Last month, there was a great cybersecurity seminar with very knowledgeable speakers. They are working hard in the aviation industry to make sure flying is safe. I believe it is.
What does not seem to be addressed is the security of the data the passengers bring on board with them. If you think about the who uses company aircraft, they would be the people that have some of the most confidential, most valuable information regarding the organization.
Most cyberattacks are for financial gain, not military secrets. Meaning the passengers and the people around them, are being targeted to find a weak spot in the system. This may mean the employees, their family members, and/or vendors are targets.
The bad guys are experts at crafting campaigns that fool the best of us. Take an overworked employee, who has been trained to help C-Suite people achieve their goals and to make their working lives easier, they have been and could easily be, tricked into providing info that should not be shared. Info that allows the hackers to gain more access to data that they can use to target the organization. My example and I am in the cybersecurity business: I was attending an online seminar, at the same time I was texting a co-worker about an upcoming client visit and looking at emails…Way over multitasking, I was, as Yoda would say. An email came in from a streaming company that said my credit card that is used to auto-renew was not working and I needed to click the link and fix the issue. I had just moved. Duh, probably forgot to change my billing address, right? I clicked the link, and at the same time, I realized this email came to my work account and not my personal email. My steaming account has my personal email. I had to quickly disconnect my computer from the internet and network and let my IT department know my utter failure. It can happen to anyone.
When the passengers use aircraft to travel, they are in one spot, easy to detect and track, flying a billboard with a large, non-secret number tattooed on the side that identifies the aircraft type, and often, who uses the aircraft. It funnels the high dollar data to one location that is easily tracked and targeted. Ever see the people taking pictures of the aircraft at airports? There are many with very expensive lenses. They congregate at the regional airport where private aircraft are more likely to appear. They then share that data on social media and with each other. Some will also share with hackers looking to gain more info to help with their social media campaign to target employees. You would be surprised with how effective this is to make their hack seem real.
Focus on the Following:
People! Your employees, your passengers, your vendors.
People are your biggest threat and they usually do not even know that they have been compromised. If they do not know it, how can flight departments be expected to know who is the threat? Yet, if an incident occurs on the aircraft, the flight departments have been held accountable for something that is really outside the scope of flying aircraft.
How to immediately reduce the risk of a cyberattack getting into the system:
1. Continuously educate you employees.
2. Do NOT berate them when they make a mistake, or they will quit reporting mistakes which could be catastrophic.
3. Know who is working on the aircraft including mechanics, avionic techs, caterers, communication specialists and anyone to touches the aircraft.
4. Monitor vendors while they are working onboard.
5. Research your vendors, give them your cybersecurity policies and get a Business Associate Agreement (BAA) that states they will conform to those cybersecurity policies. Update the BAA as the policies changes and it will change!
6. Make sure you have a router onboard your aircraft that provides firewall services that monitors both avionics and cabin WIFI.
7. If your router cannot be upgraded to provide firewall services, make sure the data passes through a firewall on the ground before it enters the aircraft and before it goes out to the internet.
8. Change passwords on WIFI monthly! I know, this is a pain and hard with passengers, but it is the least costly and probably the most effective item that can be done to stop intrusions.
9. Have a procedure of what to do if you believe a breach has or is occurring.
10. Have a policy to know who gets informed of what, when.
This is an active war. There is not one thing we can do to eliminate the threat. The threat will always be evolving and changing. We must recognize that cybersecurity vigilance will be with us always. This risk is not going away. We need to be proactive and aware so we can mitigate the risks. We will never eliminate them.
Rob Hill has cyber security is in his blood. His father hired retired CIA operative to test software for his company. IT has been a passion and cybersecurity has been his focus since the Internet started becoming essential to everyday life. He made his transition to satellites and aviation five years ago. It was then he realized that standard cyber security measures only went so far in protecting passengers and crews aboard aircraft. He specializes in helping aviation companies bridge the gap with their IT and cybersecurity departments to ensure that each and every passenger and crew is protected. He can be reached at Rob@TheAeroConsult.com.