Software Engineering Daily Podcast, Episode 1859
[INTRODUCTION]
[0:00:00] ANNOUNCER: Aviation cybersecurity is becoming an urgent priority, as modern aircraft increasingly rely on complex digital systems for navigation, communication, and engine performance. These systems were once isolated, but are now interconnected and vulnerable to cyber threats, ranging from GPS spoofing to ransomware attacks on airline infrastructure. As nation-state actors and criminal groups grow more sophisticated, the aviation sector faces a rapidly expanding attack surface, with life-or-death consequences. Understanding and addressing these risks is essential, not only for passenger safety but for the resilience of global transportation networks.
Serge Christiaans is a former Dutch Air Force pilot with a background in electronic and hybrid warfare. He later flew commercially for Transavia Airlines/KLM (Netherlands) and Scoot/Singapore Airlines (Singapore) and is now the lead instructor and program director at the Singapore-based Aviation Cyber Academy. He joins the podcast with Gregor Vand to discuss the convergence of aviation and cybersecurity, commercial aircraft as a digital attack surface, hybrid warfare, the urgent need for aviation cybersecurity resilience, and much more. For more on Serge, find him at sergechristiaans.aero, or on LinkedIn.
Gregor Vand is a CTO and founder based in Singapore, currently working at the intersection of communication, security, and AI. His latest venture, Wyntk.ai, reimagines what email can be in the AI era. For more on Gregor, find him at van.hk, or on LinkedIn.
[INTERVIEW]
[0:01:42] GV: Hello. Welcome to Software Engineering Daily. My guest today is Serge Christiaans. Welcome, Serge.
[0:01:49] SC: Hi, Gregor. Thank you for the kind invitation.
[0:01:51] GV: Yeah, this is a very interesting one for us to do today, as we're going to get into based on the fact that you are a practising pilot, but you're also a practising CISO as well. We're going to get into how this has all come about. That's where we should start. We always start with the guest's career journey, if you like to call it that. It almost feels like you have two careers, both of which you've managed, and you're still doing both today. Tell us about how you are doing these two jobs effectively?
[0:02:21] SC: I started my career at the Military Academy in the Netherlands, then flying for the Dutch Air Force for about 16 years. I was involved in operations concerning electronic and hybrid warfare, as well as numerous NATO operations abroad. Then I moved to commercial aviation, flying 737s in the Netherlands. But as an ex-military pilot, that was so incredibly boring. So I started my own IT company in parallel with that. That company actually started focusing on cybersecurity around 2010-2011, when we saw the first cyberattacks.
I was still flying then, but also in my spare time, serving customers, mostly SMEs and managing their infrastructure. Then, at some point, I moved to Singapore, flying for Singapore Airlines' Scoot on the Airbus A320. Then COVID happened, and I took that opportunity to get a master's degree in cybersecurity. During the pandemic, I held several full-time Chief Information Security Officer (CISO) roles, taking responsibility for the entire Asia-Pacific region for multinational corporations operating globally. This was a very different experience from flying. Still, I'd say my management skills from the military academy were very useful. It was, again, exciting. I learned a lot.
Then at some point, I looked in the mirror, and I thought, "Nah, dude. You want to fly again. You miss it." And I did. I started flying again, but now, with all the knowledge and experience I have in military operations, cybersecurity, and my CISO experience, I find myself in the middle of aviation cybersecurity. When digging into that, it's actually a very small world. Not many people are in that intersection, and I needed to do something with the knowledge I have on all sides.
I'm supporting the aviation industry on many occasions. I speak regularly at international conferences, raising awareness that especially aeroplanes, cyber/hybrid and the threat surface that an aeroplane poses, because there are many people, also high-level management of airlines that actually do not understand this risk and what we need to do. Which is actually comparable to what I found when I was an APAC CISO working for large multinational companies. It's the same problem all over. They don't understand the business risk of cyber, which is the most significant risk that any company has, not even aviation or an airline. Cyber is your biggest risk. If you don't understand that your company can go down in a week, regardless of how great your clients feel about you, how low your prices are, or how great your product is, you will go down if you have a ransomware attack you haven't prepared for.
[0:04:58] GV: Yeah. I mean, it's probably quite obvious to many, but worth calling out is that the stakes are incredibly high in aviation, because you just don't have the same time to deal with the problem. We're going to get into what that even means, cyber in the air. Just before we go there, a couple of questions, I guess, as I have quite a few pilot friends actually, and there's obviously a lot of downtime between where you fly to and from. I guess this is how you're able to do both at once. Is it difficult to mentally switch between flying and then being a CISO, or how does that look?
[0:05:31] SC: Not really. It's like switching languages. If you speak both languages well, you switch without knowing. You sometimes even think in another language without knowing. Or, compared to driving in Singapore, I drive on the left side. But when in Europe, I drive on the right side. I get in a car and drive. Sometimes, if I'm tired, I approach a roundabout, and I need to think, "Okay. Left or right. What is it here?" In general, I don't have that problem, because I speak both languages well.
