Cyber security company F-Secure launched its Aviation Cyber Security Services in mid-March. The service promises to help aviation companies “protect their aircraft, infrastructure, data, and reputations.” Such services have become necessary as the growing use of “off-the-shelf communication technologies” in airplanes significantly increases the cyber threat, according to the company.
F-Secure’s service addresses traditional cyber threats by providing training to IT staff, performing standard risk assessments of an organization to identify vulnerabilities, and responding if a cyber incident occurs. It then adds aviation-specific monitoring services, security assessments of ground systems and data connections, and IT training for cockpit and cabin crews.
A unique component of F-Secure’s new service is its assessment of avionics, primarily through "penetration tests and/or source code audits,” according to Andrea Barisani, F-Secure’s head of hardware security. This is significant because source code errors in avionics introduce an abundance of cyber threats seen only in the aviation industry.
After performing assessments, the F-Secure team typically encourages clients to segment their networks, separating systems so a compromised employee email can never lead to the remote takeover of an airplane. As for within the aircraft itself, Barisani emphasizes controlling the direction of communications using data diodes, a technology previously deployed in the power-generation industry.