Podcast Summary: Aviation Cybersecurity with Serge Christiaans
Software Engineering Daily, December 11, 2025
Guest: Serge Christiaans (Lead Instructor & Program Director, Aviation Cyber Academy)
Host: Gregor Vand
Overview
This episode explores the urgent and growing challenge of aviation cybersecurity. As commercial and military aircraft evolve into complex, interconnected digital environments, they face unique cyber threats with life-or-death consequences. Serge Christiaans—a former Dutch Air Force pilot, airline captain, CISO, and current cyber educator—joins host Gregor Vand to dissect the digital attack surface of modern aircraft, hybrid warfare, the slow adoption of cyber resilience in aviation, and what must change to secure the future of air travel.
Main Discussion Points & Insights
1. Serge Christiaans’ Career Journey & Dual Roles
[02:17]
- Serge combines long-standing careers as a pilot (military and commercial) and as a cybersecurity leader.
- His military experience built skills in electronic and hybrid warfare; he later moved into commercial aviation and then IT/cybersecurity.
- During COVID-19, he pursued a master’s in cybersecurity and held CISO roles, uncovering critical gaps in aviation cyber awareness.
- Today, he raises awareness at the intersection of aviation and cybersecurity, advocating for greater recognition of cyber risks within the industry.
- Quote: “I found myself in the middle of aviation cybersecurity... not many people are in that intersection. And I really felt I needed to do something with the knowledge I have on both sides.” (Serge, 03:36)
2. Aviation’s Cybersecurity Maturity & Culture
[05:54], [06:17]
- Aviation’s cybersecurity maturity is average—behind sectors like finance or healthcare, ahead of manufacturing.
- Aviation’s aversion to procedural change, driven by a safety-first mindset, can inhibit timely progress in cyber resilience.
- Industry culture prioritizes minimizing change to preserve safety systems, which can inadvertently foster cyber vulnerabilities.
- Quote: “Everything we change might compromise that safety. Because in aviation, safety is written in blood.” (Serge, 06:42)
3. The Aircraft as a ‘Flying Server Room’: Attack Surface
[08:02]
- Modern airplanes are described as “a flying server room with hundreds of computers”—each a potential cyber entry point.
- Attack surfaces extend beyond cockpits: navigation, flight management, GPS, ACARS (messaging), maintenance telemetry, and especially engines.
- Real-time engine telemetry streams to manufacturers—raising concerns about potential remote manipulation.
- Quote: “If somebody could switch these things off in flight, then I'm not an airplane anymore... Without engines, I'm a glider.” (Serge, 09:14)
4. Legacy Protocols and System Vulnerabilities
[10:44]
- Outdated communication protocols, like ARINC 429, were engineered for reliability—not security—leaving them open to spoofing/injection.
- Airplanes’ lengthy operational lifespans mean vulnerable legacy systems will be airborne for decades.
- Newer protocols (like ARINC 664/AFDX) introduce security enhancements but roll out slowly.
- Opacity from manufacturers (Airbus, Boeing, Embraer) makes it hard to assess current airframe resilience.
5. In-Flight Cyber Attacks and Pilot Training
[13:10], [13:42]
- Very few pilots (<20%) receive simulator-based training for cyber events; most rely on memos, lacking practical preparation.
- There’s a critical gap because authorities don’t mandate this training, mirroring management’s lack of cyber awareness.
- Aviate, Navigate, Communicate remains the primary emergency protocol; pilots are told to:
  - Keep flying the aircraft
  - Reestablish situational awareness with primary instruments
  - Communicate with ATC/crew/passengers
  - Isolate compromised systems
  - Document incidents for global cyber threat sharing
- Quote: “The first thing you do, whatever is going on, fly the bloody airplane ... Then navigate ... Then communicate ... Then isolate and document.” (Serge, 15:17)
6. Legacy Messaging & Hybrid Warfare
[19:14], [19:41], [20:18]
- ACARS, the primary airline messaging system, is outdated, unencrypted, and easily intercepted or spoofed.
- Hybrid warfare is the “gray zone” between peace and kinetic war; it includes cyber disruption of aviation and critical infrastructure without bullets or missiles.
- Commercial aviation is squarely in the crosshairs of such indirect state-sponsored cyber threats aimed at creating chaos or sending political signals.
- Quote: “Hybrid warfare... it's everything in between. Cyber warfare is a part... [but] there's many other grey shades... the goal is disruption, showing power below the threshold of war.” (Serge, 21:01)
7. Ground Infrastructure and Cyber Hygiene
[24:37]
- Not just planes—airport systems are susceptible to cyber failures, as shown by the recent CrowdStrike incident.
- The most foundational defense is “basic cyber hygiene”: vulnerability reduction, identity management, eliminating single points of failure.
- The challenge isn’t advanced technology, but consistent, well-funded application of best practices.