[0:05:58] GV: I think that's a good way of describing it. Then, if we just think about it, just to lay the land here, cybersecurity in aviation. How would you describe? I mean, you've touched on it, I think, just in what you were saying a few minutes ago. How would you describe the maturity of cybersecurity compared to other critical infrastructure sectors?
[0:06:22] SC: We have statistics on that. There is research on that. Aviation is about in the middle, which aligns with my experience as well. In general, the financial sector, financial services, healthcare, and the energy sector are more mature. Manufacturing is generally much less mature. We're about in the middle. One of the main reasons is, of course, that in the aviation industry, we focus primarily on physical security threats. We don't like change because anything we change might affect our safety posture. It's all about safety. What we do now is safe. Everything we change might compromise that safety, because in aviation, safety is written in blood, we say. It's based on experience. With an open culture, we want to learn about everything that happens so we can prevent it from happening again.
Then, when everything is balanced, coordinated, and it works like this, and we have a high safety level, you don't want to change it a lot, because you're introducing more risks. That's a part of our culture that doesn't help get more cyber resilience. That's one of the things I'm fighting at the moment.
[0:07:32] GV: Got it. Okay, that makes a lot of sense. Let's dive into what cybersecurity even means in aviation. Some of our listeners will be familiar with the term attack surface, in terms of just conventional, what an attack surface is in cybersecurity, i.e. what an attacker might see and be able to think about attacking. How does that look in terms of aircraft? What does the attack surface of an aircraft even look like? What are the things that people might just not realise even exist as part of that attack surface?
[0:08:05] SC: Okay, let's start with describing a modern aircraft as a flying server room with hundreds of computers onboard. If you look at it like that, that is a huge attack surface on its own. There's a lot of digital stuff onboard, but also cyber-physical elements that are hybrid, and it's the hybrid things, the hybrid attacks, and hybrid warfare that's actually falling in between. Nobody understands that one, except the ex-military guys. It's not cyber, and it's not warfare, and it's not in the newspapers. But that's a different topic.
Talking about threat surfaces of my aeroplane, it's all the computers, all my navigation systems, my flight management systems, big and small computers, GPS receivers, ACARS, SATCOM, ADS-B, VHF radios; it can all be spoofed, it can all be exploited. Even my maintenance systems can be compromised, and one of my biggest worries that nobody talks about is actually my engines. Half the buying price goes to the engines. These things are incredibly expensive and complex. If I open a few of these hatches, you're going to be amazed at what you see. It's a miraculous piece of high tech.
These devices constantly send data to the manufacturer. This is also part of my threat surface. If someone could switch these things off in flight, I wouldn't be an aeroplane anymore. I can do without a computer. I have backups on this, backups on that, we have workarounds. That's all fine. As long as I'm still an aeroplane, I have fuel and a landing gear to land on, then I'm fine. Without engines, I'm a glider.
[0:09:45] GV: That's an interesting one. Let's just stick to engines for a second. You mentioned that the engines are sending telemetry to the manufacturers. In theory, is there a risk around that communication, the other way around, where something goes wrong at the manufacturer, and some kind of communication can be sent to the engine that does something nefarious? I mean, is that a possibility?
[0:10:10] SC: Theoretically, yes. It's the same as your phone. Somebody could switch it off. Somebody could DDoS it, or make it unusable, or find a switch. That is exactly what nation-state threat actors are doing right now with our critical infrastructure, mainly China. They're creating switches they can push, which creates chaos and hinders defensive reactions when needed most.
[0:10:28] GV: Interesting. Looking at general connectivity, could you actually explain, I believe, there's this acronym, ARINC systems. Perhaps, you could just explain what does that stand for? I believe it's a protocol. Could maybe just dive into that protocol a little bit, and how has that increased the threat landscape?
[0:10:48] SC: ARINC is a protocol that was, in 1927 in the previous century, a radio communication protocol that was designed for standardisation purposes. In aeroplanes, we have an ARINC 429 bus. That was the first communication bus, actually. It's called the 429 bus, which was built into the digital backbone of aeroplanes to enable communication between different systems onboard.
Now, the ARINC 429 was designed in the 70s, of the previous century. A long time ago, there weren't any cyber threats. Cyber didn't exist. The first computers, we had MS-DOS back then, just came out. The word cybersecurity didn't even exist. These things were designed for reliability, and not secured for message injection or spoofing attacks. Now, next to that, the long operational lifespans we have in aviation mean that many old systems will continue flying for many years to come. That doesn't mean there's no improvement. There are great developments. We have the ARINC 629, which is much more secure. We have the ARINC 664, the AFDX, which is a full duplex, which can handle encryption, which is a significant improvement, but it's only for the newer aeroplanes.
[0:12:04] GV: For example, when you say newer aeroplane, are we talking like A350? Or does it have to be? I guess the A350 is one of the newest aircraft, but do A320s have that newer one? If they rolled out the factory today, do the A320s get that new protocol or a new bus?
