Cybersecurity and Commercial Aviation

Jim Vasatka Director, Aviation Security

Boeing Commercial Airplanes

Pascal ANDREI Chief Security Officer

Airbus Group

Aviation Cybersecurity

Agenda

External Drivers

Challenges

Drivers Influencing

our Success

Threat Outlook

Strategy

Next Steps

Conclusions

title line

subtitle line

content top margin

center

content bottom margin

title line

subtitle line

content top margin

center

content bottom margin

left margin center

right margin

left margin

center right margin

• Safety, security and efficiency of the air transportation

system is an imperative

• Economics and business drive increased connectivity

• Increasingly complex and dynamic environment

• Unintended consequences of enhancements to security

layers sought without full understanding of the impacts

• Players acting with malice

The External Drivers

3

title line

subtitle line

content top margin

center

content bottom margin

title line

subtitle line

content top margin

center

content bottom margin

left margin center

right margin

left margin

center right margin

• Aviation operates in silos

• Success depends on many stakeholders

• Slow, deliberative pace of change

• Broad spectrum of technology deployed

• Unwillingness to share data necessary for system-wide

risk management

The Challenges

4

Drivers Influencing our Success

a) Aviation cyber standards

b) Security culture

c) Understand the threats & vulnerabilities

d) Understand the risk end-to-end

e) Communicate the threats / vulnerabilities & assure situational awareness

f) Incident response

g) Strengthen the defensive system

h) Design principles

i) Operational principles

j) National R&D Plan

k) Work together on strategy, policy and plans

l) Ensure common (or compatible) management of security within and across civil aviation (all regions & countries)

5

2. Attack surface of civil aviation sector to

cyber security threats is getting bigger and

bigger

1. Attractiveness : Increasing number of

diversely motivated, dynamic and active

threat sources investigating/ targeting (or

not) air transport

The cyber security concerns in civil aviation sector mainly result from

the combination of two factors:

December 2016

The reasons for cybersecurity concerns

6

Hangar

Maintenance &

Engineering Centre

Warehouse

Aircraft data

& parts suppliers

Outstation

Gate

Operations &

Dispatch centre

7

7

Air/Ground

Links

Satellite Communications

(SATCOM)

GateLink

(Wireless)

Passenger Connectivity

HF & VHF

Non exhaustive list

CYBERSECURITY

THREATS

Electronic Flight Bag, BYOD,

Portable data Loader…

7

Improvement Tracks Civil Aviation Players: United in Multiplicity and Diversity

• Currently, not all civil aviation

players share a common set of

objectives, methods, and criteria

for evaluation

• Perception of Risk depends

upon region, culture, values,

practices, objectives, interests,

oversight, duties, roles

• “My defense is your protection” -

Only true if we are singing from

the same sheet of music!

But the Maestro is missing…

… or not ready

8

title line

subtitle line

content top margin

center

content bottom margin

title line

subtitle line

content top margin

center

content bottom margin

left margin center

right margin

left margin

center right margin

• Understanding the risk and the needs of all stakeholders

all over the world (no country/region left behind)

• Priority-driven, industry-wide alignment of organizational

strategies and courses of action

• Addressing technical, economic and political realities

• Government policy decisions based on data-driven, risk-

informed analysis

• Openness to consideration of emerging foundational and

mitigation technologies

Aviation’s Strategy Must Include

9

Next Steps

• Develop a cybersecurity roadmap for aviation

• Government-industry consensus on path forward

• Uniform, system-wide threat analysis capability

• In-common risk management methodology

• Information sharing

• Incident response capabilities

• Robust, ongoing assessment of emerging mitigation

technologies

• Define next-generation connectivity

• Define international norms of behavior

10

Lessons Learned on Global Threat

Sharing

Jeffrey Troy Executive Director

Aviation Information Sharing and

Analysis Center

Lessons learned in global threat sharing

Acceptance of Cyber RISK in aviation runs the entire

spectrum • Need industry-view of the cost to remediate

• C-Suite commitment

• Growing the capability of the under resourced companies

12

A community of TRUST is the key to successful risk reduction

• Across and within all industry segments

• Leaders are sharing

• War gaming, Red Teaming

Incident response is everybody’s business

• Individual, industry and government TTXs