
Hello everybody, thank you very much for coming. We're going to talk about something which is of real importance to pretty much looking after what we care about: prosperity, human life and safety. And that's how can we keep the aviation industry, which looks after pretty much all of us around the globe, as safe as it has ever been. It's currently pushing out some really good numbers on growth, and we need to secure it as we push forwards with digitising and connecting. I've got two amazing panellists here and we'll introduce them in a minute, but really, when we're talking about how we do this, I couldn't ask for better panellists. It's a really complex topic:
how we secure the aviation industry against the cyber threats we've got. This is the report that I wrote last year, which goes into a lot of the challenges, so my hope is that if you want to learn more about it then please dig into it. It's available online; just Google "Finding Lift, Minimising Drag" and it comes up. What we're trying to achieve here is a safe and prosperous aviation industry with resilient, trusted systems. We've got to focus on maintaining that safety, because if we look at what we're digitising and what we're connecting in the aviation industry now, it's everything from aircraft, air traffic control, airports, UAVs, all of the flying personal transport that we're looking at.
We've got the supply chain, everything from 3D printing all the way out to how we look at the satellites for the communications. And then top left in that picture is actually a remote air traffic control tower, where the people who are keeping the aircraft safe in and around the airport actually aren't at the airport; they're miles away. So this is just a snapshot of how we're digitising the industry, and what that has done to the attack surface is make it large and complex. Securing that is going to take more than just the aviation industry; it also means tying in the amazing research community, whether you're working for a company or
working independently, and looking at how we can actually do that better and faster together. Because one of the things that you look at, when you've got perspectives of where we are at the moment, is this: these are some quotes that people have said about cyber security in the aviation industry. Whether you look at the quote top left, which is "we've got a real problem here and we're going to struggle to get people to do something about it", or "it's not possible to hack an aircraft", or "we are secure, but we don't want to say how secure we are, how we are secure". But if we flip that back to the 1970s, when the aviation industry was
trying desperately to improve its safety record, you'd get perspectives like "it's going to take a major incident before we learn how to fix this and improve ourselves", "it's just not possible to have an incident", and "we are safe, but we're just not going to tell you how we're safe". The industry has matured a lot now; it's a lot safer. And we've got to start moving away from the idea that this will get better by itself and we'll be able to cope. We've got to be proactive in making this work across the entire industry. But trying to get the vulnerabilities understood, fixed and managed when you've got that complexity, and that sort of target audience of stakeholders, is something that's going
to be a real challenge. And that's why it's a massive honour to have Jeff Troy and John Sheehy here. So Jeff runs the global Aviation ISAC, so that's not just a U.S. one, it's the global Aviation ISAC, and he's got customers all over the world. And John, with IOActive, has got a lot of experience in trying to look at vulnerabilities across the industry. So we'll have a quick chat and go through the panel, and then we'll open out to questions. The first question I've really got is this: the nature of the challenge we're facing is really difficult, everyone's got a different perspective. But first of all, to you, Jeff: what do you see as
the nature of the challenge we've got right now? Well, I'd say probably the first challenge that we have is that you have a research community that likes to go out, test and try different things, and when you look at the aviation system, one of the pieces of the aviation ecosystem moves at about 500 miles an hour and carries a lot of people on it. So when it comes to people going out and trying to do research on an actual plane, that's certainly a challenge, because that's not a safe environment for trying to do research. And yet, naturally, when you have people doing research they find things that people want to take a look at. So
trying to find an environment where people who are curious can have an opportunity to look at things is a real challenge. I think that's a key piece there. One good thing I know from the industry, from work with our members, particularly very aggressively thanks to a lot of work that IOActive and John Sheehy's teams have been doing, is to know that the aviation companies, and you've talked about the '70s, they looked at the number of accidents that were going on and they extrapolated it based on how many people they thought would be flying on planes and how many flights there would be, and they figured that, you know, 20 to 25 years
from the '70s there'd be an accident a day based on how many there were a year. And they took the space for error and moved it, you know, to the point where flying is now the safest way to travel. So they have that perspective, that safety perspective, that is pretty much driving the same adoption of digital systems onto the plane, where they have a lot of redundancies, a lot of multiple-check type processes in place, that pretty much give them, you know, a greater level of assurance that those systems that are protecting the flight safety are resilient and can operate, you know, regardless of anybody trying to attack them. Thanks to that, and
really, what I'm hearing right there at the very start was: how do you harness that creativity safely in something which is a safety-critical industry? And John, with all of the researchers that you've got across IOActive, and the perspective you've had on this, how do you manage that challenge of being able to find those vulnerabilities and actually work on them responsibly? So that's always a challenge. There are a number of issues to be able to look at cyber-physical systems in a safe way, and you really need to understand the physical impacts of those cyber-physical systems so you can design an environment where you can safely do that, or, if you're operating in a live environment, know
what the limitations of what you can do are, and know it very, very clearly. And that's especially important in an industry like aviation where, if there is an incident, it can very quickly turn catastrophic. You know, we've done work on ground vehicles, passenger vehicles, and if there is an incident, the outcome of that incident is relatively small compared to the potential for an incident in the aviation world. So those are key things: that's really understanding what the acceptable parameters are, and it does take a lot of information, domain knowledge about the particular environments to be tested. And while our focus is on the cybersecurity side, we do go to the level of understanding