[0:12:19] SC: Yes, that's a funny thing. Every time I ask Airbus, they don't tell me. Every time I ask Boeing, they don't tell me. The same goes for Embraer. I visit many aviation events and talk to the chief pilots and test pilots of these aeroplanes. I think you can imagine that this is proprietary information, and they're not going to give it out to the first idiot wearing a Boeing cap who shows up at their booth. It isn't easy to find out. We have to believe that they are doing their absolute best, that they have a very well-equipped cyber-team, and that they're looking at it.
At the end of the day, I cannot do a penetration test on my aeroplane. Because to do that, it actually needs to be in the air, all systems running. You can understand, it's physically an air gap, no pun intended. That's nice. But if you want to do a pen test, you have to have the engines running as well, because then you know all the systems are online. Even then, the air-ground switch will be on the ground switch. Not all will be working. It isn't easy to do that.
[0:13:13] GV: Yeah, okay. Interesting. Let's talk about actual cyber-attacks mid-flight. I mean, I believe, you do actually train pilots to understand what a cyber-attack might look like mid-air, and I guess, how to deal with that. Could you walk us through what you teach pilots in this context? What are they looking out for? Then, crucially, what are they supposed to do? Like, what are some high-level steps they're supposed to follow to help mitigate that whilst they're literally flying a plane at 35,000 feet?
[0:13:46] SC: First of all, in 2024, only about 20% of pilots globally received actual training in this. All the other ones receive memos. It's not being trained on simulators because aviation authorities aren't requiring it. We do what we need to do to be compliant. We don't have time for other stuff. When I'm in the simulator for four hours, there's a very intense program. There's no 10-minute window to look at GPS spoofing or jamming, for instance. It's just not in the program. That's the same reason: upper management doesn't understand that this is needed. There is no awareness of the risk, the business risk of cyber. It needs to be top-down. The board needs to decide, "Yes, we need to train this." Then it goes to the training department. They will make a training program. Then we go to the simulator. Then we learn how to react to this.
Until that happens, nothing happens. Only 20% of pilots are actually being trained in 2024. The other ones, and there's also scientific data on that, the other ones are uncomfortable in a situation like that, because they don't actually know what's going on.
[0:14:56] GV: Yeah. Can you walk us through what a cyber-attack might look like in the cockpit, for example?
[0:15:03] SC: In aviation, we're trained in emergencies, practice them, and learn how to identify them. Quite often, the aeroplane helps you identify them. Let's say I have an oil pressure sensor on my left engine that's going below limits, and the aeroplane will pop up a message, a notification, if you will, that says, "Hey, have a look at your engine pressure, because it's not going great." Then I make a decision. We look at it, and we take out a checklist, or we divert, or whatever we feel we need to do to keep the operation and the people in the aeroplane, and my crew, safe.
Now, a cyber-attack on your aeroplane is actually something you have never seen before, most likely. By now, everybody has experienced GPS jamming or GPS spoofing. However, there are still plenty of pilots who do not yet understand the difference between them, because they have not been adequately trained, or shown the results, or the long-term effects of a spoofing attack on their aeroplane. What we usually do: the basic rules for handling any emergency in any aeroplane, anywhere in the world, are aviate, navigate, communicate. The first thing you do, whatever is going on, fly the aeroplane. Use your primary instruments, keep flying it.
Don't look inside at the instruments yet, don't try to get checklists out, and don't start a discussion with your first officer while the aeroplane is going in the wrong direction. That's not a good idea. Aviate first. Then navigate. Where are you going? Where are you heading? Where do you want to go? Make sure you have a heading that indicates you're not going into a mountain, for instance, or over a busy airport. Get out of dangerous airspace. Then the last one, communicate this, not only to air traffic control, but to your crew, to your cabin, to your passengers, if you have time, in the correct order.
Now, for any hybrid or cyber-attack, things will be happening that you don't understand. You will have contradictory information. For instance, this system says my position is here, while this system says it's there. Where am I? I don't know. Or, hey, suddenly my engine data is blank. Maybe your engine is being hacked. I don't know. Or in hybrid warfare, maybe your ACARS is spitting out a message from supposedly operations that you're not expecting. You need to think. You need to start thinking about scenarios.
What we need to do is to isolate and disconnect the suspected system, and try to resolve the problem after isolation. Then the last one is to document. We need documentation about this, because every attack is probably new. One of the most critical aspects of cyber resilience is sharing cyber threat intelligence. We need to document this so we can immediately notify all other pilots worldwide that this is happening in this area, most likely at the hands of this threat actor. Sharing is caring. It's essential. We're stronger together.
[0:17:56] GV: Yeah. We're going to get on to culture a bit as well, this idea of just culture versus blame culture, but we'll get there. Yeah, I think that's very interesting, just to think for a second, just about that situation where, as you're calling out a pilot, you can never know for sure if what's going on is an attack. And so, that's half the problem. Then the second problem is that, in this situation, your overarching approach to training is, as you say, to fly the plane. That's the first thing. Don't take your eye off what you should be doing: flying the plane. Obviously, you're having to make a whole bunch of other mental assessments. I mean, you mentioned the ACARS. I'm a hobbyist sim flyer, so that's the messaging system, I guess, where literally, an airline can, or I mean, I think pilots can also send messages, as the toilet is broken. So, when they land, people know to come and fix it and that kind of thing.
