ensure
operational confidentiality, integrity, and availability include logical and physical
protections necessary to meet allocated NIST 800-53R5 security controls. Practices
such as patching, malware protection, controlled removable media processes, and
information assurance training are all aspects identified by SPD-5 as measures to be
protect space systems (United States Space Force, 2020).
5) The integration of existing cybersecurity practices, such as physical monitoring of all
support hardware including antennas and ground terminals. In addition, the
integration of intrusion detection systems to protect related local and wireless
networks is advised (United States Space Force, 2020).
6) Steps to perform risk management of the space system supply chain should be taken
and attack vectors such as supplier infiltration, counterfeit parts, or malicious attacks
should be addressed (United States Space Force, 2020).
29
The establishment of this directive marks a significant change in the attitude of space
cybersecurity (United States Space Force, 2020). SPD-5 identifies current vulnerabilities in
space infrastructure and establishes expectations and accountability for the federal government.
Prior to this directive, federal information systems were required to comply with FISMA
reporting requirements, however, they were not required to implement the National Institute of
Science and Technology 800-53 Risk Management Framework (NIST, 2020) on space systems
(United States Space Force, 2020).
Implementation of formal risk management for critical infrastructure systems varies
widely between individual government customers and commercial system owners (NIST, 2020).
Due to this gap in security control protocol, government direction for space systems to address
the concerns was not previously highlighted (Bailey, 2020). While this publication establishes
the need to protect space systems and space support systems, there is no supporting
documentation detailing how space system owners will meet the recommended security controls
outlined (United States Space Force, 2020).
Department of Homeland Security
As cybersecurity and radio frequency attacks have becoming increasingly complex, the
United States Department of Homeland Security (DHS, 2018) has responded with multiple
guidebooks designed to respond to different types of radio frequency attacks. Key Department of
Homeland security publications covered in this literature review include:
1) National Security Strategy for Aviation Security of the United States of America (2018)
2) The DHS Cybersecurity Strategy Guide (2018)
3) The DHS CISA Communications Sector-Specific Plan (2015)
4) The DHS CISA radio frequency Interference Best Practices Guidebook (2020)
30
National Security Strategy for Aviation Security of the United States of America. This
2018 publication, which represents the U.S. government position on aviation security and
cybersecurity, includes an in-depth analysis of the aviation industry environment. The directive
addresses the changing landscape challenging the security of aviation systems. Examples of
emerging technology which skirt existing security protocols include unmanned aircraft, radio
frequency spectrum-dependent systems, and cybersecurity threats targeting aviation systems.
The publication acknowledges that, while aviation systems can be designed to harden them to
threats, emerging and future threats to security controls in a volatile landscape must also be
considered (DHS, 2018).
The aviation directive values the U.S. aviation industry at more than 5% of the Gross
Domestic Product (GDP) (DHS, 2018). To protect an industry of such significant value, it is
essential to deploy a security-in-depth approach, also known as layering, to security controls.
The concept of defense-in-depth is not new to aviation and is seen in many information systems
(Bailey, 2020).
Security-in-depth can be achieved by layering controls such as physical, logical, and
administrative, to result in systems secured by multiple protective measures. In the case of one
failure, multiple layers in the model remain operational (DHS, 2018). This approach is seen in
many critical infrastructure systems having a wide attack surface or vulnerable to many different
categories of attack (CISA, 2016).
Aviation saw a significant overhaul in security practices in the aftermath of the terrorist
attacks of September 11, 2001, during which domestic flights were grounded until there was
assurance the risk level had been mitigated. As a result of this transformative event, security
practices in aviation adopted a strict risk mitigation approach (DHS, 2018). In the National
31
Security Strategy, several assumptions are made with this mentality in place, among them that
the United States constantly confronts a diverse portfolio of adversaries who continually attempt
to exploit the aviation industry for malicious or nefarious purposes (DHS, 2018).
Secondly, the policy assumes that while the aviation industry will prosper from the
advancement of new and emerging technology, it will also face threats from emerging
technologies such as unmanned aerial systems and new attack vectors from increased
connectivity (DHS, 2018). The policy assumes that no single mitigation effort is invulnerable to
exploitation by adversaries and identifies the collective responsibility of government, private,
and public sectors to ensure the protection of aviation assets. Specific recommendations are
given to deploy security-in-depth to reduce the likelihood of an attack impacting aviation critical
infrastructure (DHS, 2018).
The aviation security strategy discusses obstacles and challenges in detail, including the
shifting nature of attack vectors and adaptive behavior of adversaries. Insider threats, malicious
or reckless use of aviation technology, sophisticated explosives, and transnational criminal
adversaries are identified as the greatest threats to aviation (DHS, 2018). According to the
national strategy for aviation security guideline, the cyber domain has not been fully exploited.
However, cybersecurity attacks are not only being coordinated by rogue organization, but also
nation-state actors (DHS, 2018). Given the increased availability of resources against rogue
organizations, the vulnerabilities these entities attempt to exploit have seen an increase regarding
the variety of attack methodologies (DHS, 2018).
However, the guideline highlights the urgency of cybersecurity risk management to ensure
the safety and security of the aviation industry. The national strategy for aviation security (DHS,
2018) publication identifies six major threat origins targeting aviation systems including:
32
1) Terrorists – individuals who have demonstrated a clear intent or capability to conduct
malicious activity to damage the United States and its global interests. Groups such as
ISIS in the Middle East have been documented using aerospace systems such as
Unmanned Aerial Vehicles to attack the United States and ally assets (DHS, 2018).
Terrorists have been observed adapting their tactics, techniques, and procedures (TTPs)
in response to changes in the technological landscape. Given the historical record, the
exploitation of radio frequency vectors is a growing threat, not only due to the increase in
terrorist activity, but also the increased reliance in our own national assets (DHS, 2018).
2) Nation States – countries or large territories demonstrating deliberate hostile
activity toward the United States and its allies (DHS, 2018). While most countries
do not openly participate in threatening behavior against the United States, the
emergence of aerospace radio frequency technology systems such as UAVs in
terrorist organizations hints at the involvement of nation-states behind many
attacks. Hostile Nation-States have coordinated large-scale cybersecurity attacks
against United States assets and interests.
Aimed at gathering intelligence or to observe, Nation-State originating attacks
have the potential to disable or damage critical U.S. assets. The National Security
Strategy states that offensive cyber capability is a means for advancing objectives,
such as military, political, or economic and may constitute a risk to civil aviation
due to inadequate de-conflicting civil and military activities such as missile
launches, GPS interference or combat support operations (DHS, 2018). Given the
increase in radio frequency attacks on systems such as GPS, it is expected that
attacks will continue to proliferate.
33
3) Criminals – individuals or organizations conducting illicit activity by proliferating attacks
on aviation infrastructure, often with the support of insiders, or in conjunction with
terrorist organizations (DHS, 2018). Criminals have historically used cybersecurity
attacks to either exploit aviation-related companies for financial gain or to interrupt
operations using radio frequency technology. Criminals are active in cyberspace with
evolving tactics to circumvent emerging mitigations. The anonymity of cyberspace has
made identification of the attackers, their motivations, and capabilities difficult (DHS,
2018).
4) Insider threat – individuals with access to secure or sensitive data who work in the
aviation ecosystem, and who are either exploitable or willing to take actions damaging
aviation infrastructure (DHS, 2018). Examples of insider threats include airport
employees or stakeholders. Internationally, insider threats have been aided attacks
orchestrated by organizations such as ISIS and Al-Qaeda (DHS, 2018).
5) Foreign intelligence activities by hostile nation-states and related intelligence agencies
who are continuously developing new ways to exploit vulnerabilities in the Aviation
Ecosystem (DHS, 2018). This can include exploitation of physical controls or
information systems. Foreign intelligence will often explore current aviation technology
to identify vulnerabilities such as radio frequency attacks (DHS, 2018).
To increase efficiency and maintain productivity, the aviation sector continuously
updates its infrastructure with new technology, such as wireless technology, communications and
navigation systems, screening equipment, and UAVs operating through radio frequency-based
command and control systems (DHS, 2018). These new technologies present new risks which
can be exploited by any of the threat actors. As aviation systems continue to transition away
34
from terrestrial navigation systems in favor of space-based systems such as GPS, the increased
reliance on radio frequency spectrum is one of the greatest growing threats to the aviation
ecosystem. For aviation systems to perform successfully, a broad range of technology including
communications, position finding/navigation, timing, and surveillance all perform critical tasks
(DHS, 2018). This transition increases the number of attack vectors which adversaries can
exploit through purposeful jamming of technology, or through the infiltration of systems to harm
data integrity (Scott, 2021, pp. 619-653).
radio frequency is foundational to all four domains of traditional aircraft systems
including air-to-air, ground-to-air, air-to-ground, and ground-to-ground. As stated by SPD-5, the
United States government must take steps to safeguard its use, including physical and technical
security measures to prevent interference from jamming or spoofing, and assure authentication
and cybersecurity (United States Space Force, 2020; DHS, 2018). As devices for exploitations of
radio frequency systems proliferate, the ability of threat actors to target aviation systems
increases.
The strict interoperability of technology common to the aviation environment is a
vulnerability (DHS, 2018). For example, aircraft depend upon GPS to communicate through
radio frequency communication channels. This requires a reliable common timing source.
Spoofing or jamming of the timing source could disrupt the GPS and communication system
channels (Scott, 2021, pp. 619-653).
The increased use of unmanned aircraft systems (UAS), capable of autonomous or
controlled flight (Spencer, 2018), is an emerging risk affecting the aviation ecosystem.
Traditionally used by the military primarily for surveillance since World War I, the primary
limiting factors of the utilization of these platforms involved are cost and supply chain
35
supportability (Spencer, 2018). As unmanned aircraft systems increase in capabilities, their use
in cyberwarfare has brought the emergence of new attack vectors. Small UAS devices deployed
by malefactors can be pre-programmed with flight routines or controlled remotely and have
already been used to attack aerospace communication systems (Nichols et al., 2019).
DHS Cybersecurity Strategy Guide. This 2018 guide identifies the communications
industry as one of the critical infrastructure areas needing improvement in risk identification,
vulnerability reduction, threat reduction, and mitigation. Satellite and aerospace communications
are domains within the purview of the Department of Homeland Security, whose role is to
predict, anticipate, and respond to outages affecting the communication industries and identify
vulnerabilities affecting the ability of national leadership to communicate during an event. The
Department of Homeland Security Cybersecurity Guide identifies five pillars to protect the
nation and its citizens’ interests which define DHS goals and guide their cybersecurity strategy.
The Department of Homeland Security cybersecurity goals are:
36
Table 1
Department of Homeland Security Cybersecurity Goals
Pillar
Goal
Detail
Pillar I – Risk
Goal 1: Assess Evolving
Pillar I involves understanding risk
Identification
Cybersecurity Risks.
posture at a national level, allows for the
allocation of resources and prioritization
of cybersecurity threats.
Pillar II –
Goal 2: Protect Federal
Pillar II addresses vulnerabilities, such
Vulnerability
Government Information
as those which might be exploited by
Reduction
Systems.
radio frequency attack vectors, are
Goal 3: Protect Critical
addressed in pillar two. It is the DHS’s
Infrastructure.
goal to mitigate threats on federal
information systems, including
communications systems.
Pillar III –
Goal 4: Prevent and Disrupt
Pillar III focuses on identification and
Threat
Criminal Use of Cyberspace.
prevention of threats. This section
Reduction
includes both domestically and
international criminals.
Pillar IV –
Goal 5: Respond Effectively to
Pillar IV focuses on the mitigation of
Consequence
Cyber Incidents.
potential consequences from
Mitigation
cybersecurity attacks.
37
Pillar V – Enable Goal 6: Strengthen the Security
Pillar V includes the management of
Cybersecurity
and Reliability of the Cyber
risk through formal risk management.
Outcomes
Ecosystem
The DHS collaborates with international
Goal 7: Improve Management
partners to foster a proactive approach
of Department of Homeland
towards the defense of critical
Security Cybersecurity
infrastructure and national assets.
Activities.
Note. This table provides a description of the Department of Homeland Security Cybersecurity
Goals as defined in the 2018 Cybersecurity Strategy. Adapted from the Cybersecurity Strategy of
the United States. Department of Homeland Security, 2018, pp. 7-22
Presidential Policy Directive (PPD) 21: Critical Infrastructure and Resilience. PPD 21,
signed in February 2013, provides communication and intent from the federal government. The
PPD 21 establishes a call to action to leverage government and commercial partnerships to
develop approaches to critical infrastructure risk management (White House, 2013). As a result
of PPD 21, CISA set out to establish the National Infrastructure Plan in accordance with the
directive CISA (2015).
National Infrastructure Protection Plan. Federal and commercial partnering for Critical
Infrastructure Security and Resilience was required as part of Presidential Policy Directive 21
(CISA, 2013). Tasked with guiding national efforts, informing decisions, and jointly setting
multi-year priorities to be reviewed annually with input from all levels of the critical
infrastructure community (CISA, 2013) The National Infrastructure Protection Plan was
developed through collaborative information sharing between the DHS and relevant
38
stakeholders. Based on an evaluation of emerging risks, technological capability gaps, resource
limitations, and best practices, NIPP’s Call to Action #1 calls to:
“(1) Strengthen management of cyber and physical risks to critical infrastructure
(2) Build capabilities and coordination for enhanced incident response and
recovery
(3) Strengthen collaboration across sectors, jurisdictions, and disciplines
(4) Enhance effectiveness in resilience decision-making
(5) Share information to improve prevention, protection, mitigation, response, and
recovery activities.” (CISA, 2013)
The DHS CISA Communications Sector-Specific Plan (CSSP). The CSSP is an annex
to NIPP’s 2013 Goals and Joint National Priorities and established several objectives for the
sector in 2015-2019 (CISA, 2015). These goals included protecting and enhancing critical
infrastructure communications, reconstituting communications in cases of disruption to mitigate
cascading effects and improving the national security and emergency preparedness (NS/EP)
posture with government and private entities to reduce risk. The plan guides the organization’s
efforts to provide resiliency, security, informed decisions, risk management practices, and
identifies key dependencies on both commercial and federal entities to meet chartered goals
(CISA, 2015).
CSSP identifies several key sectors including Broadcast, Cable, Satellite, Wireless, and
Wireline. Satellite communication is specifically identified as a key component in this guidance
(CISA, 2015). The goals of the Communications Sector-Specific Plan risk management
framework include:
39
Resilient Infrastructure: protect critical infrastructure to withstand natural or
manmade hazards—except for extreme events, such as a long-term outage—with
minimal interruption or failure.
Diversity: refers to primary and backup communication capabilities not sharing
common points of failure, be they physical or logical.
Redundancy: Use of multiple communication capability types to sustain
operations and eliminate disruption of primary services due to single points of
failure.
Recoverability: refers to plans to rapidly restore operations in the event of an
interruption or failure. (CISA, 2015)
To achieve the goals outlined in the plan, CISA strategic framework provides guidance to
federal and private critical infrastructure organizations to protect the Nation’s communications
infrastructure.
NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for
Information Systems and Organizations
NIST 800-53R5 is the most recent revision of the security and privacy controls developed
to provide guidance necessary to strengthen and support the Federal Government (NIST, 2020).
NIST 800-53R5 is used by both federal and critical infrastructure providers to protect
information systems from a wide range of vulnerabilities. The NIST Risk Management
Framework 800-53R5 does not specifically include security controls for managing radio
frequency attacks, however. Furthermore, while the framework does provide security controls
mandating redundant information systems, little information is provided on implementation. In
the case of radio frequency vulnerabilities, NIST focuses on security controls regarding wireless
40
network access through protocols such as 802.11x, the IEEE’s standard for the definition of
wireless communication mechanisms. No reference is made to aerospace communication
systems used as a transport for critical infrastructure (NIST, 2020).
radio frequency Interference Best Practices Guidebook. The Department of
Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA)
published a radio frequency Interference Best Practices Guidebook in 2020. Prepared in
cooperation with the ITU, the guidebook provides information on mitigation and
response to radio frequency interference. It is designed to aid public entities to respond to
communication network threats such as Radio, LOS, GPS, and broadcast interference,
but does not include recommendations for Aerospace systems. The need for the
guidebook stems from the continuous presence of threats challenging public voice and
data communications (CISA, 2020). The guidebook uses International
Telecommunication Union’s (ITU) definition of interference as:
“The effect of unwanted energy due to one or a combination of emissions,
radiations, or inductions upon reception in a radio communication system,
manifested by any performance degradation, misinterpretation, or loss of
information which could be extracted in the absence of such unwanted energy.”
(2020)
Mitigating risks from radio frequency interference is challenging, given the large variety
of radio frequency jamming attack vectors, coordinated jamming efforts, and significant
implications these have for public safety systems (Wang et al., 2019; CISA, 2020). The
guidebook highlights current laws relating to radio frequency interference, and summarizes
current efforts related to preparation, awareness, and mitigation of threats. In the guide, DHS
41
CISA provides five steps, referred to as the radio frequency Interference Mitigation Lifecycle for
public entities: (1) Recognize, (2) Respond, (3) Report, (4) Resolve, (5) Resilience. These steps
are displayed in figure 1.
Figure 1. The RF Interference Mitigation Lifecycle, consisting of five steps; Recognize,
Respond, Report, Resolve, and Resilience. Reprinted from radio frequency Interference Best
Practices Guidebook, by Critical Infrastructure and Security Agency, 2020, p. 12.
For the Recognize phase, CISA recommends network operators are informed on and
responsible for recognizing radio frequency interference events using reports of equipment
malfunctions or disruptions and characterizing any interference using monitoring tools such as a
spectrum analyzer (CISA, 2020). During the Response phase, CISA recommends performing
immediate mitigation actions singly or in combination, depending on the type of incident.
Examples of mitigation activities include transitioning to new communication
frequencies, switching to a backup or a redundant means of telecommunication, and physically
shielding vulnerable apertures if the source of interference is known (CISA, 2020). Reporting the
radio frequency interference to national authorities is recommended to ensure all appropriate data
is retained or measured and in case of future legal action. Absent complete reporting, it is
42
extremely difficult for authorities to detail characteristics of an interference event (CISA, 2020).
The DHS stresses the importance of Resolving verified radio frequency interference events after
reporting is completed. Resolving interference events can be done by increasing education
throughout the organization, preparing agencies for future events, and evaluating current
infrastructure for persisting vulnerabilities (CISA, 2020).
RF Attack Characteristics
radio frequency Interference Background.
radio frequency Interference (RFI) is a term used to describe a category of threat which
degrades of radio frequency performance or capabilities (National Academies of Sciences,
Engineering and Medicine, 2015). The radio frequency system availability incidents can
commonly be categorized as either malicious or accidental radio frequency interference (CISA,
2020). For the scope of this research, RFI can include interference due to either electromagnetic
interference (EMI) or electromagnetic compatibility (EMC) (CISA, 2020; Perez, 2018).
Electromagnetic interference (EMI) is any disturbance to a circuit caused by external
electromagnetic induction or radiation (Elbert, 2016). Electromagnetic susceptibility may occur
due to physical proximity of components and elements to an electronic device or system
(Williams, 2016). Electromagnetic compatibility, or EMC, seeks to mitigate unintentional
interference caused by electromagnetic energy (Elbert, 2016).
In figure 2 below, various paths of EMC coupling are shown. Electromagnetic
coupling is the tendency for components in a system to conduct emissions from internal
or external actors, which can act as source of interference (Perez, 2018; Williams, 2016).
Coupling can present as interference in any of the paths illustrated. All paths are
vulnerable to emissions originating from non-shielded components acting as apertures for
43
electromagnetic energy to radiate through free space. External factors such as
environment and component material can cause systems to exhibit wide-ranging levels of
susceptibility (Perez, 2018; Williams, 2016).
Figure 2. Methods of radio frequency interference through transport mechanisms. The figure
above displays the possible directions of potential coupling in a simple radio frequency system
diagram. Reprinted from Radio Frequency Interference in Communication Systems. Artech
House: Elbert, Bruce, p. 4.
Electromagnetic interference and compatibility can be categorized into two major
domains: emissions vulnerability and susceptibility of system components.
Electromagnetic emission vulnerabilities are defined as unintended generation of
electromagnetic energy bearing the potential to damage equipment or communications.
Susceptibility is the level of impact that a victim may endure while in the presence of
malicious or unintended electromagnetic disturbances (Elbert, 2016).
The categorization of interference aids system operators in identifying the nature
of a threat among all possible causes, be they malicious or unintended (CISA, 2020). The
44
distinction between attacker and misconfigured equipment can be very difficult to
establish. For example, a user’s communication channel may read as a jammer from the
perspective of a distant end user, due to the low tolerance for error in radio frequency
emissions and susceptibility compliance (Elbert, 2016).
The International Telecommunications Union (ITU, 2020), a body of over 193 countries,
was established in 1865 as part of the United Nations with the purpose of handling issues and
topics concerning communication and information technologies. The ITU maintains and releases
The Radio Regulations (2020) publication which defines three types of general interference:
permissible, accepted, and harmful. Permissible interference is observed or predicted but
complies with ITU criteria. Accepted interference is at a higher level but has been agreed upon
between two administrations. Harmful interference is of a level that endangers the proper
function of radio navigation or other safety services.
The International Telecommunications Union identifies two sources of harmful
interference: intentional and unintentional. Intentional interference includes jamming or use of
unauthorized frequencies. Unintentional jamming may arise from internal sources, resulting from
equipment malfunction, or frequency band saturation, which impacts a receiver’s ability to
distinguish legitimate carriers (National Academies of Sciences, Engineering and Medicine,
2015; Wang et al., 2016).