the physical processes, perhaps an industrial control system, or understanding vehicle operation: what systems are critical to vehicle operation, what systems are not critical to vehicle operation. So a reasonable, prudent, risk-aware set of guidelines can be created so that work can be done safely, and done in a way that builds trust with the manufacturers and users of those products. And we want to make sure that we are sharing detailed, actual information in a way that responsibly brings light to some of the concerns, so that the representative stakeholders can go forward to get the resources they need to address those challenges. One of the other things that's important to understand is, sometimes
when you're looking at a cyber-physical system there are layers of safeguards, and while our focus may be on the cyber security issues or the digital aspects of that system, frequently there are non-technical controls in place, whether physical or policy or operational, that may reduce the impact of our particular technical finding on a cybersecurity issue. And it's extremely important to understand and contextualise that risk. What we don't want to ever say is "we got shell, we can do all these things", because that's probably not the case, and you need to understand, for example, in an ICS system in a refinery there are physical controls that don't allow those systems to go over pressure. And
having that context and that deep domain knowledge are critical to being able to provide a useful outcome of that cybersecurity research. So with the layered safety aspects that are in place in the industry, how are we really going to look at building that trust? Because although, with the cyber security, if someone is compromising those vulnerabilities there, it shouldn't cause a critical failure, there is still a nervousness, understandably, from both the stakeholder trust and passenger trust and industry trust. So that could be a real blocker going forward in trying to build up these relationships so we can be better and safer. So, you know, is that the only blocker we've got right now, or are there
other blockers that we've got to try and work through as an industry? And let's go to John first, and stay with the question if you want to. So I think, for some of the reasons you talked about, the aviation industry is a little bit more insular than some of the other industries we've worked with, and so it does take a little bit longer to build trust. And they face a different set of threats than the passenger vehicle, automobile industry faces. The automobile industry doesn't face the threats of bombings in vehicles; it doesn't face some of the security threats; passenger vehicles aren't typically hijacked. And when there is an incident you're dealing with two to
three people, four people, rather than 300, 400, 500. And so understanding the context in which they operate is important to having effective communication. So that empathy is important: understanding the particular risks and challenges of that industry, of the members and stakeholders of that industry, the airlines versus an airframe manufacturer versus an avionics supplier, is all very important. Are there other challenges? Certainly. I think some of the good of the aviation industry has been this really singular focus on safety. What that has allowed, as these digital transformations that you talked about are taking place, is that there is a focus on specific aspects, but they may not take the broader look. And that's where engaging the research community, engaging
people who have a different perspective, a diversity of thought, adds a lot of value. Doing so in a transparent way is also important. Everyone wants to build more trust in the operation of the aircraft, in the operation of the airlines. The way you do that is you talk about potential problems, you reasonably categorise the risk: while there may be a digital exploit or a cybersecurity issue, what does it really mean for safety? What does it mean for privacy? How should privacy be addressed versus safety? And having that greater context allows the industry to be more effective. And on that trust issue, traditionally there have been a lot of cases where that relationship
between the research community and the aviation industry has been fraught, and I understand exactly why it's been fraught, for various reasons. Jeff, you and I have spoken about that, with the work you've done to try and increase trust among all of your customers so you can share data, good data, about threats and vulnerabilities a lot faster. Is there anything you've seen from building trust across your customers that you think would be able to help bring in the research community, and actually help sort of learn lessons from a larger or wider perspective? Yes. So we've had a lot of success, I'd say, in the past three, three and a half years now that the Aviation
ISAC has been out there, almost four years, slowly building that trust. And it really requires a lot of personal engagement. So we've brought people together; right now, you know, our members are on five different continents, and four times a year we're bringing folks together to have face-to-face conversations, and then, you know, we surround all that with daily engagement through the other services that we have. But we have really seen a marked increase in what we term in the Aviation ISAC as "wins", where people are recognising information that was shared by somebody else and deeming it important. That's really how we measure our effectiveness, and, you know, seeing that
growth of wins occur really helps to develop that trust. When it comes to product security, there's a challenge all the time between intellectual property and security, and where's that balance going to be: "hey, I can't tell, I can't show you this and have you help me secure it, because if I do then my secret sauce is going to get leaked out to you", right? So how do I find that balance? So we found many of our members engage privately with companies like IOActive and other researchers that go out there, and they come in because they're not stuck in the paradigm of the company: they're not from their engineering group, they're not their cyber group, they've just come in and
they do that red teaming on their equipment so that they can get that outside perspective, and maybe have somebody find something that was missed. What we do have, though, is people sharing processes: what are you doing about quality controls, how are you handling supply chain risk, even how do you handle your red teaming engagements, and things like that. We have a lot more conversations going on now where people are sharing those best practices, and that really helps, again, drive, I think, increased security. We call it kind of raising the skills of everybody, lifting all boats up, as opposed to just one or two players getting more skilled; all those players get skilled.
