Speaking at the cybersecurity session at AVSEC World Day, Alex Hampson, Senior Product Leader for Cybersecurity, SITA, said that cyberattacks are too often viewed in isolation and seen purely in IT terms rather than linked to operational processes.
“But there are systemic risks,” he added. “Every organization will be hacked but it is how they deal with that reality that makes the difference.”
Leen van Duijn, KLM’s Vice President, Security Services, agreed that there is a cultural issue at play. “Cybersecurity is not a boardroom topic in general,” he noted. “It is mentioned but without sufficient knowledge. And the fact is that every day brings a new challenge.”
Because there is a lack of understanding at the boardroom level, it is hard for organizations to judge how much to invest in cybersecurity and what are the main vulnerabilities.
Every organization will be hacked but it is how they deal with that reality that makes the difference
The problem is compounded by scant collaboration and an abundance of regulatory bodies. The former is often overlooked as companies often share information but rarely share best practice. The latter obscures global standards making cybersecurity hard to implement and even harder to benchmark.
But a cybersecurity culture might be within touching distance for most aviation companies. The industry is already wrapped in safety and security values. Utilizing these values is a must to improve cyber resilience and achieve the necessary balance between operational efficiency and good cybersecurity.
The entire panel, which was moderated by Pete Cooper, Nonresident Senior Fellow, Atlantic Council and also included Nathalie Feyt, Chief Product Security Officer, Thales and Anna Guegan, Technical Programme Manager, EUROCAE, agreed that the industry is doing more than is realized. Good work is being done to separate cockpit and cabin connectivity, for example.
But the panel insisted that technologies are not magic that will solve a problem instantly. Rather, they are tools to be used. A more holistic approach will be needed as cyberattacks move from preventing the availability of systems to threatening the integrity of data within those systems.
As Cooper put it: “That is more dangerous by an order of magnitude.”