[0:18:49] SC: The ACARS is our onboard fax. An old system. It's not encrypted. Anybody can read it. I can build a simple ACARS radio at home and receive and read messages. There's no classified information going over that communication channel, but operational information for sure. You can also send up, and imagine the chaos you can cause with unverified false messaging. In the military, we verify all messages. In civil aviation, not yet. Working on it.
[0:19:16] GV: We're going to move on to, I mean, you've been using this phrase a lot, hybrid warfare. I think I'd just like to understand that one a bit more. When we talk about critical infrastructure, hybrid warfare, let's start with what you've touched on, obviously, nation states already, Russia, China, Iran, for example. I mean, we're not maybe here to dig into exact nations so much, but to understand the landscape. What is hybrid warfare at all? I guess, how does, especially commercial, I mean, I guess, are we talking commercial aviation comes into this, or military aviation drones? Just what is all this?
[0:19:51] SC: Classic warfare, we call it now kinetic warfare. Kinetic warfare is when things are flying around, like missiles, bullets, rockets, and it's about destruction. In hybrid warfare, there's actually nothing flying around. It's not peace, but it's not a kinetic war either. It's everything in between. Cyber warfare is a part of hybrid warfare. But there are many other shades of grey in hybrid warfare, such as disrupting a country's critical infrastructure. Quite often, the goal of hybrid warfare is disruption. It's showing power below the threshold of war. This means NATO will be challenged to invoke Article 5, as Putin is doing nowadays. We need to agree to invoke Article 5 among all member states, but this is a problem because for some, it might not constitute an act of war. For others, it's an apparent act of war.
Blowing up a bridge might be an act of war, but a cyber-attack on the bridge control system might not be. But both have the same effect. The bridge is unusable for logistics or for moving ammunition to the front line. That is hybrid warfare, creating chaos. A cyber-attack on my aeroplane is probably not aimed at killing us, but creating chaos. About showing, "Hey, look. See what we can do. Better be careful." It's threatening. It's what Putin is doing all the time, of course. He's threatening with nuclear weapons, but he's also attacking the whole digital infrastructure, the critical infrastructure of every country in Europe, and all the disinformation campaigns that he's been throwing out for many years. That is also warfare. It's hybrid warfare, below the threshold of visibility, but it's still warfare. It's part of Russia's war doctrine.
[0:21:37] GV: Understand. I mean, especially given that many airlines today are still effectively extensions of countries. Most countries have a national airline. I mean, in the UK, British Airways is not owned by the government, but I think most people still associate British Airways with being the national airline, for example. Then, obviously, we have the big nation players, like Emirates and Qatar. Does that play into it, where, as you say, causing chaos by signalling through cyber warfare on commercial aircraft, by extension, targets a government, for example?
[0:22:10] SC: I would say so. Yes. It's a show of force, definitely. Don't forget that in China, all Chinese companies are controlled by the Chinese government. If you look at global flight patterns, you see Chinese aeroplanes flying over Russia, no problem at all. We in the West need to avoid conflict zones and conflict areas because there are trigger-happy Russian soldiers down there with high-tech equipment built to shoot you down, and that has happened before, and it will happen again.
[0:22:40] GV: I mean, if we look at the cyber side, does proximity come into this as well, as you call it, flying over, flying in certain airspace? I think it's clear why flying in an airspace would make you more at risk of a physical missile, for example. But does it also increase the attack surface you're flying in?
[0:23:03] SC: Actually, it doesn't, because these missiles can fly hundreds of miles. I don't even have to fly near the border. They can easily hit me hundreds of miles away from the conflict zone if they want. But that must be an intentional order given by some high-up commander. Quite often, it's just trigger-happy, untrained soldiers on the ground that see a target and think, "Oh, crap. This is not ours," and they fire. If your military is poorly trained and has a corrupt command and control structure, which we see in Russia, everybody's trigger-happy. There's no discipline, only fear.
[0:23:38] GV: Moving away from pure aircraft for a second, actually looking at airports as well. Now, I mean, I think maybe the one that our audience might be aware of recently, which was not a cyber-attack, but it clearly showed that what could happen was obviously CrowdStrike and how CrowdStrike managed to inadvertently take out airports, control systems, well, not control systems, but a lot of display systems and just logistic systems so people simply couldn't fly. Is that something you advise on or deal with as well? Not in the air, but actually on the ground as well.
[0:24:11] SC: Yes, one of the basics of cybersecurity, that all CISOs will preach, is to stay away from single points of failure. It's not aviation-related. With a recognised single point of failure, you need a plan B. Remember, I think it was Heathrow that shut down for a few days due to an electrical substation failure. A classic single point of failure. Very effective disruption, actually, but not intended like that. Those are basics.
