Trust is everything in the aviation industry. And a successful cyber attack – even a minor one against something like an in-flight entertainment system – could undermine confidence in airlines or even the entire aviation industry. That’s why global cyber security provider F-Secure has launched a specialized Aviation Cyber Security Services offering that’s designed to help airlines and similar organizations protect their aircraft, infrastructure, data, and reputations.
Cyber security has emerged as a significant issue for many industries, including those working in aviation. 85 percent of airline CEOs identified cyber security as a significant risk in a 2015 survey.* And while many industries have been dealing with data breaches and cyber attacks for many years, F-Secure’s Hugo Teso says that changes in the aviation industry are bringing new risks for airlines.
“Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past,” said Teso, a former pilot and current head of F-Secure’s Aviation Cyber Security Services. “Because these off-the-shelf technologies weren’t necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it’s an industry where those details make a big difference.”
F-Secure’s Aviation Cyber Security Services was designed to help airlines and other companies working in aviation secure their operations from the ground up. It integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security trainings for IT managers as well as cabin and cockpit crews, into a single package that helps airlines harden their operations against cyber attacks.
Security assessments play a particularly vital role in aviation cyber security by flagging potential issues before airlines or manufacturers attempt to certify devices or services for use. Security assessments can focus on individual components such as specific pieces of hardware and software, or broader issues, such as how different systems interact with one another in an entire aircraft program.
F-Secure’s head of Hardware Security Andrea Barisani works with a team of experts that has nearly a decade of experience in performing security assessments for avionics and aircraft manufacturers, and places particular focus on designing and verifying data diodes – a defense mechanism that mitigates worst case scenarios by restricting how an aircraft’s systems can communicate with one another.
“A key issue we help organizations with is how to protect an aircraft’s safety-critical systems from compromises in systems that are, in a sense, more exposed but less significant to an airplane’s operations,” said Barisani. “A key protection measure is separating systems into different ‘trust domains’, and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks.”
But the service isn’t limited to simply assessing different technologies or components. According to Teso, the offering aims to help airlines achieve-long term security for all their operations and systems.
“In aviation, trust is everything, and airlines know that if they lose trust they lose business. And even though cyber security is a relatively new concern for them, they understand that they need to get on top of problems right away and stay ahead of potential issues as technologies, operations, and threats evolve,” said Teso. “The overlap between security and safety is 100 percent clear to airlines, so even an attack that’s not intended to affect the safety of an aircraft in reality – like hacking into a database to steal passenger data – is an unacceptable risk that threatens to undermine customer confidence in other operations.”