CISA (2020; Wang et al., 2016) identifies the following sources of internal radio
frequency interference:
Table 2
Internal RF Interference Examples
Internal RF Interference Examples
45
Equipment
Interruptions may be caused by new installations of or
problem
updates to communications technologies. For example,
updates to physical infrastructure (e.g., new additions to a
tower or relocation of a receiver), as well as upgrades of
radio consoles or hubs may cause this kind of internal
interference
Receiver
Interruptions may be caused by “non-linear mixing” of
intermodulation
external signals inside the receiver.
Front-end
Interruptions may be caused by inadequate filtering of radio
overload
equipment, or equipment that needs adjustment.
Note. This table provides a breakdown of types of potential internal radio frequency
interference events. Copied from “radio frequency Interference Best Practices
Guidebook,” by Critical Infrastructure and Security Agency, 2020, p. 2.
CISA (2020; Wang et al., 2016) identifies the following sources of external radio
frequency interference:
46
Table 3
External RF Interference Examples
External RF Interference Examples
Co-Channel
Caused by more than one transmitter communicating on the
same channel due to improper frequency coordination,
deteriorating or malfunctioning equipment, or anomalous
propagation.
Adjacent
Caused by a transmitter operating on an adjacent frequency and
Channel
its energy spilling over into the desired receive channel.
Spurious
Caused when a transmitter emits on frequencies on which it is
Emissions
not meant to operate.
Natural
Caused by natural events such as solar flares, northern lights,
Occurrences
and other electromagnetic activities. Natural disasters,
including hurricanes and floods, can also disrupt and damage
RF communications infrastructure.
Note. This table provides a breakdown of types of potential external radio frequency
interference events. Copied from “radio frequency Interference Best Practices
Guidebook,” by Critical Infrastructure and Security Agency, 2020, p. 3.
The U.S. Department of Defense has released standards to ensure compliance with
electromagnetic emissions and susceptibility levels. These standards include, but are not
limited to:
47
1) MIL-STD-461G, Requirements for the Control of Electromagnetic Interference
Characteristics of Subsystems and Equipment (DOD, 2015). This standard
includes requirements and verification methods to ensure aerospace systems meet
a baseline level of performance when exposed to radio frequency energy. Systems
compliant with MIL-STD-461G are tested for susceptibility and emissions
performance.
2) MIL-STD-464C, Electromagnetic Environmental Effects Requirements for
Systems (DOD, 2010). This standard includes requirements focused on radio
frequency environmental conditions which may impact or degrade system
performance. Verification tests are provided to evaluate system susceptibility or
emissions compliance.
radio frequency communication systems are limited in terms of power and available
bandwidth, therefore proper spectrum management practices must also be considered
(MITRE, 2021) The amount of available power and bandwidth are dependent on external
factors such as power source or transport mechanism. In the case of SATCOM systems,
where satellites are the primary bottleneck, available resources are often very limited.
Other system architectures such as Line-of-Sight may be impacted by power availability
or visibility (MITRE, 2021).
To ensure efficient management of resources, spectrum management, the “analytical,
procedural, and policy approach to planning and managing the use of the electromagnetic
spectrum” (MITRE, 2021) is required (Elbert, 2016). In cybersecurity terminology,
spectrum management can be considered a control mechanism implemented to reduce
risks introduced by sources of RFI (Elbert, 2016). Through proper spectrum management
48
practices, the likelihood of unintentional jamming is greatly reduced, and safeguards may
be implemented to protect against signal noise, the background energy which can cause
interference in a signal environment (Elbert, 2016; Bailey 2019).
Aerospace Communications System Vulnerabilities.
According to the National Air and Space Intelligence Center (2018), Russia and China
consider electronic warfare and offensive cyber to be key assets to maintain military advantage,
and actively pursue their development. Electronic warfare includes systems which utilize radio
frequency technologies to detect, deny, or deceive adversarial electronic capabilities (United
States Army, 2021). Electronic Warfare is a broad discipline, dealing with the defense and
weaponization of the electromagnetic spectrum (NASIC, 2018; United States Army, 2021).
The United States categorizes radio frequency attacks in the Electronic Warfare domain
of cyberspace (United States Army, 2021). FM 3012: Cyberspace Operations and
Electromagnetic Warfare, is the field manual for Electromagnetic Warfare and describes the
military’s approach towards denying, deceiving, and degrading radio frequency adversaries
(United States Army, 2021). To deny, deceive, or degrade space services, attackers may use
spoofing, jamming, or command-link replay, the replay of control logic to impact space vehicle
capabilities (Martin, 2019).
Satellite communications broadcast sensitive data over visible frequencies using radio
frequency electromagnetic signals, exposing their channels to adversaries seeking to intercept
them (National Air and Space Intelligence Center [NASIC], 2018). Like terrestrial
communications, these channels or links are vulnerable to a variety of threats. Figure 3 illustrates
segments of a generic satellite communication system and vulnerabilities unique to each of its 4
segments: space, link, user, and ground.
49
In Figure 3, the space segment contains a space domain element in the form of a space
vehicle. The user segment consists of the interface between the vehicle and ground support
equipment. The ground segment consists of support networks and infrastructure associated with
enabling the collection of data from space system. The link segment includes the electromagnetic
radio frequency communication link used to transmit data between the ground segment and
space segment (NASIC, 2018).
Figure 3. Cyber Threats to Space Systems. Reprinted from “Competing in Space,” by the
National Air and Space Intelligence Center, (NASIC, 2018) 2018, p. 18.
Space segments are particularly vulnerable to radio frequency attack vectors (Manulis et
al., 2021). As depicted in figure 3, radio frequency threat vectors on the space segment include
command intrusion, payload control, and denial of service. The user segment includes spoofing,
50
Denial-of-Service, and Malware. The link segment, or the segment consisting of the transport
between the ground segment and space segment, includes command intrusion, spoofing, and
replay as attack vectors. The ground segment is depicted as being vulnerable to hacking,
hijacking, and malware.
The National Air and Space Intelligence Center (NASIC, 2018; Velkovsky, P., Mohan,
J., & Simon, M., 2019) states foreign adversaries may conduct electronic attacks to disrupt, deny,
deceive, or degrade space services through uplink or downlink jamming (NASIC, 2018). Uplink
jamming is interference with signals from a ground station or terminal to a space vehicle
(Velkovsky et al., 2019). This can be accomplished by tuning jammers or interferers to the same
frequency as the transmitting system. By directing a signal tuned to the same frequency as the
satellite, it is possible to impact the availability of the communications. Often, uplink jamming is
considered more difficult as the infrastructure and power to reach the satellite create larger
requirements than downlink methods (Velkovsky et al., 2019).
Downlink jamming is accomplished by tuning jammers or repeaters at frequencies which
a receiver is configured to receive from a space vehicle (Velkovsky et al., 2019). By identifying
those frequencies and targeting a ground station, impacts to system availability is possible.
Downlink jamming is often more conspicuous, as interference to a downlink terminal must only
overpower the strength of a satellite signal on the ground (Velkovsky et al., 2019)
Malware can potentially impact a spacecraft through vulnerabilities introduced during the
supply chain, which is the process during which components of a system are manufactured,
packaged, stored, shipped, and procured. During operations, the space segment may be
vulnerable to remote exploits via radio frequency communication vulnerabilities (Unal, 2019).
Denial of service is a unique challenge to solve since directed receive antennas must listen to a
51
specific geographic area to receive signals from intended users (Akan & Yazgan, 2020). In
Figure 4 below, signals are exchanged between legitimate uplink and downlink earth stations.
Highlighted in red, the jamming site displays a third earth station or terminal which is being used
to interfere with legitimate signals passing the spacecraft.
Figure 4. Uplink Jamming. A graphic representation of the types of signals and actors in a space
communication system. Reprinted from “Competing in Space,” by the National Air and Space
Intelligence Center, 2018, p. 18.
Attacks on user and ground segments are also vulnerable to analogous attack methods.
Malicious attackers can, without significant levels of technical expertise, monitor antenna
locations for active frequency use (Manulis, Bridges, Harrison, Sekar, & Davis, 2021). Upon
identification of target signal characteristics, threat actors can resort to spoofing, denial of
service, or replay attacks to exploit the system (National Air and Space Intelligence Center,
2018). Figure 5 depicts a Downlink Jamming scenario: a denial-of-service attack using a
52
localized jammer to prohibit communications from an earth station to its intended target, in this
case, a satellite phone.
Figure 5. Downlink Jamming. Reprinted from “Competing in Space,” by the National Air and
Space Intelligence Center, 2018, p. 18.
The Ground Segment Systems Engineering Handbook (Johnson-Roth, Chaudhri, &
Tosney, 2016) identifies NIST 800-53R5 as the primary cybersecurity compliance document for
protecting ground assets from attacks. However, aerospace communication and satellite system
vulnerabilities and are not included in the document (NIST, 2020). NIST explicitly addresses
that the 800-53R5 is intended to provide a generalized approach towards security controls. The
standard does not provide implementation details for integrating aerospace radio frequency
attack mitigations (NIST, 2020).
Satellite communication channels are used by critical infrastructure and government
entities to provide vital data link over extended distances, or to areas where traditional
infrastructure does not exist (DHS, 2018). In the Space Operations Directive JP 3-14, released by
53
the US Joint Chiefs of Staff in 2018 (JCS, 2018b), the importance of satellite communication
systems is outlined. Key capabilities of satellite communication systems include:
(1) Global Coverage. Collectively, SATCOM systems provide global coverage
and can focus capacity to areas of special interest.
(2) Real-Time, Over-the-Horizon Transmission of Voice and Data. Like other
communications media, most SATCOM systems provide real-time connectivity
for both voice and data.
(3) Independence from Terrestrial Communications Architecture. Some
SATCOM links obviate the need for long terrestrial communications links.
(4) Flexibility. Satellite systems enable global coverage and interlinking between
frequency bands and systems, and certain systems can provide a relatively low
probability of detection (LPD).
(5) Support to Mobile Forces. SATCOM systems can provide the
communications required by mobile forces operating over wide areas (JCS, 2018).
Space Communication Vulnerabilities. Satellite communication service
providers are often responsible for leasing sections of bandwidth to commercial and
government customers (Kodheli et al., 2021). However, potential attacks on frequencies
leased by these service providers are often opaque due to limited insight into customer
communications and the challenges associated with detecting interference. This makes a
proper response difficult. While service providers are responsible for maintaining a
specified availability times with their contracts, few mitigations can be performed in the
short available timespan to respond to an attack. Past examples of satellite outages have
had wide-reaching effects across many industries (Chicago Tribune, 1998).
54
As identified by the Department of Homeland Security Cybersecurity Strategy report
(2018), telecommunication providers, including satellite communications, are classified as
Critical Infrastructure (CI). In the case of satellite communications, this encompasses entities
such as the national weather service, FEMA, national guard, active-duty military, television,
radio, and many others. The loss of availability of these resources would cause immediate and
detrimental impacts on much of our technological backbone (Defense Intelligence Agency,
2019).
In addition to the increased availability and decreased cost of radio frequency
technology, there has been a decrease in complexity as more industries deploy radio
frequency to increase innovation, profits, or capabilities, driving an exponential rise in
radio frequency attack vector threats (CISA. 2017). CISA’s 2017 report adds that
malicious tools, easily purchased online, can be used by lone actors, organized criminals,
terrorist groups or nation-states. CISA cites the Stuxnet 2010 attack on Iranian nuclear
facilities as an example of the low cost, high impact consequences of advancements in
attack methodologies. During the Stuxnet event, USB device used to deploy malware on
industrial control systems (ICS) to destroy 984 centrifuges. Significant parallels have
been established between SCADA-type systems such as power generation facilities and
satellites (Falco, 2020). CISA (CISA, 2017; DHS, 2018) further elaborate on the
difficulty of identifying attackers in a cyber war space, and the complexities involved in
defending against an unknown attacker.
Vulnerabilities in GPS. The concept of Global Satellite Positioning, or GPS, was
conceived at Johns Hopkins University merely hours after Sputnik I was launched in Russia. By
inspecting the satellite downlink as the craft orbited Earth, two researchers quickly identified the
55
ability to accurately track its position (Simpson, 2000). This was realized by comparing multiple
observations of the Doppler Effect from different locations. The Doppler Effect is the shift in
frequency of a signal which an observer experiences relative to the source of the original signal
(Neipp et al., 2003).
This characteristic enables the precise tracking and geolocation of GPS users (Jason et
al., 2006).). As a result, DARPA began work on the development of a satellite system called
TRANSIT to support the military application of submarine-based missile systems (Danchik & L.
Lee, 1990). With the success of this application, future versions of global navigational satellite
systems began development (Mai, 2017)
As military capabilities of global navigational satellite systems proliferated, competitors
to the United States began to invest in the technology as well (Sarkar, Banerjee, & Bose, 2018).
Soon, similar systems were seen being tested by the Soviet Union. As foreign nations began
using the technology, commercial companies increased their contribution to the value of the GPS
industry in the form of new consumer goods (NIST, 2019).
In 1983, a Soviet Union aircraft shot down a civilian airliner which strayed into their
airspace. This accident may have been avoided, had navigational systems been available to
aircraft in the region. In response, the United States announced that GPS would become available
for commercial and civilian uses once completed (Sagdeev, 2009), marking a considerable
change. Previously, the Department of Defense owned and maintained GPS satellites, with the
primary application being defense support. At the time, there had been a requirement that only
federally approved applications use GPS. The announcement meant commercial companies
could also use and profit from the technology (NIST, 2019).
56
The first GPS system used by consumers was initialized by the US Air Force in 1978.
Known as GPS I, it was the first in a series of satellites launched over the next 13 years,
eventually growing to 24. Gradually, commercial applications such as telecommunications and
aircraft navigation using GPS became available (NIST, 2019). In addition, GPS was adopted as a
national defense asset when it was integrated into the Conventional Air Launched Cruise Missile
(ALCM).
Neilson (2012) noted GPS is easily integrated into existing weapons systems using a
“cascaded filter” approach, with the result that 35 GPS enabled missiles were used in the Gulf
War conflict in 1991. The availability of this system not only ensured critical defense
capabilities, but also provided immensely important commercial critical infrastructure
applications for technologies ranging from aircraft navigation to telecommunications (Kepchar,
2017). In 1990, the Gulf War was the first instance of GPS jamming use during an armed
confrontation (NIST, 2019; Baird, 2013).
The emphasis on GPS has resulted in vulnerabilities to national and commercial assets
(Kepchar, 2017). In addition to positional data gathered from GPS signals, the
telecommunication and information technology community has developed a reliance on GPS
signals as a source of timing from signals generated by spacecraft for navigation (NIST, 2019).
Timing is vital for information systems to successfully transmit and receive data to distant ends.
Any impact on the integrity of timing has immediate and disastrous implications for information
systems depending on it (Betz, 2021).
Jafarnia-Jahromi, Broumandan, Nielsen, and Lachapelle (2012) describe in detail
spoofing vulnerabilities in GPS implementations, and reviews potential mitigation techniques.
GPS spoofing, a relatively recent emerging threat, is the malicious transmission of packets
57
masquerading as legitimate GPS signals by an attacker for the purpose of gathering data or
information., In other cases, the malicious message may provide inaccurate data to disable a
system (Jafarnia-Jahromi et al., 2012).
Recently, North Korea demonstrated technology to simulate and spoof a GPS signal
(Westbrook, 2019). Signals were used to disable timing and navigation systems on naval vessels
(NIST, 2019). By disabling timing on a target, an attacker can ensure systems relying on it are no
longer able to communicate (Kepchar, 2017), and render the navigational system offline, with
the target losing its ability to accurately determine position (Westbrook, 2019). This vulnerability
is present on a majority of current defense and commercial systems (NIST, 2019).
Jamming, another vulnerability impacting GPS systems, (Scott, 2021; Westbrook, 2019)
is the transmission of a signal at a particular frequency with the sole intent of disabling
communication (Baird, 2013). Classified as a denial-of-service attack by NIST (NIST, 2020),
this attack is simple and inexpensive to deploy. Furthermore, such attacks can be launched from
miles away (Westbrook, 2019).
A third vulnerability of Global Positioning Systems, space missiles, can target satellites
or objects in space from the ground. Currently, only a few nations in the world (US, China, India,
Russia) have attempted and succeeded in this type of attack. A primary concern in the aerospace
industry is that, in a wartime scenario, if an adversary decides to target GPS satellites or ground
stations, it is possible to disable their use (Kehler, 2018; Bailey et al., 2019).
Chapter Summary
This chapter presented a survey of government and scholarly literature on radio
frequency vulnerabilities and attacks on aerospace systems including a background on aerospace
communication systems, with an emphasis on cybersecurity practices for Radio Frequency attack
58
vectors. Recent federal publications were summarized to establish the current landscape of radio
frequency threats. Types of attacks on aerospace systems were presented, including vectors, such
as radio frequency interference, jamming, and spoofing, potential threat actors and their
motivations, vulnerabilities, and vectors were detailed, proving the need for research on this
topic. Scholarly literature on relevant technologies, such as GPS, was investigated to provide an
increased understanding of radio frequency attack methods and how they can impact aerospace
communication system confidentiality, integrity, and availability.
The combination of these data points provides a holistic look at the current body of
knowledge and landscape which today’s aerospace communication systems operate under and
will inform the survey instrument. The foundation established in the literature review will inform
the study and research instrument. Chapter 3 will present research rationale, methodology
chosen, and design, and how they will unite to answer the research questions.
59
CHAPTER 3: METHOD
The purpose of the study is to explore radio frequency attack vectors associated with
aerospace communication systems, and the application of cybersecurity principals to mitigate
them by surveying expert opinion on radio frequency threats. Chapter 3 focuses on the research
design and study methodology. Research questions are reviewed and details of the hypothesis,
variables, population, sampling method, data collection methodology, instrumentation,
reliability, procedure, validity, pilot study, and data analysis approach are provided.
The study will use a cross-sectional survey with a quantitative descriptive research design
to gather survey data from participants. Given the quantitative nature of this research design, the
data collection method, a survey, will be distributed to a targeted population to gather
meaningful quantitative measurements for statistical analysis. Participants will be screened to
ensure appropriate experience and expertise in radio frequency systems. The survey instrument
will be tested in a Pilot Study and adjusted as necessary prior to release.
Research method and design appropriateness research methodologies are of three types:
quantitative, qualitative, and mixed-methods (Patten & Newhart, 2018). Quantitative research
uses numerical data to evaluate a subject to answer, assess or test research questions or a
hypothesis (Patten & Newhart, 2018). Quantitative studies emphasize reliable measurement tools
and allow for further statistical analysis (Salkind, 2018). In addition, the literature review is
completed first, to aid in the generation of a research tool such as a survey (Salkind, 2018).
Quantitative research is often highly generalizable (Patten & Newhart, 2018).
Creswell & Guetterman (2019) identified several different types of quantitative research,
such as correlational, experimental, and descriptive. Correlational data uses statistical analysis to
provide quantitative measurements using multi-variate comparisons. Experimental studies are
60
utilized to determine to test for cause-and-effect relationships. Descriptive research sets out to
describe the characteristics of a phenomenon (Salkind, 2019, p. 20).
Qualitative research, by contrast, is usually exploratory in nature and uses interviews,
focus groups, or case studies to better understand the nature of an issue (Creswell & Guetterman,
2018). In quantitative research, researchers attempt to answer research questions by addressing
why and how questions, capturing a population’s experience of a phenomenon. The literature
review in a qualitative study is performed iteratively rather than in advance (Creswell &
Guetterman, 2018). While qualitative research may set the foundation for later quantitative
research to study ideas, outcomes from qualitative research are often narrative-oriented and have
limited generalizability due to the smaller populations (Creswell & Guetterman, 2018; Meyers,
2000). Therefore, the qualitative method was rejected.
The third alternative often seen in research is mixed-methods. Mixed-methods research
uses both quantitative and qualitative methods to answer research questions which cannot be
satisfied with just one methodology (Dawadi, S., Shrestha, S., & Giri, R., 2021). However, as
Dawadi, S., Shrestha, S., & Giri, R. mention in their report Mixed-Methods Research: A
discussion on its Types, Challenges, and Criticisms (2021), mixed methods may not be practical
due to resource limitations. In addition, limitations in merging the qualitative and quantitative
methodologies can impact the effectiveness of a study as it can be challenging to accurate relate
the findings (Dawadi, S., Shrestha, S., & Giri, R., 2021). Due to the nature of this study, the
mixed methods approach was rejected.
The quantitative methodology was deemed most appropriate due to the need for concrete
data for analysis to generate findings answering the research questions. Responses provided by
subject matter experts will enable the capture of data for analysis to reveal details surrounding
61
the phenomenon of radio frequency attacks on aerospace communication. Instrument questions
will be designed to generate generalizable results and allow for quantitative interpretation and
meaningful findings.
A descriptive research design was selected for use in this study. Descriptive research
“paints a picture” of the research topic (Salkind, 2018, p. 161). It differs from comparative or
experimental research in that it does not include a control group (Drummond, K. & MurpheyReyes, A., 2018). The purpose of the survey is not to test the influence of variables, but to gather
expert views from experienced aerospace system cybersecurity principals familiar with radio
frequency interference. A quantitative descriptive survey design allows for the collection and
evaluation of responses provided by subject matter experts to correlate them to known
phenomena (Drummond, K. & Murphey-Reyes, A., 2018).
Creswell & Guetterman (2019) describe four methods of survey research: instrument,
population sampling, interviews, and questionnaires. In this study, instrumentation and
population sampling will be used. Instrumentation includes the use of tools such as surveys to
collect data. Population sampling involves the collection of a subset, or sample, of a population
to draw generalizable results for a greater population (Creswell & Guetterman, 2018).
An online survey tool will serve as the instrument for data collection during in the study.
A survey allows for the collection and assessment of qualitative, measurable data which can then
be generalized to the larger field of aerospace communications (Salkind, 2018). Online surveys
provide the additional benefit of ease of accessibility which traditional in-person surveys do not
have, thereby increasing the potential number of participants (Salkind, 2018).