- Quote: “Simple vulnerability reduction, simply identity management. It's not rocket science ... but somebody has to put the money aside, organize it and say this is how we’re going to do it.” (Serge, 25:08)
8. Culture: Just Culture vs. Blame Culture
[26:42]
- Aviation’s “just culture” encourages error and incident reporting without fear, enabling systemic learning and safer operations.
- By contrast, blame cultures (common in cybersecurity and certain regions) foster silence, missed learning opportunities, and repeated failure.
- Quote: “Just culture is a culture where you encourage incident reporting without fear of punishment to enable the organization to learn and to improve. Humans make mistakes by default. And that is okay as long as you don't do it intentional.” (Serge, 26:48)
- Airlines in secretive or authoritarian countries rarely report incidents—leading to skewed risk perceptions and missed lessons.
9. AI, 5G, and Drones—Emerging Tech Impacts
[33:09], [34:35], [36:29]
- There is no evidence yet of AI in onboard aviation systems; airports and airlines use AI for operations and security, as other industries do.
- 5G is being used for engine telemetry (groundside), but has limited airborne impact. However, foreign-controlled 5G infrastructure (e.g., Huawei) poses hybrid threats.
- Drones represent growing risks not just militarily, but as civilian technology—posing physical and potential cyber dangers to aircraft/airports.
- Quote: “Imagine if you can control all the hardware being used for 5G with backdoors ... Hybrid warfare. We need to understand who is the enemy here.” (Serge, 35:04)
10. Training and the Slow Move Toward Cyber Resilience
[38:14], [39:22], [41:27]
- Serge’s Aviation Cyber Academy runs the first hands-on cyber training for pilots—including simulator-based scenarios, despite simulators not being designed with cyber attacks in mind.
- Industry uptake remains dismal; until management recognizes cyber as a core business risk, progress is hard-fought.
- Surveys show >90% of flight crew want better cyber-risk training.
11. Crystal Ball: The Next Five Years in Aviation Cybersecurity
[42:58], [44:42]
- Nation-state cyber warfare and hybrid threats will increase, targeting aviation and related infrastructure.
- Greater need for global ISACs (Information Sharing & Analysis Centers) and cross-industry cooperation.
- Regulatory frameworks (ICAO, FAA, EASA) will become more prescriptive and enforcement-oriented.
- The pace of technical change in aviation is slow due to long product lifecycles, complex supply chains, and the absolute need for safety over innovation.
- Quote: “We need to have all our critical infrastructure CISOs together and we need to start sharing today. It's not a luxury, it's a necessity.” (Serge, 43:49)
- Software/hardware vendors may struggle to enter the avionics market due to severe integration, safety, and regulatory hurdles.
Notable Quotes & Memorable Moments
- “Cyber is your biggest risk. If you don’t understand that... you will go down if you have a ransomware attack that you haven't prepared.” — Serge [03:44]
- “Aviation safety is written in blood.” — Serge [06:42]
- “Modern aircraft [are] a flying server room with hundreds of computers on board ... that's a huge attack surface.” — Serge [08:06]
- “The first thing you do, whatever is going on, fly the bloody airplane. ... Then isolate and document.” — Serge [15:17]
- “Just culture is a culture where you encourage incident reporting without fear of punishment...” — Serge [26:48]
- “If we don't learn from accidents, then there's more blood going to be needed to write. And that's not good.” — Serge [31:19]
- “I am teaching cyber hygiene basics... it doesn't sell. The market is created to create money, not to create security in general.” — Serge [45:29]
Key Timestamps
- [02:17]: Serge’s dual career: military, airline pilot, and CISO experiences
- [06:17]: Aviation cyber maturity—why the culture makes advancement hard
- [08:02]: What constitutes the airplane attack surface?
- [10:44]: Legacy ARINC protocols and inherent vulnerabilities
- [13:10]: State of pilot cyber training; disconnect between memos and simulators
- [13:42]: How pilots should (and shouldn't) respond to mid-flight cyber threats
- [19:41]: Definition and implications of hybrid warfare in aviation
- [24:37]: Airport vulnerabilities and high-profile cyber failures
- [26:42]: Cross-pollination of aviation’s “just culture” to cybersecurity
- [33:09]: AI in aviation—limited in-flight implementation, more evident on the ground
- [34:35]: 5G: telemetry benefits and supply chain threats
- [36:29]: Drones: a new avenue of risk, both physical and cyber
- [39:22]: Simulator-based cyber training for pilots
- [42:58]: Five-year outlook—expect more nation-state cyber incidents, call for sector-wide resilience
Conclusion
Serge Christiaans compellingly articulates the rapidly shifting risks, cultural challenges, and technical nuances facing aviation’s cyber future. Despite technological advances, basic cyber hygiene, open incident reporting (“just culture”), and global collaboration remain the most urgent gaps. The sector’s most pressing challenge may be shifting institutional mindsets—before adversaries exploit the slow pace of change.
For more, Serge is open to connecting via LinkedIn.
