NBAA Kicks Off Inaugural Bizav Security Conference
Because security has always been a core priority for business aviation, additional federal regulations might not necessarily yield any better security.

Business aviation in the U.S. so far has avoided many of the security regulatory burdens stemming from 9/11, but the industry still takes security “very seriously,” Doug Carr, NBAA’s vice president of regulatory and international affairs, said at the association’s inaugural security conference, which was held in late January in West Palm Beach, Fla. While the association's other conferences and seminars have touched on this topic briefly, “This is NBAA’s first attempt at a conference dedicated to security,” he said.

Because security has always been a core priority for business aviation, Carr said that additional federal regulations—such as the in-development large aircraft rule—might not necessarily yield any better security. However, Gregory Reigel of law firm Shackelford, Bowen, McKinley & Norton said that corporate flight departments should always be seeking to improve security. He suggested that departments work with their hangar lessor and airport management to evaluate and strengthen security at home base by examining access, surveillance systems and lighting.

Reigel said that flight departments should also have internal security policies for vendors and employees that address vetting, contract negotiations and non-disclosure/confidentiality agreements. On the employee side, these policies must address background checks, travel policies and non-disclosure/confidentiality agreements.

Hewlett Packard Enterprise v-p of global aviation Richard Walsh urged business aviation operators to take a multi-faceted approach: “One program will not provide the solution. It has to be a holistic approach; it’s no different from how we handle aviation safety.” But he acknowledged that getting passengers to adhere to the flight department’s security protocols can be difficult: “Expect that travelers will comply with only what they want to. Our customers are difficult and can be complacent about security.”

But globalization, pressure to contain flight department costs and operations at smaller, less secure airports, among other things, have all elevated the security risk for corporate aircraft operators. “In this higher-threat environment, we have a duty to look out for our passengers’ security,” Walsh said. On this note, he suggested putting together current travel and security tips for employees who travel, either commercially or on board the company aircraft. Travel warnings can be obtained from the U.S. State Department website or flight-planning companies, he noted. Walsh recommended conducting periodic security and travel safety training for employees.

Eric Moilanen of Premier Corporate Security added that being out of the country requires even more vigilance: “We stand out as foreigners. Trust your instincts; something usually doesn’t feel right before a crime happens.” Flight departments should also establish some kind of code word or phrase that passengers can use to alert the flight crew that something is wrong when they arrive for a flight, Walsh said. Should a passenger say that word or phrase upon their arrival at the airport, “Then we can cancel the flight for a supposed maintenance or weather issue and call the police for help.”

Cybersecurity Matters, Too

It’s not just physical security threats that should be on a flight department’s radar, according to NBAA director of information technology Todd Wormington. Cybersecurity is the “greatest threat” to companies, he warned, and phishing attacks sent by email top the list. “You need to train employees on how to spot and report suspicious emails,” Wormington said. “Routinely test them to raise awareness and educate about common tricks.”

When logging into company networks and websites, he recommended using two-tier authentication when available—the second layer typically being an access code sent to a cellphone—and always creating “strong” passwords. The password for the complimentary Wi-Fi at the conference emphasized his point: “longerpasswordsarebetter.” To avoid password fatigue, he suggested using a password manager or biometrics.

Wormington said that all flight department-issued computers, mobile phones and tablets should be patched with software updates as soon as they become available. “Attackers are able to exploit vulnerabilities much more quickly—often within days of disclosure,” he emphasized. “Automation is the key to getting this done quickly and universally.” Firewalls and anti-virus software are not a panacea, the NBAA staffer said, adding that “most malware” can evade both. Instead, Wormington advised attendees to use security software designed to look constantly for indicators of attacks or compromises and “isolate compromised devices automatically.”

Pilots and passengers should avoid using free public Wi-Fi, especially in hotels, he noted, adding that using cellular data is safer. He recommended using a virtual private network (VPN) whenever not on the company network for added security. Laptops, mobile devices, networks and websites should be encrypted, Wormington said, and he emphasized maintaining daily backups to protect against accidental data loss and to avoid becoming a victim of ransomware, in which a cyber thief blocks access to a computer or device until a ransom is paid.

But cybersecurity doesn’t stop with electronic devices that pilots and passengers might bring on board the company airplane. Rockwell Collins principal systems security engineer Kelli Wolfe noted that the aircraft’s avionics should not be immune from cybersecurity scrutiny, especially as systems have become more digital and connected. However, she emphasized that there has been no successful cyberattack on an avionics system yet.

Next-generation all-digital backbone avionics systems have much more security exposure than “closed” systems of the past, Wolfe said. Modern avionics rely on common networking protocols, complex integrated computing platforms, mobile enablement of flight-deck services, tight integration with the “internet of things” and flight-deck services, and automation of pilot control systems. Avionics manufacturers are addressing these vulnerabilities, she noted, by limiting accessibility through use of authentication and encryption; allowing changes only by authorized people or processes; and making service functions available only when needed. Also, per ARINC 811, essential aircraft control, communication and navigation functions are walled off from incoming data from cabin entertainment and other non-essential systems to protect against a cyberattack.

Still, Wolfe said that any device connected to the aircraft should be treated as a “potential threat.” As a precaution, she suggested that flight departments have in place policies and procedures to protect IT equipment that connects to their aircraft by monitoring security events and prohibiting the operation of company-issued devices for personal or unapproved uses.

AIN Story ID
114March17
Print Headline
Security should be on every flight department's radar