The survey will be administered using Survey Monkey, a third-party survey service
(Regmi et al., 2016). According to Nagalakhmi and Trivedi (2015), online survey tools including
62
SurveyMonkey are suitable for academic research since collected data collected can be exported
for further analysis and translation. Survey questions will be uploaded to the instrument tool and
accessed through a direct link to the survey webpage hosted on the third-party site.
A cross-section survey approach will be used to collect demographic information and
other data from participants. Cross-sectional surveys consist of only one data collection cycle
and collect participant opinion from a single point in time (Creswell & Guetterman, 2018; Raul
et al., 2016). This is most suitable since the survey seeks to identify current views of subject
matter experts anonymously. Additional iterations of samples would not be representative of the
same population sample.
The survey will be designed to administer questions relevant to this research subject and
will incorporate information gathered during the literature review. Population sampling will be
used during data collection to reduce the margin of error and to increase the level of confidence
in the results of research (Creswell & Guetterman, 2018). Population sampling involves the
collection of a subset, or sample, of a population to draw generalizable results for a greater
population (Creswell & Guetterman, 2018).
Due to the nature of online survey instruments, a high-response rate is not expected, as it
is typical for surveys to have less than a ten percent completion rate (Saleh & Bista,
2017).Completion rate is the percent of individuals the survey instrument is distributed to who
complete the entire survey. Several factors may foster a low response rate, including extended
completion time required, personal security settings which may limit the ability of participants to
receive a participation request, and lack of response by choice (Saleh & Bista, 2017).
63
Research Questions
In chapter one, the four research questions for this study were presented. They were
designed to investigate the problem statement, which identifies the lack of a cybersecurity policy
or framework to aid in the mitigation of radio frequency attack threats. The literature review shed
additional light on some aspects of the study, and specific contributions to the research questions
made by it are noted in the discussion below. The research questions for this study are:
RQ1. Would the implementation of a national standard for the management of radio
frequency attacks contribute to the security of aerospace communication system
missions?
RQ2. How often do radio frequency attacks target aerospace systems?
RQ3. What is the impact of radio frequency attacks on aerospace systems?
RQ4. What is the relationship between radio frequency attacks and cybersecurity attacks
amongst aerospace communication systems?
Due to the wide variety of technical implementations and techniques of radio frequency
technology in aerospace systems, it is not the intent of this study to describe or address every
possible attack scenario. For example, while the research questions reference aerospace systems,
there is no distinction between aerospace platform systems and aerospace support systems.
The exact application of radio frequency technology is not limited to one stereotype. This
study focuses on radio frequency attack vectors which can be exploited by malicious actors. By
surveying industry experts, a collective measurement of industry proficiency and concerns can
be gathered. While performing the literature review in chapter two, specific attack vectors and
scenarios were identified which aided in focusing the survey questions. By analyzing current
64
United State government publications from entities such as the Government Accountability
Office and the Department of Homeland security, specific areas of high concern were identified.
Hypothesis/Variables
The hypothesis under test for this research study is, radio frequency attack vectors pose a
significant threat to the operational capabilities of aerospace systems, and current federal
cybersecurity policies fail to protect aerospace communication systems from radio frequency
attacks which align to known cybersecurity threats. To address this hypothesis, seven variables
were identified to understand the impacts, frequency, and current state of policy regarding radio
frequency vulnerabilities on aerospace communication systems. This study will measure and
analyze the seven variables using a survey research tool to understand subject matter opinion of
the survey questions presented. The seven variables are: participant background industry, years
of experience, impact to confidentiality, impact to availability, impact to integrity, frequency of
radio frequency attacks, and assessment of the effectiveness of current policy and guidance.
The first variable to be measured is the aerospace communication system background of
participants. Aerospace communication systems can range in purpose and architecture, which
implies that respondents may provide different answers to the survey questions depending on the
type of system with which they are most experienced. By analyzing results using this variable,
statistical analysis can be performed to identify potentially revelatory trends.
The second variable to be measured is the number of years of experience of survey
participants in the aerospace communication system industry. This variable will be measured to
determine if there is a correlation between experience level and the responses of participants. By
analyzing results using this variable, correlations can be identified between the other measured
65
variables to determine if years of experience influenced the perceived threat of radio frequency
attack vectors on aerospace communication systems.
Responses from participants on radio frequency impacts on system confidentiality,
integrity, and availability will account for an additional three of the variables to be measured.
The impact level of radio frequency attack vectors on each of the three domains of the CIA triad
will be presented as a question during the survey and measured for statistical analysis. The
survey intends to avoid the decomposition of Confidentiality, Integrity, or Availability into
further granularity, to ensure that respondents can answer confidently and accurately.
Participants will be asked to identify the frequency of occurrence of suspected radio
frequency attacks on aerospace communication systems. This variable will be collected to
determine how often radio frequency attacks were seen on active aerospace communication
channels among respondents. This data will then be used to produce correlation coefficients with
other variables such as years of experience and domain expertise.
The final variable to be measured during the survey will ask participants to evaluate the
current level of documentation/policy supporting the defense of aerospace communication
systems from radio frequency attack vectors. This question is largely subjective in nature but
provides a valuable measurement from industry experts on whether adequate documentation
exists.
Population
A population is the group of potential participants to whom the results of a study may be
generalized (Salkind, 2018; Creswell & Guetterman, 2018). Generalizable results can be applied
to a wider population having similar characteristics as the study population, regardless of
environment or setting (Salkind, 2018, p.85). The population should consist of a “group of
66
individuals who have the same characteristic” (Salkind, 2018, p. 139). Raul et al. (2016)
elaborates on the definition of population by differentiating between the target population, also
known as the intended population, and the accessible population. The target population
represents the complete population from which the sample will be drawn. In other words, this
target population is the complete group to which the research is intended to generalize. The
accessible population is the specific group of participants measured by the research (Ruel et al.,
2016).
The definition of accessible population considers constraints possibly limiting inclusion
of additional participants, such as native geographical limitations or demographics (Ruel et al.,
2016). The target population under study in this research paper will include the population of U.
S. aerospace professionals involved with the operation, development, or integration of radio
frequency technology on aerospace systems. Given the electronic format of this survey, the
accessible population can be further defined as those who were reachable through electronic
means on Facebook and LinkedIn. Only participants with appropriate verified experience who
are members of aerospace executive groups on Facebook or LinkedIn will be included in the
population.
Sampling Theory
Both Salkind (2017) and Creswell (2019) describe the sample of a population as a subset
of the population where the sample’s characteristics can be applied to the greater whole
population. The sample for this study will be the population of aerospace professionals who are
identified as participants for the survey. The sample includes those with verifiable experience in
the aerospace field and who are members of groups representing the population – a subset of the
greater population of professionals.
67
There are two sampling strategies described by Ruel et al., (2016) and Salkind (2017):
nonprobability sampling and probability sampling. In probability sampling, the likelihood of an
individual in a population being selected for sampling in a study is known beforehand.
Probability sampling methods “use random chance to select members of the population to be
included in the sample. Using probability sampling, researchers are able to ascertain that no bias
influenced the selection of random samples” (Ruel et al., 2016, pg 123). For example, in a
population of aerospace industry experts, if one quarter of the population works with satellite
systems, then there is approximately a 25% chance of selecting a satellite system expert as part
of the sample from the greater population.
In contrast, nonprobability sampling does not define the number of individuals in the
population sampled in advance, and it is therefore impossible to accurately compute the
likelihood of a participant being selected (Ruel et al, 2016). Ruel et al. (2016) state the following
regarding nonrandom sampling methodologies:
Non-random sampling methods do not use randomness or chance to ensure representation
in a sample. This means that a whole host of things other than chance may be affecting
who is in the sample, and these things may keep the sample from being
representative…Thus, despite efforts to represent the population, we can never know
with any certainty if the sample does or does not, in fact, represent the population” (pp.
149).
According to Salkind (2018), the most frequently used probability sampling procedure is
simple random sampling. In a simple random sampling strategy, everyone in the population
being sampled has an equal chance of being selected as a participant. There are no variables or
factors affecting a person’s selection. The process for simple random sampling consists of first
68
defining the population from which samples will be selected, identifying the members of the
population, assigning of numbers to each participant, and then the use of a criterion to select
samples from the population (Salkind, 2018).
The selection of criteria can be handled in several ways. Salkind (2018, p. 87) identifies
the table of random numbers approach as an example of a probabilistic sampling criterion. In this
approach, the researcher uses a table consisting of randomly derived numbers, matching the
number of participants. By randomly selecting numbers from a matrix, independent of the
process during which numbers were assigned to the participants, random selection can be
achieved (Salkind, 2018).
A second method of probabilistic sampling is systematic sampling (Salkind, 2018, p.
140). To perform systematic sampling, a researcher first determines the total population and
selects a sample size. Once selected, a starting point is chosen randomly, and a step size is
calculated based on the number of samples to be gathered from the population. Samples are then
taken from the population in steps. Systematic sampling is considerably easier than random table
sampling, and as a result, is less precise. Depending on the starting point of systematic sampling,
the chances of selecting individuals in a sample can be influenced, thus removing the assumption
of equal representation in samples (Salkind, 2018, p. 141).
Like probability sampling, nonprobability sampling includes several methods to select
samples (Salkind, 2018, p. 143). In nonprobability sampling, the likelihood of picking a
participant is not known, and therefore, the participants being selected in a sample do not have an
equal and independent chance of being selected. One method of nonprobability sampling is
convenience sampling (Salkind, 2018, p. 140; Ruel et al. 2016).
69
“Convenience sampling refers to, for example, including a sample of the closest
respondents to those administering the survey, such as family, friends, or colleagues. Such
samples are known to be subject to several types of bias, including subjectivity; researchers tend
to ask people to be part of a survey if they are comfortable asking” (Ruel et al., 2016).
Convenience sampling may include bias and is not random, depending on the sampled
population. Due to the significant chance of error, this method of sampling is unlikely to produce
a truly representative sample of a target population.
A second nonprobability sampling method is quota sampling. In quota sampling, samples
are first selected using desired characteristics, such as industry background or years of
experience. Raul et al. (2016) defines quota sampling as:
Convenience sampling with the addition of quotas or limits to the number of people of a
particular demographic who can be included in the sample. Often the quotas are used to
reflect known properties of the population… This method does at least guarantee that the
sample will reflect variation in the population with respect to the variables used to create
the quota… Including only participants with the desired characteristics, the study
continues until a certain quota has been met. This sampling strategy is not completely
random, as potential participants who were not included due to the quota are not
considered. (p. 150)
The third nonprobability sampling technique considered was purposive sampling, also
known as judgmental sampling (Raul et al., 2016, p. 151). Purposive sampling is a unique type
of convenience sampling in which participants are chosen based on their background or
knowledge of the subject matter under investigation (Raul et al., 2016, p. 151). This is also
70
known as key informant interviewing, a method of research in which the key participants are
experts in the field under research.
Purposive sampling has several limitations when applied to social media (Raul et al.,
2016). For example, due to the configuration of individual social media profiles dictating visible
group members on Facebook and LinkedIn, some prospects may be excluded. This can be further
compounded when sampling the population as the participants are often not located in the same
geographic region (Raul et al., 2016).
However, using online research tools provides considerable benefits when using
purposive sampling, as it is possible to identify potential experts with greater ease. Like the
previous two sampling methods identified, purposive sampling is a nonprobability sampling
technique (Raul et al., 2016). This limitation means that sample size cannot be representative of
the larger population, which impacts the ability to estimate sampling error or bias. However,
given the specialized nature of the information the subject matter experts provide, large samples
can still be used to produce high quality data (Raul et al. 2016).
Two additional methods of nonprobability sampling were considered during the selection
of the methodology: snowball sampling and respondent-driven sampling. Both these
methodologies require collection of identifiable participant data (Salkind, 2018; Raul et al,
2016). Given the sensitive nature of the survey, it was determined that the collection of personal
data would erode participation. To ensure the highest level of accuracy of results, it was
determined that no personal data would be retained, thus eliminating these options.
The survey requires respondents have expertise in the field of aerospace system
technologies. Thus, the population of this research will include only professionals in the
aerospace field. Nonprobability purposive sampling was selected to ensure that only subject
71
matter experts will be included as a participant. Randomness of survey participants is not an
influencing factor, due to the nature of the participant population pool and sampling technique
(Raul et al., 2016).
Prospective participants will be individuals whose experience was validated by an
industry-specific group on Facebook or Linked In. Randomness cannot be achieved due to
limitations inherent to the inclusive nature of purposive sampling (Ruel et al., 2016). Per the
validation procedures of the “Military SATCOM” Facebook group (US Military SATCOM,
n.d.), potential members are reviewed through a multi-stage process, whereby current members
of the group are required to validate the expertise and vouch that the individual has prior
experience in the field of aerospace communications. This common characteristic defines the
participant population of this survey. The survey was not released to anyone not validated as an
approved member of the group.
Sample Size
As with any data collection research methodology, it is essential to ensure sample size is
sufficient to yield generalizable results (Salkind, 2018, p. 144). By calculating sample size, it is
possible to calculate the number of participants required to produce generalizable results. There
are several variables influencing calculation of sample size. For example, as population size of a
study increases, the number of required samples to maintain an acceptable confidence interval
increases in kind (Ryan, 2013).
To counter this effect, an increased number of samples is required to represent the
increase in population (Salkind, 2018). The same relationship exists when determining margin of
error; as the margin of error increases, the accuracy of the results decreases. Conversely,
increases in sample size and confidence level increase the level of accuracy for which the sample
72
can be generalized; decreases in sample size and confidence level negatively affect this
generalizability. To calculate this, a sample size formula equation (Fink, 2013; Daniel, 2013)
was used:
𝑧 2 ∗ 𝑝(1 − 𝑝)
𝑒2
𝑆𝑎𝑚𝑝𝑙𝑒 𝑠𝑖𝑧𝑒 =
2
(𝑧 ∗ 𝑝(1 − 𝑝)
1+
𝑒 2𝑁
(1)
Where N = Population size; p = proportion of population; e = Margin of Error (percentage in
decimal form); z = z-score.
The sample size formula is tailorable depending on a study’s desired confidence level,
population size, and desired margin of error (Fink, 2013; Daniel, 2013). The confidence level is
determined by the level of confidence in response accuracy (Crewell & Guetterman 2018). For
example, a confidence level of 99% means that the researcher can be 99% certain results are
accurate. For this survey, a confidence level of 95% was selected (Ryan, 2013). To insert this
selection into the Sample Size formula, the confidence level must be converted to a z-score,
which, for a confidence level of 95%, is 2.58. The Altman Z-score is used it statistics to provide
a measurement of how far from the mean of a data set a particular measurement is (Altman,
1968). The Z-score was used to calculate the deviation from the mean. The formula for
calculating Z-score is:
𝑍 =
𝑥−𝜇
𝜎
(2)
Where Z = standard score; x = raw score, 𝜇 = population mean; σ = the population standard
deviation.
The population size of the study is the total population invited to participate. A total of
8,109 participants were targeted as the population. The survey will continue until the quota
73
sample size is met. The survey assumes a margin of error of 6%, yielding a suggested sample
size of 259. The margin of error, also known as confidence interval, heavily influences the size
of the sample, and the selection of 6% was determined to be appropriate given the non-linear
number of increased samples needed to lower the margin of error. For example, to lower the
margin of error to 4% would require an additional 300 respondents in the sample.
Data Collection
The data collection process will be integral to the execution of the survey. Surveys have
the advantage developing an accurate description of the subject under study (Crewell &
Guetterman 2019; Salkind, 2018; Ruel et al., 2016). The collected data measurements can
effectively be generalized to larger populations. The ability to generalize data benefits not only
future research, but also decreases time and cost of future studies (Salkind, 2018).
There are two approaches to data collection: longitudinal and cross-sectional. In
longitudinal survey data collection, participants are asked to complete the survey questionnaire at
different, multiple points in time (Creswell & Guetterman, 2018, p. 388). Researchers use
longitudinal studies when the study requires data to be sampled at multiple times, such as a
survey evaluating a subject’s understanding of a concept before and after a training session
(Creswell & Guetterman, 2018, p. 388). The involvement of participants during multiple sessions
results in an increase overhead in cost and time. In addition, survey participants not completing
both iterations of the data collection yield incomplete results and must be discarded (Creswell &
Guetterman, 2018, p. 388). In cross-sectional surveys, data is collected at a single point in time;
there is no need for researchers to follow up for additional iterations of data collection (Creswell
& Guetterman, 2018, p. 386).
74
In this study, a cross-sectional survey data collection instrument reduces cost and time
spent collecting data (Creswell & Guetterman, 2018, p. 386). In cross-sectional surveys, there is
only one period of data collection. Given the large number participants included in the sample
(approximately 259), a longitudinal survey would have required, at a minimum, double the
amount of data collection time. Given the nature of the study, the research questions, and the
scope of the effort, a cross-sectional survey satisfies the research requirements (Creswell &
Guetterman, 2018, p. 386).
Interviews allow room for descriptive answers, providing detailed responses through oneon-one sessions with participants. Interviews can be formal or informal, allowing for use of
multiple platforms depending on the interview goals (Ruel et al., 2016). An advantage of
interviews is the detailed description participants provide on the research subject and questions
(Salkind, 2018). This detailed description comes with a significant increase in both cost and
time. For the interview to succeed, the researcher and interviewee must both allocate the
appropriate resources to conduct the interview session.
Surveys reduce the amount of effort required by participants (Creswell & Guetterman,
2018; Ruel et al., 2016). While interviews may require a significant amount of time, surveys are
brief and restricted to multiple choice (Ruel et al., 2016). A restrictive, closed-question survey
allows for answers to be categorized and assigned numeric values. Survey questions are best
applied using numerical systems which can be extracted for statistical analysis of trends. In the
case of this survey, the Likert scale was chosen due to its ability to confer quantitative values to
degrees of opinionated response (Robinson, 2014).
For each question on the survey, participants will be asked to quantify their opinion using
a set selection of ratings. Respondents will be offered a choice of five measurements to reflect
75
their assessment of a statement. These measurements correspond to a five-point Likert Scale:
None (0), Low (1), Moderate (2), High (3), Severe (4) (Likert, 1932).
Instrumentation
The survey instrument will be designed to provide the highest level of generalizability to
the wider aerospace industry by screening participants based on their experience. Confining
respondents to those with aerospace systems experience will ensure only validated participants
have access to the survey. Limiting responses to people of such expertise allows for a holistic
and accurate representation of the current opinion of subject matter experts. As mentioned in the
problem statement of this survey, the survey was designed to identify whether the
implementation of cybersecurity practices would aid in the security of aerospace systems.
Various design types were analyzed to select the most appropriate survey instrument.
Raul et al. (2016) describes several survey types such as mail, telephone, group interview, faceto-face, and web-based. Given the sensitive nature of the survey, it was previously determined
that personal information would not be collected. In addition, the disparate geographic locations
of participants prevent any face-to-face interaction. Given these constraints, it was determined
that a web-based survey would provide the highest level of accessibility and participation among
participants.
Prior to conducting the main study, to receive feedback on survey content, a pilot study
will be conducted among five people meeting all the participant criteria. Their recommendations
will be tracked, and the final survey will be adjusted to incorporate feedback as necessary, and
any criticism will be incorporated into the final survey. The pilot and final surveys will be
reviewed by the dissertation committee at Capitol Technology University for approval prior to
76
distribution. Institutional Review Board approval will be obtained before moving forward with
data collection.
As stated earlier in this section, efforts were made to ensure the most appropriate research
tool is used for the data collection phase of the study. To ensure all potential instruments were
considered, an analysis of research methodologies was conducted. This analysis included two
additional instrumentation methods considered as part of this study: (a) interviews and (b) case
study.
Interviews were initially considered as a viable option of collecting data and likely would
have provided a detailed assessment of the current opinion of select experts in the field.
Interviews are inherently prone to bias influence (Aamodt, Brecher, & Kutcher, 2006). Also, it
can be difficult to assure participants that their identity and responses are confidential (Salkind,
2018), resulting in omissions or slanted responses. Due to the variables affecting individual
participant responses, and the difficulty of contacting many qualified participants in the allotted
time, this alternative was rejected.
A case study of radio frequency threats on aerospace systems was considered, however,
this was rejected due to the sensitive nature of the subject matter. Detailing the process
methodology of a realistic radio frequency attack in this study would have likely changed its
classification. The description of a radio frequency attack on an aerospace system raises concerns
when combined with potential interview data. This limited the possible methods of data
collection for the case study. The selected structure and design of the survey instrument for data
gathered to be applied to future research and to accurately represent views of the participants.
77
Reliability
Reliability in research refers to how repeatable measurements are (Salkind, 2018).
Reliability is essential to ensure that the data is dependable and consistent. Salkind (2018) states
reliability means “individual scores from an instrument should be nearly the same or stable on
repeated administrations of the instrument and that they should be free from sources of
measurement error and consistent” (p. 627). To establish reliability, researchers must take steps
to minimize random error.
Random error can arise either when a respondent guesses a response based on ambiguous
wording or directions, or when a respondent inadvertently selects and unintended choice. In such
cases, responses do not accurately reflect a true value (Ruel et al., 2016). Survey questions for
this study will be designed to ensure reliability, avoiding vague wording or uncommon terms,
which risk misinterpretation.
To ensure accuracy of responses, participants will be asked to quantify their opinion
using a set selection of quantitative ratings. The selectable options were generating using the
Likert Scale model (Robinson, 2014). Five selections will be offered to measure subject matter
expert opinion on the survey questions. Each measurement will be followed with a brief
description to reduce ambiguity. These measurements include:
1) None (no level of impact)
2) Low (some level of impact; barely noticeable)
3) Moderate (moderate level of impact; noticeable frequency or impact)
4) High (high level of impact; significant presence or impact to capabilities)
5) Severe (extremely high level of impact; presence is frequent or complete disables
capabilities)
78
By reducing any ambiguity in survey questions and responses, participants are less likely
to randomly guess, enhancing the probability that results are consistent and repeatable.