Also, it's not just the plane, right? I mean the aviation ecosystem is everything we said: air traffic control, the airport, the ground traffic control, the services, everything that's being digitised, and analytics and the Internet of Things devices or services that are being added. You know, every time you add another thing you add another risk, and so the more that the companies are sharing the challenges around these risks, the more that the best ideas can be shared and people can get more secure. So, in order to make us more secure in the industry, finding those vulnerabilities as fast as possible, working on them, patching them; yes, it can take a while for patches to
go out across the industry, but that's being worked on to make that faster. But if you could try and give advice to the community about how to engage and what they can offer, what would you say? And these are sort of final points before we open up to the audience. I think there are kind of two points, for different parts of the audience. So on the aviation side, as Jeff mentioned, having the right secure development process, having a rigorous, repeatable process you follow to assess the security from design to implementation and maintenance, is critical. From the research community, I think it's very important: we worked very closely on Ruben's most recent research
with the Aviation ISAC to make sure that we had experts in the particular knowledge domains who were providing feedback on potential impacts of the cyber vulnerabilities he discovered. Those are really critical. And it's much more challenging for an independent researcher to be able to do a responsible disclosure if you need to disclose to 20 or 50 or more entities. Even an organisation like ours, with significant resources, a dedicated legal team, people who are responsible for coordinated responsible disclosure, it can be very tough to get to everybody and do so in the right time. And so one of the things that we've really seen in partnering with Jeff and the A-ISAC is they were able to get
us, in many cases, to have a conversation with the right people in a very, very short amount of time. So I would encourage the researchers who are doing independent work, you know, to engage with those right entities, and I really can't say enough about the value of the ISAC that's fostering trust and communication and knowledge sharing within the community. The next step, both for us as a set of researchers in the computer security space and the ISAC, is for us to partner up in a way that will let the aviation industry get used to us, us used to the aviation industry, and produce better results for all the stakeholders. Jeff, do you want to say a few
words on that for now? Yeah, I would kind of emphasise exactly, you know, what John said. And I really think this exercise that we went through in the last two and a half months or so was a win-win for both of us. We were able to get very important information; there were changes that had to be made by companies to secure things. But at the same point in time the researchers were able to get a little bit more context, so they could better understand what it is that they had. And that's important, I think, for everyone, because the industry obviously wants to make sure that anybody that has found something that they think could be an issue, that we're addressing it,
and also that they understand, again, I guess, that context around it, because there are so many other controls, as John mentioned, also in aviation, that are outside of just that digital component, that help keep that safety-resilient system working. Thank you very much. Now I'm going to open up to the audience; stand up. Oh, just, I was curious if that ever plays a role: there was a project that sought to secure certain components of flight control software in a drone. Were those successful? You're nodding away. Yeah, I'm familiar with it, sure. So the question was about the formal methods applied to secure engineering design of avionics systems
and used within the aviation industry. Specifically, the asker of the question asked about HACMS, which is a DARPA project which was focused not only on applications in the unmanned aerial system space but also in other systems, and it was intended to ensure that there was reliable execution. And so it has varied depending on the systems, and then the specific application within aviation: you're far more likely to see those formal methods used in military systems than in commercial, and certainly general aviation, systems. The formal methods do have a lot of advantages. One of the fundamental problems, as we talk about assurance, whether we're talking about software or more complex cyber-physical systems, is it's an NP-hard problem,
and being non-polynomial in terms of time, you cannot necessarily exhaustively test all the potential vulnerabilities. And so even looking at something like HACMS, that's one component of a broader system, and so, as attackers, we look to exploit vulnerabilities in the systems even if particular components are extremely secure. And sometimes that may be a human element, and maybe you display information to a human to make them take an action because that's what they were trained for, and that produces an effect. So absolutely, I think it's good that we're seeing significant efforts made to improve the component security, but you can't get away from looking at the overall system, or system-of-systems, security. And that's one of the beauties
about the aviation industry: all of those safety elements are layered, so vulnerabilities in one layer might not necessarily actually cause something which is critical. Okay, I'll pass it over for the next question. Yeah, go for it. We're trying to smash through the questions as much as we can, because we don't have much time. Basically, tackling the weakest-link risks: so you have some stakeholders in this who operate on extremely thin margins and don't have a lot of extra money to invest in securing all of this stuff, but they're also some of the people who are relied upon by all the other airlines and systems, right? So I'm kind of wondering
