Select Page

Security Professionals are Working with Colleagues in the Aviation Sector to Address Potential Vulnerabilities in the Industry

Americans love to fly. Whether it’s for business or pleasure, they take to the air. In 2019, 253 million Americans traveled on commercial airlines. In 2020 and 2021, the numbers were way down because of the worldwide Covid-19 pandemic. In 2020, the total dropped to about 67 million. In 2021 it fell to about 99 million. For 2022, the total number is expected to reach about 180 million passengers. Closer to the total numbers before Covid-19 hit the industry hard.

Like travelers all over the world, U.S. airline passengers are concerned with paying reasonable fares, arriving on time and sitting in relative comfort. Naturally travelers allow for the possibility of crying babies, overweight fellow passengers and meals that may not satisfy an adult appetite. What they usually don’t think about is aviation cybersecurity. But maybe they should. For their own safety. And that of their fellow travelers around the world.

One security policy professional who is paying attention is Simon Handler, assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security. His work focuses on cybersecurity issues against the backdrop of geopolitics and international security. He is a former special assistant in the United States Senate. So, a security policy professional who operates across an international landscape that includes aviation and aerospace.

His organization, the Atlantic Council, produces publications and briefs on a range of global policy issues from NATO’s global role to energy security and cybersecurity. In 2019, the organization partnered with the Thales Group, a global technology company based in London, to publish Aviation Cybersecurity: Scoping the Challenge. The publication mapped out fresh perspectives across the aviation ecosystem and highlighted the pressing need for international collaboration.

The council also hosted a discussion with industry experts on public and private sector cooperation on aerospace cybersecurity and opportunities to apply industry best practices within the defense community. The efforts by the council and the Thales Group were done for two reasons. One, to raise public and industry awareness and spark a dialogue on cybersecurity vulnerabilities. And two, to advance stakeholder collaboration in pursuit of resilient aerospace systems.

Consider for a moment the second reason: ‘Advance stakeholder collaboration in pursuit of resilient aerospace systems.’ What these aerospace cybersecurity experts are saying is: ‘Our goal is to strengthen private industry and Department of Defense partnership and collaboration on this critical issue. And the end result we hope to see is enhanced aircraft operating and communications systems in order to avoid potentially catastrophic consequences.’

Now, all of this might seem like polite discussion by Washington security, aerospace and defense insiders. But remember that Boeing’s 737 MAX passenger airliner was grounded worldwide in March 2019 because of defective software in its maneuvering system. A fatal flaw that caused uncontrolled nosedives and killed 346 people in two separate crashes. One was Lion Air Flight 610 in October of 2018 and the other was Ethiopian Airlines Flight 302 in March of 2019.

A software flaw in a commercial airliner’s maneuvering system is a deadly serious vulnerability. One that could be exploited by a criminal gang intent on a big ransomware score. This was not the case in the two catastrophic 737 Max crashes, but the possibility of a software vulnerability in an airliner’s operating system is something that keeps Simon Handler and his colleagues at the Atlantic Council and throughout the aerospace cybersecurity community up at night.

The two fatal crashes and the 346 tragic deaths were a business, financial and legal disaster for Boeing. In January of 2020, the company reported a loss of $18.4 billion for 2019 and the cancellation of a 183 total 737 MAX orders for the year. As a result of the 737 Max software flaw and the ensuing crashes and tragic loss of life, Boeing quietly moved to change the name of the aircraft from 737 Max to 737-8.

Because passengers were doing something new: Asking airline reservation staff and travel websites exactly what kind of plane they were going to be flying ahead of their trips. Because no one traveling for business or pleasure wants to be reminded of similar planes falling out of the sky. A very tough lesson Boeing had to learn the hard way. And one that Simon Handler of The Atlantic Group and his Thales Group colleagues are working to ensure the industry has taken to heart.

Sources. Protecting the new frontier: Seven perspectives on aerospace cybersecurity, article by Simon Handler, The Atlantic Group, February 2021. A software bug caused Boeing’s new plane to crash, article by Naomi Smith, Tech Trends, April 2019.

©Copyright, Jorge González-García, Sr. Content Writer, Tucson, Arizona, April 2023.