Furthermore, validity and reliability share a close relationship; when results are not repeatable, or
reliable, they are also not valid (Creswell & Guetterman, 2018, p. 261). While not all repeatable
results have validity, reliability is certainly a contributing factor (Raul et al., 2016).
Validity: Internal and External
Validity can be internal or external. External validity indicates how well a population in a
study applies to a wider population, outside the domain of the study but possessing similar
characteristics (Creswell & Guetterman, 2018). Internal validity is the degree to which a survey
design evaluates the relation of the independent and dependent variables (Chambliss and Schutt,
2013; Raul et al., 2016). To establish external validity, a study must first establish internal
validity. Both internal and external validity can be threatened by many factors. (Patino &
Ferreira, 2018).
To ensure internal validity, researchers must examine the design, structure, and
methodology of a study to ensure that there are no threats, such as errors in measurement or bias
in the selection of participants, to mar findings of the study (Brewer & Crano, 2014; Raul et al.,
2016). During the data analysis portion of this study, variables will be analyzed for any
correlation using a proven method of variable correlation known as the Pearson product-moment
correlation (Salkind, 2019). An in-depth investigation of the research design will ensure the data
collection methodology and analysis is reliable and valid.
Internal validity will be enhanced by survey questions informed by expertise gained
during the literature review. During the literature review, emphasis was placed on analysis of
common radio frequency attacks, cybersecurity methodologies, and existing aerospace
79
cybersecurity practices. The review of federal reports, standards, and frameworks facilitated the
identification of the current knowledge gap and influenced wording of survey questions which
will be used for data collection. This, combined with adherence to procedural accuracy regarding
execution of the survey, suggests the study will have strong internal validity.
External validity is the extent to which results of a study are generalizable to, and
representative of, the wider population from which the sample was created (Salkind, 2018;
Creswell & Poth, 2018). A lack of external validity implies the research cannot be adopted to the
field (Creswell & Guetterman, 2018). In this study, external validity will be ensured by limiting
the survey to professionals with relevant work experience.
The survey questions administered to participants were general in nature and do not
identify specific scenarios or systems; thus, external validity is reinforced by ensuring the
questions are applicable to a wide scope of relevant conditions. However, external validity will
be limited due to the use of nonprobability sampling, which was selected due to the nature of the
survey questions and content. While nonprobability sampling does impact the generalizability of
results to the external population, the accuracy of results increases with the sample size and
quantity of participants (Raul et al., 2016).
Raul et al. (2016) and Creswell and Guetterman (2018) state that question format can
significantly impact both reliability and validity. Closed-ended questions are often very
repeatable, increasing reliability of a survey. However, closed-ended questions limit the ability
of respondents to describe an event, potentially reducing validity of results. As Gorvine et al.
(2018) state, open-ended questions are often avoided because of the “potential problem of
interpreting participant answers, difficulty in summarizing and quantifying responses across
participants, and constraints open-ended responses place on potential statistical analyses” (p.
80
168). Open-ended questions will not be used for the collection or interpretation of data and did
not influence correlational analysis.
Pilot study
A pilot study will be conducted among five individuals with appropriate professional
experience in the aerospace communications field, chosen from the same pool of participants.
Individuals included in the pilot study will meet the same qualifications as full participants.
Consistency between the pilot study population and the final survey will ensure feedback
provided from the pilot study participants is relevant to the subject matter (Ruel et al., 2016).
Data gathered during the pilot study will be used to refine the questionnaire and ensure
success of the research instrument but will not be tabulated in the findings. The preliminary
analysis of survey responses will allow verification of accuracy and capability of the instrument.
This process will reveal potential issues with the survey instrument that have the potential to
impact survey results (Gorvine et al., 2018). A detailed description of the pilot study and how it
will be conducted is provided in Chapter 4.
Data Analysis
A correlation coefficient is “a quantified summary of the linear relationship between two
continuous variables” (Raul et al, 2016, p. 79). The Pearson Product-moment correlation will be
used to measure relationships between variables to reveal correlations. The Pearson productmoment correlation can be calculated using the following formula:
𝑟𝑥𝑦 =
𝑛 ∑ 𝑋𝑌 − ∑ 𝑋 ∑ 𝑌
(3)
√[𝑛 ∑ 𝑋 2 − (∑ 𝑋 2 )][𝑛 ∑ 𝑌 2 − (∑ 𝑌 2 )]
Where 𝑟𝑥𝑦 = the correlation coefficient between X and Y; ∑ = the summation sign; n =
the size of the sample, X = the value of the X variable; Y = the value of the Y variable; XY = the
product of X and Y.
81
To interpret the Pearson product-moment correlation, an additional analysis will be
performed: the coefficient of determination. The “coefficient of determination is the amount of
the variation in the dependent variable that can be predictable from the independent variable”
(Salkind, 2018). This allows for estimation of the “amount of variance that can be accounted for
in one variable by examining the amount of variance in another variable” (Salkind, 2018, p. 169;
Gorvine et al., 2018, p.357). The coefficient of determination can be calculated with the
following equation:
𝐶𝑜𝑒𝑓𝑓𝑖𝑐𝑖𝑒𝑛𝑡 𝑜𝑓 𝐷𝑒𝑡𝑒𝑟𝑚𝑖𝑛𝑎𝑡𝑖𝑜𝑛 = 𝑟𝑥𝑦 2
(4)
Where r is the proportion of the variation which can be explained by the independent variable in
relation to the dependent variable (Salkind, 2019).
Through the measurement of variance between variables, the coefficient of alienation was
also calculated. The coefficient of alienation, or non-determination, is used to determine the
amount of variance in the dependent variable which is not explained by the independent
variables (Salkind, 2019). The Coefficient of Alienation can be used to determine the potential
error of measurements. The coefficient of alienation can be calculated using the following
equation:
𝐶𝑜𝑒𝑓𝑓𝑖𝑐𝑖𝑒𝑛𝑡 𝑜𝑓 𝐴𝑙𝑖𝑒𝑛𝑎𝑡𝑖𝑜𝑛 = 1 − 𝑟 2
(5)
Chapter Summary
This chapter presented the rationale for the chosen research design, population, and
methodology after a discussion about each available approach. A discussion of issues
surrounding bias, and internal and external validity followed, and how this study will ensure
generalizable results, with minimal bias and high validity. Details of statistical measurements
and analysis to be performed on the collected data was described.
82
A quantitative descriptive study will be used, and a cross-sectional survey will facilitate
gathering data on radio frequency attack vectors targeting Aerospace systems from experts to
address the research questions. Correlational data of variables from the survey answers will be
used to identify trends or variances among responses. Among the survey population, the use of
purposive sampling was used to identify participants based upon their background in the field of
radio frequency communications.
83
CHAPTER 4: RESULTS
The purpose of this study was to explore radio frequency attack vectors
associated with aerospace communication systems, and whether the application of cybersecurity
principals to mitigate them would be beneficial. To investigate this topic, response data from 133
aerospace industry experts with experience in aerospace communication systems was gathered.
The data set included responses from experts in satellite communication, aviation, and support
telecommunication. Potential respondents were identified through verified Facebook groups and
LinkedIn members with relevant backgrounds.
Chapter 4 begins with a detailed description of the structure of the pilot study. This
chapter also presents the data collection process and provides a detailed analysis of the gathered
survey results. The chapter concludes with a general summary of the findings observed from the
correlational analysis.
Surveys for participants meeting inclusion criteria were administered through
SurveyMonkey, where data was gathered, stored, and organized. Once the data collection period
was completed, results were exported and ingested into a Microsoft Excel workbook. Using the
Excel Toolpak (Salkind, 2018), descriptive statistics were computed to produce correlational
results. Excel was used to perform several calculations such as the Pearson Correlation
Coefficient, coefficient of alienation, coefficient of determination, and Fisher’s r-to-z
transformation. Graphical representations of data were generated using the IBM SPSS statistical
data analysis software. Results were methodically analyzed using descriptive statistics to address
the research questions of this study.
Pilot Study
84
The researcher collected results from five aerospace industry professionals within the
target population to test the survey instrument in the pilot study. Pilot study participants were
asked to evaluate the survey for potential issues or areas needing improvement. This enabled
refinement of the survey instrument, to improve focus of the survey questions to optimize
completion rates, and ensure the survey will yields reliable results.
Pilot Study
Pilot studies increase the quality and validity of research instruments (Salkind, 2018;
Creswell & Guetterman, 2018). Creswell & Guetterman (2018, pp. 399) stated that pilot studies
“help determine individuals in the sample are capable of completing the survey and can
understand the questions.” Adams & Lawrence (2019), and Ruel et al., (2016) both state that a
well-organized pilot study enhance a study’s validity, reliability, and efficacy. They can also
uncover significant or critical flaws in the research instrument itself, allowing researchers to
mitigate issues prior to conducting the final study (Ruel et al., 2016).
Pilot Study Procedures
A pilot study collected preliminary data from five aerospace communication system
industry experts. Upon completion of the pilot study, results were analyzed, and changes were
made to the survey to reflect the concerns of pilot participants. Pilot study responses were
excluded from final survey data (Creswell & Guetterman, 2018).
The pilot study facilitated confirmation that the survey instrument, a web-based survey
tool, was operational and coded appropriately. Throughout the pilot study, research conditions
were as similar to actual data collection procedures as possible. Participants were not informed
of the questions prior to execution, and no discussion of the content or features of the instrument
occurred. Participants were asked to give independent and critical reviews any flaws found in the
85
research instrument. Pilot study group members were contacted directly and asked to participate.
Specific measures were taken to ensure integrity of the survey environment was not
compromised; respondents were introduced to the survey in the same way the survey population
would be.
Pilot Results
Five pilot study requests were distributed to the survey participant pool. All five were
returned with comments and feedback. The pilot study responses and feedback data are
summarized in Table 4 below:
86
Table 4
Pilot Study Feedback
Pilot
Participant
Number.
Comments
Duration
1
Survey questions utilized the phrase, “radio-frequency attack” but
did not specify the difference between suspected or confirmed
events. Clarification is needed for respondents to answer accurately.
3:59
2
Survey questions made sense and the research seemed valuable.
There were a few misleading phrases/typos in the introduction of the
survey referencing satellite control.
5:11
3
Survey questions were clear and concise. The introduction portion
of the research was very lengthy, it took almost as long to read the
introduction/waiver as it did to complete the survey.
4:22
4
Survey questions were clear and concise, it was appreciated that the
survey was short. More questions would likely result in fewer
responses. It was noticed that the screening question, which asked
participants to agree to the introduction/waiver, did not correctly
reject participants who answered, “No.”
2:54
5
Slightly concerned regarding the sensitivity of the subject data and
likelihood that potential participants would be reluctant to
participate due to national security concerns. Highly recommend
using LinkedIn as well as the Facebook group due to increased pool
of participant backgrounds.
3:43
Note. This table shows feedback from pilot study participants with the corresponding time for
survey completion duration.
The pilot study identified three flaws requiring correction to finalize the survey. First, the
introduction to the survey had several ambiguous phrases that could potentially mislead
participants with a satellite background. The specific phrasing issues identified were adjusted to
87
provide clarity and remediate any confusion. The pilot study introduction erroneously referred to
satellite command and control as satellite command, which was unfamiliar terminology to a
respondent. The introduction section was updated to reflect the correct terminology, “Satellite
Command and Control.”
Second, for questions relating to the CIA triad, additional description was needed to
clarify that term “attack” in the survey refers to both suspected and confirmed radio frequency
attacks. The survey questionnaire was updated to include “both suspected and confirmed attacks”
wherever the phrase, “radio frequency attack” was mentioned. The pilot study respondent
confirmed the change was effective.
One pilot study participant attempted to test to see if the survey was viewable using the
SurveyMonkey mobile application, where it was found that some of the introduction page text
was being truncated, This error resulted in the participant being unable to acknowledge the
waiver. The last issue found was remediated by splitting the introduction page into two separate
pages, allowing for all the text to be viewable in the mobile application. Previously, the entirety
of the introduction was in the first page and the acknowledgement question was asked after
selecting a next page dialogue box. By splitting the introduction and waiver text into two pages,
the respondent was then able to complete the survey successfully.
Last, one pilot study participant noted the possibility that it may be difficult to locate
participants using only Facebook, and highly recommended increasing the participant sample
sources to include LinkedIn. The cause of this recommendation was rooted the nature of the
research questions and the demographics of the SATCOM Facebook group being primarily
military. Increasing the social media platform options to LinkedIn also allowed for more
visibility by aerospace communication experts outside of the satellite communications field.
88
It should be noted that while a pilot study is very useful for revealing potential issues that
may arise during the research process, it is impossible to predict all variables which may
influence the outcome of a full survey. Pilot studies cannot predict response rates from the final
survey. Raul et al. (2016) state that, “Even if a study has been vetted by a well-designed and
successfully executed pilot study, the full-scale study may still suffer from extremely low
response rates” (p. 116). Therefore, given the known constraints, the pilot study was conducted
without any assumptions as to final survey participation.
Survey Development
The survey instrument was uploaded into the SurveyMonkey platform. A standard
SurveyMonkey subscription was sufficient to support the survey as detailed in Chapter 3.
SurveyMonkey includes several features in their toolset to assure Human Subject Research is
conducted in accordance with university and IRB practices. Examples of these features include
an informed consent page, ability to record the time of acceptance of the informed consent page,
and ability to opt out at the end of a survey.
Informed Consent
Upon opening the survey instrument, participants were presented with an Informed
Consent form. The form comprised seven sections offering highlights of the research topic,
contact information of this research, details of supporting organization, Capitol Technology
University, format of the survey, screening for protected populations, information regarding
reward or benefits, and information detailing anonymity practices regarding management of
study data. Upon reading the Informed Consent form, participants were asked to select “next” to
advance to the next page.
89
The second page of the Informed Consent section included details of any risks and
benefits of participating in the study. Participants were provided guidance to back out or cease
participation if any noticeable sensitivity to the data collection tool was experienced. Participants
were also informed that there would be no financial or significant personal benefits from
participating in the survey. A link to SurveyMonkey’s privacy policy was included at the end of
the Risk and Benefits of Participating section.
Upon reviewing the introduction explaining the purpose, use, and privacy protections
involved in the survey design, participants were required to respond “yes” or “no” to a
confirmation question. Should participants answer no, they were omitted from the survey and
sent to a thank you page. If the participants responded with yes, they were sent to the next page
containing the eleven survey questions.
Survey Questions
All eleven of the survey questions were displayed on the same page, allowing for
participants to easily view the length of and progress completing the survey. This was
intentional, as it is typical for a significant percentage of survey participants to not complete a
survey which requires significant investment (Kost & Rosa, 2018). Advancing through multiple
pages requires additional selections and time spent awaiting questions to load. Presenting all
information on one-page enabled participants to navigate and complete the survey without
unnecessary selections to advance through survey pages. The participation agreement asked
respondents to confirm their participation in the survey was voluntary, with no expectation of
reward or payment.
Four demographic questions followed the participation agreement. The first question
asked participants if they were at least 18 years of age. The second demographic question asked
90
participants to verify whether they had experience working with aerospace communication
systems that utilized radio frequency technology. During the analysis phase of this study, any
participant who answered this question with “No” was removed from the data pool.
The third demographic question asked participants to select how many years of experience they
had working with aerospace communication systems. There were five possible answers which
included no experience, 0-5 years, 6-10 years, 10-15 years, and 15 or more years. Participants
who answered this question with the no experience selection were not included in the final data
pool for the sample. This demographic question was used later used to correlate answers with
industry and years of experience to determine if there were any relevant trends in responses.
Following the demographic questions, subsequent questions sought to collect the
concrete data needed for analysis. For these questions, a Likert scale was offered to participants
to choose among: None (no level of impact), Low (some level of impact; some capabilities are
degraded), Moderate (moderate level of impact; noticeable degradation of capabilities of a
system), High (high level of impact; significant impact to the capabilities of a system), and
Severe (extremely high level of impact; capabilities of a system are no longer possible to
maintain). Specific questions are discussed below.
Question seven asked participants to evaluate the level of impact radio frequency attacks
(suspected or confirmed) have on the availability of aerospace communication systems.
Participants were provided a supplemental introductory paragraph to this question defining the
terms “impact” and “availability.” Question eight asked participants to identify the level of
impact of radio frequency attacks (suspected or confirmed) on the integrity of aerospace
communication systems. Participants were again provided a supplemental introductory paragraph
to this question defining the terms “impact” and “integrity.”
91
Question nine asked participants to evaluate the level of impact radio frequency attacks
(suspected or confirmed) have on the confidentiality of aerospace communication systems.
Participants were again provided a supplemental introductory paragraph to this question defining
the terms “impact” and “confidentiality.” Question 10 asked participants to estimate the
frequency of suspected or confirmed radio frequency attacks on aerospace communication
systems. Participants were provided a supplemental sentence defining “frequency” in the context
of the question. The Likert scale selections offered for question 10 were: None (incidents have
never occurred), Rare (incidents are unlikely to occur), Uncommon (incidents are expected to
occur), and Common (incidents will almost always occur).
Question 11 asked participants to evaluate current United States government resources
and guidance regarding the protection of aerospace communication systems from radio
frequency threats, and if they felt prepared to respond to an event. Likert scale responses for this
question allowed participants to select between Unsure (no knowledge of relevant resources and
guidance), none (there are no resources or guidance which I can use to respond to an event; I am
unsure if I am able to respond to an event), good (there is a significant amount of resources and
guidance which I can use to respond to an event; I am somewhat prepared to respond to an
event), and very good (there is an adequate amount of resources and guidance; I am very
prepared to respond to an event).
Data Collection
This study was designed to garner information from aerospace communication system
professionals, the target population. To reach experts in the field, social media sites Facebook
and LinkedIn were both used to identify and invite the target population to participate. The
primary group targeted was the US Military SATCOM group page on Facebook, which had
92
8,119 members at the time of the study (Facebook, n.d.). The administrative team of the page
approved the concept and allowed the researcher to promote on their announcement page and
identify prospective respondents on page.
Early in the data collection phase it was revealed that the group’s Facebook’s
announcement page is not readily visible to members due to which prevented the distribution of
the survey to the group. Making it unlikely the membership would be aware of the survey. It was
therefore necessary to directly message individuals to provide prospective participants the link to
the survey instrument.
It was also revealed during this phase that Facebook implements a throttle after a user
account contacts 50 individuals. Once the throttle has been activated, it takes approximately 24
hours before the Facebook account can resume using the messenger feature. The throttle heavily
impacted this researcher’s ability to collect responses, with the result that only 50 messages per
day could be sent, necessitating a two-week timespan of data collection on Facebook. However,
this survey was not time-dependent, and therefore the extended data collection period did not
impact the results of this study. Facebook direct messages to non-friends are directed to a
secondary, less-accessible inbox, reducing the number of prospective respondents who would see
the invitation to participate.
LinkedIn was also used to identify and validate prospective participants. The researcher
targeted the Satellite Group (Satellite Group, n.d.) which is comprised of aerospace
communication professionals involved in the area of satellite communications. This researcher
reviewed 4,550 accounts in the Satellite group in search of potential participants. LinkedIn
organizes group membership starting with the most recently added member and lists members
until the oldest continuous member has been reached. Prospects were reviewed on an individual
93
basis and requests for participation were only sent to those with a documented aerospace
communication system background. Participation requests were sent individually to 689
members based upon the experience detailed in their profile.
LinkedIn allows members of the same group to directly message each other. However,
this message is often filtered out due to individual user security settings, resulting in prospective
participants not seeing the message. LinkedIn also throttled attempts to collect data through
messaging users directly. While LinkedIn’s security protocols are not available publicly, it was
found that after approximately 150 direct messages, the site forced a logout of the platform
before resuming activity. In addition, a message acknowledged unusual network activity and
warned continued excessive messaging could result in a temporary ban.
Despite use of a premium LinkedIn account, data collection attempts were throttled. To
skirt these controls, approximately 100 messages were sent daily over a ten-day timespan. This
survey was not time-dependent and therefore the extended data collection period did not impact
the results of this study. Respondent profiles were reviewed on an individual basis and only
responses from those with a documented background in the industry were included.
A total of 155 survey responses was collected in the survey data sample. Of the 155 total
survey responses, 133 were complete in accordance with the survey design and were used during
data analysis. The remaining 22 incomplete responses were discarded. Upon the conclusion of
the data collection phase, the total number of individuals to whom the survey was distributed was
1,439. Several participants refused to participate due to concerns of sensitivity issues in their
work surrounding aerospace communication systems. Several respondents requested access to
this dissertation and its results upon completion.
94
As discussed in Chapter 3, with the intended population of 8,109, a confidence level of
95%, and a margin of error of 6%, a sample of 259 participants would be required. Due to
limitations of resources and time, the survey was terminated upon reaching a sample of 133
complete responses with a total population of 1,439 participants. Using the sample same size
formula consistent with what was used in Chapter 3, this resulted in an updated confidence
interval of 8% versus the intended 6% at a confidence level of 95%.
Findings
Assumptions Impact on Data Collection
In Chapter 3, five assumptions were identified due to the nature and context of the study.
These assumptions were made to document topics which had the potential to impact the outcome
of the study based on the nature and design of the research topic (Salkind, 2018). Assumptions
have the potential to insert bias and influence a study (Salkind, 2018). Therefore, it is essential to
recognize researcher or participant bias, assumptions, or beliefs (Corbin & Strauss, 2015). The
five assumptions identified in Chapter 1 were:
1) The research will assume that participants of the survey answer the survey in good faith –
without intent to answer questions incorrectly or to negatively influence results.
2) The study assumes the researcher can acquire an adequate number of responses to the
survey to form a conclusive analysis.
3) The research assumes data, publications and communication provided by the White
House, GAO, DHS, FCC, and related federal authorities are an accurate depiction of U.S.
policy and are accurate and trustworthy.