what is the ISAC doing to try and identify where those systemic risks exist, and how to shore up those weaker links, which may not necessarily bring in the level of revenue, probably more than every year, that they can spend on it? Okay, so the question basically is: what's the ISAC doing, really, to help everyone, because not everyone's got the big budget, right, for security and safety? So again, one of the great things about the ISAC is we have airframers, airlines, satellite companies, service companies, airports, everybody in between, the supply chains, that are members. And because of the way ISACs work and the agreements, they are able to do exactly what it is that you're
talking about, as opposed to having monopoly issues and things like that, because we're not talking about prices of routes, we're not talking about how you're going to set your seats up or anything like that; we're just talking about the security for everything. So having the airframers in there with the airlines, the operators of that, allows for exactly that type of discussion to occur. The airframers are the ones that are pretty much doing that from the design: it begins at design, then build and test and operate. And the big thing is, as you build all that and you hand it off, right, there comes a point in time where those who have designed and built
now have to give it to those who operate. And this discussion, and the building of the trust, is allowing for that free-flowing discussion of "what is it that you all are doing once you've gotten that?" Part of the issue that's come up, if you get a chance to see Ruben's talk tomorrow, has to do with hand-offs of equipment, because it goes from someone who's built it to someone who installs it to maybe someone who replaces it, puts in another type of system, and each of those opportunities is also an opportunity for someone to make a security error. And so things like continuous monitoring, when it comes to what's considered a resilient system,
have really kind of come to the forefront. I think that's probably one of the biggest things that's come out of the last couple of months: you can't accept anything as resilient, right? We all know you have to do continuous monitoring, and ensuring that that's happening, even on systems that you think are delivered resilient, is a big part of that now. Okay, so the aim really is to try and make sure that we can find those vulnerabilities, maintain the systems as resilient, and as profitable and safe as they have been, really across all of those stakeholders, and make sure we can do it in a way that the research community is brought in in a positive manner. I
think we can do it. I think that with the work of the ISAC and companies like IOActive and all the other research community... I think we've run out of time, sorry. Actually, what we'll try and do is try and make sure that we can actually find those processes and those relationships and build trust so we can take this forwards. I'll give final short comments to both of you, but everyone, we will be hanging around afterwards so we can answer questions if we missed you, for example, sorry, RenderMan, and then we'll hopefully pass over. But final words to the panellists, please. I would just say, over the last couple of months,
we've been very actively involved, actually, with a couple of researchers. So, you know, we were mentioned with Ruben and IOActive, but we've had other engagements here where this model of somebody coming in, disclosing something to the Aviation ISAC, has helped them specifically, because by getting with us we were able to get them connected to the right people right away, which was very important for both us and them: again, context for the researchers and awareness on the aviation side. But the other thing that I think is really important, and we're seeing it, is when a vulnerability is found in one product, if you go to that one company and disclose it to them, give them a
chance to fix it, and they fix it, and then it goes public, I think there's still a lot of risk in industries where other companies, maybe they didn't have that exact same functionality, but they probably have some similar type of functionality. And the methodology that was used to uncover that risk, we believe in the aviation industry, should be shared amongst the industry, so all of the other people who design and build to perform that same function can make sure that they don't have that same risk. Because, you know, we're talking again about a huge safety issue, a huge economy, and by having everyone be able to look at what's going on, and then making it public, I think we've done
a more responsible thing in terms of safety and security in the industry. And I can say for sure that the information that was shared, you know, the companies that were involved in this thing immediately made their corrections, but we know of many other companies that shared with us that it made them relook and rethink and start to go back and challenge themselves, and that, I think, is a win again for everybody. So I know we're out of time. I would say, you know, we work with a number of other ISACs, and the ISAC is something that's a little bit new to a lot of cybersecurity researchers, but it's a very, very, very
valuable tool for engaging with those stakeholders who are exposed to the risks of the research. So thank you very much for coming, everybody. It's a topic which will not go away, and I'm looking forward to discussing this lots more besides going forward, but please come and speak to us afterwards, and hopefully we'll explore this to get it better. Thank you. [Applause]