In general, whenever I am consulting any party in aviation, we often fall back to basics first. Basic cyber hygiene. That's not only in aviation. That's also in every sector, every industry. Everybody needs to have the basics right first. Simple, vulnerability reduction, and simple identity management. It's not rocket science. We have all the knowledge. We have all the tools. We can implement it. But somebody has to put the money aside, organise it and say, "This is how we're going to do it." Until then, we are vulnerable. Everybody, not only in aviation. Back to basics. Basic cyber hygiene is what we need to focus on for the next couple of years.
[0:25:22] GV: Yeah. I think that's very interesting, where people maybe think it's more complicated than it needs to be, quite frankly, to keep on top of this stuff, where, even though it's an airport. It's a critical piece of infrastructure in a country, the people actually running the airport, unfortunately, might still be a bit behind when it comes to, as you call out, just basic cyber hygiene. Very interesting.
Let's move on to, I know that you've got a lot of thoughts around leadership and culture in this space. I think it's very interesting to cross over here into how the aviation industry operates. Cybersecurity could probably learn a few things. I think the big one here is the idea of a just culture, rather than a blame culture. I think let's go there, and maybe you could help us understand what just culture is. Why has it been a while since aviation? How does that maybe translate into, or should be translating into, cybersecurity as well?
[0:26:17] SC: That is an exciting bridge indeed. I gave a presentation at Black Hat last year on what cybersecurity teams can learn from aviation's just culture. It's actually straightforward. Just culture is one in which you encourage incident reporting without fear of punishment, enabling the organisation to learn and improve. Because humans make mistakes. We are human; we make mistakes by default. That is okay, as long as you don't do it intentionally. There's a grey area there, but this is what it is.
If I make a hard landing, I make a mistake. Okay, then I'll report it so others can learn from it. If a new system is spoofing me and I see data I've never seen before on my instruments, I report it so everybody can understand. Then, I don't want it to stay inside my company. I want the companies to share. I want the aviation sector to share. Not only sovereign, but we also need global sharing with allies. That's why we need Information Sharing and Analysis Centres (ISAC) to share all this threat intelligence with our friendly allies. Not just an Aviation ISAC, but a combined Critical Infrastructure ISAC.
Back to just culture. We see many large corporations, not only aviation companies, where people are clicking a phishing email and, "Oh, I think that was wrong. I'd better go home now. Maybe nobody sees it." Then, without knowing it, your whole network is compromised and infected within 15 minutes. The threat actor is already moving horizontally through your network. If this employee had called their CISO, they might have been able to mitigate and keep it within the house. It's about the culture, and the culture goes top-down. It's leadership by example.
[0:27:56] GV: I think that's a good way of explaining it. There's a website that some of the audience may know, called Aviation Herald, AV Herald. That's at least where I, as a layman, go to just check up on reported incidents. They get classified as crash, obviously the worst, and then I think accident, then incident, or something like that. The funny thing is, I've noticed how the airline, again, let's just take British Airways, for example, a lot of things pop up from British Airways, and some people might look at that and go, "Wow, they have so many issues." Actually, I'm much happier seeing that than the airline I never see. I don't know which one to name, but there are certainly airlines that virtually never pop up. That, to me, is a reporting problem. Actually, there's just safety in reporting effectively.
[0:28:44] SC: How often do you see a Chinese or Russian airline pop up, or an airline that is part of any country with a dictatorship? None. It doesn't happen. Because they carefully cherish their ego, their image, and their reputation. Of course, let's not forget AV Herald, it's a British publication.
[0:29:00] GV: It could be. Yeah, I'm not actually super sure. But yeah.
[0:29:03] SC: Anyway, they are well linked with information about British Airways, apparently, which might give you, as a reader, the wrong idea. Luckily, there is international data on aviation accident statistics to keep it all in proportion.
[0:29:14] GV: I mean, we see this in, obviously, cybersecurity. To some degree, we've got, obviously, the Verizon DBIR, which comes out every year. I think the thing there, though, is that it's less attributed to specific companies, but at least in the report, it's more about stats. The point is that it can only exist because of reporting. Someone in a company has reported the incident, the breach, or what happened. I think it's fair to say, like, we're still way off in cybersecurity in terms of reporting.
[0:29:46] SC: Oh, yes. In cybersecurity globally, I see a traditional blame culture that discourages reporting of security incidents. It prevents the organisation from learning, and you're unable to improve your defences. I see it a lot. Not only in aviation, but blame culture in general is endemic, especially behind closed doors. There's no learning. There's no wanting to learn. It's all about KPIs and making money. And staying in power.
It's often very subtle. It's challenging, as an outsider, to see the blame culture. Because people are being laid off and fired on the spot. Then you ask them, "Why are you fired?" You never really find out, because they don't want to lose face either. Blame culture is widespread. In aviation, as I said before, aviation safety is written in blood. We learn from accidents. If we don't learn from accidents, more blood will be needed to write, and that's not good.
