
A
Aviation cybersecurity is becoming an urgent priority as modern aircraft increasingly rely on complex digital systems for navigation, communication and engine performance. These systems were once isolated, but are now interconnected and vulnerable to cyber threats ranging from GPS spoofing to ransomware attacks on airline infrastructure. As nation state actors and criminal groups grow more sophisticated, the aviation sector faces a rapidly expanding attack surface with life or death consequences. Understanding and addressing these risks is essential not only for passenger safety, but for the resilience of global transportation networks. Serge Christians is a former Dutch Air Force pilot with a background in electronic and hybrid warfare. He later flew commercially for Singapore Airlines and is now the lead instructor and Program director at the Aviation Cyber Academy. He joins the podcast with Gregor Vand to discuss the convergence of aviation and cybersecurity, the aircraft as a digital attack surface, hybrid warfare, the urgent need for aviation cyber resilience, and much more. Gregor Vand is a security focused technologist, having previously been a CTO across cybersecurity, cyber insurance and general software engineering companies. He is based in Singapore and can be found via his profile at Van HK or on LinkedIn.
B
Hello, welcome to Software Engineering Daily. My guest today is Serge Christian. Welcome Serge.
C
Hi Gregor. Thank you very much for the invitation.
B
Yeah, this is a very interesting one for us to do today as we're going to get into based on the fact that you are a practicing pilot, but you're also a practicing CISO as well. So we're going to get into how this has all come about. So I think that's kind of where we should start. We always kind of start with guests career journey, if you like to call it that. It almost feels like you have two careers, both that you've managed and are still doing both today. So tell us about how are you doing these two jobs effectively?
C
Okay, well I started my career at the military academy in the Netherlands in the Air Force and then flying in the Netherlands for the Dutch Air Force for about 16 years. I was also involved in electronic warfare, hybrid warfare and plenty of operations and NATO operations abroad. Then I moved to commercial aviation flying 737s in the Netherlands, but as an ex military pilot that was so insanely boring. I started my own IT company parallel to that and that company actually started growing into more cyber security as cyber became an issue around 2010, 2011 when we saw the first cyber attacks. I was still flying then, but also in my spare time serving customers, mostly SMEs and managing their infrastructure. Then at some point I moved to Singapore flying for Singapore Airlines, or Scoot actually, for the Airbus 320. Covid happened. I took that opportunity to do a master's in cybersecurity. And then during COVID I had several full time CISO roles responsible for Asia Pacific regions, stock listed multinationals, which was very different from flying. But I'd say my military academy management skills were very useful. It was again, very interesting. I learned a lot. But then at some point I looked in the mirror and I thought, nah, dude, you want to fly again? You miss it? And I did. So I started flying again. But now all the knowledge that I had on cybersecurity and my CISO experience, I found myself in the middle of aviation cybersecurity. And when digging into that, it's actually a very small world, not many people are in that intersection. And I really felt I needed to do something with the knowledge I have on both sides. So I'm helping the aviation industry on plenty different occasions. I speak a lot at conferences, raising the flags on awareness, but especially airplane cyber and the threat surface that an airplane poses. 
Because there are many people, also high level management of airlines that actually do not understand this risk and what we need to do, which is actually comparable to what I found when as a CISO working for large companies. It's the same problem all over. They don't understand the business risk of cyber, which is the largest risk that any company has, not even aviation or an airline. Cyber is your biggest risk. If you don't understand that, that your company can go down in a week, regardless of how great your clients feel about you, or how low your prices are, or how great your product is, you will go down if you have a ransomware attack that you haven't prepared.
B
Yeah, I think probably quite obvious to many, but worth calling out is just the stakes are incredibly high in aviation because you just don't have the same kind of time to deal with the problem. So we're going to get into kind of what that even means, cyber in the air. Just before we kind of go there, a couple of questions I guess is I have quite a few pilot friends actually, and there's obviously a lot of downtime between where you fly to and from. So I guess this is how you're able to kind of do both at once. And is it kind of difficult to mentally switch between flying and then being a CISO or how does that look?
C
Well, not for me. It's like switching languages. If you speak both languages well, you switch without knowing. You sometimes even think in the other language without knowing. Or compare it to driving. In Singapore, I drive on the left side. Here in Europe, I drive on the right side. I just get in a car and I just do it. Sometimes if I'm tired, I approach a roundabout, I need to think, okay, left or right, what is it? But in general, I don't have that problem because I speak both languages. Good.
B
I think that's a good way of describing it. And then if we just sort of think about just to kind of lay the land here, like cybersecurity in aviation, how would you describe. I mean, you've touched on it, I think, just in what you were saying a few minutes ago. But how would you describe kind of the maturity of cybersecurity compared to other critical infrastructure sectors?
