I work in an industry that has always had one main concern: security. We can collectively pride ourselves on the fact that, even as more and more passengers travel by plane each year, there have never been fewer aviation accidents.
Although this concern for safety is not new, it has however greatly evolved in the last three or four years. One important evolution is that the aviation industry has geared up to face the issue of cybersecurity and other threats head-on, as attacks all over the world are becoming more digital and sophisticated — be they motivated by terrorism, financial crime or hacktivism.
We can all recall the 2015 episode when hacker Chris Roberts claimed he could control an aircraft engine through its entertainment system.
As the Chairman & CEO of a company that enables more than one million passengers per day to interact with these in-flight entertainment systems, which make it possible to use Wi-Fi on aircraft and connect to smartphones, I believe cybersecurity will remain our biggest challenge in the years to come.
What can we do to make aerospace a cyber safe place and thus maintain a high level of trust in the aviation industry?
Let me, first, assess the threat level.
Aviation systems benefit from a safety design that enables them to withstand even in the event of an incident or failure. One example is the isolation of cockpit systems and self-contained in-flight entertainment systems.
These designs have had to evolve — they are, in fact, constantly evolving — as air traffic management, ground services, airports and aircraft themselves (passengers, cockpits) are more and more digitised, more and more connected to each other in what now works as a global ecosystem.
The digitisation of aerospace is, of course, an opportunity that enables companies to ease congestion as well as to transform the customer experience, with more personalised services. It also makes it possible to detect potentially disruptive issues and respond more proactively, with new e–troubleshooting and e-maintenance services. These technologies make our industry more competitive.
But more digitisation also means new vulnerability: more surfaces to attack and more appeal to attackers. The rising interconnection between aircraft, service and data providers means expanding vectors of threats to national security and public safety but also threats in terms of data privacy and public trust.
And the Atlantic Council report on aviation cybersecurity, underwritten by Thales, concludes with the “absence of clear or strong foundations in aviation cybersecurity to adequately counter emerging threats”.
Which brings me back to my original question: What can we do?
We must, first of all, accept that there is no such thing as total protection. There will be breaches in aerospace infrastructures: the question is not if, but when.
Our responsibility is therefore first and foremost to become more cyber-resilient; to make sure that the aircraft remains safe and secure whatever the attack. Key to this is the enabling of systems and personnel to develop real-time monitoring capability, to know exactly what to do when something happens and of course to respond instantly.
The real issue is that of governance and accountability. We must address the complexity of a concern that ties in with different legal systems, public and private actors and all the different links in the supply chain. We need to reinforce the chain of trust — cyber-trust — in civil aviation.
Public actors have taken on their responsibilities.
The American Department of Homeland Security, for one, organises briefings to security professionals to share the information they have on possible threats, on attackers’ new tools and modus operandi. However, legislative procedures take too long for regulations to still be relevant at the time of issue, whereas we need to respond immediately.
The new Information Sharing and Analysis Centers (ISAC), set up both in the US and in Europe, and the European Center of Cyber-Security in Aviation (ECCSA), an EASA (European Aviation Safety Agency) initiative, supported by Thales, will surely play a very important role in the sharing of cybersecurity information.
But they are still very new; they must continue to grow before they can reach their full capacity. We, of course, also have our part to play.
Some of our clients are relying on us to explain threats and give them confidence that their system is, or can become, secure; others are already very savvy.
All of them count on us to provide them with secured solutions in an environment that is increasingly unpredictable. Some of our clients ask us to help them deploy our solutions in a secured overall architecture.
We also help them with identifying risks, prioritising protection measures, setting-up cyber-response teams and security operation centres, and training staff members.
We also participate in the AeroSpace and Defence Industries Association of Europe (ASD), where we make proposals to obtain state of the art security practices for the rest of the community.
Nonetheless, we cannot act alone. All of us - aviation and cybersecurity industries - must work together under the rule of the International Civil Aviation Organization (ICAO), more than we already do.
Sharing information, assets and resources, building secure worldwide interoperability, acting on an international level is the only way for us to become more cyber-resilient.
Cybersecurity is not a static state but a dynamic condition; we must be able to adapt to constantly evolving legal environments, but also to ever more malicious threats. Let us face this challenge together, make this continuous commitment not just as a company but as an industry. The decisive moment is now.