[0:30:36] GV: Yeah. Obviously, I've worked in Asia-Pacific for a while now, and indeed, in cybersecurity. It was challenging because companies sometimes won't help with an issue, because they simply don't want to talk about it.
[0:30:49] SC: Losing face is more dangerous than leaving a problem unsolved.
[0:30:53] GV: Yeah. I mean, obviously props to Verizon. I believe the Verizon DBIR reported that it had its own pretty major hack at one point. Instead of sweeping it under the carpet, so to speak, they went to the opposite side and said, "Look, we're going to be the people that hold the flag for reporting." I think that's very interesting.
As you call out, aviation has had to, or at least aviation outside of, say, dictator, state, country, sponsored airlines, they have to learn from each other. Otherwise, as you call up, unfortunately, people will literally die. That's why it's been so critical.
[0:31:33] SC: How these airlines in authoritarian regimes often learn is by reading our open-source reports and learning from that. They learn from us, they leech. Internally, if someone makes a mistake, they are fired on the spot. That's how a blame culture solves problems.
[0:31:50] GV: Yeah. We're going to move along to, we always have to talk about AI these days. Here, this is not bad. We've been going for well over half an hour without even mentioning AI. Where are you seeing AI? Especially, obviously, we're talking here about cybersecurity, cybersecurity in aviation systems. Is there anything being rolled out here related to AI for threat detection or anything along those lines? I mean, what are you seeing in that space?
[0:32:18] SC: Let's split the aviation industry into two parts. One, the aeroplane and the other one, just simply the rest, the airport, the airlines, which are also just buildings with people, computers, networks and their own vulnerabilities. On the aeroplane side, I do not see any AI being implemented. From where I can see, Boeing, Airbus and Embraer are all working on it, but I do not, at the moment, see any implementation of it in my aeroplane systems today.
Having said that, on the other side, of course, airports and airlines are working on their own AI applications. For airlines, it is mostly about operational efficiency and fuel efficiency. On the other hand, of course, client retention, passenger retention, passenger appreciation, and all those sides of the business. As in cyber, the same again: for any other industry, we're trying to use AI for threat detection, behaviour analysis, threat intelligence processing, and automated incident response. Again, for my airframe, I don't see anything yet.
[0:33:28] GV: Okay. Moving on from, say, AI to 5G. 5G, I believe, is rolling out. Well, is 5G rolling out within the airframes themselves, or is it more just that 5G has a standard, is having effects on, say, instrumentation, or what does 5G do in this case?
[0:33:44] SC: I can imagine that engine manufacturers are pleased with it, because with 5G chips in their engines, they can send loads of data way faster. That's all the telemetry they need for preventive maintenance, of course. It's critical data. Furthermore, I don't see this in or around my aeroplane alone. Most of the data, when I'm airborne, or all of it, will not go over 5G because at 12 kilometres there's simply no reception. It will go via ground stations. Then it might be further routed by 5G, but those are our ground systems. I don't consider that aviation systems at all. Just a ground-based communication system. With all the risks that come with it, because imagine, let's say, you can control all the hardware being used for 5G with backdoors, wouldn't that be great? What a great threat surface that is.
[0:34:33] GV: Yeah. I mean, it's widely reported. Obviously, that could be quite a threat.
[0:34:37] SC: Unfortunately, there are still a lot of people who don't understand this threat. Below the radar, it's hybrid warfare. It's not kinetic warfare, but it's still warfare. Or at least preparations for war. We need to know that we are being threatened. We need to understand who the enemy is here. That's why threat intelligence is crucial, and sharing that threat intelligence.
[0:34:55] GV: Yeah. Moving on from 5G, so we're just hitting the key, emerging technologies in this space. Drones. We can't ignore drones. Let's just talk about those for a second. We're not necessarily talking about military drones. But there are many commercial drones as well, but they're being integrated into controlled airspace these days. I mean, certainly, I found it fascinating in Singapore; I see so many commercial drones now. They're used for surveying. There's one I live near some water, and one pops up every morning to survey the water stations or something to that effect. I mean, these things are huge. How is that affecting, especially again, in the cybersecurity lens? What extra threats or challenges is that adding?
[0:35:39] SC: Stepping away from cybersecurity and just for aircraft safety, you don't want drones near your aeroplane. Now, anybody can buy a drone for $100 and fly this thing around. It's amateurs flying this cheap stuff around aeroplanes that is the real risk. In Singapore, we love our technology. It's widely being implemented for the benefit of the whole society, and it's all controlled. It's very tight control. No airport in the world allows drones close by, but how do you check until it's too late? Are you going to shoot it down if one appears?
I have heard many times on ATC frequencies someone reporting a drone nearby. Often, it's just some idiot with a camera trying to make a great shot for his Instagram feed, but it's not safe, and we shouldn't do that. It's more of a legal problem, since we need regulations to address it. Next to that, we also need tools to punish the people who do. It would be great if we could have a laser gun shooting down illegal drones around my aeroplane. Preferably automated. That would be great. Problem solved. But we don't have the legal tools for that yet. The legal framework is still in the making, but over the next couple of years, we'll see many regulations around drones. It's still all very much at the beginning of the development.
