Cybersecurity in aerospace isn’t just an IT issue
As everything in aerospace gets increasingly connected, the cyber risks go up. While a hacked aircraft poses huge and pretty terrifying safety threats, there are business risks on the ground too.
During a FINN Sessions panel on cybersecurity in aerospace at Farnborough Airshow last week, Dr Deeph Chana, Deputy Director, Faculty of Engineering, Institute for Security Science & Technology, Imperial College, summed it up: “We are in an environment of unprecedented innovation," moving into an environment where we have very complex cyber-physical systems, he said.
These used to be treated separately and are now interconnected, and this brings new risks.
The cost of down time
Professor Simon Bradley, VP, Head of Innovation, Security, Airbus, said that his company has increasingly paired safety and cybersecurity, and they now come under one umbrella of responsibility.
As well as the safety risk, though, Bradley also highlighted the supply chain risk. “We don’t get paid until we deliver,” he said.
Globally, Airbus produces the equivalent of 3.5 aircraft a day, representing half a billion dollars.
If Airbus suffered a week’s down time in its factories due to a cybersecurity breach, it would be looking at close to $3 billion in revenue being pushed out or potentially wiped, Bradley said.
If it was a month or even three before the factory recovered, as we have seen in other industries, that level of risk would be “unsustainable” for the business. “We need to maintain our manufacturing,” Bradley stressed.
Neil Cassidy, Director, Cybersecurity, Rolls-Royce, also highlighted the security risks around intellectual property (IP).
He said that hackers are working hard to steal product IP from companies such as Rolls-Royce, “even though some of it is useless without the manufacturing know-how.”
However, as companies are relying more heavily on data services – 50 per cent of Rolls Royce’s revenue comes from services, many built on data – the risks of operational disruption go up.
“If adversaries get inside that data flow, they can force companies to make poor decisions,” Cassidy said. For example, servicing engines too often or pushing repair parts to the wrong part of the world or parts not being in the right place when they’re needed.
All that means aircraft on the ground and damaged reputation, he noted.
The way ahead
The panellists highlighted a number of key actions aerospace companies can take to minimise cybersecurity risks:
Bulletproof security isn’t possible; it’s about “operational resilience”, Cassidy said – that’s how quickly you can get back up and running and ensuring that data is verified.
The panellists noted that SMEs (small and medium-sized businesses) will be key to tackling the cybersecurity challenge. However, it isn’t always easy for OEMs and other large suppliers to work together with these companies – large aerospace firms have long procurement cycles and rigorous onboarding procedures which don’t always chime with the way SMEs do things, or the speed at which they need to get paid.
Cassidy advised SMEs to “engage early” and understand the environment they’re going into because the rewards, eventually, are worth it.
Bradley pointed out, too, that there definitely is an appetite from OEMs to work with small, agile companies.
- Close the knowledge gap
Dr Chana highlighted a need for the boardroom to gain a better understanding of cybersecurity and how systems are bolted together – this gap, more than ever, he said, needs to be bridged.
Working with other industries is also important – for example, Airbus has collaborated with automotive companies and there’s something to be gained from both sides. Automotive companies want to know how to build things ‘rock solid’; aerospace companies want to understand how they can develop software faster.
Aerospace companies will also potentially need to collaborate with competitors. As Bradley pointed out: “Cybersecurity is not a competitive advantage” – the competitive element is in wing design, engine performance, etc.
- Create a security culture
“The one thing we always miss is the people,” Cassidy said, noting that getting the security culture right in an organisation offers a massive pay-off, compared to the outlay
“We spend a lot of time fixing problems caused by poor IT discipline,” he said.
In the industry more broadly: “That disciplined culture isn’t quite there yet,” he commented.
Hadley Beeman, Department for Digital, Culture, Media & Sport, outlined the work the UK government is doing to minimise the probability of a large-scale cyber-attack and its impact. She recognised the importance of aerospace in this context and said the UK is committed to finding “practical ways to de-risk the industry”.
In May, the Network and Information Systems Regulations 2018 were introduced, requiring certain critical infrastructure organisations to prove that they are taking adequate measures to close the cybersecurity gaps. Maximum penalties for non-compliance are £17 million ($22.3 million).
"We hope it will help us grow and evolve as you grow and evolve," Beeman said.
She added that the government is also working on a 'secure by design' code of practice, which will be turned into kitemarks.