The recent Garmin hack showed how serious cyber threats can be.
“Recent incidents continue to demonstrate that any of us are vulnerable to these scenarios because of the dependence we all have on software,” said Jim Kazin, senior captain and aviation security advisor for a Southeast-based Fortune 150 flight department. “Scheduling, flight planning, maintenance and even the operation of the aircraft itself can be corrupted by malware.”
How can you protect your organization from a cybersecurity attack?
First, establish policies and procedures that support cybersecurity by conducting a vulnerability assessment. Work closely with your IT department and outside vendors, if appropriate, keeping in mind that aviation involves unique cyber risks.
“Understand what kind of data you generate, transmit and consume,” advised Patrick Morrissey, technical fellow of product cybersecurity at Collins Aerospace. “What is the criticality of that information to the system and to your business operations? Set up a policy framework that is helpful in supporting, protecting and managing that data, not only through day-to-day operations like IT systems, but in your contracts so you are conveying your risks to the vendors and customers you work with and can manage those risks together.”
Know how your vendors use the information you supply to them, and be sure they know your expectations regarding information protection by asking them how they manage and protect your data.
“It must be understood there is a shared risk, which drives the need for understanding why it’s so important to protect the data we have, and inspect the data we receive,” said Morrissey.
Education is also key. Conduct regular cybersecurity training and drills to ensure everyone in the organization is prepared to respond to a breach. Remember, cybersecurity isn’t limited to the aircraft, so use a holistic approach.
The current cyber threat has been heightened during the pandemic, with more hacking occurring because more people are working from home.
“As an industry, we’re really good at training for physical situations – like the safety of crewmembers and passengers – but not for these [cybersecurity] issues,” noted Josh Wheeler, Satcom Direct’s senior director of cybersecurity solutions.
Don’t just educate your staff and crewmembers. Talk with passengers because they can inadvertently become the weakest link in your aircraft’s cybersecurity by adding unsecured devices to secure networks, for example. In fact, cybersecurity policies should address what types of devices can be used on your aircraft.
Practice good situational awareness during trips. Learn about risks specific to your travel area. Avoid free WiFi networks, and use a VPN whenever possible. In high-risk regions, limit the number of electronic devices you carry and assume they will be compromised.
Finally, Morrissey encourages a top-down approach to cybersecurity, with strong executive commitment to support bottom-up initiatives.
“There are plenty of standards to improve a company’s cyber posture, but, in many cases, what’s missing is the leadership and business support for implementing those standards, which comes with a cost,” Morrissey concluded.