Then, I'm not even talking about warfare and hybrid warfare drones that are being used for surveillance, intelligence gathering, or just disrupting with GPS jamming and spoofing. Just fly around an airport and harass everybody for a couple of hours. There's a lot you can do with a drone to create chaos and to disrupt. Disrupting an airport operation directly disrupts a country's economy.
[0:37:24] GV: We're going to move along to more of the training and education side. I mean, I know you work on this a lot. I think you said, towards the beginning of the episode, that a lot of pilots simply aren't getting any training on the cyber side of things. I believe there is some form of simulator-based cyber training. Could you just speak a bit to that? How realistic is this to actually mimic the problems? Just where does it even start when it comes to bringing cyber training into the simulator side of things?
I guess for those not super familiar with aviation simulator training, it's always been a huge part of modern flying. You have to do set hours, I believe, on simulators and practice catastrophic situations and this kind of thing. That's my understanding, or until recently, without this lens, but it could be a cyber-attack. It's just, oh, my engine failed and for pure mechanical reasons, and now you need to deal with that, which is different to my aircraft being under cyber-attack. Yeah, could you just speak a bit to that?
[0:38:31] SC: You say correctly that simulator training is actually the only way that pilots effectively learn and absorb procedures. You need to see, feel and do it. We do a lot of CBT training as well, but that is basically all compliance. You don't learn much from that. That's just not how it works. Not everybody is a visual learner. Since there are many complex procedures, you need to train hands-on. Only then will you fully understand what it means, how it works, and why the procedure is designed as it is. If we need to train cyber scenarios or hybrid warfare scenarios, we need to do that in the simulator. That is very obvious. Unfortunately, nobody does that in the world. Yet.
For that reason, I founded the Aviation Cyber Academy in Singapore last year, with a cybersecurity masterclass curriculum for pilots that begins with the basics. Then we talk about aeroplane threat surfaces. We identify it all. Then we move over to your specific aeroplane type. Then we do scenario-based training, followed by 2 hours in the simulator. Then it gets interesting because the simulators were not designed to simulate cyber-attacks or hybrid warfare. I need to be very creative in showing the right cues and data so they can understand what's really going on. There's a lot of creativity involved here, but I'm sure the simulator builders are now working on creating more realistic presentations as well.
It has to be simulator training. Hybrid warfare scenarios actually have to be recognised and trained as well. Those are much easier to present in a simulator, because I can simulate, of course, an unverified message coming from an illegal sender and a non-verified sender. That's much easier.
[0:40:17] GV: What general uptake, or reception, have you found? I mean, you're very much on the ground in Singapore doing this training. Are you finding that these are pilots from other countries coming to do this? Or at the moment, is it more of a Singapore-based thing? I'm just curious about how the industry is receiving this.
[0:40:36] SC: The industry is actually not receiving it yet at the moment. For the same reason I stated in the beginning, that the airline's top management does not yet see cyber as a primary business risk. I talk to pilots. They would love to go through the training, because we always feel we need to understand what's going on. Then again, they don't pay for the training, and you need to have it on your roster and schedule. The simulator needs to be reserved. You need to have an instructor. The whole training and organisation parts of that need to be planned as well.
For now, it's ready to roll, and I'm waiting for airlines to show up and tell me to start training their pilots. Because right now, 91% of crew reports that they are concerned about the flight safety impacts of not being trained rigorously enough about what's going on here. And I understand. It's complex.
[0:41:29] GV: Yeah, that's very interesting. I mean, obviously, I hope as a passenger, as much as anything, that this is taken more seriously by airlines. Yeah. I mean, we're coming up for time a little bit, but I just like to get your take on, I guess, the next, I don't know, this is always a bit of a crystal ball, the next five years, for example, in sort of aviation, cybersecurity. What are some things that maybe you think are very likely to actually advance? Then, maybe what are a couple of things that you would like to advance, but you're not convinced that even within five years they're going to change?
[0:42:07] SC: I'm convinced that nation-state cyber warfare will increase, because it's a very cheap and below-the-threshold way of disrupting your enemies. We're going to see more cyber warfare affecting aviation as well. We can see that Putin is now getting bolder. He's now blowing up supermarkets and rail lines across Europe. No shame at all. It's very difficult to attribute that to Russian sabotage teams. Internally, he's framing that NATO is at war with Russia, so the GRU is having fun.
We will have more disinformation and hybrid warfare attacks, and more nation-state cyber warfare, absolutely, which only makes my point that we need to remain more resilient and ramp up our security. For that, of course, critical infrastructure, ISACs are necessary. Not just get all aviation together. That's way too small. We need to bring together all our essential CISOs for infrastructure and start sharing today. It's not a luxury. It's a necessity.