C
Well, actually, we have statistics on that. There is research on that. And it seems that aviation is about in the middle, which aligns with my experience as well. In general, of course, the financial sector, the financial services, healthcare, energy sector, they're more mature in general, and manufacturing is way less mature in general. And we're about in the middle. And one of the main reasons is, of course, that in the aviation industry, we focus on physical security threats in general, and we don't like change because everything we change might change our safety posture as well. It's all about safety. What we do now is safe, and everything we change might compromise that safety. Because in aviation, safety is written in blood. We say it's based on experience with an open culture. We want to learn of everything that happens so we can prevent it from happening again. So then when everything is balanced, is coordinated, and it works like this, and we have a high safety level, you don't want to change it a lot because you're introducing more risks. And that's a part of our culture that doesn't help getting more cyber resilience. That's one of the things I'm fighting at the moment.
B
Got it. Okay. That makes a lot of sense. So let's dive into what it even means. Cybersecurity in aviation. Some of our listeners will be familiar with the term attack surface. Like in terms of just conventional what? An attack surface in cybersecurity, that is what an attacker might see and be able to think about attacking. How does that look in terms of aircraft? Like, what does an attack surface of an aircraft even look like? And what are things that people might just not realize even exist as part of that attack surface?
C
Okay, let's start with describing a modern aircraft as a flying server room with hundreds of computers on board. If you look at it like that, that is a huge attack surface on its own. There's a lot of digital stuff on board, but also cyber physical elements that are hybrid. And it's the hybrid things and the hybrid attacks by the way as well, and hybrid warfare that's actually falling in between. Nobody understands that one except the ex military guys. It's not cyber and it's not warfare and it's not in the newspapers, but that's a different topic. Talking about threat surfaces of my airplane, it's all the computers, all my navigation systems, my flight management systems, big and small computers, GPS receivers, ACARS, satcom. It can all be spoofed, it can all be exploited. Even my maintenance systems can be compromised. And one of my biggest worries, where nobody talks about, is actually my engines. My airplane, half of the price goes, half of the money goes to the engines. These things are insanely complex. If I open up a few of these hatches, you're going to be amazed what you see there. It's a miraculous piece of high tech. And these things are constantly sending data to the manufacturer. So this is also part of my threat surface. If somebody could switch these things off in flight, then I'm not an airplane anymore. I can do without a computer. I have backups on this, backups on that. We have workarounds. That's all fine. As long as I'm still an airplane, I have fuel and I have a landing gear to land on, then I'm fine. But without engines, I'm a glider.
B
So that's an interesting one. Let's just stick on engines for a second. You mentioned that the engines are sending telemetry to the manufacturers. So in theory, is there a risk around that communication the other way around, where something goes wrong at the manufacturer and is able to, some kind of communication is able to be sent to the engine that does something nefarious? I mean, is that a possibility?
C
Theoretically, yes. It's the same as your phone. Somebody could switch it off, somebody could DDoS it or make it unusable or find a switch. What nation state threat actors are doing right now with our critical infrastructure, mainly China, they're creating switches that they can push. So they create chaos.
B
Yeah, interesting. So I mean, looking at sort of general connectivity, could you actually explain, I believe there's this acronym, ARINC systems. Perhaps you could just explain a. What does that stand for? And I believe it's a protocol and could maybe just dive into that protocol a little bit. And how has that increased the threat landscape as well?
C
So ARINC is a protocol that was, I think 1927 in the last century, radio communication protocol that was designed for standardization purposes. And in airplanes we have an ARINC 429 that was the first communication bus, actually, let's call it a communication bus that was built into the digital backbone of airplanes to communicate, to enable communication between different systems on board. Now, the ARINC 429 was designed in the 70s, last century, long time ago, there were not really physical wars going on. The cyber didn't exist. The first computers, I think we had MS-DOS back then, just came out. The word cyber security didn't even exist. So these things were designed for reliability and not for message injection or spoofing attacks. Now, next to that, the long operational life cycles we have in aviation means that we have a lot of vulnerable old systems flying around for many years to come. That doesn't mean there's no improvement. There are developments. We have the ARINC 629, which is more secure, more safe, and we have the 664, the AFDX, which is a full duplex, which can handle encryption, which all is a big improvement, but it's only for the newer airplanes.
B
So for example, when you say newer airplane, are we talking like a 350 or does it have to be, I guess a 350 is one of the newest aircraft. But do a 320s have that newer? Like if they rolled out the factory Today, do the A320s get that new protocol or a new bus?
C
Yes, that's a funny thing. Every time I ask Airbus, they don't tell me.
B
Right? Okay.
C
And every time I ask Boeing, they don't tell me. And the same goes for Embraer. I visit a lot of aviation events, talk to the chief pilots and the test pilots of these airplanes. But I think you can imagine that this is proprietary information and they're not going to give it out to the first idiot with a Boeing cap visiting their booth. It's very difficult to find out. We have to believe that they are doing their absolute best and that they have a very well equipped cyber team. Then they're looking at it. But at the end of the day, I cannot do a penetration test on my airplane because for that it actually needs to be in the air. You can understand it's physically, no pun intended, air gapped that nice. But if you want to do a pen test, you have it in the hangar. You need to have the engines running as well, because then you know all the systems are online. And even then the air ground switch will be on the ground side. Not all will be working, so it's very difficult to do that.
