Business Aviation Insider nameplate
Operations

Management: Best Practices for Aviation Cybersecurity

The recent Garmin hack showed how serious cyber threats can be.

“Recent incidents continue to demonstrate that any of us are vulnerable to these scenarios because of the dependence we all have on software,” said Jim Kazin, senior captain and aviation security advisor for a Southeast-based Fortune 150 flight department. “Scheduling, flight planning, maintenance and even the operation of the aircraft itself can be corrupted by malware.”

How can you protect your organization from a cybersecurity attack?

First, establish policies and procedures that support cybersecurity by conducting a vulnerability assessment. Work closely with your IT department and outside vendors, if appropriate, keeping in mind that aviation involves unique cyber risks.

“Understand what kind of data you generate, transmit and consume,” advised Patrick Morrissey, technical fellow of product cybersecurity at Collins Aerospace. “What is the criticality of that information to the system and to your business operations? Set up a policy framework that is helpful in supporting, protecting and managing that data, not only through day-to-day operations like IT systems, but in your contracts so you are conveying your risks to the vendors and customers you work with and can manage those risks together.”

Know how your vendors use the information you supply to them, and be sure they know your expectations regarding information protection by asking them how they manage and protect your data.

“It must be understood there is a shared risk, which drives the need for understanding why it’s so important to protect the data we have, and inspect the data we receive,” said Morrissey.

Education is also key. Conduct regular cybersecurity training and drills to ensure everyone in the organization is prepared to respond to a breach. Remember, cybersecurity isn’t limited to the aircraft, so use a holistic approach.

“As an industry, we’re really good at training for physical situations – like the safety of crewmembers and passengers – but not for these [cybersecurity] issues.”

Josh Wheeler Senior Director of Cybersecurity Solutions, Satcom Direct, Inc.

The current cyber threat has been heightened during the pandemic, with more hacking occurring because more people are working from home.

“As an industry, we’re really good at training for physical situations – like the safety of crewmembers and passengers – but not for these [cybersecurity] issues,” noted Josh Wheeler, Satcom Direct’s senior director of cybersecurity solutions.

Don’t just educate your staff and crewmembers. Talk with passengers because they can inadvertently become the weakest link in your aircraft’s cybersecurity by adding unsecured devices to secure networks, for example. In fact, cybersecurity polices should address what types of devices can be used on your aircraft.

Practice good situational awareness during trips. Learn about risks specific to your travel area. Avoid free WiFi networks, and use a VPN whenever possible. In high-risk regions, limit the number of electronic devices you carry and assume they will be compromised.

Finally, Morrissey encourages a top-down approach to cybersecurity, with strong executive commitment to support bottom-up initiatives.

“There are plenty of standards to improve a company’s cyber posture, but, in many cases, what’s missing is the leadership and business support for implementing those standards, which comes with a cost,” Morrissey concluded.

Review NBAA’s security resources at nbaa.org/security.

February 20, 2024

Podcast: Enhancing Privacy for Business Aircraft Operators

The FAA has been working with NBAA and others to address privacy concerns with the Privacy ICAO Address program (PIA), which recently was expanded beyond the contiguous U.S. to include overwater routes.
Listen Now

January 4, 2024

DOT, FAA Increase Civil Penalties for Aviation Violations

Fines imposed by the Department of Transportation (DOT), including the FAA, for violating regulations have increased under the DOT’s annual adjustment to its civil penalty amounts.
Read More

July/August 2023

Aviation Cybersecurity: Risks and Mitigations

You must to view this content.
Read More

April 17, 2023

Podcast: How Cyber-Secure Is Your Flight Operation?

With just a few keystrokes, hackers may be able to collect personal data from aircraft passengers or flight operations employees and even damage a company’s IT infrastructure. Guarding against cyberattacks requires participation and vigilance by everyone in your aviation operation, as well as cooperation from vendors and support providers.
Listen Now