[0:43:01] GV: Yeah. I mean, you've touched on it with your cyber simulator training. It's one of these, I guess, chicken-and-egg problems, where you've just predicted that all the problems are going to get worse. You'd think there are more opportunities for commercial businesses to come into the space, I guess. The way cybersecurity has exploded as an industry over the last 20 years, with, say, EDR providers and this kind of thing. Do you see a version of the next five years where aviation cybersecurity suddenly becomes a hot topic? I would say, or I'm questioning the incumbents, let's just take CrowdStrike as an example. Could you see CrowdStrike having an aviation offering, for example, where an EDR sits on a plane, or anything like that?
[0:43:51] SC: Well, yes and no. I don't think CrowdStrike is going to do that because they don't have access to the aeroplanes' architecture. Within five years, I hope Boeing, Airbus, Embraer and all the big names are working very hard on that, and can show me one day a brochure and a diagram saying, "This is how we secure it. This is how we increase our resilience." Very unlikely they'll call me, but I really hope they're working on that.
On the other side of aviation, the non-aeroplane side of aviation, of course, CrowdStrike can do what they do best by creating more cybersecurity and resilience. That part of the aviation sector is less exciting because it faces the same challenges as other sectors, such as manufacturing, finance, and healthcare. It's just a building with a lot of IT network and most likely some OT attached to it as well. By the way, OT, operational technology, has its own challenges, but that aside.
Yeah, I really hope that there will be more vendors. But as you know as well, 20 years of cybersecurity, a multi-million dollar cyber vendor market, and it's all very sexy with nice dashboards and tools, but we forget the basics. I often have to start with teaching basic cyber hygiene. That's what we keep forgetting, because it's not sexy and it doesn't sell. The market is created to create money, not to create security. In general, I see many products on the market sold to people who don't need them, which confuses CISO teams. You walk around on these large cybersecurity event floors, and you're being attacked on all sides by 'can do' vendors. "You need this. You need that. We have AI. We can help you. Yes, we can do it." Months later: Oh, actually, it doesn't fit. Sorry. No, it cannot connect. No, actually, configuration doesn't work. Yeah, sorry, boss. Big problem.
Once it's connected, it's already legacy, because you can't get rid of it anymore. That's a big cybersecurity problem. A modern aeroplane, like a Boeing or an Airbus, has a lot of third-party hardware and software on board. Connecting all that stuff is a challenge, absolutely. That's why there are standards, like ARINC. Changing these standards has a huge impact, because everybody, every vendor, every third party, hardware and software provider has to adapt, which costs money, which makes the product more expensive, which makes the aeroplane more expensive. Which makes the tickets more expensive. It's all connected.
[0:46:13] GV: Yeah. I think that's a really good callout. We obviously saw that it wasn't cyber-related, but it was technology-related. We saw the outcome of this in those Boeing 737 MAX crashes, where effectively, technology had changed, but it had changed at a pace that hadn't, for various reasons, cost reasons, etc. Pilots were trained on that technology change, and the outcome was, unfortunately, catastrophic. I think what you're getting at is that, for anything to change inside an aircraft, we're not talking about a year's lead time. It's like 10 years from start to finish of, especially if we think of, again, let's just go back to the CrowdStrike example for a second, it touched the kernel of Windows, which is in theory why it's able to protect things, but it's also in theory why it's actually got the most risk if it goes wrong, because it can sink the whole system. I think in aircraft, that would obviously be just doubly problematic if you have systems that technically could fail the whole aircraft as well.
[0:47:14] SC: That's a great example. Then, next to that, you buy an airframe for 30-40 years. We have the same problem in the maritime sector. These big container ships have been around for 40-50 years. Many of them still run on MS-DOS. I tell you, MS-DOS. Talk about cybersecurity and resilience. Hacking a container ship, really. It's not that difficult.
[0:47:34] GV: Yeah. Well, maybe we'll need to find ourselves a maritime expert as well to bring on the show at some point, yeah.
[0:47:40] SC: Then next to that, we're going to have a lot of extra frameworks, new frameworks, regulation frameworks. They will mature significantly. ICAO will probably set the standards. The standards will become mandatory with enforcement mechanisms. Right now, it's all more advisory. But we need to enforce. Because you can imagine, let's say, one country is taking the ICAO standards seriously, and the country next to it is not, it's not working. We have to do it all together.
Cybersecurity is teamwork. Enforcement is going to be needed. Otherwise, we'll never have it secure and resilient. Then, in Europe, EASA will also implement binding cybersecurity requirements for aircraft certification and airline operations. We can't ignore it anymore. We can't afford it.
[0:48:25] GV: Yeah. Well, I think that's a great place to leave this today. I mean, I think this has just been a fascinating conversation, and obviously, a lot of knowledge and understanding shared from you today, sir. I really appreciate you coming on Software Engineering Daily, and I think I imagine 99% of our audience has learned something new today. Thank you so much for coming on.
[0:48:45] SC: My pleasure. If you have any questions, find me on LinkedIn or my website, and I'll gladly answer them.
[0:48:49] GV: Fantastic. Thank you so much.
[END]