CTO Vision on the increasing difficultly the aviation industry is having with cyber security:
The aviation industry has attempted to follow the structure of the traditional terrestrial cyber networks, but it has not been successful. Due to the complex ecosystem involved in setting up cyber security within the aviation landscape and the increase in In-Flight Connectivity (IFC), the aviation cyber networking cannot mirror that of the terrestrial.
With multiple systems providers, airlines and IFC providers managing various components of an airplane, gaps are becoming more frequent in the aviation landscape. The question becomes how to manage the threats effectively. Vinit Duggal said the aviation industry is “an an extremely complex ecosystem and when you marry it to what’s happening onboard the plane, you have quite a large attack surface that’s exploitable, essentially, to the threat actors [Gourley] mentioned.” With the increase and demand for new in-flight technology, it has opened the Pandora’s box of weak areas exposed to potential hacks.
The increase of technology does not match the increase in technology security. Duggal said, “technology moves so fast, security sometimes gets left behind because you’re trying to get to the consumer, you’re trying to give them what they want, and sometimes when you try to address security after the fact you add complexity to the mix.” The threat level is increased when systems are not secured prior to installation. Security is often overlooked when ensuring for the consumer’s satisfaction with a rapid implementation and deployment. Making the consumers happy with the latest and greatest technology without first securing the systems before installation merely increases the threat level.
The only way to properly secure systems is to introduce security at inception. While the airlines surely need to address the needs and demands of their consumers, they need to do so in a secure manner.
So, for instance, if customers demand in-flight wifi, the aviation industry needs to research and develop a secure solution from conception to inception. From the moment an engineer begins designing the architecture, cyber security needs to be discussed and implemented in every facet and phase of the project. Otherwise, security ends up being duct-taped on after-the-fact, and then the industry will be faced with unexpected consequences.
This is no easy task yet it is also not insurmountable.