Avionics News April 2023 - 44

CYBER RESILIENCE
Continued from page 42
or when they use simple Wi-Fi passwords, such as the
company's name or the aircraft's tail number, instead of
complex passwords. " If proper security measures aren't in
place, it's not hard if you're a hacker to figure it out and get
on the network, " Huntoon said. Many flight departments
intentionally try to keep passwords on the aircraft simple,
but that makes it easy to hack into those systems, he
warned.
" Flight departments should create an SOP that
incorporates these kinds of steps. It's fundamental, "
Wheeler said. " If someone knows your root password
and it's common, unless you change that root password,
anyone can go in and change it. Satcom Direct is big on
QR codes that allow flight crews to immediately connect to
networks securely and make it easier for crews to update the
password. "
Aviation departments also can prioritize patching and
hardening networks to address security flaws. Avionics
professionals should make sure they have the latest
firmware installed in all devices and have updated aircraft
avionics, recommended Wheeler, who noted that Satcom
Direct provides new firmware updates quarterly to address
vulnerabilities.
Cabin routers should be updated routinely. " Some
don't want to change routinely, but building a policy
for flight operations teams to harden and patch onboard
equipment is huge, " Wheeler said. " It's something we can
do without inconveniencing passengers. Your risk goes
down exponentially if you do a few easy things on the
aircraft. How you design your Wi-Fi in the cabin can make a
difference, and the threat profile can drop drastically. "
Other ways to boost cybersecurity
A big piece of cybersecurity is training, Wheeler noted.
Requiring a little bit of training on cybersecurity for both
flight department staff and passengers goes a long way in
protecting not only the integrity of aircraft systems, but
also the privacy of passengers and a company's intellectual
property.
Wheeler recommended that whenever the flight
department upgrades an aircraft's primary satcom system or
other avionics systems providing connectivity, they should
ask questions of those in the corporate office who'll be flying
for business, such as " do you know your mission? " and " will
you have corporate travelers and guests? "
These sorts of questions will help flight crews learn what
the passenger needs and expectations are, so they can secure
44 avionics news * april 2023
the aircraft against cyberattacks with minimum disruption or
inconvenience to passengers before they ever board.
Aside from requiring all passengers to use robust network
passwords and change them regularly, crews who are
looking to prevent the use of compromised devices on a
flight have several other options to help vet devices and
protect data, such as:
*
*
Assign different passwords to employees versus
guests.
Require everyone on board to update their device
software before boarding, including phones, laptops
and tablets.
* Request to scan each phone or device before each
passenger boards.
Treating the corporate aircraft as an extension of the
corporate office from an IT perspective is a useful exercise
for the flight department to undertake. " If our most senior
people with the most delicate information are riding in the
back of the aircraft, we need to protect them the same as
when they're in a boardroom, " Huntoon said. He suggested
that flight operations teams create user profiles that provide
different levels of customer interface and access for different
categories of passenger.
Ultimately, Huntoon asserted that more security is better
than less.
" Seek as many people out as possible, have as many
conversations as possible, and get the company's IT people
involved with the corporate flight department, " he said.
" Whether it's VPNs, safety protocols, or greater awareness
of an asset flying around the world where people are trying
to steal information, getting the IT department involved
helps a flight department ensure they're doing everything
possible to protect a company's information. "
When it comes to international flights, companies should
perform threat assessments and create threat profiles by
location, recommended Wheeler. Passengers and crews
should use loaner laptops on such trips and use VPNs while
staying in hotel rooms. Upon return to home base, crews
should perform cybersecurity sweeps of the aircraft and all
devices on board.
Flight crews and their passengers also should have
situational awareness when traveling abroad. Wheeler
recommends " locationally based practices " when flying
internationally. " Location-based risk assessment is easy and
can be done ahead of time to avert certain risks, combined
with what assets you're allowing on board. It's being
more cognizant of what devices are connecting up on your
network and where. "
Continued on page 46
Avionics News April 2023

Table of Contents for the Digital Edition of Avionics News April 2023
