Our connected world now reaches through the sky to our modern aircraft. The expectations of wireless internet service and real-time voice and data communication in the air are fast becoming comparable to what we take for granted for our offices and homes on the ground.
The new technological skyscape offers us great advantages and conveniences. But it’s not without risk. Fortunately, conversations about information protection generated by the European Union’s move to implement General Data Protection Regulation (GDPR) and news stories about security breaches help bring greater awareness to potential problems.
How Should Operators Address Inflight Internet Security?
As a business aircraft operator, you need to take steps to understand the limits of security features and limitations by each service provider. Accountability is a responsibility shared by both parties.
Neither can solve the problem independently, and there’s no one-size-fits-all solution. Providers should realize that the vast majority of operators aren’t security experts. Their core competencies lie elsewhere. Operators are, however, responsible for adopting technology and processes that provide the needed expertise and security to match their requirements.
Staying up-to-date on the current cybersecurity landscape is integral to your business operation. Continual training and cyber assessments of flight departments should be held at least annually. Service providers that offer a comprehensive security package can help flight departments navigate the nuances of cybersecurity requirements.
Expect your service provider to take steps to act as an adviser on the best approach and offer services that comprehensively address challenges and regulations. This relationship should be ongoing and revisited frequently. Security is not a simple “set-it-and-forget-it” approach. What works in 2018 may need adjustments in 2020.
What Should You Look for In Service Providers?
Seek out providers who are at the forefront of innovation. Are providers working with decades-old technology with widely known vulnerabilities? Have they introduced proper security measures, such as engaging software developers through a framework that includes security services? Do providers use third-party security services to validate the security of their systems?
Network speed or capacity can significantly inhibit the effectiveness of some security controls. Many security and privacy products are highly dependent on the consistent, low-latency, high-speed connection that’s typical on the ground, but is not employed by all airborne service providers. Those products can require high speed bidirectional bandwith, with data going both to and from the aircraft.
What Technology Poses Additional Risks for Operators?
Modern avionics with wireless systems updates or flight plan uploading capabilities are potentially vulnerable, as are all parts of the Internet of Things. While the weak security links may vary from system to system, your approach should not. Work with providers who take a holistic approach to security for both airborne and ground networks. Are there proprietary methods for signal transmission which are less likely to be compromised?
Older-generation equipment also is susceptible to attacks. Similar to systems on the ground, older radios have default settings and passwords incorporated. Hundreds of aviation mechanics know these administration passwords, which makes accessing these devices relatively easy.
What Other Steps Should You Take?
Much of the best cybersecurity advice on the ground applies to threats in the air as well. Work with your company’s information technology team to employ best practices specific to your own systems. Undergoing better corporate security training adds to your protection.
Staying alert to and being aware of the potential for threats are your best defense. Always assume your data and information are potential targets for attack: whether in the coffee shop down the street or at 40,000 feet in the air. Preparation always is a less painful path than the consequences of inaction. BAA