Cyber security top priority for aircraft makers, says Airbus

Everything the air manufacturing industry plans is considered through the lens of cyber security, but not everyone is up to the same standard across the industry in general, even among suppliers of critical national infrastructure, said Ian Goslin, UK managing director of Airbus cyber security.

“The level of analysis that is done against every element of our platform development in terms of the aircraft is always considered through the lens of cyber security,” he told Computer Weekly.

This means, said Goslin, that whatever aircraft manufacturers are planning, they will consider the potential the cyber security implications from the start.

“That maturity of cyber security consideration should assure the public that aircraft are very safe in terms of cyber security. We isolate what we need to isolate, we put in place everything that is needed to protect our aircraft, and we continually review that to ensure it is always up to date.”

This is true across the aircraft manufacturing industry, which is very mature in terms of its approach to cyber security, said Goslin.

“Cyber security is the one area that rival manufacturers regularly collaborate on. Our biggest rival is Boeing, and there is a lot of intellectual property that we each want to protect to gain competitive advantage.

“But in cyber security, Airbus and Boeing collaborate completely because it is in both our interests to ensure that each of us understands the threat, where it is coming from and if it is being launched because if either of us is compromised, it could have a massive impact on the whole industry.”

Like any part of critical national infrastructure, Goslin said some airports are better than others when it comes to cyber security.

“The best airports are the ones that have recognised the threat, that there is intent [by malicious actors to carry our cyber attacks] and they recognise the financial impact it would have on them as a business, which is what businesses need to do to get the attention of the C-suite. Putting a risk in the context of a true business impact is really important,” he said.

However, Goslin is optimistic that cyber security at airports will improve where necessary. “We are working with several airports, but they are all looking at cyber security carefully and they are growing in terms of their cyber security maturity,” he said.

Where Airbus is working with airports as a managed security services provider, he said the company is applying its experience in vulnerability analysis to find and mitigate potential vulnerabilities in critical IT systems and systems of systems that would have an impact on the business if they were compromised or if they failed.

“In summary, aircraft are exceptionally safe in terms of cyber security, while airports are safe and are continually getting better,” said Goslin.

However, he said other elements of critical national infrastructure are not at the same level and there is still some work to be done in term raising cyber security maturity levels.

“There are still organisations that provide critical infrastructure that still do not have a chief information security officer [CISO], and the biggest challenge for the ones that do have a CISO, is to get the C-suite to understand that there is a real threat of cyber attack and that the potential impact is worth considering in terms of the effect it could have on the business.”

Airbus, which has a cyber security research facility in Newport and teams based in Corsham and Cheltenham, works closely with the UK’s Ministry of Defence (MoD). It provides consultancy services to the military, government and industry on cyber vulnerabilities, particularly those affecting operational technology, commonly found in industrial plants and suppliers of critical national infrastructure.

Commenting on the current cyber security threat landscape, Goslin said most organisations face the full spectrum of threat actors, from teenage hackers all the way up to nation state groups.

Airbus is no different, he said, but has a particular focus on protecting intellectual property and ensuring that products are not compromised by cyber attackers.

“The threat is large and growing in terms of sophistication, as well as the number of actors who want to tap into the benefits of cyber crime or cyber hacktivism. As a result, organisations need to recognise that they will regularly come under cyber attack, ranging from very obvious attacks to those that are extremely subtle in preparation for potential future attacks,” he added.

For this reason, Goslin believes it is important for organisations to improve their ability to recognise and characterise external probing of their networks that a state actor could potentially use at some time in the future when they want to create a maximum impact.

“It is a rich and diverse environment right now, and we need to recognise that there are people who are intent on benefiting from compromising the full spectrum of industry, including critical national infrastructure and government, so it is an interesting time to be in the business,” he said.