B
Yeah. Okay, interesting. So let's talk about actual cyber attacks mid flight. So, I mean, I believe you do actually train pilots to understand what cyber attack might look like midair and I guess how to sort of deal with that. So could you just walk us through, what kind of things do you teach pilots in this sense? Like, what are they looking out for? And then crucially, what are they supposed to then? Like, what are some at a high level? Like, what kind of steps are they supposed to step through to help mitigate that whilst they're literally flying a plane at 35,000ft?
C
Yeah. Well, first of all, there's only about 20% of pilots globally that receive actual training in this. All the other receive memos. It's not being trained in simulators for the simple reason that aviation authorities are not asking for it. We do what we need to do to be compliant. We don't have time for other stuff. When I'm in a simulator for four hours, there's a very intense program. There's no 10 minute space to have a look at GPS spoofing or jamming. It's just not in the program. And that's exactly the same reason, because the proper management doesn't understand this is needed. There is no awareness of the risk, the business risk of cyber. So it needs to be top down. The board needs to decide, yes, we need to train this, then it goes to the training department, they will make a training program. Then we go in the simulator and then we learn how to react on this. Until that happens, nothing happens. And there's only 20% of pilots that are being actually trained. The other ones all. And there's also scientific interview data on that one. The other ones are uncomfortable in a situation like that because they don't actually know what's going on.
B
Can you walk us through just what a cyber attack might present? As in the cockpit, for example?
C
Yeah. In aviation we're being trained on emergencies and we practice these emergencies and we learn how to identify them. Quite often the airplane helps you identifying them. Let's say I have an oil pressure on my left engine, it's going below limits. And the airplane will pop up a message, a notification, if you will, that says, hey, have a look at your engine pressure because it's not going great. And then I make a decision, we look at it and we take out a checklist or we divert or whatever we feel we need to do to keep the operation and the people in the airplane and my crew safe. Now, a cyber attack on your airplane is actually something you never saw before. Most likely by now everybody has seen a GPS jamming or a GPS spoofing, but there are still plenty of pilots who do not understand yet the difference between it because they have not been properly trained, or the results or the long term effects on your airplane of a spoofing attack. So what we normally do, the basic rules for handling any emergency in any airplane anywhere in the world is aviate, navigate, communicate. The first thing you do, whatever is going on, fly the bloody airplane. Use your primary instruments, keep on flying. Don't focus, don't look inside at instruments or try to get manuals out, or start a discussion with your first officer while the airplane is going down. That's not a good idea. Aviate first, then navigate. Where are you going? Where are you heading? Where do you want to go? Make sure you have a heading where you're not going into a mountain, for instance, or you're not going over a busy airport. Get out of dangerous airspace. And then the last one, communicate this not only to air traffic control, but to your crew, to your cabin, to your passengers, if you have time. In the right order. Now, for any cyber attack, things will be happening that you don't understand. You will have contradicting information. 
Like this system says my position is here and this system says my position is there. So where am I? I don't know. Or hey, suddenly my engine data is blank. Maybe your engine is being hacked, I don't know. Or in hybrid warfare, maybe your ACARS is spitting out a message from operations that you're not expecting. So you need to think. You need to start thinking. So what we need to do is to isolate, disconnect the suspected system and try to resolve the problem after isolation. And then the last one is to document. We need documentation about this because every attack is probably new and because one of the more important things of cyber resilience is sharing cyber threat intelligence. We need to document this so we can immediately tell all the other pilots in the world that this is happening in this area, most likely by this threat actor. So sharing is caring. It's very important. Stronger together.
B
Yeah. We're going to get on a bit to sort of culture in a bit as well. This idea of just culture versus blame culture. But we'll get there. So, yeah, I think that's very interesting just to think for a second just about that situation where as you're calling out, a pilot can never know for sure if what's going on is an attack. And so that's, I guess, half the problem. And then the second problem is then that distraction and your overarching way of training the situation is, as you say, fly the plane. That's the first thing. Don't take your eye off what you should just be doing, which is flying the plane. But obviously you're having to make a whole bunch of other mental assessments. I mean, you mentioned ACARS, which, I'm a hobbyist sim flyer. So that's this sort of like messaging system, I guess, where literally an airline can or I mean, I think pilots can also send messages like, you know, toilet broken. So when they land, people know to come and fix it and that kind of thing.
C
Yeah, the ACARS is our onboard fax. Very old system. It's not encrypted. Anybody can read it. I can build a little soft radio here and you can even receive it and read it. There's no classified information going over that thing, but operational information for sure. And you can also send up and imagine the chaos. You can do that with false messaging that are not verified. In the military, we verify all messages. In civil aviation, not like that yet. Working on it.