4) Given the sensitive nature of the topic, it was expected that there would be limitations on
what information is publicly available.
95
5) The final assumption is that the subjects who complete the survey have prior experience
in the aerospace communications field.
While assumptions one and three may have not had an impact on the results of the
survey, assumptions two and five both impacted the ability to gather data in large samples sizes.
The second assumption assumed that the researcher would be able to acquire an adequate
number of responses to form a conclusive analysis. This assumption was proven true due to the
difficulty in gathering survey responses via social media platforms, which restricted the ability of
this research to disseminate the survey. Through the use of LinkedIn, assumption four limited
qualified applicants as it was difficult to identify qualified candidates.
As mentioned in the data collection section. due to limitations of resources and time, the
survey was terminated upon reaching 133 complete responses with a total sample size of 1,439
participants. Using the sample same size formula consistent with what was used in Chapter 3,
this resulted in an updated confidence interval of 8% versus the intended 6%.
Surveys are most effective when many respondents participate (Ruel et al., 2016). While
all available methods of collecting data from potential survey participants were exhausted, social
media platform algorithms impacted the ability to distribute the survey to a large quantity of
participants which could be included in the sample frame. Due to a lack of publicly available
information, factoring in these limitations by Facebook and LinkedIn was not foreseeable prior
to conducting the survey.
The fifth assumption was that group members, and therefore respondents completing the
survey, would have prior experience in the aerospace communications field. Individuals without
experience in the aerospace communication field were asked to cease participation in the
research study during the introduction material and survey. This exclusion limited the number of
96
potential respondents more significantly than foreseen. An unexpectedly large number of
members in the social media groups did not complete the survey distributed to them, citing that
they did not have recent experience in the field. This impacted the data collection and resulted in
additional effort to replace them with qualified respondents.
Quantitative Results
In Chapter 3, the research method presented the structure of the research study to the
Institutional Review Board (IRB) in order to obtain approval and begin the study. The results
presented in this section reflect measurements taken in accordance with the approved research
method. As defined in Chapter 3, survey participants were asked a sequence of closed-ended
questions, the results of which were analyzed for correlative indications. Several questions used
a Likert scale to garner data using a quantifiable scale which could then be cross-correlated to
other survey responses.
Following the Quantitative Results section, this chapter will discuss the correlative
process in the Correlative Analysis and Correlative Results section. The data presented in this
section will be referenced in the subsequent sections of this Chapter. Correlative findings based
upon the data presented in this section will be used to develop findings and recommendations
presented in Chapter 5.
97
Participant Years of Experience.
Figure 6. Participant Years of Experience Demographic breakdown provides a graphical
representation of the sample experience using data gathered from the survey. This figure groups
the 133 participants by their years of experience.
The survey asked respondents to select their range of years of experience working with
aerospace communication systems. The purpose of this question was to provide a dependent
variable to be used to identify trends or correlations with other variables. This question was
presented as: “How many years of experience do you have working with aerospace
communication systems?” Only responses from participants who answered all questions were
included.
Responses to the years of experience question were evenly distributed. Out of the 133
respondents, 9% indicated that they had between 0 and 5 years of experience, 29% indicated that
98
they had between 5 and 10 years of experience, 21% indicated that they had between 10 and 15
years of experience, and 41% indicated that they had more than 15 years of experience. 38% of
participants had between 0 and 10 years of experience, while 62% of participants had more than
ten years of experience.
Participant Industry Background.
Figure 7. Participant industry of experience domain breakdown provides a graphical
representation of the sample. This figure groups the 133 participants by the industry which best
describes their experience in the workplace.
The survey asked respondents to select the primary industry in which they gained their
experience. Aerospace communication systems may encompass domains such as satellite
communications, line of sight, aviation communications, and understanding the may yield
deviations. This question was presented as: “Please select the type of aerospace communication
99
system you have experience with. If you have experience with multiple types of aerospace
communication systems, select the answer which corresponds with your greatest amount of
experience (in years).” Respondents who did not answer all questions were excluded from the
survey results.
Responses to the participant industry background question distributed throughout among
potential responses. Out of the 133 respondents, 71 (53%) indicated that they worked in the
Satellite Communications/Control field, 3 (2%) indicated that they worked in the Unmanned
Aerial Vehicles field, 10 (8%) indicated that they worked in the Line-of-Sight Communications
field, 23 (17%) indicated that they worked in the Aviation Communications field, and 3 (2%)
indicated that they worked in a field not described by the answer options.
Figure 8. Years of experience Versus Impact to Availability. This bar graph displays a graphical
representation of the sample using data gathered from the survey. This figure displays the impact
100
of radio frequency attacks on the Availability of Aerospace Communication Systems aligned
with the 133 participants years of experience.
Respondents were asked to choose which range most accurately describes the impact
level of radio frequency attacks on the Availability of a system. This question was presented as:
“What level of impact do radio frequency attacks (suspected or confirmed) have regarding the
availability of aerospace communication systems? For this question, “Impact” is defined as a
degradation in the capabilities of the aerospace communication system. “Availability” is defined
as the reliability of access to data communicating to/from the aerospace communication
system.” Participants who did not correctly respond to all questions were excluded from the
survey results.
Responses to this question provide insight into the impacts of radio frequency attacks on
the availability of Aerospace Communication Systems. 29 of the 133 (22%) indicated that radio
frequency attacks have a Severe impact to system availability. 42 of the 133 participants (23%)
indicated that radio frequency attacks have a High impact to system availability. 27 of the 133
participants (20%) indicated that radio frequency attacks have a Moderate impact to system
availability. 25 of the 133 participants (19%), indicated that radio frequency attacks have a Low
impact to system availability. One respondent (1%) indicated that radio frequency attacks have
no impact to system availability.
101
Years of Experience Versus Impact to System Integrity.
Figure 9. Years of Experience Versus Impact to System Integrity. This bar graph displays a
graphical representation of the sample using data gathered from the survey. This figure displays
the responses addressing the impact of radio frequency attacks on the Integrity of Aerospace
Communication Systems aligned with the 133 participants years of experience.
The survey asked respondents to the choose the range most accurately describing the
impact level of radio frequency attacks on Integrity of a system. This question was presented as:
“What level of impact do radio frequency attacks (suspected or confirmed) have regarding the
integrity of data on aerospace communication systems? For this question, “Impact” is defined as
a degradation in the capabilities of the aerospace communication system. “Integrity” is defined
as the consistency and accuracy of data communicating to/from the aerospace communication
102
system.” Responses from individuals who did not answer all questions were excluded from
survey results.
Responses to this question provide insight into impacts of radio frequency attacks on
integrity of Aerospace Communication Systems. 7 of the 133 surveyed participants (5%) indicate
that radio frequency attacks have a Severe impact to system integrity. 30 of the 133 participants
(23%) indicate that radio frequency attacks have a High impact to system integrity. 41 of 133
participants (31%) indicate radio frequency attacks have a Moderate impact to system integrity.
43 of the 133 participants (32%) indicate radio frequency attacks have a Low impact to system
integrity. 12 respondents (9%) indicate that radio frequency attacks have no impact to system
integrity.
Figure 10. Years of Experience Versus Impact to Confidentiality. This bar graph displays a
graphical representation of the sample using data gathered from the survey. This figure displays
103
the responses addressing the impact of radio frequency attacks on the Confidentiality of data in
Aerospace Communication Systems aligned with the 133 participants’ years of experience.
Respondents were asked which range most accurately describes the impact level of radio
frequency attacks on the Confidentiality of a system. This question was presented as: “What level
of impact do radio frequency attacks (suspected or confirmed) have regarding the confidentiality
of data on aerospace communication systems? For this question, “Impact” is defined as a
degradation in the capabilities of the aerospace communication system. “Confidentiality” is
defined as the assurance that data being communicated is only accessible by authorized
parties.”
Responses to this question provide insight into the Confidentiality of system data from
radio frequency attacks on Aerospace Communication Systems. 4 of 133 (3%), indicated that
radio frequency attacks have a Severe impact to system confidentiality. 15 of 133 (11%)
participants indicated that radio frequency attacks have a High impact to system availability. 26
of the 133 (20%) indicate that radio frequency attacks have a Moderate impact to system
confidentiality. 49 of the 133 (39%) indicated that radio frequency attacks have a Low impact to
system confidentiality. 28 respondents (19%) indicated that radio frequency attacks have no
impact to system confidentiality.
104
Figure 11. Years of Experience Versus Frequency of RF Attack. This bar graph displays a
graphical representation of the sample using data gathered from the survey. This figure displays
responses addressing the frequency of radio frequency attacks on Aerospace Communication
Systems aligned with the 133 participants’ years of experience.
Respondents were asked to select the range which most accurately describes the
frequency of radio frequency attacks on aerospace communication systems. This question was
presented as: Regarding Aerospace systems, what is the frequency of suspected or confirmed
radio frequency attacks on aerospace communication systems? For this question, “Frequency”
is defined as the rate of occurrence that a particular event will take place.”
Responses to this question provide insight into the frequency of radio frequency attacks on
Aerospace Communication Systems. 4 of the 133 (3%) indicated that radio frequency attacks
were best described as common, or extremely likely. 34 of the 133 (26%), indicated that radio
105
frequency attacks are uncommon or expected to occur. 62 of 133 (47%) indicated that radio
frequency attacks are rare, or unlikely to occur. 32 of the 133 (24%) indicated that radio
frequency attacks have a Low impact to system confidentiality. 5 respondents (4%) indicated that
radio frequency attacks never occur.
Figure 12. Years of Experience Versus Opinion of Government Resources. This bar graph
displays a graphical representation of the sample using data gathered from the survey. This
figure displays the responses addressing the frequency of radio frequency attacks on Aerospace
Communication Systems aligned with the 133 participants’ years of experience.
Respondents were asked which range most accurately describes the quality of current
United States government resources and guidance available to protect aerospace systems from
radio frequency attacks. This question was presented as: “In your opinion, how would you rate
current United States government resources and guidance regarding the protection of aerospace
106
communication systems from radio frequency threats?” Responses from participants who did not
complete the entire survey were excluded from results.
Participant opinion regarding the available government guidance and resources varied
among survey responses. Figure 12 displays survey response by years of experience. 13
respondents (10%) were unsure what documentation exists for radio frequency attack response,
10 respondents (8%) indicated that there are no available resources, 55 participants (41%)
responded that there are with either inadequate or no resources, 48 participants (36%) responded
that there were adequate or a good number of resources available, and 7 participants (5%) of
responded that there were very good resources available.
Correlative Analysis
The correlational analysis of data involved four calculations. The calculations included
the Pearson Product-Moment correlation coefficient, the coefficient of alienation, the coefficient
of determination, and Fisher’s R-to-Z transformation. Throughout the following sections, Table 5
ties question number to question narrative.
107
Table 5
Survey Question Number and Narrative Mapping
Question Number
1
2
3
4
5
6
7
Question Narrative
How many years of experience do you have working with aerospace
communication systems?
Please select the type of aerospace communication system you have
experience with. If you have experience with multiple types of aerospace
communication systems, select the answer which corresponds with your
greatest amount of experience (in years).
What level of impact do radio frequency attacks have regarding the
availability of aerospace communication systems?
What level of impact do radio frequency attacks have regarding the
integrity of data on aerospace communication systems?
What level of impact do radio frequency attacks have regarding the
confidentiality of data on aerospace communication systems?
Regarding Aerospace systems, what is the frequency of radio frequency
attacks on aerospace communication systems?
In your opinion, how would you rate current United States government
resources and guidance regarding the protection of aerospace
communication systems from radio frequency threats?
Note. This table provides a traceability matrix between the survey question number and the
corresponding narrative.
The survey questions were used to measure variables for analysis to reveal correlative
trends. The mapping of questions to variables is identified in the table 6 below.
108
Table 6
Survey Question Number and Variable Measured Mapping
Question Number
Variable Measured
Participant number of years of experience working with aerospace
systems
Participant domain of aerospace communication systems (e.g., SATCOM,
LOS)
1
2
Participant view of impact of radio frequency attacks on confidentiality of
an aerospace communication system
Participant view of impact of radio frequency attacks on data integrity of an
aerospace communication system
Participant view of impact of radio frequency attacks on availability of an
aerospace communication system
Participant view of frequency of RF attacks on Aerospace communication
systems
Participant views on adequacy/effectiveness of current policy and
guidance regarding Radio Frequency attacks on aerospace
communication systems.
3
4
5
6
7
Note. This table provides a mapping of survey question number to the corresponding variable
used to address the research questions.
Pearson Product-Moment Correlation Coefficient. As identified in Chapter 3, the
Pearson product-moment correlation was used to analyze the data gathered using the following
formula:
𝒓𝒙𝒚 =
𝑛 ∑ 𝑋𝑌 − ∑ 𝑋 ∑ 𝑌
(4)
√[𝑛 ∑ 𝑋 2 − (∑ 𝑋 2 )][𝑛 ∑ 𝑌 2 − (∑ 𝑌 2 )]
Where 𝑟𝑥𝑦 = the correlation coefficient between X and Y; ∑ = the summation sign; n =
the size of the sample, X = the value of the X variable; Y = the value of the Y variable; XY = the
product of X and Y.
109
Correlations of the Pearson Product-Moment correlation coefficient formula range in
value from -1 through +1. A positive correlation indicates there is a correlation between two
variables, while a negative correlation indicates that there is an inverse relationship between the
two variables. Schober, Boer, and Schwarte (2018) provide a conventional approach to interpret
correlation coefficients their article, Correlation Coefficients: Appropriate Use and
Interpretation. In the table below, possible values of the Pearson Product-Moment calculation
are displayed with the interpretation of the value:
Table 7
Pearson Product-Moment Correlation Coefficient Descriptive Interpretation
Pearson Product-Moment
Correlation Coefficient
Interpretation
0.00-0.20
Negligible Correlation
0.20-0.39
Weak Correlation
0.4-0.69
Moderate Correlation
0.7-0.89
Strong Correlation
0.9-1.0
Very Strong Correlation
Note. This table provides interpretations for the Pearson Product-Moment Correlation
Coefficient measurements.
The interpretations in Table 8 above provide a categorization to aid in identifying which
results are most significant. Schober et al. (2018) acknowledge the difficulty in grouping
coefficients using qualitative interpretations by noting that it is capricious to label data measured
with a correlation coefficient of 0.19 as weak, while a coefficient of 0.2 would be moderate.
The Pearson Product-Moment correlation coefficient measurements from the survey data
are displayed in Table 9 below.
110
Table 8
Pearson Product-Moment Correlation Coefficient Measurements
Question1 Question2 Question3 Question4 Question5
Question1 Pearson
Question6
Question7
.004
.171*
.061
.051
.132
-.092
.962
.049
.485
.563
.130
.294
133
133
133
133
133
133
133
.004
1
.206*
-.165
.001
.158
-.140
.017
.058
.987
.069
.109
133
133
133
133
133
1
.387**
.389**
.297**
.057
.000
.000
.001
.517
133
133
133
133
1
.565**
.122
.155
.000
.161
.075
1
Correlation
Sig. (2-tailed)
N
Question2 Pearson
Correlation
Sig. (2-tailed)
.962
N
133
133
.171*
.206*
Sig. (2-tailed)
.049
.017
N
133
133
133
.061
-.165
.387**
Sig. (2-tailed)
.485
.058
.000
N
133
133
133
133
133
133
133
.051
.001
.389**
.565**
1
.114
.053
Sig. (2-tailed)
.563
.987
.000
.000
.191
.544
N
133
133
133
133
133
133
133
.132
.158
.297**
.122
.114
1
.015
Sig. (2-tailed)
.130
.069
.001
.161
.191
N
133
133
133
133
133
133
133
-.092
-.140
.057
.155
.053
.015
1
Sig. (2-tailed)
.294
.109
.517
.075
.544
.867
N
133
133
133
133
133
133
Question3 Pearson
Correlation
Question4 Pearson
Correlation
Question5 Pearson
Correlation
Question6 Pearson
Correlation
Question7 Pearson
.867
Correlation
Note. This table displays the resulting Pearson Product-Moment Correlation Coefficients in a
matrix format. Correlation is significant at the 0.05 level (2-tailed), noted with an asterisk.
Correlation is significant at the 0.01 level (2 tailed), annotated by two asterisks.
133
111
Table 9
Pearson Product-Moment Calculation Confidence Interval
90% Confidence Intervals (2tailed)a
Pearson
Correlation
Sig. (2-tailed)
Lower
Upper
Question1 – Question2
.004
.962
-.139
.147
Question1 – Question3
.171
.049
.029
.307
Question1 – Question4
.061
.485
-.083
.203
Question1 – Question5
.051
.563
-.093
.193
Question1 – Question6
.132
.130
-.011
.270
Question1 – Question7
-.092
.294
-.232
.052
Question2 – Question3
.206
.017
.065
.340
Question2 – Question4
-.165
.058
-.301
-.022
Question2 – Question5
.001
.987
-.142
.145
Question2 – Question6
.158
.069
.015
.295
Question2 – Question7
-.140
.109
-.277
.004
Question3 – Question4
.387
.000
.258
.502
Question3 – Question5
.389
.000
.260
.504
Question3 – Question6
.297
.001
.161
.423
Question3 – Question7
.057
.517
-.087
.198
Question4 – Question5
.565
.000
.459
.655
Question4 – Question6
.122
.161
-.021
.261
Question4 – Question7
.155
.075
.012
.292
Question5 – Question6
.114
.191
-.030
.253
Question5 – Question7
.053
.544
-.091
.195
Question6 – Question7
.015
.867
-.129
.158
Note. This table displays correlation coefficients calculated using the Pearson Product-Moment
correlation coefficient formula results when compared to the confidence interval of 90% upper
and lower bounds.
Fisher’s R-to-Z Transformation. Fisher’s R-to-Z Transformation was applied to the
results of the Pearson Correlation Coefficient table to normalize the results of bivariate samples
(Salkind, 2007). Fisher’s R-to-Z transformation converts skewed sampling distribution,
112
represented by Pearson’s R, of the correlation coefficient into a normal distribution, represented
by Z. Fisher’s transformation was performed to verify results due to the relatively small sample
size (Salkind, 2007).
The Fisher’s R-to-Z transformation was calculated using results from the Pearson
Product-Moment Correlation Coefficient results described in this section to yield confidence
intervals of the collected data (Salkind, 2007). Fisher’s r-to-z calculation was utilized to calculate
the confidence intervals for r and the delta between the bivariate correlations. The formula is
utilized to calculate the significance of the difference between the bivariate correlation
coefficients from independent samples. If r1s a greater value than r2, the resulting z product will
be positive; If r1 is a smaller value than r2, the resulting z product is negative (Salkind, 2007).
The Fisher’s R-To-Z transformation is depicted below:
z’ = .5[ln(1 + r) – ln(1 − r)]
(5)
Where ln is the natural log; z is the Fisher Z score; r is Pearson’s r derived from the
Pearson Product-Moment Correlation Coefficient formula (Salkind, 2007).
113
Table 10
Fisher’s R-to-Z Transformation Results
Pearson Correlation
Fisher’s Z Result
Question1 – Question2
.004
.004
Question1 – Question3
.171
.173
Question1 – Question4
.061
.061
Question1 – Question5
.051
0.51
Question1 – Question6
.132
.133
Question1 – Question7
-.092
-.092
Question2 – Question3
.206
.209
Question2 – Question4
-.165
-.167
Question2 – Question5
.001
.001
Question2 – Question6
.158
.159
Question2 – Question7
-.140
-.141
Question3 – Question4
.387
.408
Question3 – Question5
.389
.411
Question3 – Question6
.297
.306
Question3 – Question7
.057
.057
Question4 – Question5
.565
.64
Question4 – Question6
.122
.123
Question4 – Question7
.155
.156
Question5 – Question6
.114
.114
Question5 – Question7
.053
.053
Question6 – Question7
.015
.015
Note. This table displays correlation coefficients calculated using the Pearson Product-Moment
correlation coefficient formula results when applied to the Fisher’s R-to-Z transformation.
Coefficient of Determination. The Coefficient of Determination table was calculated
using results from the Product-Moment Correlation Coefficient results detailed in the previous
section. The results of the Coefficient of Determination analysis are displayed in Table 11 below.
The Coefficient of Determination “explains the amount of variance accounted for in the
114
relationship between two or more variables” (Salkind, 2018). Using this variable, the amount of
change in the independent variable of a correlation may be explained by the change in the
correlated value (Salkind, 2018).
Table 11
Coefficient of Determination Results
Question 1
Question
1
Question
2
Question
3
Question
4
Question
5
Question
6
Question
7
Question 2
Question 3
Question 4
Question 5
Question 6
Question 7
N/A
2.29044E-05
N/A
0.029179427 0.035618184
N/A
0.003572499 0.034548684
0.15017649
0.00256543
N/A
1.99367E-06 0.153825168 0.318971017
N/A
0.017131958 0.017459466 0.095729983 0.018544564 0.014398252
N/A
0.008409751 0.023407066 0.003427731 0.028006777 0.002695998 0.000523579
Note. This table displays the calculated Coefficient of Determination reflecting the results
of the survey. Estimation is based on Fisher’s r-to-z transformation.
Coefficient of Alienation. The Coefficient of Alienation table was calculated using the
results from the Product-Moment Correlation Coefficient results detailed in the previous section.
The Coefficient of Alienation is used to describe the amount of unexplained variance in a
bivariate correlation coefficient (Salkind, 2018). The results of the Coefficient of Alienation
analysis are displayed in Table 12 below.
