LONDON: Airline bosses ignore cyber security concerns at their peril, and must ensure that thorough mitigation plans are in place to deal with potential hacking of their systems, as aircraft move ever closer to becoming fully e-enabled.
This was the warning given to the industry by Boeing’s chief engineer cabin and network solutions, John Craig, during Aircraft Commerce magazine’s recent Aircraft e-Enablement conference in London.
With inflight connectivity suppliers “coming out of the woodwork” offering various different solutions and “talking about bringing operational data over Ku and Ka pipes”, an airline chief executive “has to understand the risk to their company” posed by cyber security threats, says Craig.
Pointing to recent high-profile hacking incidents at US-based retail giants Home Depot and Target, Craig warned that “people are starting to look at aviation now”. Aside from the potential for the hacking of software systems, airlines need to be “ever vigilant” of malicious use of social media, says Craig. As an example he highlights a case earlier this year in which hoax bomb threats were sent to American Airlines via its Twitter page.
The key difference between safety and cyber security is that when an aviation safety incident occurs, “the authorities come in and a report is published” which reduces the risk of similar incidents happening in the future, whereas with cyber security the goal posts are constantly shifting.
“You may fix something but it may not stay fixed,” notes Craig, likening staying on top of cyber security threats to “flying through the mountains, but the mountains are moving”.
“The aviation system is extremely complex and there are lots of areas to address when it comes to cyber security,” he adds. Craig’s advice to airline chiefs is to ensure that they understand their entire systems, put in place incident response plans, develop a “security culture”, and develop and incorporate “advanced security features”.
To help with this, a newly-formed aviation ISAC (Information Sharing and Analysis Center) was incorporated last month. ISAC provides “comprehensive sector analysis which is shared within the sector, with other sectors and with government”, according to the National Council of ISACs website. They provide services such as risk mitigation, incident response and information sharing.
“We’re spending time with the financial services folks and trying to learn from them,” says Craig, adding that Boeing is keen to “take this [ISAC] international”.