B
So we're going to move on to. You've been using this phrase a lot, hybrid warfare. I think I'd just like to understand that one a bit more. When we talk about critical infrastructure, hybrid warfare, let's start with kind of. You've touched on obviously nation states already. Russia, China, Iran, for example. I mean, we're not maybe here to dig into exact nations so much, but just sort of the understanding what is this landscape and what is hybrid warfare at all? And I guess how does. Especially commercial. I mean, I guess are we talking commercial aviation comes into this or military aviation, drones? Like just what is all this?
C
Okay, classic warfare we call kinetic warfare. Kinetic warfare is when things are kinetically flying around like missiles, bullets, rockets, and it's about destruction. Hybrid warfare. There's actually nothing flying around. It's not peace, but it's also not kinetic warfare. So it's everything in between. Cyber warfare is a part of hybrid warfare, but there are many other grey shades in hybrid warfare, like disrupting transport train systems in a country. Quite often the goal of hybrid warfare is disruption. It's showing power below the threshold of war. Which means that in NATO it's going to be very difficult to call out Article 5 if it's hybrid warfare. We need to agree on that. All of the member states, which is a problem because for some this might not be an act of war, for others it's a very clear act of war. So blowing up a bridge might be an act of war, but a cyber attack on the bridge control system might not be. But both have the same effect. The bridge is unusable for logistics and for ammunition and to go to the front line. So that is hybrid warfare creating chaos. And a cyber attack on my airplane is probably not aimed at killing us, but creating chaos about showing, hey, look, see what we can do. Better be careful. It's threatening and it's what Putin's doing all the time. Of course he's threatening with nuclear weapons, but he's also attacking the whole digital infrastructure, critical infrastructure of every country in Europe, next to all the disinformation campaigns that he's throwing out. That is also warfare. It's hybrid warfare, but it's still warfare.
B
I understand. And I mean, especially given a lot of airlines today are still effectively extensions of countries. Most countries have a national airline. I mean, in the uk, British Airways is not owned by the government, but I think most people still associate British Airways as sort of being the national airline, for example. And then obviously we have the big nation players like Emirates, Qatar, et cetera. So does that play into it where, as you say, causing chaos, showing a signal through cyber warfare on commercial aircraft is by extension targeting a government, for example?
C
I would say so, yeah, it's a show of force, definitely. Don't forget in China, all Chinese companies are owned by the Chinese government. Well, not owned, but at least controlled. And if you look now at Flight 24, you see Chinese airplanes just flying over Russia, no problem at all. So we need to avoid conflict zones, conflict areas, because there are trigger happy people down there with high tech equipment built to shoot you down. And that has happened before and it will happen again.
B
And I mean, if we sort of look at the cyber side, does proximity come into this as well as you call out flying over, flying in certain airspace? I think it's clear why flying in an airspace would make you more at Risk of a literal missile, for example. But does it then also increase sort of that attack surface in terms of where you are flying?
C
Actually it doesn't because these missiles are able to fly hundreds of miles. I don't even have to fly near the border. They can even hit me here over at Amsterdam if they want. But that must be an intentional order given by some high up commander. Quite often is just trigger happy untrained soldiers on the ground that see a target and think, oh crap, this is not ours and they fire. So if your military is badly trained and with a corrupt command and control structure, which we have in Russia, everybody's trigger happy. There's no discipline. Yeah.
B
So moving away from pure aircraft for a second, actually looking at airports as well now, I mean, I think maybe the one that our audience might be aware of recently, which was not a cyber attack, but it clearly showed what could happen, was obviously CrowdStrike and how CrowdStrike managed to inadvertently take out airports control systems. Well, not control systems, but a lot of display systems and just logistics systems. So people simply couldn't fly. Is that something you advise on or deal with as well? So not in air, but actually on the ground as well?
C
Well, I think one of the basics of cybersecurity all CISOs will preach that is stay away from single points of failure. It's not aviation related, it's a single point of failure and you need to have a plan B. And remember the. I think it was Heathrow that shut down for a few days due to an electrical substation. Yes, single point of failure, very effective DDoS actually not intended like that. Yeah, so those are basics in general. Whenever I am consulting anybody in aviation, we fall back to the basics. It's basic cyber hygiene. And that's not only in aviation, that's in every sector, every industry. Everybody needs to go back to basics. Simple vulnerability reduction, simply identity management. It's not rocket science. We have all the knowledge, we have all the tools, we can implement it, but somebody has to put the money aside, organize it and say this is how we're going to do it. And up till then we are vulnerable. Everybody, not only aviation, back to basics. Basic cyber hygiene is what we need to focus on for the next couple of years.