N/A
115
Table 12 Coefficient of Alienation Results
Question 1
Question 2
Question 3
Question 1
N/A
Question 2
0.999977096
Question 3
0.970820573 0.964381816
N/A
Question 4
0.996427501 0.965451316
0.84982351
Question 5
Question 4
Question 5
Question 6
Question 7
N/A
N/A
0.99743457 0.999998006 0.846174832 0.681028983
N/A
Question 6
0.982868042 0.982540534 0.904270017 0.981455436 0.985601748
N/A
Question 7
0.991590249 0.976592934 0.996572269 0.971993223 0.997304002 0.999476421
Note. This table displays the calculated Coefficient of Alienation reflecting the results of the
survey. Estimation is based on Fisher’s r-to-z transformation.
Correlative Results
Years of Experience Correlated to Impact on CIA. The correlative results shown in
Table 10, Pearson Product-Moment Calculation Confidence Interval, reveals a slight correlation
between years of experience and response to questions regarding the impact on CIA of radio
frequency attacks on aerospace communication systems. This can be seen with the key results in
Table 13 below:
N/A
116
Table 13
Correlative Analysis: Years of Experience/CIA Impact
Pearson Product Correlation
Variable X
Question 1
Pearson Product Correlation
Variable Y
Question 3
Pearson Correlation
Question 1
Question 4
.061
Question 1
Question 5
.051
.171
Note. This table displays correlation between years of experience by industry professionals and
the CIA triad model.
The greater the positive correlation coefficient, the stronger the correlation between two
answers. In this case, Questions 1 and 3 reflect weak positive correlation between years of
experience and radio frequency attack impact on the Availability of aerospace communication
systems, representing that those with more experience are more likely to say that radio frequency
attacks have an impact on System Availability. Questions 1 and 4 reflect an insignificant
correlation between years of experience and radio frequency attacks on the Integrity of system
Data. Questions 1 and 5 reflect an insignificant correlation between years of experience and
radio frequency attacks on the Confidentiality of system data.
Denial-of-Service attacks include RF attacks which jam signals, impacting availability of
systems. As reviewed in Chapter 2, jamming is one of the greatest threats facing Aerospace
communication systems. The correlative data displayed in Table 13 above corresponds with this
threat vector. The results show that respondents view the availability of aerospace
communication systems as being impacted most by radio frequency attack vectors.
117
Years of Experience Correlated to Frequency of RF Attacks on Aerospace Systems.
The correlative results shown in Table 10, Pearson Product-Moment Calculation Confidence
Interval, identified a weak positive correlation between years of experience and the frequency of
suspected radio frequency on aerospace communication systems. This can be seen in the Pearson
Product-Moment Correlation Coefficient breakdown below:
Table 14
Correlative Analysis: Years of Experience/Frequency of RF Attack
Pearson Product Correlation
Variable X
Question 1
Pearson Product Correlation
Variable Y
Question 6
Pearson Correlation
.132
Note. This table displays the Pearson Product-Moment correlation coefficients between
experience of industry professionals and frequency of radio frequency attacks on Aerospace
communication systems.
As with the previous results, the greater the positive coefficient, the stronger the
correlation between the two answers. In this case, the frequency of RF attacks is deemed greater
among aerospace professions with significant experience in the field. Senior members of the
aerospace communication system community recognize that RF attacks occur on a frequent
basis. Figure 11 displays a graphical representation of the data. Interestingly, the number of
aerospace communication professions who selected radio frequency attacks “never” affect
aerospace systems was very low, with only 5 individuals stating that radio frequency attacks on
aerospace systems do not occur. Responses indicating no occurrence of radio frequency incidents
were distributed equally across experience groups.
118
During the literature review, it was revealed that CISA (2017) recognizes cybersecurity
attacks are decreasing in complexity and increasing in frequency. Concerningly, CISA (2017)
identified in the same report that the telecommunication industry, including aerospace
communications as vulnerable critical infrastructure. The correlative results of this study show
that radio frequency attacks are occurring, and those with more experience believe they occur
more frequently that their less-experienced counterparts.
Correlation of CIA Responses. The correlative results shown in Table 10, Pearson
Product-Moment Calculation Confidence Interval, identified a positive correlation between the
CIA triad pillars and respondent perception of the impact of radio frequency attacks on them.
This can be seen in the Pearson Product-Moment correlation coefficient breakdown below:
Table 15
Correlative Analysis: Correlation of CIA Model
Pearson Product Correlation
Variable X
Question 3
Pearson Product Correlation
Variable Y
Question 4
Pearson Correlation
Question 3
Question 5
.389
Question 4
Question 5
.565
.387
Note. This table displays the Pearson Product-Moment correlation coefficients results between
level of correlation between the CIA model and the frequency of radio frequency attacks on
radio frequency attacks.
As in previous results, the greater the positive coefficient, the stronger the correlation
between the two responses. Regarding table 15, questions 3 and 4 correlate participant responses
119
on the impact of radio-frequency attacks on availability of aerospace communication systems to
the impact of radio-frequency attacks on the integrity of data on aerospace communication
systems. Questions 3 and 5 correlate participant responses on impact of radio-frequency attacks
on availability of aerospace communication systems with the impact of radio-frequency attacks
on the confidentiality of data on aerospace communication systems. Questions 4 and 5 correlate
participant responses regarding impact of radio-frequency attacks on the integrity of aerospace
communication systems to impact of radio-frequency attacks on the confidentiality of data on
aerospace communication systems.
While all the Pearson Product-Moment correlation coefficients in this table were
significant, the correlations between question 4 (integrity) and question 5 (confidentiality) stood
out as being moderate. This data reflects participants view that radio frequency attacks have a
strong impact on the integrity and confidentiality of a system. Given the positive trend of the
correlative responses, it is apparent that aerospace professionals believe that radio frequency
attacks impact each domain of the CIA model, justifying the need for cybersecurity guidance and
strategy to respond to the radio frequency specific vulnerabilities.
Frequency of Radio Frequency Attacks Correlation to Industry Years of
Experience. The correlative results shown in Table 16, Correlative Analysis: Frequency of
Attacks and Years of Experience, identified a positive correlation between each of the CIA triad
pillars when compared to the rate of occurrence of radio frequency attacks. This can be seen in
the Pearson Product-Moment Pearson product-moment Correlation breakdown below:
120
Table 16
Correlative Analysis: Frequency of Attacks and Years of Experience
Pearson Product Correlation
Variable X
Question 3
Pearson Product Correlation
Variable Y
Question 6
Pearson Correlation
Question 4
Question 6
.122
Question 5
Question 6
.114
.297
Note. This table displays the Pearson Product-Moment correlation coefficients results between
the frequency of radio frequency attacks and the CIA triad.
As in previous results, the greater the positive coefficient, the stronger the correlation
between the two responses. Regarding Table 16, questions 3 and 6 correlate participant
responses on the impact of radio-frequency attacks on availability of aerospace communication
systems to the frequency of attacks on aerospace communication systems. A correlation of .297
indicates a weak correlation exists between the availability of aerospace communication systems
and the frequency of attacks. A weak correlation was also found between questions 5 and 6,
which indicates that respondents found a correlation between the confidentiality of aerospace
communication systems and the frequency of attacks.
Participant Opinion on Government Guidance.
Respondents with more experience were more likely to choose there is inadequate or no
government guidance and resources available. Of the individuals with 10 years or more of
experience, 44, 33%, indicate that there are inadequate or no resources available. Participants
with more than 10 years of experience were less likely to indicate that there was a good or very
121
good, number of resources available. Of the individuals with 10 years or more of experience, 31
respondents, 23%, indicated that there were good or very good resources available.
Respondents who had less experience were less likely to select that there are inadequate
or no government guidance and resources available. Of the individuals with less than 10 years of
experience, 24 respondents, or 18%, indicated that there are inadequate or no resources available.
Participants with less than 10 years of experience were more likely to indicate that there was a
good or very good, number of resources available. Of the individuals with less than 10 years of
experience, 21 respondents, or 16%, indicated that there were good or very good resources
available. This factor is largely inconclusive, but potential causes may be that it is either
attributed to experts with less experience having more recent training, or in the inverse case, that
those with more experience having an increased level of situational awareness regarding the gaps
in existing governance.
Chapter Summary
Chapter 4 presented details and results of a pilot study and subsequent corrections made
to the instrument to improve clarity and response rate. Sampling methodology and data
collection procedure were detailed. Limitations and assumptions impacting the study were noted.
Details of statistical analysis used to process the data to yield correlations were presented in
narrative and graphic form. Significant correlations were detailed.
Chapter 5 will cover the findings and recommendations of the data represented in this
chapter. Details regarding the impacts of the Chapter 1 assumptions will be highlighted, as well
as limitations of the survey instrument identified during the data collection period.
Recommendations for future research will be provided, as well as a final summary of the
research effort.
122
CHAPTER 5: FINDINGS AND RECOMMENDATIONS
In July 2002, the Department of Homeland Security published the National Strategy for
Homeland Security. It excluded the satellite industry from the list of critical infrastructure,
leaving large gaps in national policy for the protection of aerospace communication assets
(GAO, 2002). In 2015, the Department of Homeland Security published the Communications
Sector-Specific Plan (CSSP), which does name the aerospace industry as vital to the critical
infrastructure of the United States. In 2020, the first United States policy for comprehensive
cybersecurity of space systems, (SPD-5), was released (United States Space Force, 2020b). SPD5 addresses the growing need for cybersecurity on space systems.
The problem statement of this research was designed to address the growing need for
improved cybersecurity on aerospace communication systems, with specific emphasis on
concerns associated with radio frequency vulnerabilities to radio frequency attacks on critical
infrastructure assets, by collecting and analyzing data from industry experts. The ongoing lack of
cybersecurity practices designed to mitigate radio frequency vulnerabilities in aerospace systems
constitutes an unacceptable risk for systems providing critical services to a wide variety of
customers (National Security Strategy for Aviation Security of the United States of America,
2007).
The purpose of this research was to analyze industry views on existing radio frequency
and cybersecurity threats to provide evidence enabling federal policy makers to develop
guidelines ensuring aerospace communication systems are protected from radio frequency
attacks by performing a quantitative descriptive study. Quantitative research examines research
questions that are static and explore the relationship between two or more variables (Creswell &
Guetterman, 2018).
123
This study deployed a cross-sectional survey to collect data from industry professionals
regarding radio frequency cybersecurity threats on aerospace communication systems.
Specifically sought were views on the frequency of suspected or confirmed radio frequency
attacks, severity of radio frequency attacks, and applicability of existing cybersecurity policies to
provide policy makers a comprehensive understanding of the criticality of radio frequency attack
vectors in the aerospace communication domain.
Study Taxonomy
As stated by Yazdani, Shirvani. And Heidarpoor (2021), taxonomies are the fundamental
building blocks of information architecture used in research for knowledge management. In
scientific fields, knowledge is complex and requires detailed taxonomies to manage information.
The American philosopher John Dewey once defined knowledge as the acquisition of
information, truth, and facts (Dicker, 1972). This study’s research taxonomy was designed to
provide effective management of the information as the study progressed through each stage of
development.
This research used a research taxonomy to provide structure to the scientific method and
ensure that information was categorized in accordance with established research practices. In the
initial stages of this research effort, a research methodology map was developed detailing the
taxonomic research process for the study. The methodology was peer reviewed and approved by
the Academic Review Board and Institutional Review Board at Capitol Technology University.
Once approved, the study was conducted according to the methodology map to ensure research
best practices were followed.
The study taxonomy decomposed the study into 6 iterative phases. These steps included
research methodology, subject matter literature review, a pilot study, data collection, data
124
analysis, and reporting of results. The research methodology map and concomitant details are
included in Appendix B of this dissertation.
Limitations
Limitations are an inherited part of research processes (Salkind, 2017; Creswell &
Guetterman, 2018). They represent weaknesses in a research design which may result in bias
towards conclusions. It is therefore essential that a researcher communicate limitations, their
effect upon the research, and the steps taken to mitigate them so data being reported is correctly
represented (Ross & Zaidi, 2019).
This study identified several limitations in Chapter 1 which bore the potential to impact
the survey. The first of these limitations focused on a lack of accessible material. Due to the
classified nature of cybersecurity attacks on aerospace communication systems and critical
infrastructure, this survey was limited by the difficulty deriving publicly available data from
publications, reports, or guidance. Information specific to time, events, or systems in operation,
or details of current hardware systems in place is often considered classified since it can
compromise those systems. Systems and attack vectors in communication systems dependent
upon radio frequency technology are generally unclassified, however, mitigation methods and
existing vulnerabilities are considered sensitive.
This study was limited in size due to the strict requirements of the survey structure, which
required that participants have validated experience in the aerospace communication system
field). The survey population was sourced from closed, industry-specific groups on Facebook
and LinkedIn to identify prospective respondents. Limitations of those platforms reduced the
number of prospects reachable. To partially skirt this issue, survey instruments were
disseminated up to the permissible limit, 50 per day for Facebook, and 150 per day for LinkedIn.
125
Online survey instruments are known to have a lower response rate than other methods (Saleh &
Bista, 2017). This survey realized a response rate of 10.7% with a sample size of 133 participants
and a sample frame of 1,439 participants.
In Chapter 3, the methodology of the study was defined where which estimated a study
population of 8,109, a confidence level of 95%, and a margin of error of 6%, a sample of 259
participants would be required. Due to limitations of resources and time, the survey was
terminated upon reaching a sample of 133 complete responses with a total population of 1,439
participants. Using the sample same size formula consistent with what was used in Chapter 3,
this resulted in an updated confidence interval of 8% versus the intended 6% at a confidence
level of 95%.
Findings and Interpretations
The study provided insight into the current state of United States federal guidance
regarding the state and nature of cybersecurity in the aerospace domain. The literature review
revealed that aerospace system cybersecurity has little specialized guidance to address the unique
attack vectors associated with radio frequency attacks. In the last decade, the DHS, White House,
and associated entities have released numerous documents to characterize the vulnerabilities
facing Aerospace systems. The review revealed a lack of pertinent governance associated with
the protection of aerospace communication systems from radio frequency threats. While the
issue has been highlighted by entities such as the White House and CISA in recent years, little is
available on the implementation of the controls.
The quantitative descriptive cross-sectional survey collected data from industry experts in
effort to further characterize the impacts and frequency of radio frequency attacks on Aerospace
systems. This data expands on data publicly released by the United States government with
126
aerospace communication system industry opinion regarding the current state of aerospace
systems.
Impacts of Radio Frequency Attacks to the CIA of Aerospace Communication Systems
The research survey used the Confidentiality, Integrity, and Availability triad
cybersecurity classification model to measure subject matter export opinion on impact of radio
frequency signal attacks on aerospace communication systems. For each of the three domains of
the CIA model, participants were asked to reflect on their professional experience to provide a
measurement of the level of impact successful cybersecurity attacks have exploiting
vulnerabilities in operational systems. Participant responses showed that the majority of
respondents indicated that radio frequency attacks impact aerospace communication systems in
all three domains of the CIA triad model.
As discussed in Chapter 1I, radio frequency attacks are most often deployed using
spoofing and jamming. Attacks impacting data integrity involve the intentional modification of
data to result in misinformation, or an inability to establish communications. Interestingly,
respondent answers indicate that radio frequency attacks adversely impact aerospace
communication systems across all three areas of the CIA model.
During the literature review, the dominant attack vector for radio frequency attacks,
jamming, was explored. In an aerospace communication system context, jamming is the
intentional prevention of communications using radio frequency signals to saturate a specified
frequency by use of an emitter. Analogous attacks on traditional information systems are
deployed using denial-of-service attack called a Distributed Denial of Service (DdoS) attack,
which floods a network. In radio frequency communication systems, attackers flood a particular
frequency range with an emitter, preventing successful communication with the intended
127
recipient. In a DdoS attack, an attacker sends a flood of network traffic over a network
communication medium, preventing the appropriate messages from transmitting successfully.
In Chapter 2, predominant cybersecurity attack vectors, such as spoofing, on radio
frequency systems were discussed. A spoofing attack attempts to exploit vulnerabilities in a
system by fooling the victim into believing they are communicating with an intended party rather
than an attacker. This can deceive the target victim into revealing sensitive information or
causing them to act on incorrect information. This attack method has been present in both the
traditional information system domain and the Radio Frequency communication domain for
decades. The high prevalence of positive responses from respondents regarding confidentiality
attacks demonstrates the low level of effectiveness of current attack mitigation methods for
protecting operational systems.
While traditional information system security controls have been developed to mitigate
these threats (NIST, 2020), survey responses on questions surrounding the impact of
confidentiality attacks imply that level of protection does not currently exist on aerospace
communication systems. Furthermore, the positive correlation between attack frequency and
existing supporting policy revealed by participant responses suggests current policy is
inadequate. This adds force to the argument that the industry is ill-prepared to respond to threats
(Sayler, 2021). Additional research, guidance, and governance is needed from the United States
to provide aerospace communication system owners the tools they need to prepare, mitigate, and
respond to realized radio frequency centric attacks on their systems.
Survey results indicated that the majority of experts believed that radio frequency attacks
impacted each pillar of the CIA model. There was a moderate level of correlation between
experts with greater years of experience and impacts to system confidentiality, integrity, and
128
availability. Similarly, those who selected a higher frequency rate of radio frequency attacks
occurring indicated increased impact to each pillar of the CIA model.
Frequency of radio frequency Attacks on Aerospace Communication Systems
Question number 6 of the survey instrument measured subject matter opinion regarding
the frequency of radio frequency attacks. This question tied directly to the study’s research
questions, which set out to evaluate the prevalence of radio frequency attacks on Aerospace
Communication Systems. It is difficult to accurately measure perception of subject matter
experts regarding the frequency of an attack occurring, as the possibility exists that radio
frequency attacks were not identified or mischaracterized. This demonstrates the importance of
experience level of the professionals monitoring the communication capabilities, and the
importance of applying security controls which can detect abnormal signal characteristics.
The study results indicated a slightly positive correlation between years of experience and
reported frequency of radio frequency attacks on aerospace systems with a .132 Pearson
Correlation. The majority of respondents identified radio frequency attacks were prevalent
enough on today’s operational systems to be described as either expected or extremely likely. As
technology continues to become more accessible to threat actors, it is likely that the frequency of
attacks will only increase.
State of Current US Government Policy
The survey data of this study indicate that participants were divided regarding the current
level of United States governance on radio frequency attack vectors. Those with the most
experience indicated a perception that the current level of documentation was inadequate.
Inversely, participants with 5-10 years of experience indicated that cybersecurity controls were
adequate. This response could reflect changing perceptions of guidance as new professionals are
129
trained on the newly available resources within the past few years, while additional emphasis has
also been placed on the cybersecurity of critical infrastructure. This researcher interprets the data
as showing that the most experienced respondents, those with greater than 10 years of
experience, perceive a need for additional policy and guidance.
With the leap of quantum computing, advances in technologies among nation-state
attackers, and the simplification in attack methods to impact aerospace communication systems,
the defense of our nation’s critical infrastructure has never been more at risk. Cybersecurity
controls must now be developed to protect space systems which will be in service for many
years. Any lapses in policy now may damage critical infrastructure of the future. Aerospace
systems are a part of that critical infrastructure, having been recognized by CISA as one of the
key areas of concern in their 2017 report (CISA, 2017).
This research recommends that the United States government implement a top-down
approach, akin to the approach taken for traditional information system security. The guidance
and policies implemented by NIST 800-53R5 has served as a critical template for the nation’s
information systems. A similar approach is needed for aerospace critical infrastructure. However,
due to the dependency of traditional information systems, the complexity of domain-specific
technologies, and the high value impacts incurred in the case of disruption, domain-specific
guidance may be required.
Hypothesis Addressed
The hypothesis of this study was: radio frequency attack vectors pose a significant threat
to the operational capabilities of aerospace systems, and current federal cybersecurity policies
fail to protect aerospace communication systems from radio frequency attacks which align to
known cybersecurity threats. To address this hypothesis, seven variables were identified to
130
understand the impacts, frequency, and current state of policy regarding radio frequency
vulnerabilities on aerospace communication systems.
The first half of the hypothesis suggested that radio frequency attack vectors pose a
significant threat to the operational capabilities of aerospace systems. This hypothesis was
proven correct using the survey data collected from industry experts, which identified that radio
frequency attacks are not only common, but also impact each domain of the CIA model. The
second half of the hypothesis, which suggested that current federal cybersecurity policies fail to
protect aerospace communication systems from radio frequency attacks, was inconclusive when
analyzing the data. A large magnitude of data found during the literature review identified gaps
in the current state of aerospace communication system security guidance, however, survey data
from participants was split in responses. Further research is required to understand the variance
between responses.
The study’s research instrument, a cross-sectional survey administered through
SurveyMonkey, was designed to utilize survey questions as a means of collecting data to address
the research questions. In the subsequent sections of this chapter, each of the four research
questions are addressed in detail. Interpretations of the data presented in Chapter 4 are provided
for each of the research questions to address the study’s problem statement.
Research Questions Addressed
In Chapter 1, the research questions of this study were introduced. These research
questions were then framed into the study in Chapter 3, where the structure of the study was
defined, and the survey instrument was defined along with the survey questions. The research
questions for this study included:
131
1) Would the implementation of a national standard for the management of radio frequency
attacks contribute to the security of aerospace communication system missions?
2) How often do radio frequency attacks target aerospace systems?
3) What is the impact of radio frequency attacks on aerospace systems?
4) What is the relationship between radio frequency attacks and cybersecurity attacks
amongst aerospace communication systems?
Research Question 1. “Would the implementation of a national standard for the
management of radio frequency attacks contribute to the security of aerospace communication
system missions?” The first research question was directly tied to question 11 in the survey.
Question 11 asked participants to evaluate the current United States government resources and
guidance regarding the protection of aerospace communication systems from radio frequency
threats. To answer the question, a Likert scale offered participants one of five qualitative inputs;
unsure (no knowledge of relevant resources and guidance), none (there are no resources or
guidance which I can use to respond to an event; I am unsure if I am able to respond to an event),
good (there is a significant amount of resources and guidance which I can use to respond to an
event; I am somewhat prepared to respond to an event), and very good (there is an adequate
amount of resources and guidance; I am very prepared to respond to an event). The Likert scale
was chosen due to the correlational properties which can be derived between quantitative values
and the respondent’s qualitative answer. This study later used the quantitative values for
statistical data analysis Results from the survey were largely inconclusive, with half of
respondents indicating that there were existing adequate resources. The literature review
conflicted with this data, revealing that the United States as a whole is moving towards
addressing cybersecurity controls and guidance for aerospace systems.
