April 13, 2016

The future of your flight operation may depend on your ability to secure flight manifests, as well as destination and point-of-origin information, according to a leading cybersecurity expert who spoke at the recent Pacific Northwest Business Aviation Association Safety Day.

“If you can tell who’s going where, when, for how long and how many times, there are all sorts of things you can learn,” said Shay Colson, CEO of Colson Research in Bellingham, WA.

Colson relayed the following hypothetical example:

A Seattle-based company is negotiating a merger with a firm based in San Francisco. A hacker, working with one of the Seattle company’s competitors, gets wind of this and hacks into Blue Skies Charter’s computer to steal a flight manifest that shows when the Seattle CEO is traveling to SFO to consummate the deal.

The hacker combines that information with data on the aircraft, using a BARR-hacking site to pinpoint its departure and arrival time. Based on that information alone, the Seattle company’s competitor can either buy up stock in the San Francisco company to cash in or make a well-timed competing bid to disrupt the deal altogether.

And the key to all that is the manifest, according to Colson.

The leak of manifest information could be devastating to a Part 91 operation, but Colson suggested it may be worse for a charter operator, whose reputation would be irreparably damaged by such a breach. Similarly, the efforts of a scheduler, dispatcher or support company could also lead to an unintentional disclosure of information deemed business-critical.

“You wouldn’t send a business proposal to your competitor before presenting it to your client, would you?” Colson asked. “That’s essentially what you’re doing to your clients if you can’t protect their information.”

Colson suggested that the best way a flight department can protect itself is to strengthen its standard operating procedures. Too many companies, he noted, allow receptionists, line personnel and contractors as much access to email and data as is afforded the CEO. By creating procedures that limit access, eliminate out-of-date email addresses and establish a protocol for transmitting sensitive information, Colson said many of the doors used by hackers can be wholly or partially blocked.

“There is a growing vulnerability related to aircraft tracking,” said NBAA Vice President for Regulatory and International Affairs Doug Carr. “NBAA is working with the FAA and Congress to protect the information. But the growing amount of publicly available tracking data continues to be a problem, and it’s important that flight departments understand that and take steps to mitigate the threat.”

NBAA has worked diligently to protect much of this data through its efforts to administer the Blocked Aircraft Registration Request program. However, in September 2013 the FAA changed the process for limiting the availability of aircraft data through the Aircraft Situation Display to Industry.

Aircraft owners and operators can still request flight data blocking at different levels, but some online companies are circumventing those procedures and, for a fee, offering information that aircraft operators hope to keep confidential.