B
Yeah, I think that's very interesting. Where people maybe think it's more complicated than it needs to be, quite frankly to keep on top of this stuff. Where even though it's an airport and it's a critical piece of infrastructure in a country, the people actually running the airport unfortunately might still be a bit behind when it comes to, as you call out, just basic cyber hygiene. So very interesting. Let's move on to. I know that you've got a lot of thoughts around leadership and culture in this space, and I think it's very interesting the sort of crossover here where the way that the aviation industry operates cybersecurity could probably learn a few things. So I think the big one here is this idea of just culture, which is juxtaposed with blame culture. So I think let's go there and maybe you could help us understand what is just culture. Why has it sort of been in aviation a while? How does that maybe translate over to, or should be translating over to cybersecurity as well.
C
A very interesting crossover. I gave a presentation last year at Black Hat about what cyber security teams can learn from aviation just culture. And it's actually very simple. Just culture is a culture where you encourage incident reporting without fear of punishment to enable the organization to learn and to improve. Because humans make mistakes. We are human, we make mistakes by default. And that is okay as long as you don't do it intentional. Basically, there's a gray area in that, but this is basically what it is. So if I make a hard landing, I make a mistake, okay? Then I report it so other people can learn. If I am being spoofed with a new system and I see data that I've never seen before on my instruments before, I report it so everybody can learn. And then I don't want it to stay inside my company. I want the companies to share. I want the aviation sector to share. And not only sovereign, I need global sharing. That's why we need CI isex to get all this information out there with our friendly allies. But back to just culture. That's basically what it is. And we see a lot in large companies, not aviation companies, but maybe also aviation companies like airports, where people are clicking a phishing email and oh, I think that was wrong. Oh, I better go home now. Maybe nobody sees it, right? And then without knowing it, within 17 minutes, your whole network is compromised and infected. If this person would have called their CISO, they might have been able to mitigate and keep it within the house. So it's about the culture, and the culture goes top down. It's leadership by example.
B
I think that's a good way of explaining it. There's a website that some of the audience may know called Aviation Herald, AV Herald. And that's sort of, at least that's where I as a layman go to just Sort of check up on reported incidents, you know they get classified. Crash obviously being the worst and then you know, I think accident and then incident or something like that. And the funny thing is I've noticed how the airline, again let's just take British Airways for example. A lot of things pop up from British Airways and some people might look at that and go wow, they have so many issues. And actually I am much happier seeing that than the airline I never see. I don't know which one to name but there are certainly airlines that virtually never pop up and that to me is. That's a reporting problem. So actually there's just safety in reporting effectively.
C
So how often do you see a Chinese or a Russian airline pop up or an airline that is part of any dictatorship? No, doesn't happen because they carefully cherish their ego and their image and their reputation. And of course let's not forget AV Herald, I think it's a British publication, isn't it?
B
It could be, yeah. I'm not actually super sure, but yeah.
C
Anyway they are well linked with information into British Airways apparently which might give you as a reader the wrong idea. Luckily there is a global international cap statistics to keep it all within proportion.
B
I mean we see this in obviously cybersecurity to some degree. We've got obviously the Verizon DBIR which comes out every year. I think the thing there though is it's less attributed to specific companies or at least in the report it's more about stats. But the point is that can only exist because of reporting. Like someone in a company has reported the incident or the breach, what happened. But I think it's fair to say we're still way off in cybersecurity in terms of reporting.
C
Oh yes, in cybersecurity I see the traditional blame culture which discourages reporting of security incidents, prevents the organization from learning and you're unable to improve your defenses. I see it a lot in Asia as well, not only in aviation, but blame culture is pretty much standard, especially behind closed doors. There's no learning, there's no wanting to learn. It's all about KPIs and making money. And it's often very subtle. It's very difficult to see as an outsider as well, blame culture because people are being laid off, being fired on the spot. Then you ask them, why are you fired? Ah, yeah. You never find out really, because they don't want to lose face as well. But the blame culture is pretty much standard. And in aviation, like I said before, aviation safety is written in blood. We learn from accidents. If we don't learn from accidents, then there's more blood going to be needed to write. And that's not good.
B
Yeah, I mean, obviously I've worked in Asia Pacific for a while now and certainly in cybersecurity, it was challenging on the basis that companies don't even sometimes want help with an issue because they simply don't even want to talk about the issue.
C
Exactly. Losing face is more dangerous than solving a problem.
B
Yeah. So yeah, I mean, obviously, props to Verizon. I believe the Verizon DBIR came out with the fact, well, it had its own pretty major hack at one stage and instead of sweeping it under the carpet, so to speak, they went completely the opposite side and said, look, we're going to be the people that hold the flag for reporting. So I think that's very interesting. And as you call out, aviation has had to, or at least aviation outside of say, dictator state country sponsored airlines, they kind of have to learn from each other. Otherwise, as you call out, unfortunately, people will literally die. And that's sort of why it's been so critical.
C
So how these airlines in authoritarian regimes often learn is by reading our open source reports and learning from that. So they learn from us, they leech. And internally, if somebody makes a mistake, that person is simply being fired on the spot. That's how a blame culture solves problems.