132
Research Question 2. “How often do radio frequency attacks target aerospace systems?”
Figure 11, Years of Experience versus Frequency of RF Attacks on Aerospace Systems, illustrates
responses on frequency of radio frequency attacks on aerospace communication systems among
industry experts. A combination of the survey data gathered, and an analysis of the literature
review aided in answering this research question. In the literature review, it is apparent that radio
frequency attacks are a vulnerability which the United States government can no longer ignore as
dependency on space systems grow and attack methodologies simplify.
The study’s statistical analysis indicated a correlation between years of experience and
reported frequency of radio frequency attacks on aerospace systems with a .132 Pearson
Correlation. Most respondents identified that radio frequency attacks were prevalent enough on
today’s operational system to be described as either expected or extremely likely. The combined
results of the literature review and subject matter opinion makes it apparent that radio frequency
attacks are a common threat which adversaries are actively using to disable critical infrastructure
capabilities.
Research Question 3. “What is the impact of radio frequency attacks on aerospace
systems?” To provide an answer for research question three, several questions were included in
the survey instrument to collect data from industry experts. To address this research question
questions seven through nine were formulated offering participants to signify the level of impact
of radio frequency attacks on each domain of the CIA model. The answers for questions seven,
eight, and nine used a Likert scale allowing participants to select between five qualitative inputs;
None (no level of impact), Low (some level of impact; some capabilities are degraded),
Moderate (moderate level of impact; noticeable degradation of capabilities of a system), High
133
(high level of impact; significant impact to the capabilities of a system), and Severe (extremely
high level of impact; capabilities of a system are no longer possible to maintain).
Notably, very few participant responses indicated that there was no level of threat on
aerospace communication systems from radio frequency attacks for all three domains of the CIA
triad. Responses for availability trended upwards in impact more when compared with integrity
or confidentiality. Integrity provided an overall moderate level of impact while confidentiality
results indicated the lowest level of threat from radio frequency attack vectors. For all three of
the CIA-oriented questions, there was a significant positive Pearson correlative coefficient
between years of service and high impact, implying that the most experienced subject matter
experts believe that radio frequency-dependent aerospace systems are more at threat from
cybersecurity-oriented attacks.
Research Question 4. What is the relationship between radio frequency attacks and
cybersecurity attacks amongst aerospace communication systems? Research Question four was
addressed during the literature review of this dissertation. Chapter 2 reviewed the existing body
of knowledge to analyze existing cybersecurity policy, typically focused on traditional
information systems, to understand the characteristics of known attack methodologies. Notably,
the attacks identified in the literature review for traditional information systems, mirrored attacks
which exist in the radio frequency domain (NIST, 2021a).
Furthermore, there was significant research found for the proposal of the utilization of the
CIA model for the categorization of radio frequency attack vectors on aerospace communication
systems (NIST, 2021a). At the time of writing this dissertation, the United States National
Institute of Science and Technology has released the draft form of the publication, “Introduction
to Cybersecurity for Commercial Satellite Operations” (2021a). While only a subset of the
134
overall domain of aerospace communication systems, this publication focuses on the
cybersecurity of crewless space vehicles. The standard contents show clear intent by the United
States government to begin addressing long-awaited commercial sector need for security controls
tailored for space vehicles. Table 1 of the standard provides a mapping of radio frequency attack
vector to existing NIST 800-53R5 security controls (NIST, 2021a).
Recommendations for Future Research
The survey results of this quantitative study can be used by aerospace organizations to
better understand perceptions of radio frequency threats among industry professionals. The data
provides an internal perspective of the state of aerospace communication systems from the
standpoint of professionals who operate and respond to threats first-hand. Regardless of the
experience level of participant answering the survey tool, there was a significant response when
answering questions regarding the impacts of radio frequency attacks on the confidentiality,
integrity, and availability of aerospace systems.
This study identified that radio frequency based attacks are prevalent on aerospace
communication systems and result in significant impacts to the confidentiality, integrity, and
availability of the system. Further research may be done on the frequency of each specific
vulnerability within the CIA model, adding granularity by providing data on which types of
attack methods are most common. Furthermore, as guidance and defensive controls mature,
future researchers may choose to repeat this study to determine whether or not radio frequency
attacks reduce effectiveness as guidance and defensive controls mature.
The results and findings of this survey show that defensive cybersecurity controls are
lacking in the aerospace communication industry, revealing a gap in our nation’s ability to
protect critical infrastructure. 96 of 133 participants (72%) of this survey reported that radio
135
frequency attacks on aerospace systems were expected to occur. The results of the survey
reflected the historical overview detailed in Chapter 2; aerospace communication systems are
critically lacking in the necessary defenses to respond to a threat. Responses from participants
regarding the state of current guidance inconclusive and did not yield a significant correlation
between impact of attacks and state of available guidance. However, the significant impacts of
these incidents suggests that controls need to be implemented to mitigate the impact of attacks.
Using the data gathered from the historical overview and survey instrument, future
researchers may choose to use it as a basis for a cybersecurity framework to address Radio
Frequency vulnerabilities. A cybersecurity model blending traditional cybersecurity components
of an information system security model with a critical infrastructure security model would aid
industries such as aerospace in developing measures to identify or mitigate new threats.
The results of this study indicate that commercial and defense aerospace organizations
currently lack an adequate level of cybersecurity protective controls when compared to
traditional information systems. Cybersecurity models may be used in conjunction with the
development aerospace system cybersecurity controls in the areas of confidentiality, integrity,
and availability specifically designed to address the unique threats originating from radio
frequency attack vectors.
The historical overview section of this study categorized several types of radio-frequency
attack vectors for aerospace communication systems. The data gathered during the historical
overview, reinforced by the research study, can form a foundation for future research to
decompose the various types of radio-frequency attacks. Thorough characterization of the threat
types and modes may be used in conjunction with applied security controls to provide industry
users increased situational awareness when responding and mitigating threats.
136
Summary
In this chapter, the research questions which were defined in Chapter 1 were reviewed
and addressed. This researcher used the quantitative survey data to support data found in the
literature review and expanded upon the previous body of knowledge by reaching out to industry
experts to gather data on the impact, frequency, and severity of radio frequency attacks on
aerospace communication systems. This study found that industry experts consider radio
frequency attacks to be common, of high severity, and data from the results was largely
inconclusive when considering the current state of governmental guidance. The findings of this
study reinforce what was discussed in the literature review; the United States has a gap in its
defenses of critical infrastructure when confronting attacks stemming from radio frequency
attack vectors. Furthermore, findings indicate the problem is known, yet cybersecurity policies
are lagging when compared with other industries such as traditional information technology
system security. This research recommends that the government review the existing publications
and guidance for federal aerospace communication systems and address the flaws using a
combination of specialized security controls and models developed in conjunction with
commercial organizations, with emphasis on the implementation of protective controls. Further
research into the implementation of a security framework to address aerospace communication
system radio frequency vulnerabilities is a suggested avenue for future research.
REFERENCES
Aamodt, M., Brecher, E., Kutcher, E., & Bragger, J. (2006). Do structured interviews eliminate
bias? A meta-analytic comparison of structured and unstructured interviews. Paper
presented at the annual meeting of the Society for Industrial-Organizational Psychology,
Dallas Texas. Abstract retrieved from
137
https://www.researchgate.net/publication/308753199_Do_structured_interviews_eliminat
e_bias_A_meta-analytic_comparison_of_structured_and_unstructured_interviews
Adams, K., & Lawrence, E. (2018). Research Methods, Statistics, and Applications. New York,
NY: Sage Publications, Inc.
Akan, V., & Yazgan, E. (2020). Antennas for Space Applications: A Review, Advanced Radio
Frequency Antennas for Modern Communication and Medical Systems. In Advanced
Radio Frequency Antennas for Modern Communication and Medical Systems (pp. 139171). London, UK: IntechOpen
Altman, E. I. (1968). Financial ratios, discriminate analysis, and the prediction of corporate
bankruptcy. The Journal of Finance, 23(4), 589–609. doi:10.1111/j.15406261.1968.tb00843.x
Bailey, B., Speelman, R., Doshi, P., Cohen, N., & Wheeler, W. (2019). Defending Spacecraft in
the Cyber Domain. The Aerospace Corporation. Retrieved from The Aerospace
Corporation website: https://aerospace.org/sites/default/files/201911/Bailey_DefendingSpacecraft_11052019.pdf
Baird, M. A., USAF. (2013). Maintaining Space Situational Awareness and Taking It to the Next
Level. Air & Space Power Journal, 27(5), 50–72. Retrieved from Advanced
Technologies & Aerospace Collection; ProQuest Central. (1475073677)
Betz, J. W. (2020). Fundamentals of Satellite-Based Navigation and Timing. In Position,
Navigation, and Timing Technologies in the 21st Century (pp. 43–64). Hoboken, NJ:
John Wiley & Sons, Ltd. doi:10.1002/9781119458449.ch2
Berelson, B. (1952). Content analysis in communication research. (p. 220). New York, NY,
United States: Free Press.
138
Boell, S. K., & Cecez-Kecmanovic, D. (2015). What is an Information System? 2015 48th
Hawaii International Conference on System Sciences, 4959–4968.
doi:10.1109/HICSS.2015.587
Boudah, D. (2021). Conducting Educational Research: Guide to Completing a Major Project
(By pages 152-177). Thousand Oaks: SAGE Publications, Inc.
doi:10.4135/9781483349138
Brewer, M. B., & Crano, W. D. (2014). Research design and issues of validity. In H. T. Reis &
C. M. Judd (Eds.), Handbook of research methods in social and personality psychology
(pp. 11–26). Cambridge University Press.
Censor, D. (1973). The generalized doppler effect and applications. Journal of the Franklin
Institute, 295(2), 103–116. doi:10.1016/0016-0032(73)90222-6
Chambliss, D., & Schutt, R. (2016). Making Sense of the Social World: Methods of Investigation
(Fifth). Los Angeles, CA, USA: Sage. Retrieved from
https://digitalcommons.hamilton.edu/books/30/
Chicago Tribune. (1998). Satellite outage felt by millions. Retrieved from
https://www.chicagotribune.com/news/ct-xpm-1998-05-21-9805210138story.html+&cd=1&hl=en&ct=clnk&gl=us
Creswell, J. W., & Guetterman, T. C. (2019). Educational research: Planning, conducting, and
evaluating quantitative and qualitative research. Harlow, England: Pearson.
Creswell, J. W., & Poth, C. N. (2018). Qualitative inquiry & research design: Choosing among
five approaches. Thousand Oaks: SAGE Publications, Inc.
Cribbin, C. (2011). Citation chain aggregation: An interaction model to support citation cycling.
Paper presented at the 20th ACM Conference on Information and Knowledge, Glasgow,
139
United Kingdom. Abstract retrieved from
https://www.researchgate.net/publication/221615375_Citation_chain_aggregation_An_in
teraction_model_to_support_citation_cycling
Critical Infrastructure Security Agency. (2013). National Infrastructure Protection Plan (NIPP)
2013: Partnering for Critical Infrastructure Security and Resilience. Retrieved from
https://www.cisa.gov/publication/nipp-2013-partnering-critical-infrastructure-securityand-resilience
Critical Infrastructure Security Agency. (2015). Communications Sector-Specific Plan, An Annex
to the NIPP 2013. Retrieved from
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-communications-2015508.pdf
Critical Infrastructure Security Agency. (2016). Recommended Practice: Improving
Industrial Control System Cybersecurity with Defense-in-Depth Strategies. Retrieved
from https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICSCERT_Defense_in_Depth_2016_S508C.pdf
Critical Infrastructure Security Agency. (2017). Securing Cyber Assets: Addressing urgent Cyber
Threats to Critical Infrastructure. Retrieved 22 August 2021, from
https://www.cisa.gov/sites/default/files/publications/niac-securing-cyber-assets-finalreport-508.pdf
Critical Infrastructure Security Agency. (2020). Radio Frequency Interference Best Practices
Guidebook. Retrieved from https://www.cisa.gov/sites/default/files/publications/safecomncswic_rf_interference_best_practices_guidebook_2.7.20_-_final_508c.pdf
140
Danchik, R., & L. Lee, P. (1990). The navy navigation satellite system (TRANSIT). Johns
Hopkins PAPL Technical Digest, 11(1–2), 97–104.
Dave, G., Choudhary, G., Sihag, V., You, I., & Choo, K. (2021). Cyber Security Challenges in
Aviation Communication, Navigation, and Surveillance. Computers & Security, 102516.
doi: 10.1016/j.cose.2021.102516
Dawadi, S., Shrestha, S., & Giri, R. (2021). Mixed-Methods Research: A Discussion on its
Types, Challenges, and Criticisms. Journal of Studies in Education, 2, 25–36.
Defense Intelligence Agency ). (2019).Security in Space. Retrieved from
https://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Sp
ace_Threat_V14_020119_sm.pdf
Department of Defense. (2010). Electromagnetic Environmental Effetcs Requirements for
Systems. Retrieved from
https://www.dau.edu/cop/e3/Pages/Topics/Military%20Specifications%20and%20Standa
rds.aspx
Department of Defense. (2015). Requirements for the Control of Electromagnetic Interference
Characteristics of Subsystems and Equipment. Retrieved from
https://www.dau.edu/cop/e3/Pages/Topics/Military%20Specifications%20and%20Standa
rds.aspx
Department of Homeland Security. (2018). National security strategy for aviation security of the
United States of America. Retrieved from https://www.whitehouse.gov/wpcontent/uploads/2019/02/NSAS-Signed.pdf
Department of Homeland Security. (2013). Joint National Priorities for Critical Infrastructure
and Resilience. Retrieved from https://www.hsdl.org/?abstract&did=821736
141
Department of Homeland Security. (2018). U.S. Department of Homeland Security
Cybersecurity Strategy. Retrieved 17 May 2020, from
https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf
Dicker, G. (1972). John Dewey on the Object of Knowledge. Transactions of the Charles S.
Peirce Society, 8(3), 152–166.
Drummond, K. E., & Murphy-Reyes, A. (2018). Nutrition research: Concepts and applications.
Falco, G. (2020). When Satellites Attack: Satellite-to-Satellite Cyber Attack, Defense and
Resilience. Presented at the ASCEND, Online. doi:10.2514/6.2020-4014
Federal Aviation Administration. (2020). Spectrum Engineering & Policy -Radio Frequency
Bands Supporting Aviation. Retrieved from
https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/safe
ty_ops_support/spec_management/engineering_office/rfb.cfm
Federal Communications Commission. (2021). Radio Spectrum Allocation. Retrieved from
https://www.fcc.gov/engineering-technology/policy-and-rules-division/general/radiospectrum-allocation
Fink, A. (2013). How to conduct surveys: A step-by-step guide (5th ed.) Los Angeles: SAGE.
Foley, S. (2011). World War II Technology that Changed Warfare—Radar and Bombsights.
Academic Symposium of Undergraduate Scholarship. Retrieved from
https://scholarsarchive.jwu.edu/cgi/viewcontent.cgi?article=1011&context=ac_symposiu
m
Gomez, C. (2015). Cybersecurity of unmanned aircraft systems (UAS). Master’s Thesis.
Retrieved from ProQuest Dissertations & Theses Global; Publicly Available Content
Database (1750068515).
142
Gorvine, B., Rosengren, K., Stein, L., & Biolsi, K. (2018). Research methods: From theory to
practice.
Government Accountability Organization. (2002). Critical Infrastructure Protection:
Commercial Satellite Security Should Be More Fully Addressed. Retrieved from
https://www.govinfo.gov/content/pkg/GAOREPORTS-GAO-02781/html/GAOREPORTS-GAO-02-781.htm
Government Accountability Office (GAO). (2018). High Risk Series: Urgent Actions Are
Needed to Address Cybersecurity Challenges Facing the Nation. Retrieved 22 April
2020, from https://www.gao.gov/assets/700/693405.pdf
Government Accountability Organization. (2020a). Aviation Cybersecurity: FAA Should Fully
Implement Key Practices to Strengthen Its Oversight of Avionics Risks. Retrieved from
https://www.gao.gov/products/gao-21-86Government Accountability Office. (2020b).
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks.
Retrieved from https://www.gao.gov/assets/gao-21-86.pdf
Grace, D., Daly, N.E., Tozer, T.C., Burr, A.G. and Pearce, D.A.J. (2001), Providing multimedia
communications services from high altitude platforms. Int. J. Satell. Commun., 19: 559580. doi:10.1002/sat.698
Hitchens, T., “Cyber Attack Most Likely Space Threat: Maj. Gen. Whiting,”
BreakingDefense.com, 2020.
International Telecommunications Union (ITU). (2017). Terms and definitions. Retrieved from
https://life.itu.int/radioclub/rr/frr.htm
International Telecommunications Union (ITU). (2020). Radio Regulations. Retrieved from
https://www.itu.int/pub/R-REG-RR-2020
143
Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J., & Lachapelle, G. (2012). GPS Vulnerability
to Spoofing Threats and a Review of Antispoofing Techniques. International Journal of
Navigation and Observation, 2012, 127072. doi:10.1155/2012/127072
Jason, Z., Zhang, K., Grenfell, R., & Deakin, R. (2006). Short Note: On the Relativistic Doppler
Effect for Precise Velocity Determination using GPS. Journal of Geodesy, 80, 104–110.
doi:10.1007/s00190-006-0038-8
Javaid, A. Y. (2015). Cyber Security Threat Analysis and Attack Simulation for Unmanned
Aerial Vehicle Network (Doctoral Dissertation). Retrieved from ProQuest Dissertations &
Theses Global (1840157048).
Johnson-Roth, G., Chaudhri, G., & Tosney, W. (2016). Ground Segment Systems Engineering
Handbook (Technical Report No. AD1067478). Retrieved from
https://apps.dtic.mil/sti/citations/AD1067478Joint Chief of Staff. (2018a). Cyberspace
Operations. Retrieved from
https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf
Joint Chief of Staff. (2018b). Space Operations. Retrieved from
https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_14ch1.pdf?ver=qmkgYPy
KBvsIZyrnswSMCg%3D%3D
Kepchar, K. (2016). CYBERSECURITY & CRITICAL INFRASTRUCTURE - ARE WE
MISSING THE OBVIOUS? INSIGHT, 19, 54–58. doi:10.1002/inst.12129
Kodheli, O., Lagunas, E., Maturo, N., Sharma, S. K., Shankar, B., Montoya, J. F. M., …
Goussetis, G. (2021). Satellite Communications in the New Space Era: A Survey and
Future Challenges. IEEE Communications Surveys and Tutorials, 23(1), 70–109.
doi:10.1109/COMST.2020.3028247
144
Kolbe, R. H., & Burnett, M. S. (1991). Content-analysis research: An examination of
applications with directives for improving research reliability and objectivity. Journal of
Consumer Research, 18(2), 243–250. doi:10.1086/209256
Kost, R. G., & de Rosa, J. C. (2018). Impact of survey length and compensation on validity,
reliability, and sample characteristics for Ultrashort-, Short-, and Long-Research
Participant Perception Surveys. Journal of Clinical and Translational Science, 2(1), 31–
37. PubMed (30393572). doi:10.1017/cts.2018.18
Likert, R. (1932). A technique for the measurement of attitudes. Archives of Psychology, 22 140,
55–55.
Scott, L. (2021). "Interference," in Position, Navigation, and Timing Technologies in the 21st
Century: Integrated Satellite Navigation, Sensor Systems, and Civil Applications, IEEE,
2021, pp.619-653, doi: 10.1002/9781119458449.ch24.
Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2018). Smart Airport Cybersecurity: Threat
Mitigation and Cyber Resilience Controls. Sensors (Basel, Switzerland), 19(1), 19.
doi:10.3390/s19010019
Mai, Thuy. (2017). Global Positioning System History. Retrieved from
https://www.nasa.gov/directorates/heo/scan/communications/policy/GPS_History.html
Manning, C. (2021) What are radio waves? Retrieved from
https://www.nasa.gov/directorates/heo/scan/communications/outreach/funfacts/what_are_
radio_waves
Manulis, M., Bridges, C. P., Harrison, R., Sekar, V., & Davis, A. (2021). Cyber security in New
Space. International Journal of Information Security, 20(3), 287–311.
doi:10.1007/s10207-020-00503-w
145
McGee, W. (2021). Improve Cybersecurity for Information System Defense. Spotlight on the
Coast Guard, 147. United States Naval Institute. Retrieved from
https://www.usni.org/magazines/proceedings/2021/august/improve-cybersecurityinformation-system-defense
MITRE. (2021). Radio Frequency Spectrum Management. Retrieved from
https://www.mitre.org/publications/systems-engineering-guide/enterpriseengineering/enterprise-technology-information-and-infrastructure/radio-frequencyspectrum-management#
Morton, T. (2019). LINGUISTS GET THEIR WINGS. Air Power History, 66(3), 21–28.
JSTOR. doi:10.2307/26802350
Myers, M. (2000). Qualitative Research and the Generalizability Question: Standing Firm with
Proteus. The Qualitative Report, 4(3), -. doi:10.46743/2160-3715/2000.2925
Nadeem, K., Awan, S., Leitgeb, M., & Kandus, G. (2009). Weather effects on hybrid FSO/RF
communication link. IEEE Journal on Selected Areas in Communications, 27(9), 1687–
1697. doi:10.1109/JSAC.2009.091218
National Academies of Sciences, Engineering and Medicine. (2015). A Strategy for Active
Remote Sensing Amid Increased Demand for Radio Spectrum. Washington, DC: The
National Academies Press.