B
Yeah. So we're going to move along to. We always have to talk about AI these days, but here, this is not bad. We've gotten well over half an hour without even mentioning AI. But where are you seeing AI especially? Obviously we're talking here about cybersecurity, cybersecurity in aviation systems. Is there anything kind of being rolled out here to do with AI in terms of threat detection or anything along those lines? I mean, what are you seeing in that space?
C
Well, splitting the aviation industry in two parts, one the airplane and the other one just simply the rest, the airport, the airlines, which are also just buildings with people and computers and networks and their own vulnerabilities. On the airplane side, I do not see any AI being implemented from where I can see it. I'm sure Boeing and Airbus and Embraer, they're all working on it, but I do not at the moment see any implementation of it in my airplane systems today. Having said that, on the other side, of course, airports, airlines are working on their own AI applications. For airlines, that is mostly about efficiency, operational efficiency, fuel efficiency, and on the other hand, of course, client retention, passenger retention, passenger appreciation, and all that side of the business. As in cyber, I think the same again for any other industry. We're trying to use AI for threat detection, behavior analysis, threat intelligence processing, automated incident response, the same as in every other industry. But again, for my airframe, I don't see anything yet.
B
Okay, moving on from say AI, but 5G, you know, 5G I believe is rolling out. Well, is 5G rolling out within the airframes themselves or is it more just that 5G as a standard is having effects on say, instrumentation? Or what does 5G do in this case?
C
I can imagine that engine manufacturers are very happy with it because with 5G chips in their engines, they can send loads of data way faster. And that's all telemetry they need for preventive maintenance. Of course, it's very important data. Furthermore, I don't see this in or around my airplane a lot. I guess most of the data when I'm airborne or old data will not go by 5G because at 12 km there's simply no reception. So it will go via ground stations and then it might be further on routed by 5G, but those are our ground systems. I don't consider that aviation systems at all. Just a ground based communication system with all the risks that come with it. Because imagine if you can, let's say you can control all the hardware being used for 5G with backdoors, wouldn't that be great? What a great threat surface that is. I'm just saying. Huawei.
B
Yeah, I mean it's widely reported, obviously that could be quite a threat.
C
Unfortunately, still a lot of people that don't understand below the radar, it's hybrid warfare. It's not warfare, but it's still hybrid warfare. And we need to understand that we are being threatened. We need to understand who is the enemy here. And that's where threat intelligence is crucial. And sharing threat intelligence.
B
Yeah. And moving on from 5G. So we're just sort of hitting the key emerging technologies in this space. Drones. We can't ignore drones. So let's just talk about those for a second. And we're not necessarily talking about military drones. We're very much commercial drones as well. But they're kind of being integrated into controlled airspace these days. Certainly I find it fascinating in Singapore, I see so many commercial drones now. They're used for surveying. There's one I live near some water and one pops up every morning to kind of survey the water stations or something to that effect. I mean, these things are huge. How is that affecting sort of, especially again, in the cybersecurity lens, what kind of extra threats or sort of challenges is that adding?
C
Well, stepping away from cybersecurity and just for aircraft safety, like birds, you don't want drones next to your airplane. Now anybody can buy a drone for a hundred dollars or euros or pounds or whatever and fly this thing around. And it's amateurs flying this cheap stuff around airplanes that is the real risk. In Singapore, we love our technology. It's widely being implemented for the benefit of the whole society. But it's all controlled. It's very tightly controlled. There's no airport in the world that allows drones close by. But how do you check until it's too late? Quite often I hear on the radio somebody reports a drone nearby, just some idiot with a camera trying to make a great shot for his Instagram feed or whatever. But it's not safe and we shouldn't do that. But it's more a legal problem because we need regulations on that. And next to that, we also need tools to punish the people who do. It would be great if we could have a laser gun shooting down illegal drones around my airplane, preferably automated, that would be great. Problem solved. But we don't have the legal tools for that yet. So the legal frames are still in the making. But the next couple of five years, we're going to see a lot of regulations around drones. It's still all very much in the beginning of the development. And then I'm not even talking about warfare and hybrid warfare drones that are being used for surveillance, intelligence gathering or just disrupting with GPS jamming and spoofing. Just fly around an airport and jam everything for a couple of hours. ADS-B interference. Of course, there's a lot you can do with a drone to create chaos and to disrupt. And disrupting an airport is disrupting the economy very directly.
B
Yeah. So we're going to move along to more the training and education side. I mean, I know this is something that you work in a lot. I think you said sort of towards the beginning of the episode, just that a lot of pilots are simply not getting any kind of training when it comes to the cyber side of things. But I believe there is some form of simulator based cyber training. Could you just speak a bit to that? And how realistic is this to actually mimic the problems? And just where does it kind of even start in terms of bringing cyber training into the simulator side of things? And I guess for those who are not super familiar with aviation, simulator training has always been a huge part of modern flying. You have to do sort of set hours, I believe on simulators and practice catastrophic situations and this kind of thing. But that's sort of to my understanding, always been or until recently without this lens of. But it could be a cyber attack. It's just, oh, my engine failed for pure mechanical reasons and now you need to deal with that, which is different to my aircraft is under cyber attack. So yeah, could you just speak a bit to that?
C
Yeah, you say correctly that simulator training is actually the only way that pilots learn. You need to see, feel and do it. We do a lot of CBT training as well, but that is basically all compliance. You don't learn much from that. That's just not how it works. Not everybody is a visual learner, especially pilots. Since there are a lot of complex procedures, you need to hands on train these procedures. Only then you will fully understand what it means, how it works and why the procedure is designed as it is. So if we need to train cyber scenarios or hybrid warfare scenarios, we need to do that in the simulator. That is very obvious. Unfortunately nobody does that in the world yet. And for that reason I started last year the Aviation Cyber Academy in Singapore with a curriculum for our masterclass in cyber security for pilots where we start with the basics, then we talk about airplane threat surfaces, we identify it all, then we move over to your specific airplane and then we do scenario based training. Two hours in the simulator afterwards, and then it gets interesting because the simulators were not designed to simulate cyber attacks and hybrid warfare attacks. So I need to be very creative in showing the right cues and data for them to understand what's really going on. So there's a lot of creativity involved yet. But I'm sure that the simulator builders are now working on creating more realistic scenarios in their simulator as well. But yeah, it has to be simulator training. Hybrid warfare scenarios actually have to be recognized and trained as well. Those are actually much easier because I can simulate, of course, an unverified message coming from an illegal sender, a non verified sender, that's much easier.
B
And what sort of general uptake or reception have you sort of found, I mean, you're very much on the ground in Singapore doing this training. I mean, are you finding these are pilots coming from other countries to come and do this or at the moment, is it more Singapore based thing? I'm just curious how the industry is receiving this.
C
Okay, well, the industry is actually not receiving it at all at the moment, for the same reason I stated in the beginning, that the airline top management does not see cyber yet as a primary business risk. I talk to pilots, they would love to go through the training because we always feel we need to understand what's going on. But then again, they don't pay the training and you need to have it on your roster, on your schedule. The simulator needs to be reserved, you need to have an instructor. The whole training part of that and the organization part of that needs to be done as well. So for now it's ready to roll. And I'm waiting for airlines to show up and tell me that we need this because right now 91% of crew reports that they are concerned about flight safety impacts of not being trained rigorously enough about what's going on here. They just don't understand. And I can't blame them because this is quite complex stuff.
B
Yeah, that's very interesting. And obviously I hope as a passenger as much as anything that this is taken more seriously by airlines. So, I mean, we're coming up for time a little bit, but I'd just like to get your take on, I guess, sort of the next. I know this is always a bit of a crystal ball the next five years, for example, in sort of aviation, cybersecurity. What are some things that maybe you think are very likely to actually advance and then maybe what are a couple of things that you would like to advance but you're not convinced that even within five years they're going to change?
C
Okay, well, I'm very much convinced that nation state cyber warfare will increase because it's a very cheap and below the threshold way of disrupting your enemies. So we're going to see more cyber warfare also affecting aviation. And we can see Putin now is getting more bold. He's now blowing up supermarkets even in Europe. No shame at all. And it's very difficult to attribute that to him. So we will have more hybrid warfare, more nation state cyber warfare. Absolutely. Which only makes my point that we need to continue being more resilient and ramping up our security. And for that, of course, critical infrastructure ISACs are absolutely necessary, not just get all aviation together. That's way too small. We need to have all our critical infrastructure CISOs together and we need to start sharing today. It's not a luxury, it's a necessity.
B
Yeah. And I mean, I think you sort of, I guess touched on it with your cyber simulator training. It's one of these sort of, I guess chicken and egg problems where you've just sort of predicted that, well, the problem's only going to get worse. So you'd think that there are more opportunities for there to be more, I guess, commercial businesses coming into the space. Like the way that cybersecurity has as an industry exploded over the last 20 years, an explosion of say EDR providers and this kind of thing. Do you see there being a version of the next five years where aviation cybersecurity suddenly is a hot thing? And I would say, or I'm questioning the incumbents. Let's just take CrowdStrike as an example. Could you see a CrowdStrike having an aviation offering, for example, where an EDR sits on a plane or anything like that?