National Aeronautics and Space Administration (NASA). (1965). Dictionary of Technical Terms
for Aerospace Use. Retrieved May 20, 2020, from https://er.jsc.nasa.gov/seh/a.html
National Aeronautics and Space Administration. (2016). Retrieved 13 December 2020, from
https://www.nasa.gov/sites/default/files/atoms/files/spectrum_101.pdf
146
National Aeronautics and Space Administration. (2021). Communications. Retrieved from
https://www.nasa.gov/smallsat-institute/sst-soa/communications#9.4.1
National Air and Space Intelligence Center. (2018). Competing in Space. page 18. Retrieved
from https://media.defense.gov/2019/Jan/16/2002080386/-1/-1/1/190115-F-NV7110002.PDF.
National Institute of Science and Technology (NIST). 2019. Economic Benefits of the Global
Positioning System (GPS). Retrieved from
https://www.nist.gov/system/files/documents/2020/02/06/gps_finalreport618.pdf
National Institute of Science and Technology. (2020). Security and Privacy Controls for
Federal Information Systems and Organizations. Retrieved from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53R5.pdf
National Institute of Science and Technology. (2021a). Draft NISTIR 8270: Introduction to
Cybersecurity for Commercial Satellite Operations. Retrieved from
https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8270-draft.pdf
National Institute of Science and Technology. (2021b). Information technology (IT). Retrieved
from https://csrc.nist.gov/glossary/term/information_technology
National Telecommunications and Information Administration. (2000). Radars and the
Electromagnetic Spectrum. Retrieved from
https://www.ntia.doc.gov/legacy/osmhome/reports/ntia00-40/chapt3.htm
Nichols, R., Mumm, H., Lonstein, W., Ryan, J., Carter, C., & Hood, J.-P. (2019). Unmanned
Aircraft Systems (UAS) in the Cyber Domain (2nd ed.). Manhattan: New Prairie Press.
Retrieved from https://newprairiepress.org/ebooks/27/
147
Neipp, C., Hernández, A., Rodes-Roca, J., Márquez, A., Beléndez, T., & Beléndez, A. (2003).
An analysis of the classical Doppler effect. European Journal of Physics, 24, 497.
doi:10.1088/0143-0807/24/5/306
Neuendorf, K. (2017). The content analysis guidebook (Second ed.). SAGE Publications, Inc
doi:10.4135/9781071802878
Patino, C. M., & Ferreira, J. C. (2018). Internal and external validity: can you apply research
study results to your patients? Jornal brasileiro de pneumologia : publicacao oficial da
Sociedade Brasileira de Pneumologia e Tisilogia, 44(3), 183. doi:10.1590/S180637562018000000164
Patten, M. L., & Newhart, M. (2018). Understanding research methods: An overview of the
essentials (10th ed.). New York, NY: Routledge.
Petersen, K., & Gencel, C. (2013). Worldviews, Research Methods, and their Relationship to
Validity in Empirical Software Engineering Research. 2013 Joint Conference of the 23rd
International Workshop on Software Measurement and the 8th International Conference
on Software Process and Product Measurement, 81–89.
Perez, R. (2019). Handbook of aerospace electromagnetic compatibility. Piscataway, NJ: IEEE
Press. Retrieved from
https://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&
AN=1985323
Pinto, A., Zeidner, L., Khire, R., Banaszuk, A., & Reeve, H. (2010). Design System for
Managing Complexity in Aerospace Systems. Retrieved 31 October 2021, from
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.458.4424&rep=rep1&type=pd
f
148
Price, A. 2005. Instruments of Darkness: The History of Electronic Warfare, 1939-1945.
Greenhill. Ragland, E.L. (1962) "A Common System Approach to Aviation Data
Communications," in IRE Transactions on Aerospace and Navigational Electronics, vol.
ANE-9, no. 2, pp. 91-99, June 1962, doi: 10.1109/TANE3.1962.4201855.
Price, A. (1989). The History of US Electronic Warfare: “The renaissance years, 1946 to 1964.”
Association of Old Crows. Retrieved from
https://books.google.com/books?id=77kMAQAAIAAJ
Quisquater, J., & David, S. (2005). Electromagnetic Attack. In H. C. A. van Tilborg (Ed.),
Encyclopedia of Cryptography and Security (pp. 170–174). Boston, MA: Springer US.
doi:10.1007/0-387-23483-7_120
Riahi Manesh, M., & Kaabouch, N. (2017). Analysis of vulnerabilities, attacks, countermeasures
and overall risk of the Automatic Dependent Surveillance-Broadcast (ADS-B) system.
International Journal of Critical Infrastructure Protection, 19(C), 16–31.
doi:10.1016/j.ijcip.2017.10.0
Regmi, P. R., Waithaka, E., Paudyal, A., Simkhada, P., & van Teijlingen, E. (2016). Guide to the
design and application of online questionnaire surveys. Nepal journal of
epidemiology, 6(4), 640–644. doi:10.3126/nje.v6i4.17258
Robinson, J. (2014). Likert Scale. In A. C. Michalos (Ed.), Encyclopedia of Quality of Life and
Well-Being Research (pp. 3620–3621). Dordrecht: Springer Netherlands.
doi:10.1007/978-94-007-0753-5_1654
Ross, P. T., & Bibler Zaidi, N. L. (2019). Limited by our limitations. Perspectives on medical
education, 8(4), 261–264. doi:10.1007/s40037-019-00530-x
149
Ruel, E., Wagner, W., & Gillespie, B. (2015). The practice of survey research: Theory and
applications (1st ed.). Thousand Oaks, CA: SAGE Publications.
Ryan, T. P. (2013). Sample size determination and power (1st ed.). Hoboken, NJ: John Wiley &
Sons, Ltd. Retrieved from http://onlinelibrary.wiley.com/book/10.1002/9781118439241
Sacchi, C., Jamalipour, A., Ruiggieri, M. (2011). Aerospace Communications and Networking
in the Next Two Decades: Current Trends and Future Perspectives [Scanning the Issue].
Proceedings of the Institute of Electrical and Electronics Engineers, USA, 99, 18351839. doi:10.1109/JPROC.2011.2165761
Sagdeev, R. (2009). The slow slide towards a new battlefield? Nature, 460(7253), 326–327.
doi:10.1038/460326a
Saleh, A., & Bista, K. (2017). Examining Factors Impacting Online Survey Response Rates in
Educational Research: Perceptions of Graduate Students. Journal of MultiDisciplinary
Evaluation, 13(29), 63–74.
Salkind, N. (2007). Encyclopedia of Measurement and Statistics (Vols. 1–0). Thousand Oaks,
CA: SAGE Publications, Inc. Retrieved from
https://methods.sagepub.com/reference/encyclopedia-of-measurement-and-statistics
Salkind, N. (2021). Encyclopedia of Research Design. Thousand Oaks, California: SAGE
Publications, Inc. doi:10.4135/9781412961288
Salkind, N. J., ,. (2018). Exploring research (9th ed.). Harlow, England: Pearson.
Sarkar, S., Banerjee, P., & Bose, A. (2018). A Review of 36 Years of GLONASS Service from
India. Gyroscopy and Navigation, 9(4), 301–313. doi:10.1134/S2075108718040065
Satellite Group. (n.d.). About [LinkedIn Page]. LinkedIn. Retrieved 1 October 2021, from
https://www.linkedin.com/groups/56469/
150
Sayler, K. (2021). Emerging Military Technologies: Background and Issues for Congress (p.
37). Congressional Research Service. Retrieved from Congressional Research Service
website: https://sgp.fas.org/crs/natsec/R46458.pdf
Schober, P., Boer, C., & Schwarte, L. A. (2018). Correlation Coefficients: Appropriate Use and
Interpretation. Anesthesia and analgesia, 126(5), 1763–1768.
doi:10.1213/ANE.0000000000002864
Secure Wireless Agile Networks (2021) Radio Frequency Vulnerabilities. Retrieved from
https://cpb-euw2.wpmucdn.com/blogs.bristol.ac.uk/dist/6/635/files/2021/05/SWANWH2.pdf
Shing, LeeHur., Astacio, Jessica, Figuera, Alejandro, Shing, Chen-Chi. (2015). Vulnerabilities of
radio frequencies. 2015 12th International Conference on Fuzzy Systems and Knowledge
Discovery (FSKD), 2682–2686. doi:10.1109/FSKD.2015.7382381
Simpson, J. (2000). Guiding Satellites. Johns Hopkins Magazine. Retrieved from
https://pages.jh.edu/jhumag/0400web/04.html
Spencer, D. (2018). The Unmanned Aerial Systems (UASs) Industry and the Business Impacts of
the Evolution of the Federal Regulatory Environment (Dissertation, University of South
Florida). University of South Florida, Florida. Retrieved from
https://digitalcommons.usf.edu/cgi/viewcontent.cgi?article=8773&context=etd
Stacey, D. (2008). Aeronautical Radio Communication Systems and Networks. Hoboken, NJ:
John Wiley & Sons, Ltd.
Strauss, A. L., & Corbin, J. M. (2014). Basics of qualitative research: Techniques and
procedures for developing grounded theory. Thousand Oaks: Sage Publications.
151
Theofanidis, D, & Fountouki, A. (2019). Limitations And Delimitations In The Research
Process. Perioperative nursing (GORNA), E-ISSN:2241-3634, 7(3), 155–162.
doi:10.5281/zenodo.2552022
Tomsic, J. L. & Eastlake, C. N. (1998). SAE Dictionary of Aerospace Engineering. Society of
Automotive Engineers. Retrieved from
https://books.google.com/books?id=3Z5TAAAAMAAJ
Ukwandu, E., Farah, M. A. B., Hindy, H., Bures, M., Atkinson, R., Tachtatzis, C., & Bellekens,
X. (2021). Cyber-Security Challenges in Aviation Industry: A Review of Current and
Future Trends.
Unal, B. (2019). Cybersecurity of NATO’s Space-based Strategic Assets. Retrieved from
https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf
United States Army. (2021). FM 3-12: Cyberspace Operations and Electromagnetic Warfare.
Retrieved from https://irp.fas.org/doddir/army/fm3-12.pdf
United States Military SATCOM. (n.d.). About [Facebook Page]. Facebook. Retrieved 1 October
2021, from https://www.facebook.com/groups/USMIL.SATCOM
United States Space Force. (2020a). Space Capstone Publication: Spacepower Doctrine for
Space Forces. Retrieved from
https://www.spaceforce.mil/Portals/1/Space%20Capstone%20Publication_10%20Aug%2
02020.pdf
United States Space Force. (2020b). Memorandum on Space Policy Directive-5—Cybersecurity
Principles for Space Systems. https://history.nasa.gov/SPD-5.pdf
United States Space Force. (2021). United States Space Force History. Retrieved from
https://www.spaceforce.mil/About-Us/About-Space-Force/History/
152
Velkovsky, P., Mohan, J., & Simon, M. (2019). Satellite Jamming. Retrieved from
https://ontheradar.csis.org/issue-briefs/satellite-jamming/
Wang, G., Wei, S., Chen, G., Tian, X., Pham, K., & Shen, D.. (2016). Cybersecurity with radio
frequency interferences mitigation study for satellite systems. In Sensors and Systems for
Space Applications IX, Baltimore, MD: SPIE Defense + Security. Retrieved from
https://www.researchgate.net/publication/303324074_Cyber_security_with_radio_freque
ncy_interferences_mitigation_study_for_satellite_systems
Westbrook, T. (2019). The Global Positioning System and Military Jamming: The geographies
of electronic warfare. Journal of Strategic Security, 12(2), 1–16. doi:10.5038/19440472.12.2.1720
White House. (2010). National Space Policy of the United States of America. Retrieved from
https://obamawhitehouse.archives.gov/sites/default/files/national_space_policy_6-2810.pdf
White House. (2013). Presidential Policy Directive -- Critical Infrastructure Security and
Resilience. Retrieved from https://obamawhitehouse.archives.gov/the-pressoffice/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
White House. (2018). National Cyber Strategy of the United States of America. Retrieved from
https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-CyberStrategy.pdf
White House. (2020). National Space Policy of the United States of America. Retrieved from
https://trumpwhitehouse.archives.gov/wp-content/uploads/2020/12/National-SpacePolicy.pdf
153
Yaacoub, J. P., Noura, H., Salman, O., & Chehab, A. (2020). Security analysis of drones
systems: Attacks, limitations, and recommendations. Internet of Things, 11, 100218.
doi:10.1016/j.iot.2020.100218
Yazdani, S., A. Shirvani, and P. Heidarpoor. (2021). A Model for the Taxonomy of Research
Studies: A Practical Guide to Knowledge Production and Knowledge Management.
Archives of Pediatric Infectious Diseases In Press(In Press):e112456. doi:
10.5812/pedinfect.112456.
154
APPENDIX A: LITERATURE REVIEW SEARCH
Peer Reviewed
Works Reviewed
Key Word Search
Germinal
Works
Reviewed
Books
Reviewed
Studies
Reviewed
Research Methodology
Quantitative Analysis
9
9
5
9
Qualitative Analysis
6
2
2
3
12
5
3
13
radio frequency Methods
32
7
4
2
Cybersecurity Methods
27
8
2
4
Aviation
29
12
7
13
Space
16
5
4
9
Unmanned Aerial Vehicles
14
2
5
8
US Federal Policy
26
0
3
13
Industry
23
0
0
11
194
50
35
85
Survey Research Design
RF Threat Analysis
Aerospace System Communication
Policy/Guidance
Total Documents Reviewed (364)
155
APPENDIX B: RESEARCH METHODOLOGY MAP
•
•
•
•
Quantitative Descriptive Study Research
Identify types of radio frequency attack vectors and define their
relationship to Cybersecurity
Contribute to body of knowledge in regard to RF attack vectors on
Aerospace Systems
Literature Review
Review seminal and significant peer-reviewed literature in the Aerospace
Communication Systems field.
Contribute to the quality of the quantitative research analysis by
providing a foundation for research
•
•
•
Pilot Study
Conduct pilot study to ensure validity of survey
Collect measurement data and participant feedback for improvements
Adjust survey questions and process as appropriate
•
•
•
Data Collection
Use online survey tool as the research instrument to collect data
Disperse survey to study population
Use design outlined in Chapter 3 to ensure data is collected in accordance
with IRB approval.
•
•
Data Analysis
Review results of survey from data collection instrument
Apply Pearson coefficient and generate correlational measurements
•
•
•
•
Interpret Data and Report Results
Interpret survey results and measurements
Discuss potential meaning of any correlation or results
Determine final recommendations and recommend future research
Submit final Dissertation to Capitol Technology University
156
APPENDIX C: PARTICIPANT CONSENT FORM
Participant Consent Form
Thank you for participating in this survey. This survey is part of a research study which
will measure aerospace system expert opinion on the effectivity of cybersecurity methodologies
designed to protect aerospace assets from radio frequency attack vectors. This study will
examine specific areas of cybersecurity methodologies and radio frequency characteristics to
determine potential high-impact domains.
Your informed consent is requested to participant in this survey as part of a research
study for a doctoral program at Capitol Technology University. The Principal Researcher of this
study is Nicholas S. Bradshaw (nsbradshaw@captechu.edu). This survey is not affiliated with
and has not received any funds from a federal or commercial entity.
Please read the entire introduction so you understand the purpose and use of your
answers. When ready to see the survey questions, click the NEXT button at the bottom of the
page. You can submit your answers at any time, today or later, but you must do so in a single
session. The web site will not remember you, so you cannot start answering, leave the site, and
return later to finish. Please complete the survey only one time.
This survey is for any adult (18 or older) who has experience as a technician, operator,
engineer, or professional utilizing an aerospace communication system with radio frequency
applications. Examples of aerospace communication systems include Satellite Communications
(SATCOM), Unmanned Aerial Vehicles (UAVs), Satellite Telemetry and Control Systems,
Line-of-Sight Aerospace Communication Systems, Aviation Communications Support Systems,
and related support systems.
157
If you are a minor (under 18 years of age) or considered to be in a protected group
(prisoner, pregnant woman, or a child), you are asked to not participate in this survey.
Participation in this study is completely voluntary. You are not required to participate in this
survey. All survey records and data will be kept strictly confidentially. There is no personal data
collection taken with this survey.
There is no payment or reward for taking this survey. There is no penalty for not taking
or not finishing the survey. This survey has been designed to be completed in 10-15 minutes. The
survey will be completed once you have answered all questions in the included questionnaire.
This survey is anonymous. While it is not possible to guarantee full anonymity on the
Internet, the researcher has taken steps to protect your identity while taking part in the survey.
You will not be required to log in or identify yourself throughout the completion of this survey.
The survey begins with a few questions to confirm you understand and agree to the terms of the
survey. Please ensure that you are within the correct group for the study. The survey will ask you
to identify what your domain of aerospace system expertise is in, as well as your level of
experience. When the survey period has elapsed, the researcher will save all completed survey
responses offline. However, the research will not save any identifiable information such as your
Internet (IP) address which could be used to identify you. No one will be authorized to contact
you in any way for follow-up questions or additional information. The researcher has configured
this survey tool to not collect the address of your computer. The research will have no
identifiable record of who took the survey. All data gathered will be deleted no longer than one
month after completion of this study.
Risks and Benefits of Participating
158
You will have no significant risk by taking this survey. No one can share your answers
with any employers, supervisors, or managers. No one, including the researcher, will know who
you are, where you are, what your job is, or where you work. The questions within this survey
are designed to be general in nature. Please do not detail existing vulnerabilities on systems
(defense or commercial). These questions are opinion oriented, and do not ask to reflect the
status of operational systems.
During the duration of this survey, if you experience sensitivity to the survey instrument,
please cease participation immediately. If you experience any symptoms of fatigue, you are
asked to take a break and continue the survey at a later time.
By completing this survey, you may benefit personally when considering cybersecurity
implications of radio frequency attacks on Aerospace assets. The intent of this study is to
improve how radio frequency attack vectors are handled on Aerospace systems. The results of
this study may be used to improve the standardization of security practices on Aerospace
communication systems which utilize radio frequency technology.
For any questions regarding SurveyMonkey’s privacy policy, information can be
provided at: https://www.surveymonkey.com/mp/legal/privacy/
159
APPENDIX D: RESEARCH INSTRUMENT
Survey Questions
1. Have you read the introduction explaining the purpose, use, and privacy protections
involved?
a. Yes
b. No
2. Do you agree that you are taking part in this survey voluntarily, with no expectation of
reward or payment, and no penalty for not participating?
a. Yes
b. No
3. Are you at least 18 years old?
a. Yes
b. No
4. Do you have experience working with aerospace communication systems which utilize
radio frequency technology?
a. Yes
b. No
5. How many years of experience do you have working with aerospace communication
systems?
a. 0-5 years
b. 6-10 years
c. 10-15 years
d. 16+ years
e. No experience
6. Please select the type of aerospace communication system you have experience with. If
you have experience with multiple types of aerospace communication systems, select the
answer which corresponds with your greatest amount of experience (in years).
a. Satellite Communications/Satellite Control
b. Unmanned Aerial Vehicles
c. Line-of-Sight Aerospace Communication Systems
d. Aviation Communications Systems
e. Other
7. What level of impact do radio frequency attacks have regarding the availability of
aerospace communication systems?
For this question, “Impact” is defined as a degradation in the capabilities of the aerospace
communication system. “Availability” is defined as the reliability of access to data
communicating to/from the aerospace communication system.
160
a. None (no level of impact)
b. Low (some level of impact; some capabilities are degraded)
c. Moderate (moderate level of impact; noticeable degradation of capabilities of a
system)
d. High (high level of impact; significant impact to the capabilities of a system)
e. Severe (extremely high level of impact; capabilities of a system are no longer
possible to maintain)
8. What level of impact do radio frequency attacks have regarding the integrity of data on
aerospace communication systems?
For this question, “Impact” is defined as a degradation in the capabilities of the aerospace
communication system. “Integrity” is defined as the consistency and accuracy of data
communicating to/from the aerospace communication system.
a. None (no level of impact)
b. Low (some level of impact; some capabilities are degraded)
c. Moderate (moderate level of impact; noticeable degradation of capabilities of a
system)
d. High (high level of impact; significant impact to the capabilities of a system)
e. Severe (extremely high level of impact; capabilities of a system are no longer
possible to maintain)
9. What level of impact do radio frequency attacks have regarding the confidentiality of
data on aerospace communication systems?
For this question, “Impact” is defined as a degradation in the capabilities of the aerospace
communication system. “Confidentiality” is defined as the assurance that data being
communicated is only accessible by authorized parties.
a. None (no level of impact)
b. Low (some level of impact; some capabilities are degraded)
c. Moderate (moderate level of impact; noticeable degradation of capabilities of a
system)
d. High (high level of impact; significant impact to the capabilities of a system)
e. Severe (extremely high level of impact; capabilities of a system are no longer
possible to maintain)
10. Regarding Aerospace systems, what is the frequency of radio frequency attacks on
aerospace communication systems?
For this question, “Frequency” is defined as the rate of occurrence that an event will take
place.
a. None (incidents have never occurred)
b. Rare (incidents are unlikely to occur)
c. Common (incidents are expected to occur)
d. Very Common (incidents will almost always occur)
161
11. In your opinion, how would you rate current United States government resources and
guidance regarding the protection of aerospace communication systems from radio
frequency threats?
a. Unsure (no knowledge of relevant resources and guidance)
b. None (there are no resources or guidance which I can use to respond to an event; I
am unprepared to respond to an event)
c. Inadequate (there is not enough resources and guidance which I can use to
respond to an event; I am unsure if I am able to respond to an event)
d. Good (there is a significant amount of resources and guidance which I can use to
respond to an event; I am somewhat prepared to respond to an event)
e. Very Good (there is an adequate amount of resource and guidance; I am very
prepared to respond to an event)