C
Well, yes and no. I don't think CrowdStrike is going to do that because they simply don't have access to the architecture of the airplanes. I would love to say that within five years, I hope Boeing, Airbus, Embraer and all the big names are working very hard on that and can show me at one day a brochure and a diagram saying this is how we fix it, this is how we increase our resilience. Very unlikely they'll give me a call, but I really hope they're working on that. On the other side of aviation, the non airplane side of aviation, of course, CrowdStrike can do whatever they do and what they're good at doing by creating more cyber security and resilience. That part of the aviation sector I do not find very interesting because it's the same challenges like manufacturing, finance or healthcare. It's just a building with a lot of network and most likely some OT attached to it as well. Which, by the way, OT, operational technology, has its own challenges. But that aside, yeah, I really hope that there will be more vendors. But as you know as well, 20 years of cybersecurity, a multi million cyber vendor market and it's all very sexy with nice tools, but we forget the basics. I am teaching cyber hygiene basics. That's what we keep forgetting because it doesn't sell. So the market is created to create money, not to create security in general. I see a lot of products on the market that are being sold to people that don't need it, confusing CISOs. Maybe they're inexperienced, because there's also young CISOs, and they walk around on these floors of large cybersecurity events and they're being attacked on all sides by vendors. You need this, you need that. We can do this. Yes, we can do it. Months later: oh, actually it doesn't fit now. Cannot connect now. Actually, configuration doesn't work. Yeah, sorry boss. Yeah, big problem. And once it's connected, it's already legacy because you can't get rid of it anymore. And that's a big problem.
And that's why an airplane like a Boeing or an Airbus, it has a lot of third party hardware and software as well. And connecting all that stuff is a challenge. Absolutely. And that's why there are standards. So changing these standards, again, talking airwing, changing these standards has a huge impact because everybody, every vendor, every third party hard and software provider has to adapt, which costs money, which makes the product more expensive, which makes the airplane more expensive. It's all connected.
B
Yeah, I think that's a really good call out. And we obviously saw the, obviously it wasn't cyber related, but it was sort of technology related. We saw the outcome of this in those Boeing 737 Max crashes where effectively technology had changed, but it changed at a pace that hadn't for various reasons, cost reasons, et cetera. Pilots hadn't been trained on that technology change and the outcome was catastrophic, unfortunately. And I think what you're getting at is the fact that for anything to change inside an aircraft, we're not talking like a lead time of like a year, it's like 10 years from sort of start to finish of especially if we think of again, let's just go back to the CrowdStrike example for a second. It touched the kernel of Windows, which is in theory why it's able to protect things, but it's also in theory why it's actually got the most risk if it goes wrong, because it can sink the whole system. So I think in aircraft that would obviously be just doubly problematic if you have systems that technically could fail the whole aircraft as well.
C
Absolutely. Great example. And then next to that, you buy an airframe for 30, 40 years, we have the same problem like the maritime sector. These big container ships, they have been around for 40, 50 years, man. Most of them still run on MS-DOS. I tell you, MS-DOS. Talk about cyber security and resilience. I mean, hacking a container ship, really, it's not that difficult.
B
Yeah, wow. Well, maybe we'll need to find ourselves a maritime expert as well to bring on the show at some point. Yeah.
C
And then next to that, we're going to have a lot of extra frameworks, new frameworks, regulation frameworks. They will mature significantly. I think ICAO will probably set the standards. The standards will probably become mandatory with enforcement mechanisms. Right now it's all more advisory, but we need to enforce, because you can imagine, let's say one country is taking ICAO standards serious and the country next to it is not. That's not working. We have to do it all together. Cybersecurity is teamwork, so enforcement is going to be needed. Otherwise it's not working. And then in Europe, EASA and the FAA, they will also implement, I think, binding cybersecurity requirements for aircraft certification and airline operations. We can't ignore it anymore. We can't afford it.
B
Yeah. Well, I think that's a great place to leave this today. I mean, I think this has just been a fascinating conversation and obviously a lot of knowledge and understanding imparted from you today, sir. So I really appreciate you coming on Software Engineering Daily, and I think, I imagine 99% of our audience have learned something new today. So thank you so much for coming on.
C
My pleasure. If you have any questions, find me on LinkedIn and I'll gladly answer them.
B
Fantastic. Thank you so much.
Software Engineering Daily, December 11, 2025
Guest: Serge Christiaans (Lead Instructor & Program Director, Aviation Cyber Academy)
Host: Gregor Vand
This episode explores the urgent and growing challenge of aviation cybersecurity. As commercial and military aircraft evolve into complex, interconnected digital environments, they face unique cyber threats with life-or-death consequences. Serge Christiaans—a former Dutch Air Force pilot, airline captain, CISO, and current cyber educator—joins host Gregor Vand to dissect the digital attack surface of modern aircraft, hybrid warfare, the slow adoption of cyber resilience in aviation, and what must change to secure the future of air travel.
Serge Christiaans compellingly articulates the rapidly shifting risks, cultural challenges, and technical nuances facing aviation’s cyber future. Despite technological advances, basic cyber hygiene, open incident reporting (“just culture”), and global collaboration remain the most urgent gaps. The sector’s most pressing challenge may be shifting institutional mindsets—before adversaries exploit the slow pace of change.
For more, Serge is open to connecting via LinkedIn.